V0.13, Anders Rundgren, WebPKI.org 2008

Two-factor Authentication in the Enterprise

It is sometimes claimed that a single enterprise credential can cover all authentication needs of an employee. In practice this has turned out to be largely theoretical, for reasons ranging from technical limitations in the infrastructure outside of the enterprise (a smart card typically doesn't work in public terminals) to privacy (merchants do not really need your company or government ID; they rather need a verified binding to the purchasing organization, or simply a valid payment).

Currently, two-factor authentication schemes like OTP, PKI, and more recently Microsoft's CardSpace® are handled by completely disparate issuing, distribution, and usage processes, which makes it difficult for organizations to deploy the multiple credentials that the situation described above calls for.

This presentation outlines a "united" enterprise multi-credential vision, in part based on a work-in-progress called KeyGen2.
One GUI Paradigm* - Multiple Credentials and Scenarios

[Figure: two "Select Card X" dialogs side by side]

Direct Mode:
  Enhanced TLS or Kerberos client using PKI for authentication to the Acme intranet
  (card shown: John Doe, ID03450184)

Federated Mode:
  Information Card using PKI for authenticating to the Acme IdP
  (card shown: Purchasing Card, John Doe)

*) Client-side PKI in TLS can be regarded as managed cards running in self-issued mode
Ubiquitous Enterprise Web Access - An OTP "Killer Application"

One Time Password, Direct Mode

[Figure: smartphone displaying the OTP value 0453245 for John Doe, next to a standard PC]

SmartPhone with OTP application support, "emulating" OTP token devices

Standard "PC" (Windows, Linux, Mac) without any additional authentication middleware or hardware

Although not shown, OTP token selection can be performed using an Information Card GUI as well
One Provisioning Step* (using KeyGen2) - Multiple Credentials

The ability for an entity to issue and manage all user credentials "in parallel" makes it realistic to offer multiple credentials, each optimized for a set of use-cases. To further reduce help-desk support and increase user convenience, all credentials from a specific issuer would typically be protected by a single user-defined PIN.

*) From the user's point of view it appears to be a single step, while the protocol itself performs 6 to 8 different passes, including asymmetric key-pair generation in the client.

[Figure: a single package delivered to the Client System, containing the credentials below; the Information Card references the PKI credential]

OTP (One Time Password) "seed"
  The card logotype was added for supporting an Information Card compatible OTP selection GUI
  (card shown: John Doe)

Managed Information Card(s)
  You may need multiple cards, where each card is adapted for a particular federation network
  (card shown: Purchasing Card, John Doe)

PKI (primarily used for desktop and intranet login)
  New usage: powering enterprise Information Cards
  Potential usage: internal signature operations
  The card logotype was added for supporting an Information Card compatible PKI selection GUI
  (card shown: John Doe, ID03450184)
And in What Should We Keep All these Credentials?

http://middleware.internet2.edu/idtrust/2008/slides/03-pekka-roaming-identity.ppt

Maybe these guys are on to something?