SlideShare a Scribd company logo

Improving Mobile Authentication for Public Safety and First Responders

Priyanka Aash
Priyanka Aash

William Fisher presented on improving mobile authentication for public safety and first responders. He discussed challenges with password management and outlined requirements for an effective authentication solution, including being flexible, efficient, interoperable, and improving credential management. He then demonstrated a solution using standards-based multifactor authentication and single sign-on to provide benefits like reducing authentication time and the number of credentials needed. Finally, he highlighted new NIST guidance on implementing mobile single sign-on solutions.

Technology
1 of 58
Download to read offline
SESSION ID: #RSAC William Fisher IMPROVING MOBILE AUTHENTICATION FOR PUBLIC SAFETY AND FIRST RESPONDERS MBS-R02 Security Engineer National Cybersecurity Center of Excellence @Billfshr
#RSAC LET’S TALK ABOUT AUTHENTICATION
Authentication impacts users Image courtesy of: www.pexels.com
How many of us use Android or iOS devices daily for work? Image courtesy of: www.pexels.com
How many of our apps require their own passwords?
Need an image for Bio-metrics here Biometrics help, but…
5am: Please re-enter your password. Image courtesy of: www.imgflip.com
We know this… 10 Greene, K. K., Gallagher, M. A., Stanton, B. C., Lee, P. Y.: I Can’t Type That! P@$$w0rd Entry on Mobile Devices. In: Human Aspects of Information, Security, Privacy, and Trust. Lecture Notes in Computer Science, Vol. 8533, pp 160-171. (2014)
What do we get for our troubles? 11 Not much in the way of security… All tables from the Verizon 2018 DBIR https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Perhaps not all is lost… What was my password? 4-8-15-18-23-42? 4-8-15-16-23-48? Image courtesy of: abc
#RSAC LETS CONSIDER CONTEXT!
At the office? Image courtesy of: www.pexels.com
In the shower? Image courtesy of: www.amazon.com
Driving? Image courtesy of: www.pexels.com
But, what if you were trying to do this? Image courtesy of: www.pexels.com
Or this? Image courtesy of: www.pexels.com
Or this? Image courtesy of: Instagram - PCarsenault
I mean, THIS!
Suddenly, this doesn’t seem so complicated. Image courtesy of: www.pexels.com
What we really want, is these folks… Image courtesy of: Flickr artist Thomas Hawke
…doing more of this… Filmland: Karl Urban in Dredd 3D
…or this… Image courtesy of: www.pexels.com
…and less of this.
but wait… we’ll need to account for these, Image courtesy of: USAF-E
…and these, Image courtesy of: www.media.defense.gov
… … Image courtesy of: www.spoonuniversity.com
…and these. Image courtesy of: www.military-media.defense.gov
…and we’re also short on this. Image courtesy of: www.pexels.com
AND we need to communicate with these,
AND we need to communicate with these, and these,
AND we need to communicate with these, and these, and all of these,
# R S A C Requirements: 34 Authentication that is: Flexible – can handle diverse sets of public safety operational environments Efficient – can be done quickly during line of duty Interoperable – promotes cross-jurisdictional informational sharing
“Yeaaa, if you could just go ahead and audit all of our user accounts by Monday that would be greaaaaat…” But also…
# R S A C Requirements: 36 Authentication that is: Flexible – can handle diverse sets of public safety operational environments Efficient – can be done quickly during line of duty Interoperable – promotes cross-jurisdictional informational sharing Improve credential and account management: Mainly by reducing the number of credentials and accounts needed
And finally… Definitely want to use AES25…hey bitcoin is over 9000!
# R S A C Requirements: 38 Authentication that is: Flexible – can handle diverse sets of public safety operational environments Efficient – can be done quickly during line of duty Interoperable – promotes cross-jurisdictional informational sharing Improve credential and account management: Mainly by reducing the number of credentials and accounts needed Get mobile application developers out of: Developing custom authentication solutions Managing users accounts and directory services
Filler Text / Question / Statement Save the world! Image courtesy of: www.pexels.com
Accelerate adoption of secure technologies: collaborate with innovators to provide real- world, standards-based cybersecurity capabilities that address business needs
NIST Public Safety Communication Research Lab (PSCR) is the primary federal laboratory conducting research, development, testing, and evaluation for public safety communications technologies
#RSAC WHAT WE BUILT? Using standards of course!
# R S A C NCCoE Benefits – Standards-Based 43 NCCoE solutions implement standards and best practices: Using modern commercially available technology:
# R S A C 44 Core Capabilities p@$$w0rd + Multifactor Authentication (MFA) to Mobile Resources • Biometrics, external hardware authenticators and other authentication options Single Sign-on (SSO) to Mobile Resources • Authenticate once with mobile native app or web apps • Leverage initial MFA when accessing multiple applications Identity Federation • Leverage directory services already in place • Send identities across jurisdictional boundaries
#RSAC AUTHENTICATION & SINGLE SIGN-ON DEMO “don’t tell me, show me!”
# R S A C Demo – What you’ll see, MFA + SSO 46 FIDO UAF Authentication Leverages fingerprint registered to device No Password Input FIDO U2F Authentication Using FIDO key as second factor Private key pair on the device Mobile App Single Sign-On Access to mapping and chat apps without need to re-authenticate Implements IETF RFC 8252 for SSO on Native Mobile Apps p1n + + Private Key Biometric
# R S A C Demo – What you’ll won’t see, federation 47 Identity Federation We have examples identity federation using both SAML 2.0 and OpenID Connection 1.0 But as with all federation its “under the hood”
#RSAC SOLUTION BENEFITS “is This Good for the COMPANY?”
# R S A C Remember password management challenge? 49 Reduces: The amount of authentication time and attempts for PSFR personnel The number of credentials that PSFR personnel and organizations need to manage Requirements for complex passwords
# R S A C Standards help! 50 Increases: Interoperability through the use of open, standards-based architecture —Identity providers can leverage their current active directory Authenticator flexibility through the FIDO ecosystem —External hardware authenticators, biometrics, etc…
# R S A C Standards based MFA 51 FIDO: Multifactor authentication in line with NIST 800-63-3 Requirements No secrets (private keys or biometric templates) are stored server-side — “verifier compromise resistance” Phishing resistance
# R S A C Standards-Based SSO 52 IETF BCP for Mobile SSO: User's password and other credentials are never exposed to the SaaS provider or mobile app Apps get an OAuth Token with limited scope of authorization - apps only get access to back-end systems they should be accessing Reduced number of credentials decreased risk of credential re-use
# R S A C 53 AppAuth Software Development Kit Implementation of the “OAuth 2.0 for Native Apps” RFC Free and open source on GitHub – developed by Google and given to OpenID Developers can “Drag and Drop” into a mobile app Oh by the way… its easy for developers
#RSAC NEW NIST GUIDANCE! “yes but how?”
# R S A C NIST SP 1800-13 out now for public comment! 55 • NIST Cybersecurity Practice Guide SP 1800-13 includes: Technical Decisions Trade-offs Lessons Learned Build Instructions Functional Tests
# R S A C Take-aways? 56 1. Everyone, download SP 1800 -13, Available Now! 2. Developers, implement standards-based SSO with AppAuth! 3. Check out the FIDO vendors on the RSA exhibit floor
# R S A C References 57 SP 1800-13: https://www.nccoe.nist.gov/projects/use-cases/mobile-sso IETF RFC 8252: https://tools.ietf.org/html/rfc8252 AppAuth: https://github.com/openid/AppAuth-Android FIDO: https://fidoalliance.org/about/what-is-fido/
# R S A C Any questions? 58 William Fisher, Security Engineer Email: William.Fisher@nist.gov Project Updates: https://nccoe.nist.gov/projects/use-cases/mobile-sso

Recommended

API SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas mauryaAPI SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas maurya
Krishna Murari
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Priyanka Aash
 
Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...
Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...
Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...
Dana Gardner
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
Satheesh Kumar V
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
Ankit Giri
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
The Road to Identity 2.0
The Road to Identity 2.0The Road to Identity 2.0
The Road to Identity 2.0
Adam Lewis
 

Recommended

API SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas mauryaAPI SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas maurya
Krishna Murari
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Priyanka Aash
 
Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...
Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...
Making APIs Secure Demands Tracing and Machine Learning to Rapidly Limit Dama...
Dana Gardner
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017
Satheesh Kumar V
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing! hem...
owaspindia
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
Ankit Giri
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
espheresecurity
 
The Road to Identity 2.0
The Road to Identity 2.0The Road to Identity 2.0
The Road to Identity 2.0
Adam Lewis
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
BehavioSec Web Summit START slideshare
BehavioSec Web Summit START slideshareBehavioSec Web Summit START slideshare
BehavioSec Web Summit START slideshare
Neil Costigan
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News Bytes
Raghunath G
 
FirstNet ICAM
FirstNet ICAMFirstNet ICAM
FirstNet ICAM
Adam Lewis
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
Python For Droid
Python For DroidPython For Droid
Python For Droid
Rich Helton
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
Judy Ngure
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
Adam Lewis
 
Python Final
Python FinalPython Final
Python Final
Rich Helton
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
SensePost
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
Clare Nelson, CISSP, CIPP-E
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
Hai Nguyen
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Why iOS developers requires code signing certificate.?
Why iOS developers requires code signing certificate.?Why iOS developers requires code signing certificate.?
Why iOS developers requires code signing certificate.?
Kayra Obrain
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
Will Adams
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
IOSR Journals
 
Voice Driven User Interface Design
Voice Driven User Interface DesignVoice Driven User Interface Design
Voice Driven User Interface Design
Engine Neer
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
verification_slides
verification_slidesverification_slides
verification_slides
Alessio Parzian
 
Mobile Application Single Sign-On for Public Safety First Responders
Mobile Application Single Sign-On for Public Safety First RespondersMobile Application Single Sign-On for Public Safety First Responders
Mobile Application Single Sign-On for Public Safety First Responders
Ads Manager
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
Priyanka Aash
 

More Related Content

What's hot

Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
BehavioSec Web Summit START slideshare
BehavioSec Web Summit START slideshareBehavioSec Web Summit START slideshare
BehavioSec Web Summit START slideshare
Neil Costigan
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News Bytes
Raghunath G
 
FirstNet ICAM
FirstNet ICAMFirstNet ICAM
FirstNet ICAM
Adam Lewis
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
Python For Droid
Python For DroidPython For Droid
Python For Droid
Rich Helton
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
Judy Ngure
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
Adam Lewis
 
Python Final
Python FinalPython Final
Python Final
Rich Helton
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
SensePost
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
cclark_isec
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
Clare Nelson, CISSP, CIPP-E
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
Hai Nguyen
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Why iOS developers requires code signing certificate.?
Why iOS developers requires code signing certificate.?Why iOS developers requires code signing certificate.?
Why iOS developers requires code signing certificate.?
Kayra Obrain
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
Will Adams
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
IOSR Journals
 
Voice Driven User Interface Design
Voice Driven User Interface DesignVoice Driven User Interface Design
Voice Driven User Interface Design
Engine Neer
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
verification_slides
verification_slidesverification_slides
verification_slides
Alessio Parzian
 

What's hot (20)

Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
BehavioSec Web Summit START slideshare
BehavioSec Web Summit START slideshareBehavioSec Web Summit START slideshare
BehavioSec Web Summit START slideshare
 
Security News Bytes
Security News BytesSecurity News Bytes
Security News Bytes
 
FirstNet ICAM
FirstNet ICAMFirstNet ICAM
FirstNet ICAM
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
Python For Droid
Python For DroidPython For Droid
Python For Droid
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Identity as a Matter of Public Safety
Identity as a Matter of Public SafetyIdentity as a Matter of Public Safety
Identity as a Matter of Public Safety
 
Python Final
Python FinalPython Final
Python Final
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9Multi factor authentication issa0415-x9
Multi factor authentication issa0415-x9
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Why iOS developers requires code signing certificate.?
Why iOS developers requires code signing certificate.?Why iOS developers requires code signing certificate.?
Why iOS developers requires code signing certificate.?
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
Voice Driven User Interface Design
Voice Driven User Interface DesignVoice Driven User Interface Design
Voice Driven User Interface Design
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 
verification_slides
verification_slidesverification_slides
verification_slides
 

Similar to Improving Mobile Authentication for Public Safety and First Responders

Mobile Application Single Sign-On for Public Safety First Responders
Mobile Application Single Sign-On for Public Safety First RespondersMobile Application Single Sign-On for Public Safety First Responders
Mobile Application Single Sign-On for Public Safety First Responders
Ads Manager
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
Priyanka Aash
 
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesDecrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Blueboxer2014
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
CA API Management
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
 
What I Learned at RSAC 2020
What I Learned at RSAC 2020What I Learned at RSAC 2020
What I Learned at RSAC 2020
Ulf Mattsson
 
Mobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best PracticesMobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best Practices
Cisco Canada
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Davide Cioccia
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat
 
Cybersecurity Slides
Cybersecurity SlidesCybersecurity Slides
Cybersecurity Slides
Jim Kaplan CIA CFE
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application development
Ștefan Popa
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
LabSharegroup
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
Brian Spector
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
CA Technologies
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
DevOps.com
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
WAFAA AL SALMAN
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
Prathan Phongthiproek
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper Example
Kayla Perry
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
42Crunch
 
Securing broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryptionSecuring broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryption
LeMeniz Infotech
 

Similar to Improving Mobile Authentication for Public Safety and First Responders (20)

Mobile Application Single Sign-On for Public Safety First Responders
Mobile Application Single Sign-On for Public Safety First RespondersMobile Application Single Sign-On for Public Safety First Responders
Mobile Application Single Sign-On for Public Safety First Responders
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile DevicesDecrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
Decrease Your Circle of Trust: An Investigation of PKI CAs on Mobile Devices
 
Mobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing PasswordsMobile SSO: Give App Users a Break from Typing Passwords
Mobile SSO: Give App Users a Break from Typing Passwords
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
What I Learned at RSAC 2020
What I Learned at RSAC 2020What I Learned at RSAC 2020
What I Learned at RSAC 2020
 
Mobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best PracticesMobile Devices & BYOD Security – Deployment & Best Practices
Mobile Devices & BYOD Security – Deployment & Best Practices
 
Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server Inside TorrentLocker (Cryptolocker) Malware C&C Server
Inside TorrentLocker (Cryptolocker) Malware C&C Server
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
 
Cybersecurity Slides
Cybersecurity SlidesCybersecurity Slides
Cybersecurity Slides
 
Security as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application developmentSecurity as a top of mind issue for mobile application development
Security as a top of mind issue for mobile application development
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
 
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CDPKI in DevOps: How to Deploy Certificate Automation within CI/CD
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)Mobile Defense-in-Dev (Depth)
Mobile Defense-in-Dev (Depth)
 
Brafton White Paper Example
Brafton White Paper ExampleBrafton White Paper Example
Brafton White Paper Example
 
API Security: the full story
API Security: the full storyAPI Security: the full story
API Security: the full story
 
Securing broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryptionSecuring broker less publish subscribe systems using identity-based encryption
Securing broker less publish subscribe systems using identity-based encryption
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
Priyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
Priyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
Priyanka Aash
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
Priyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Priyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
Priyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
Priyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
Priyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
Priyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
Priyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Priyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
ScyllaDB
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
Fwdays
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
UiPathCommunity
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
ScyllaDB
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
Enterprise Knowledge
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
FilipTomaszewski5
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
UiPathCommunity
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
Fwdays
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
Sease
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
zjhamm304
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 

Recently uploaded (20)

The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Discover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched ContentDiscover the Unseen: Tailored Recommendation of Unwatched Content
Discover the Unseen: Tailored Recommendation of Unwatched Content
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Day 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio FundamentalsDay 2 - Intro to UiPath Studio Fundamentals
Day 2 - Intro to UiPath Studio Fundamentals
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Demystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through StorytellingDemystifying Knowledge Management through Storytelling
Demystifying Knowledge Management through Storytelling
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeckPoznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
Poznań ACE event - 19.06.2024 Team 24 Wrapup slidedeck
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke"Scaling RAG Applications to serve millions of users", Kevin Goedecke
"Scaling RAG Applications to serve millions of users", Kevin Goedecke
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
From Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMsFrom Natural Language to Structured Solr Queries using LLMs
From Natural Language to Structured Solr Queries using LLMs
 
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...QA or the Highway - Component Testing: Bridging the gap between frontend appl...
QA or the Highway - Component Testing: Bridging the gap between frontend appl...
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 

Improving Mobile Authentication for Public Safety and First Responders

  • 1. SESSION ID: #RSAC William Fisher IMPROVING MOBILE AUTHENTICATION FOR PUBLIC SAFETY AND FIRST RESPONDERS MBS-R02 Security Engineer National Cybersecurity Center of Excellence @Billfshr
  • 2. #RSAC LET’S TALK ABOUT AUTHENTICATION
  • 3. Authentication impacts users Image courtesy of: www.pexels.com
  • 4. How many of us use Android or iOS devices daily for work? Image courtesy of: www.pexels.com
  • 5. How many of our apps require their own passwords?
  • 6. Need an image for Bio-metrics here Biometrics help, but…
  • 7. 5am: Please re-enter your password. Image courtesy of: www.imgflip.com
  • 8.
  • 9.
  • 10. We know this… 10 Greene, K. K., Gallagher, M. A., Stanton, B. C., Lee, P. Y.: I Can’t Type That! P@$$w0rd Entry on Mobile Devices. In: Human Aspects of Information, Security, Privacy, and Trust. Lecture Notes in Computer Science, Vol. 8533, pp 160-171. (2014)
  • 11. What do we get for our troubles? 11 Not much in the way of security… All tables from the Verizon 2018 DBIR https://www.verizonenterprise.com/verizon-insights-lab/dbir/
  • 12. Perhaps not all is lost… What was my password? 4-8-15-18-23-42? 4-8-15-16-23-48? Image courtesy of: abc
  • 14. At the office? Image courtesy of: www.pexels.com
  • 15. In the shower? Image courtesy of: www.amazon.com
  • 16. Driving? Image courtesy of: www.pexels.com
  • 17. But, what if you were trying to do this? Image courtesy of: www.pexels.com
  • 18. Or this? Image courtesy of: www.pexels.com
  • 19. Or this? Image courtesy of: Instagram - PCarsenault
  • 21. Suddenly, this doesn’t seem so complicated. Image courtesy of: www.pexels.com
  • 22. What we really want, is these folks… Image courtesy of: Flickr artist Thomas Hawke
  • 23. …doing more of this… Filmland: Karl Urban in Dredd 3D
  • 24. …or this… Image courtesy of: www.pexels.com
  • 25. …and less of this.
  • 26. but wait… we’ll need to account for these, Image courtesy of: USAF-E
  • 27. …and these, Image courtesy of: www.media.defense.gov
  • 28. … … Image courtesy of: www.spoonuniversity.com
  • 29. …and these. Image courtesy of: www.military-media.defense.gov
  • 30. …and we’re also short on this. Image courtesy of: www.pexels.com
  • 31. AND we need to communicate with these,
  • 32. AND we need to communicate with these, and these,
  • 33. AND we need to communicate with these, and these, and all of these,
  • 34. # R S A C Requirements: 34 Authentication that is: Flexible – can handle diverse sets of public safety operational environments Efficient – can be done quickly during line of duty Interoperable – promotes cross-jurisdictional informational sharing
  • 35. “Yeaaa, if you could just go ahead and audit all of our user accounts by Monday that would be greaaaaat…” But also…
  • 36. # R S A C Requirements: 36 Authentication that is: Flexible – can handle diverse sets of public safety operational environments Efficient – can be done quickly during line of duty Interoperable – promotes cross-jurisdictional informational sharing Improve credential and account management: Mainly by reducing the number of credentials and accounts needed
  • 37. And finally… Definitely want to use AES25…hey bitcoin is over 9000!
  • 38. # R S A C Requirements: 38 Authentication that is: Flexible – can handle diverse sets of public safety operational environments Efficient – can be done quickly during line of duty Interoperable – promotes cross-jurisdictional informational sharing Improve credential and account management: Mainly by reducing the number of credentials and accounts needed Get mobile application developers out of: Developing custom authentication solutions Managing users accounts and directory services
  • 39. Filler Text / Question / Statement Save the world! Image courtesy of: www.pexels.com
  • 40. Accelerate adoption of secure technologies: collaborate with innovators to provide real- world, standards-based cybersecurity capabilities that address business needs
  • 41. NIST Public Safety Communication Research Lab (PSCR) is the primary federal laboratory conducting research, development, testing, and evaluation for public safety communications technologies
  • 42. #RSAC WHAT WE BUILT? Using standards of course!
  • 43. # R S A C NCCoE Benefits – Standards-Based 43 NCCoE solutions implement standards and best practices: Using modern commercially available technology:
  • 44. # R S A C 44 Core Capabilities p@$$w0rd + Multifactor Authentication (MFA) to Mobile Resources • Biometrics, external hardware authenticators and other authentication options Single Sign-on (SSO) to Mobile Resources • Authenticate once with mobile native app or web apps • Leverage initial MFA when accessing multiple applications Identity Federation • Leverage directory services already in place • Send identities across jurisdictional boundaries
  • 45. #RSAC AUTHENTICATION & SINGLE SIGN-ON DEMO “don’t tell me, show me!”
  • 46. # R S A C Demo – What you’ll see, MFA + SSO 46 FIDO UAF Authentication Leverages fingerprint registered to device No Password Input FIDO U2F Authentication Using FIDO key as second factor Private key pair on the device Mobile App Single Sign-On Access to mapping and chat apps without need to re-authenticate Implements IETF RFC 8252 for SSO on Native Mobile Apps p1n + + Private Key Biometric
  • 47. # R S A C Demo – What you’ll won’t see, federation 47 Identity Federation We have examples identity federation using both SAML 2.0 and OpenID Connection 1.0 But as with all federation its “under the hood”
  • 48. #RSAC SOLUTION BENEFITS “is This Good for the COMPANY?”
  • 49. # R S A C Remember password management challenge? 49 Reduces: The amount of authentication time and attempts for PSFR personnel The number of credentials that PSFR personnel and organizations need to manage Requirements for complex passwords
  • 50. # R S A C Standards help! 50 Increases: Interoperability through the use of open, standards-based architecture —Identity providers can leverage their current active directory Authenticator flexibility through the FIDO ecosystem —External hardware authenticators, biometrics, etc…
  • 51. # R S A C Standards based MFA 51 FIDO: Multifactor authentication in line with NIST 800-63-3 Requirements No secrets (private keys or biometric templates) are stored server-side — “verifier compromise resistance” Phishing resistance
  • 52. # R S A C Standards-Based SSO 52 IETF BCP for Mobile SSO: User's password and other credentials are never exposed to the SaaS provider or mobile app Apps get an OAuth Token with limited scope of authorization - apps only get access to back-end systems they should be accessing Reduced number of credentials decreased risk of credential re-use
  • 53. # R S A C 53 AppAuth Software Development Kit Implementation of the “OAuth 2.0 for Native Apps” RFC Free and open source on GitHub – developed by Google and given to OpenID Developers can “Drag and Drop” into a mobile app Oh by the way… its easy for developers
  • 55. # R S A C NIST SP 1800-13 out now for public comment! 55 • NIST Cybersecurity Practice Guide SP 1800-13 includes: Technical Decisions Trade-offs Lessons Learned Build Instructions Functional Tests
  • 56. # R S A C Take-aways? 56 1. Everyone, download SP 1800 -13, Available Now! 2. Developers, implement standards-based SSO with AppAuth! 3. Check out the FIDO vendors on the RSA exhibit floor
  • 57. # R S A C References 57 SP 1800-13: https://www.nccoe.nist.gov/projects/use-cases/mobile-sso IETF RFC 8252: https://tools.ietf.org/html/rfc8252 AppAuth: https://github.com/openid/AppAuth-Android FIDO: https://fidoalliance.org/about/what-is-fido/
  • 58. # R S A C Any questions? 58 William Fisher, Security Engineer Email: William.Fisher@nist.gov Project Updates: https://nccoe.nist.gov/projects/use-cases/mobile-sso