Protecting apps and APIs using Nordic eIDs

•Download as PPTX, PDF•

1 like•844 views

Erik Wahlström

Technology

Erik Wahlström
Technology Strategist
9/19/2013
3
Todays topics
 eIDs is in the news.
 What is an eID?
 What are the Nordic eID?
 Three ways to use your eIDs to protect apps and APIs.

Erik Wahlström
Technology Strategist
9/19/2013
4
What is a eID?
 Digital passport to authenticate and sign.
 Issued or trusted by governments.
 Legally binding.

Erik Wahlström
Technology Strategist
9/19/2013
5

Erik Wahlström
Technology Strategist
9/19/2013
6
Smartcards or eIDs on file

Erik Wahlström
Technology Strategist
9/19/2013
7
Software based OTPs.

Erik Wahlström
Technology Strategist
9/19/2013
8
Tupas.

Erik Wahlström
Technology Strategist
9/19/2013
9
API based.

Erik Wahlström
Technology Strategist
9/19/2013
10
What’s up next?
 New platform for Swedish BankID.
 SAML based identity federations like eID2.
 New projects in Norway and Finland.

Erik Wahlström
Technology Strategist
9/19/2013
11
How to protect an API using eID?
 Web based APIs.
 Protocol handlers.
 Use browsers and OAuth2.
 A token can be anything.
 Alternatives to call an API:
 Swedish Mobile BankID.
 OAuth2 to authenticate using any other type of eID.
 Bind two devices together to use smartcards on
smartphones.

Erik Wahlström
Technology Strategist
9/19/2013
12
Alternative one – Swedish Mobile BankID

Erik Wahlström
Technology Strategist
9/19/2013
13

Erik Wahlström
Technology Strategist
9/19/2013
14
bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz

Erik Wahlström
Technology Strategist
9/19/2013
15

Erik Wahlström
Technology Strategist
9/19/2013
16
nexus://state=xyz

Erik Wahlström
Technology Strategist
9/19/2013
17

Erik Wahlström
Technology Strategist
9/19/2013
18
Swedish Mobile BankID
Deep dive

Erik Wahlström
Technology Strategist
9/19/2013
19
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
20
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
21
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
22
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
23
bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
24
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
25
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
26
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
27
nexus://state=xyz
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
28
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
29
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
30
Alternative two – Others eIDs

Erik Wahlström
Technology Strategist
9/19/2013
31
Use your browser to authenticate
using any eID
 OAuth2 industry standard to protect APIs.
 Define a way to get a authorization to use an API.
 A token or two is good.
 Use the token to access the API.
 Use OAuth2 and a browser dance to authenticate.
 Enables any method and eIDaaS.

Erik Wahlström
Technology Strategist
9/19/2013
32

Erik Wahlström
Technology Strategist
9/19/2013
33
https://example.com/oauth2?
response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F%
2Fauthorization&scope=api&state=xyz

Erik Wahlström
Technology Strategist
9/19/2013
34

Erik Wahlström
Technology Strategist
9/19/2013
35
nexus://authorization?code=oauth2grant&stat
e=xyz

Erik Wahlström
Technology Strategist
9/19/2013
36
Other eIDs
Deep dive

Erik Wahlström
Technology Strategist
9/19/2013
37
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
38
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
39
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
40
Alternative three – eID on other device

Erik Wahlström
Technology Strategist
9/19/2013
41
Use an eID on another device
 Put the rather sad user to work.
 Connect two devices.
 Refresh tokens makes it usable.

Erik Wahlström
Technology Strategist
9/19/2013
42

Erik Wahlström
Technology Strategist
9/19/2013
43

Erik Wahlström
Technology Strategist
9/19/2013
44

Erik Wahlström
Technology Strategist
9/19/2013
45
Final words

Erik Wahlström
Technology Strategist
9/19/2013
46
Final words
 BYOD and consumerization.
 eIDaaS and OAuth2 for best coverage.
 Refresh tokens is not always ok.
 WebCrypto is cool.

Erik Wahlström
Technology Strategist
9/19/2013
47
Thanks!
 @erik_wahlstrom
 erik.wahlstrom@nexusgroup.com

Similar to Protecting apps and APIs using Nordic eIDs

According to #TechSci Research Report- Vietnam Cyber Security market was valued at USD0.142 billion in 2020 and is projected to grow around USD0.350 billion by 2026 owing to the proliferation of technologies such as cloud-based systems, rising big data demand and increasing usage of internet of things and social media Report URL : https://www.techsciresearch.com/report/vietnam-cybersecurity-market/7793.html #marketresearch #consultingfirms #marketintelligence

Vietnam cyber security market size, shre & market forecast 2016 2026

TechSci Research

Paranoia or risk management 2013

Henrik Kramshøj

Fuelling Digital Innovation - Webinar Deck

The Digital Insurer

The state of cybersecurity in Switzerland - FinTechDay 2017

Tiago Henriques

UK Government identity initiatives since the late 1990s - IDnext 2015

Jerry Fishenden

Smart maintenance of security has emerged as a cardinal concern for any personnel systems, especially for an individuals dwelling place. Over the last decade, the rapid rise of burglary and theft all over the world is threatening due to the vulnerability of traditional home security systems. According to Knoema.com, a company which deals with data. Netherland is the top most country with highest rate of burglary. Looking at the statistics, It is very important to create a safe and secured home environment to avoid theft and burglary. The only thing that is with us all time in today’s world is our smartphone. We can carry out Remote monitoring and security of house using a mobile application. It will help us to check security and monitor our homes from any corner of the world just using an internet connection.

Secured home with 3 factor authentication using android application

Iliyas Khan

Military Enlists Digital Twin Technology to Secure Chips

TJR Global

Cyber security is a prime concern for every business nowadays. Currently, most of the government and private company are using digital platform such as desktop, mobile and application for information transferring. Important information such as financial transaction, healthcare data, and personal information recorded online. To protect user data transmission SSL certificate provider as a secure data transfer device to avoid data loss through hackers and malware.

Top SSL Certificate Providers for Your Business

ClickSSL

CIO Roundtable IOT

Jim Sutter

CIO RoundtableIot IOT

James Sutter

IoT World Forum Press Conference - 10.14.2014

Bessie Wang

Accelerating the creation and deployment of e-Government services by ensuring...

Secure Identity Alliance

Blockchain Devices.pdf

RonnyMartine

Trends in IRM: Internet of Things

ForgeRock

20161201 witdom bdva summit

Elsa Prieto

Smart lock market

ameliasimon0

The potential trillion dollar Internet of Things (IoT) business opportunity rests precariously on one critical factor – security. 71% of executives in our survey agreed that security concerns will influence customers’ purchase decision for IoT products. However, despite increasing cyber attacks and ample warning from security experts, most organizations do not provide adequate security and privacy safeguards for their IoT products. In fact, only 33% of IoT executives in our survey believe that the IoT products in their industry are highly resilient to cyber security attacks. Further, despite rising consumer concerns regarding data privacy, 47% of organizations do not provide any privacy related information regarding their IoT products. So, why are organizations lagging behind in securing their IoT products and systems? Key reasons for this include an expanded attack surface, inefficiencies in the IoT product development process, and the lack of specialized security skill-sets. For instance, our survey showed that only 48% of companies focus on securing their IoT products from the beginning of the product development phase. Building a secure IoT system begins with the recognition that security needs to be as much of a priority as the features and functionality of an IoT product. The report highlights the key measures that organizations must take in order to put security at the core of their IoT value proposition.

Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...

Capgemini

Securing the internet of things opportunity putting cybersecurity at the hear...

Rick Bouter

SecureMAG Volume 6 - 2014

Chin Wan Lim

Security In an IoT World

syrinxtech

Similar to Protecting apps and APIs using Nordic eIDs (20)

Vietnam cyber security market size, shre & market forecast 2016 2026

Paranoia or risk management 2013

Fuelling Digital Innovation - Webinar Deck

The state of cybersecurity in Switzerland - FinTechDay 2017

UK Government identity initiatives since the late 1990s - IDnext 2015

Secured home with 3 factor authentication using android application

Military Enlists Digital Twin Technology to Secure Chips

Top SSL Certificate Providers for Your Business

CIO Roundtable IOT

CIO RoundtableIot IOT

IoT World Forum Press Conference - 10.14.2014

Accelerating the creation and deployment of e-Government services by ensuring...

Blockchain Devices.pdf

Trends in IRM: Internet of Things

20161201 witdom bdva summit

Smart lock market

Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...

Securing the internet of things opportunity putting cybersecurity at the hear...

SecureMAG Volume 6 - 2014

Security In an IoT World

Recently uploaded

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Histor y of HAM Radio presentation slide

vu2urc

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

CNv6 Instructor Chapter 6 Quality of Service

giselly40

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Presentation on how to chat with PDF using ChatGPT code interpreter

naman860154

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Sara Mae O’Brien Scott and Tatiana Baquero Cakici, Senior Consultants at Enterprise Knowledge (EK), presented “AI Fast Track to Search-Focused AI Solutions” at the Information Architecture Conference (IAC24) that took place on April 11, 2024 in Seattle, WA. In their presentation, O’Brien-Scott and Cakici focused on what Enterprise AI is, why it is important, and what it takes to empower organizations to get started on a search-based AI journey and stay on track. The presentation explored the complexities of enterprise search challenges and how IA principles can be leveraged to provide AI solutions through the use of a semantic layer. O’Brien-Scott and Cakici showcased a case study where a taxonomy, an ontology, and a knowledge graph were used to structure content at a healthcare workforce solutions organization, providing personalized content recommendations and increasing content findability. In this session, participants gained insights about the following: Most common types of AI categories and use cases; Recommended steps to design and implement taxonomies and ontologies, ensuring they evolve effectively and support the organization’s search objectives; Taxonomy and ontology design considerations and best practices; Real-world AI applications that illustrated the value of taxonomies, ontologies, and knowledge graphs; and Tools, roles, and skills to design and implement AI-powered search solutions.

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Enterprise Knowledge

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Recently uploaded (20)

Boost PC performance: How more available memory can improve productivity

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Histor y of HAM Radio presentation slide

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

CNv6 Instructor Chapter 6 Quality of Service

Exploring the Future Potential of AI-Enabled Smartphone Processors

Finology Group – Insurtech Innovation Award 2024

Presentation on how to chat with PDF using ChatGPT code interpreter

GenCyber Cyber Security Day Presentation

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

Tech Trends Report 2024 Future Today Institute.pdf

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Boost Fertility New Invention Ups Success Rates.pdf

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

How to Troubleshoot Apps for the Modern Connected Worker

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Protecting apps and APIs using Nordic eIDs

1. Erik Wahlström Technology Strategist 9/19/2013 1

2. Erik Wahlström Technology Strategist 9/19/2013 2 Protecting your Applications and APIs with Nordic e-IDs

3. Erik Wahlström Technology Strategist 9/19/2013 3 Todays topics  eIDs is in the news.  What is an eID?  What are the Nordic eID?  Three ways to use your eIDs to protect apps and APIs.

4. Erik Wahlström Technology Strategist 9/19/2013 4 What is a eID?  Digital passport to authenticate and sign.  Issued or trusted by governments.  Legally binding.

5. Erik Wahlström Technology Strategist 9/19/2013 5

6. Erik Wahlström Technology Strategist 9/19/2013 6 Smartcards or eIDs on file

7. Erik Wahlström Technology Strategist 9/19/2013 7 Software based OTPs.

8. Erik Wahlström Technology Strategist 9/19/2013 8 Tupas.

9. Erik Wahlström Technology Strategist 9/19/2013 9 API based.

10. Erik Wahlström Technology Strategist 9/19/2013 10 What’s up next?  New platform for Swedish BankID.  SAML based identity federations like eID2.  New projects in Norway and Finland.

11. Erik Wahlström Technology Strategist 9/19/2013 11 How to protect an API using eID?  Web based APIs.  Protocol handlers.  Use browsers and OAuth2.  A token can be anything.  Alternatives to call an API:  Swedish Mobile BankID.  OAuth2 to authenticate using any other type of eID.  Bind two devices together to use smartcards on smartphones.

12. Erik Wahlström Technology Strategist 9/19/2013 12 Alternative one – Swedish Mobile BankID

13. Erik Wahlström Technology Strategist 9/19/2013 13

14. Erik Wahlström Technology Strategist 9/19/2013 14 bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz

15. Erik Wahlström Technology Strategist 9/19/2013 15

16. Erik Wahlström Technology Strategist 9/19/2013 16 nexus://state=xyz

17. Erik Wahlström Technology Strategist 9/19/2013 17

18. Erik Wahlström Technology Strategist 9/19/2013 18 Swedish Mobile BankID Deep dive

19. Erik Wahlström Technology Strategist 9/19/2013 19 Personal number Authentication Collect Token Question

20. Erik Wahlström Technology Strategist 9/19/2013 20 Personal number Authentication Collect Token Question

21. Erik Wahlström Technology Strategist 9/19/2013 21 Personal number Authentication Collect Token Question

22. Erik Wahlström Technology Strategist 9/19/2013 22 Personal number Authentication Collect Token Question

23. Erik Wahlström Technology Strategist 9/19/2013 23 bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz Personal number Authentication Collect Token Question

24. Erik Wahlström Technology Strategist 9/19/2013 24 Personal number Authentication Collect Token Question

25. Erik Wahlström Technology Strategist 9/19/2013 25 Personal number Authentication Collect Token Question

26. Erik Wahlström Technology Strategist 9/19/2013 26 Personal number Authentication Collect Token Question

27. Erik Wahlström Technology Strategist 9/19/2013 27 nexus://state=xyz Personal number Authentication Collect Token Question

28. Erik Wahlström Technology Strategist 9/19/2013 28 Personal number Authentication Collect Token Question

29. Erik Wahlström Technology Strategist 9/19/2013 29 Personal number Authentication Collect Token Question

30. Erik Wahlström Technology Strategist 9/19/2013 30 Alternative two – Others eIDs

31. Erik Wahlström Technology Strategist 9/19/2013 31 Use your browser to authenticate using any eID  OAuth2 industry standard to protect APIs.  Define a way to get a authorization to use an API.  A token or two is good.  Use the token to access the API.  Use OAuth2 and a browser dance to authenticate.  Enables any method and eIDaaS.

32. Erik Wahlström Technology Strategist 9/19/2013 32

33. Erik Wahlström Technology Strategist 9/19/2013 33 https://example.com/oauth2? response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F% 2Fauthorization&scope=api&state=xyz

34. Erik Wahlström Technology Strategist 9/19/2013 34

35. Erik Wahlström Technology Strategist 9/19/2013 35 nexus://authorization?code=oauth2grant&stat e=xyz

36. Erik Wahlström Technology Strategist 9/19/2013 36 Other eIDs Deep dive

37. Erik Wahlström Technology Strategist 9/19/2013 37 Token Question

38. Erik Wahlström Technology Strategist 9/19/2013 38 Token Question

39. Erik Wahlström Technology Strategist 9/19/2013 39 Token Question

40. Erik Wahlström Technology Strategist 9/19/2013 40 Alternative three – eID on other device

41. Erik Wahlström Technology Strategist 9/19/2013 41 Use an eID on another device  Put the rather sad user to work.  Connect two devices.  Refresh tokens makes it usable.

42. Erik Wahlström Technology Strategist 9/19/2013 42

43. Erik Wahlström Technology Strategist 9/19/2013 43

44. Erik Wahlström Technology Strategist 9/19/2013 44

45. Erik Wahlström Technology Strategist 9/19/2013 45 Final words

46. Erik Wahlström Technology Strategist 9/19/2013 46 Final words  BYOD and consumerization.  eIDaaS and OAuth2 for best coverage.  Refresh tokens is not always ok.  WebCrypto is cool.

47. Erik Wahlström Technology Strategist 9/19/2013 47 Thanks!  @erik_wahlstrom  erik.wahlstrom@nexusgroup.com

Protecting apps and APIs using Nordic eIDs

Recommended

Recommended

More Related Content

Similar to Protecting apps and APIs using Nordic eIDs

Similar to Protecting apps and APIs using Nordic eIDs (20)

Recently uploaded

Recently uploaded (20)

Protecting apps and APIs using Nordic eIDs