Authentication without Authentication - Peerlyst meetup

•Download as PPTX, PDF•

0 likes•186 views

This document summarizes a presentation about authenticating devices without traditional authentication. It describes using digital signatures and one-time passwords to uniquely identify devices based on cryptographic keys. The presentation covers OpenID, digital signatures, one-time passwords, and demonstrates authenticating an API request without passwords. Edge cases like network failures and compromised devices are also addressed. Requirements for the authentication method are that it provides strong authentication, unique device identification, simplicity, unique requests, and fault tolerance.

Technology

Authentication Without
Authentication
December 2017
@omerlh
#MeetupAtSoluto

Agenda
● Introduction
● OpenID
● Digital Signature
● One Time Password
● Demo
● Edge Cases

Can we Authenticate without Authentication?

- Helping people get the most out of their technology

“...a significant amount of drop-off in app usage,
losing up to 56% of users,
but are pretty much essential for the
majority of apps out there today...”
Source: Optimizely

Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/

Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html

● “Simple Identity Layer”
● Token-based authentication
● Widely supported
● Modularity - many authentication flows

Authorization Server
Application ServerDevice

Supported Authentication Methods
Authorization/Implicit/Hybrid
Client credentials
Resource Owner
JWT client assertion

Requirements
❏ Strong authentication solution
❏ Unique device identification
❏ Simple
❏ Unique per request
❏ Replay Attacks
❏ Fault tolerant

Dear Bob
Dear BobSign Verify
Leo Bob the BuilderTM
Source: Bob the Buildertm Official Site

Authorization Server
Device
Public Key, Id
Public Key, Id
Id: 5467

Authorization ServerDevice
Digital Signature, Id
Public Key, Id
Id: 5467

So far we have:
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
❏ Unique per request
❏ Fault tolerant

Client State Server State
Old 5
New 2
Old 5
New 2
Old 2
New 42
Old 5
New 2
Old 2
New 42
Token

Client
Authorization
Server
Application Server
(Sensitive API)

Let’s see it in action...
All the code is available on GitHub

Network request can fail
● Reasons:
○ Timeout
○ Network failure
○ Temporary server errors
● Unknown server state
○ State did not changed
○ State changed

Client State Server State
Old 2
New 42
Old 1
New 2
Old 2
New 42
Old 2
New 42
Old 1
New 2
Token
Error

Client State Server State
Old 2
New 42
Old 2
New 42
Old 1
New 2
Old 2
New 42Old 2
New 42Old 2
New 42
Error

Client State Server State
Old 2
New 42
Old 2
New 42
Old 42
New 86
Old 42
New 86
Old 2
New 42
Bad Request (400)
Token

Client State Server State
Old 2
New 42
Old 1
New 2
Eve
Old 2
New 42
Old 1
New 2
Old 2
New 42
Old 2
New 42 Token

Client State Server State
Old 2
New 42
Old 2
New 42
Eve
Old 42
New 56
Old 2
New 42
Old 2
New 42
Bad
Request
(400)

Client State Server State
Old 42
New 78
Old 2
New 42
Eve
Old 42
New 56
Old 2
New 42
Old 42
New 78
Old 42
New 78Token

Client State Server State
Old 78
New 4
Old 7
New 78
Eve
Old 7
New 56
Old 7
New 78
Old 7
New 93
400 Bad
Request

Requirements
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
✓ Unique per request
✓ Fault tolerant

How can you use it?
@omerlh
#MeetupAtSoluto

@omerlh
#MeetupAtSoluto
We’re hiring!
Thank You!

SpringOne Platform 2016 Speaker: David Ferriera; Director, Cloud Technology, Forgerock Microservices architecture elevates the challenges for Authentication and Authorization management. When a single frontend request can result in many backend microservices calls, it is important to balance security and performance. ForgeRock provides a standards-based blueprint that provides a flexible solution for making these choices while protecting your Cloud Foundry services end to end.

OpenID Connect: The new standard for connecting to your Customers, Partners, ...

Salesforce Developers

With the proliferation of cloud applications, mobile devices, and the need to connect to external users, IT organizations are increasingly challenged with how to manage and gain transparency into user access to systems and applications. As your organization looks to deploy Identity in the cloud, it’s critical that this is backed by open-standards. In this webinar, Chuck Mortimore, Pat Patterson, and Ian Glazer will give you a broad overview of how OpenID Connect can help better connect you with your customers, partners, apps, and devices Key Takeaways Get introduced to OpenID Connect, learn how it builds on top of OAuth, and discover why it’s an important new standard for your organization Consume OpenID Connect from popular Identity providers with Social Sign-On Provide a single, branded Identity to your own users and applications using OpenID Connect Use OpenID Connect to easily build Identity-enabled mobile applications Plan for the next generation of connected devices Intended Audience This webinar is aimed at a technical audience of administrators, developers, architects and business analysts who are wishing to learn more about Identity and Standards

CIS 2015 OpenID Connect and Mobile Applications - David Chase

CloudIDSummit

Mit 2014 introduction to open id connect and o-auth 2

Justin Richer

Microservices Manchester: Authentication in Microservice Systems by David Borsos

OpenCredo

When implementing applications using a microservice architecture, concerns of authenticating and authorising end-users or other services requires a different approach, especially when scalability and no single points of failure is in mind. I’d like to talk about some “lessons learned” in the past few years and show a few ideas how to deal with these concerns. About David Borsos David is a Senior Consultant for OpenCredo having joined the company as a consultant in 2013. David works on a number of technical engagements for OpenCredo and has a several years experience working in the financial industry, developing web-based enterprise applications, mostly of internally used tools that supported the maintenance and operations of a large IT infrastructure.

Using Federation to Simplify Access to SharePoint, SaaS and Partner Applications

Novell

Identity federation has become the standard method for delivering access to services across organizational boundaries. More recently, federation has become the preferred method for managing user access within Microsoft SharePoint environments. In this session, you will get an overview of the federation capabilities in Novell Access Manager. Specifically, the presenters will provide an introduction to identity federation, cover basic setup and configuration, and show you how to enable federated access to Microsoft SharePoint and Google applications. No previous knowledge of federation standards is required for this session.

muCon 2016: Authentication in Microservice Systems By David Borsos

OpenCredo

Software security is hard. Software security in Microservice Systems is even harder. Microservice-style software architectures have steadily been gaining popularity in recent years. They offer many benefits over traditional monolithic software products, however they also introduce new challenges - one of these being security. In recent years David has worked on this problem in several independent projects, and this talk will draw on his learnings within the topic of authenticating end-users. David will describe, compare and evaluate several authentication options from the perspective of how secure they are and how well they comply with the qualities of a well-designed microservice system. You will leave the talk with suggested evaluation criteria and guidance for implementation based on their use cases.

CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...

CloudIDSummit

John DaSilva, Identity Architect, Ping Identity Brian Campbell, Portfolio Architect, Ping Identity If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.

Are you worried that your REST API may be the next victim of an attack by ruthless hackers? Don't fret. Utilizing the same standards implemented by OAuth 2.0 and OpenID Connect, you can secure your REST API. Open and proven standards are the best ways to secure your REST APIs for now and well into the future. JSON Object Signing and Encryption (JOSE) is the core of a truly secure standards based REST API. In this talk, you will learn how to use the components of JOSE to secure your REST API for now and the future.

Exploring Advanced Authentication Methods in Novell Access Manager

Novell

Novell Access Manager provides many different levels of authentication beyond a simple user name and password. In this session, you will learn about its more advanced methods of authentication—from emerging standard like OpenID and CardSpace to tokens and certificates. Attendees will also see a demonstration of FreeRADIUS and the Vasco Digipass with Novell eDirectory, the Vasco NMAS method and an Access Manager plug-in that provides SSO to Web applications that expect a static password.

Indianapolis mule soft_meetup_30_jan_2021 (1)

ikram_ahamed

Let's get started with passwordless authentication using windows hello in you...

Chris Ryu

This demonstrates deploying your own FIDO authentication infrastructure to your Azure. Deploy a FIDO server and describe how Windows Hello works with the FIDO server. With Windows Hello and FIDO Server, you can implement secure authentication on your infrastructure. If people is considering passwordless system in their own cloud infrastructure, this session can provide such as their requirement. This shows how to deploy FIDO 1.0, 2 to their infra structure to implement passwordless system in their infrastructure for desktop & mobile.

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...

Brian Campbell

OpenID Connect: An Overview

Pat Patterson

Smart Card AuthenticationDan Usher

Implementing MITREid - CIS 2014 Presentation

Justin Richer

Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study)

Richard Bullington-McGuire

ID連携入門 (実習編) - Security Camp 2016

Nov Matake

Beyond Bearer: Token Binding as the Foundation for a More Secure Web

Brian Campbell

The overwhelming majority of security tokens used today on the web are bearer tokens (e.g. HTTP cookies, OpenID Connect ID tokens, SAML assertions, OAuth tokens). Any party in possession of a bearer token is able to use it to gain access to the associated protected resources, which makes them a highly attractive target for attackers. Although there have been many efforts to provide better than bearer security, none have achieved widespread deployment success. Token Binding is new IETF protocol that enables strong cryptographic defenses against the use of stolen security tokens and, with a novel approach and the backing of some very significant industry players, has the potential to find the success that’s been elusive to previous attempts. This session will provide an overview of how Token Binding works and its application to higher level protocols like OpenID Connect and OAuth. Some bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.

The Client is not always right! How to secure OAuth authentication from your...

Mike Schwartz

The OpenID Connect or OAuth frameworks can be used to achieve a range of security levels. Properly used, it mitigates many risks. However, OpenID Connect’s flexibility, combined with its shared ontogeny with OAuth 2.0, creates opportunities for error--developers may not use (or even know about ) certain features necessary to achieve the transaction integrity they desire. The good news is that client software and middleware services can do some of the heavy lifting. You can have the best of both worlds--maximizing security and developer joy. Whether you’re a developer or security architect, what should you look for in an application that acts as an OpenID Connect client?

The Ultimate Guide to Mobile API Security

Stormpath

OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update

OpenIDFoundation

OpenID Connect and Single Sign-On for Beginners

Salesforce Developers

Websites and applications are implementing social single sign-on to allow users to login using trusted authentication providers such as Google, Facebook, and even Salesforce. Join us to learn how to configure the OpenID Connect authentication provider to allow users to authenticate at Google to access a Salesforce environment. We'll also look at how you can relieve yourself of the burden of password management by having your web app login users via Salesforce.

Workshop: Advanced Federation Use-Cases with PingFederate

Craig Wu

OpenID Foundation RISC WG Update - 2018-04-02

MikeLeszcz

Dr. Omar Ali Alibrahim - Ssl talk

promediakw

Authentication Without Authentication

Authentication without Authentication - Peerlyst meetup

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Authentication without Authentication - Peerlyst meetup

Similar to Authentication without Authentication - Peerlyst meetup (20)

More from Soluto

More from Soluto (20)

Recently uploaded

Recently uploaded (20)

Authentication without Authentication - Peerlyst meetup