Multiple credentials-in-the-enterprise


Published in: Technology


  1. Two-factor Authentication in the Enterprise (V0.13, Anders Rundgren, 2008)

     It is sometimes claimed that a single enterprise credential can cover all authentication needs of an employee. In practice this has turned out to be fairly theoretical, for reasons ranging from technical limitations in the infrastructure outside of the enterprise (a smart card typically doesn't work in public terminals) to privacy reasons (merchants do not really need your company or government ID; they rather need a verified binding to the purchasing organization, or simply a valid payment).

     Currently, two-factor authentication schemes like OTP, PKI, and more recently Microsoft's CardSpace® are handled by completely disparate issuing, distribution, and usage processes, which makes it difficult for organizations deploying multiple credentials to address the situation described above.

     This presentation outlines a "united" enterprise multi-credential vision, in part based on a work-in-progress called KeyGen2.
  2. One GUI Paradigm* - Multiple Credentials and Scenarios

     (Slide figure: two "Select Card X" dialogs, each offering the cards "John Doe, ID03450184" and "Purchasing Card, John Doe".)

     Direct Mode: enhanced TLS or Kerberos client using PKI for authentication to the Acme intranet.

     Federated Mode: Information Card using PKI for authenticating to the Acme IdP.

     *) Client-side PKI in TLS can be regarded as managed cards running in self-issued mode.
  3. Ubiquitous Enterprise Web Access - An OTP "Killer Application"

     (Slide figure, Direct Mode: a SmartPhone with OTP application support, "emulating" OTP token devices, displaying the code 0453245 for John Doe; next to it a standard "PC" (Windows, Linux, Mac) without any additional authentication middleware or hardware.)

     Although not shown, OTP token selection can be performed using an Information Card GUI as well.
  4. One Provisioning Step* (using KeyGen2) - Multiple Credentials

     The ability for an entity to issue and manage all user credentials "in parallel" makes it realistic to offer multiple credentials, each optimized for a set of use-cases. To further reduce help-desk support and increase user convenience, all credentials from a specific issuer would typically be protected by a single user-defined PIN.

     *) From the user's point of view it appears to be a single step, while the protocol itself performs 6 to 8 different passes, including asymmetric key-pair generation in the client.

     (Slide figure: a single package delivered to the Client System, containing the following credentials for John Doe, ID03450184, including the Purchasing Card.)

     - OTP (One Time Password) "seed". The card logotype was added for supporting an Information Card compatible OTP selection GUI.
     - Managed Information Card(s), referencing the PKI credential. You may need multiple cards, where each card is adapted for a particular federation network.
     - PKI (primarily used for desktop and intranet login). New usage: powering enterprise Information Cards. Potential usage: internal signature operations. The card logotype was added for supporting an Information Card compatible PKI selection GUI.
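Slides 3 and 4 describe a smartphone OTP application that "emulates" a token device from a provisioned OTP seed, but the deck does not say which OTP algorithm or how the server copes with a token that has been pressed a few times without logging in. The following is an added example, not code from the deck or from KeyGen2; it assumes the HMAC-based OTP algorithm of RFC 4226 (which the deck does not name), uses the RFC's reference test secret as a constructed seed, and shows both the token side and a server-side verifier with a look-ahead window for counter resynchronisation and rejection of replayed codes.

```python
import hashlib
import hmac
import struct

# Constructed example seed: the RFC 4226 reference test secret, not a real
# provisioned credential. In the deck's model this seed arrives in the
# single KeyGen2 provisioning package, PIN-protected on the client.
SEED = b"12345678901234567890"
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time password number `counter` derived from `seed` (HOTP, RFC 4226)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class OtpToken:
    """Client side: the smartphone application acting as the OTP token."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0          # advances on every code shown, used or not

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class OtpVerifier:
    """Server side: same seed plus the next counter value it will accept."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.look_ahead = look_ahead
        self.next_counter = 0

    def verify(self, candidate: str) -> bool:
        # Try the expected counter and a small window beyond it so that codes
        # generated but never submitted do not lock the user out.
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), candidate):
                # Move past the accepted counter: the same code, or any earlier
                # one, can never be replayed.
                self.next_counter = c + 1
                return True
        return False


if __name__ == "__main__":
    token, server = OtpToken(SEED), OtpVerifier(SEED)
    code = token.next_code()
    print(code, server.verify(code), server.verify(code))  # first True, replay False
```

The look-ahead window is the usual trade-off: a larger window tolerates more "wasted" presses on the phone but gives a guesser more valid codes per attempt, so the window should stay small and the server should rate-limit failed verifications per user.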
  5. And in What Should We Keep All These Credentials?

     (Slide figure not preserved in the extraction.) ... these guys are on to something?