LOA Alternatives - A Modest Proposal

•

1 like•1,934 views

This document proposes a new model for Level of Assurance (LOA) that separates it into two parts: Level of Strength (LoS) of authentication and Level of Confidence (LoC) of attributes. LoS would measure the strength of the authentication process using levels like single-factor, two-factor, or two-factor with hardware token. LoC would measure the degree to which a relying party can depend on attributes based on the identity proofing process using levels like self-asserted, remotely verified, or in-person verified. This new model aims to avoid problems with the current LOA structure and emphasize meaningful distinctions between levels.

Technology

LOA
Alterna+ves:

A
Modest
Proposal

Jim
Fenton

IIW
XX

April
2015

Background

•  LOA
is
deﬁned
in
OMB
Memo
M-‐04-‐04,
“E-‐
Authen+ca+on
Guidance
for
Federal

Agencies”

•  Technical
means
to
sa+sfy
are
deﬁned
in
NIST

SP
800-‐63-‐*

•  Federal
authen+ca+on
requirements
are

changing
due
to
Execu+ve
Order
13681

EO
13681

“…all
agencies
making
personal
data
accessible
to
ci+zens

through
digital
applica+ons
require
the
use
of
mul+ple
factors
of

authen+ca+on
and
an
eﬀec+ve
iden+ty
prooﬁng
process,
as

appropriate.”

-‐-‐
Execu+ve
Order
13681

October
17,
2014

Ø Current
LOA
1
and
2
are
going
to
be
a
lot
less
useful

Three
Alterna+ves
for
OMB

•  (1)
Keep
current
LOA
structure,
change
impact

– Increase
impact
of
personal
data
disclosure

– Drives
more
things
to
LOA
3

•  (2)
Keep
LOA
structure,
change
800-‐63

– Likely
to
confuse
agencies
and
industry

•  (2)
Change
the
LOA
structure
somehow

– Let’s
discuss
this
more

Some
principles

•  Avoid
current
LOA
problems

– LOA
2
both
proofed
and
pseudonymous

– No
strong
pseudonymous
authen+ca+on

– Lower
LOA
geeng
less
useful

•  Keep
it
simple

– Emphasize
meaningful
dis+nc+ons
between
levels

– Minimize
dimensionality
(of
vector)

Meaningful
dis+nc+ons?

•  As
mul+-‐factor
authen+ca+on
becomes
more
widely
used,
dis+nc+ons
in

single-‐factor
become
less
important

Authen'ca'on
LOA
Prooﬁng

Single
factor
1
None

Single
factor
2
pseudonymous
None

Single
factor
2
Remote

Mul+-‐factor
3
Remote

Mul+-‐factor
w/

hardware
token

4
In-‐person
only

{
Similar
(though

not
iden+cal)

requirements

}

Similar
(though

not
iden+cal)

requirements

A
New
Model

•  Separate
Level
of
Assurance
into
two
parts:

–  Level
of
Strength
(of
authen+ca+on)

–  Level
of
Conﬁdence
(of
akributes)

•  Emphasis
on
meaningful
dis+nc+ons

–  Signiﬁcant
diﬀerences
in
usability,
availability

–  Require
good
prac+ces
internally
(e.g.,
use
of
crypto
rather
than

shared
secrets)

•  Emphasis
on
expressing
the
relying
party’s
requirements
to

the
user
and
authen+ca+on
and
akribute
providers

Level
of
Strength
(LoS)

•  Measures
the
strength
of
the
authen+ca+on

process

•  Candidate
levels:

•  Detailed
requirements
per
level
to
be
deﬁned
in

SP
800-‐63-‐2
successor

Level
Descrip'on

1
Single-‐factor
authen+ca+on
(cf.
LOA
2)

2
Two-‐factor
authen+ca+on
(cf.
LOA
3)

3
Two-‐factor
authen+ca+on
with
hardware
token
(cf.
LOA
4)

Level
of
Conﬁdence
(LoC)

•  Measure
of
the
degree
to
which
the
Relying
Party
can

depend
on
akributes,
par+cularly
iden+fying
akributes

•  Incorporates
the
iden+ty
prooﬁng
process
and
the

binding
to
the
creden+al

•  Again,
detailed
requirements
TBD.

Level
Descrip'on

1
Self-‐asserted
akribute
(cf.
LOA
1)

2
Remotely
iden+ty
proofed
(cf.
LOA
3)

3
In-‐person
iden+ty
proofed
(cf.
LOA
4)

Mapping
LOA
to
LOS/LOC

LOA
Level
of
Strength
Level
of
Conﬁdence

1
1
(see
note)
1

2
1
1
(pseudonynous)
or
2

3
2
2

4
3
3

Note:
Some
LOA
1
authen+ca+on
methodologies
may
not
be
acceptable
at
LOS
1.

Mapping
LOS/LOC
to
LOA

LOC
1
LOC
2
LOC
3

LOS
1
1,
2P
2
Note
2

LOS
2
Note
1
3
Note
2

LOS
3
Note
1
4

Notes:

1. 
Strong
pseudonymous
or
anonymous
authen+ca+on

2. 
Lower
LOS
may
limit
eﬀec+ve
LOC

Not
included

•  Characteris+cs
of
authen+ca+on
and
akribute
provider

–  Accredita+on
of
the
authen+ca+on
or
akribute
provider

•  May
only
permit
certain
levels
of
asser+on

–  Trust
by
relying
party
of
accredi+ng
agency

•  Addi+onal
detail
(such
as
loca+on)
for
risk-‐based

authen+ca+on
decisions

–  Are
these
really
akributes?

•  Risk
characteris+cs
at
each
level

–  To
be
deﬁned
based
on
detailed
technical
requirements
at

each
level

•  Asser+on
metadata

–  Expira+on,
usage
restric+ons,
etc.

This document proposes a new web application vulnerability assessment framework consisting of four phases: Application Analysis, Vulnerability Scanning/Exploitation, Assessment, and Mitigation. The Application Analysis phase involves identifying application, server, and network specifics. Vulnerability Scanning/Exploitation tests for vulnerabilities specific to the application, server, and network. Assessment evaluates the impact of any vulnerabilities found. Finally, Mitigation provides recommendations to address identified security issues. The framework takes a simplified approach to web application security testing.

Web Application Security Testing Tools

Eric Lai

This document discusses software development center web application security testing tools. It provides an overview of the top 10 most critical web application security risks according to OWASP and describes several individual tools that can test for each risk, including W3AF for injection, ZAP for cross-site scripting, and Burp Suite for insecure direct object references. It also outlines steps for using the security tools to test a web application, generating a security report, and planning to address prioritized issues found.

Testing Web Application Security

Ted Husted

Web applications are commonly used to transmit, accept and store data that is personal, company confidential and sensitive. More enterprises are spending more time testing web applications, but many still do not integrate security testing into an application's overall test plan. In this presentation, we explore ways to integrate security testing into an end-to-end test plan, exercise security features in unit tests, integration tests, acceptance tests.

Secure Code Warrior - Logging

Secure Code Warrior

Cyber 51 Ltd. offers web application penetration testing to identify vulnerabilities in applications. Their methodology involves analyzing the application's configuration, authentication, session management, authorization, data validation, and any web services. They aim to find both inadvertent flaws and potential security risks that could be exploited by hackers. The final report provides mitigation recommendations to help customers address issues.

Clear Pci Vulnerability Scans Web2

Cybera Inc

This document summarizes ClearPCI's vulnerability scanning service for PCI compliance. It states that ClearPCI allows unlimited scanning of up to 5 IP addresses annually at a low cost to help identify vulnerabilities. The scanning is performed by an Approved Scan Vendor and generates reports and documentation needed for PCI compliance. The service can be integrated with ClearPCI's ONE solution for additional security features and lower overall costs.

CompTIA Security+ SY0-601 Domain 1

ShivamSharma909

CompTIA Security+ is a worldwide certification that verifies the fundamental skills required to execute basic security activities and build a career in information security. CompTIA Security+ SY0-601 is the latest version of the Security+ certification. The very first security certification that IT professionals can obtain is CompTIA Security+, and it is the best entry-level certification. https://www.infosectrain.com/blog/comptia-security-sy0-601-domain-1-attacks-threats-and-vulnerabilities/

WLAN Security

Gururaj H L

This document discusses security mechanisms for wireless local area networks (WLANs). It begins with an overview of common WLAN standards like 802.11, 802.11b, and 802.11g. It then discusses authentication and encryption methods used in WLANs like WEP, 802.11i, and RADIUS. Finally, it covers security challenges for WLANs like malware, denial of service attacks, and intrusion detection systems. The document is intended as part of a lecture on WLAN security.

Phishing Detection using Machine Learning

Arjun BM

This document describes Mudpile, a system for detecting malicious URLs using machine learning. It collects data from URLs, extracts features related to phishing indicators, trains a classification model to label URLs as legitimate or phishing, and exposes the model as a REST API. The system is deployed to classify incoming web traffic in real-time and block phishing sites. It is retrained periodically for improved accuracy and to address new phishing techniques.

Framework for analyzing template security and privacy in biometric authentica...

nithyakarunanithi

The document proposes a new framework for analyzing biometric authentication systems that aims to improve privacy and security. It analyzes vulnerabilities in existing systems and proposes separating biometric systems into four logical entities: the sensor, authentication server, database, and matcher. This separation is intended to prevent attacks from malicious insiders by restricting data flows between entities. The framework also considers different attack goals and strategies against recent biometric authentication protocols to demonstrate potential weaknesses when attackers are not assumed to be honest-but-curious.

7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...

Inspirisys Solutions Limited

Web applications can pose threats to the corporate network administrators as the clients can tunnel data. Due to this security challenge, organizations should ensure the security posture of their web applications. Some security threats are known to affect web application and some are advanced level threats. Both can compromise the security architecture of a web application seamlessly when they left unnoticed. So, shedding light on known and unknown web application threats can support your organization to take calculated security decisions. This deck attempts to support your organization to discover security vulnerabilities in your web applications.

CA Day 2014

CASCouncil

This document summarizes developments within the CA/Browser Forum in 2014. It discusses new working groups on code signing and policy/information sharing. Key topics of discussion included the SHA-1 deprecation timeline, the Heartbleed vulnerability, and how to define the scope and requirements of SSL certificates. Current discussions focus on issues like certificate authority authorization records and the proposed retirement of SHA-1 in browsers.

Identity Hub’s Role in Social Logins

WSO2

[OPD 2019] Life after pentest

OWASP

1. The document discusses life after penetration testing from the perspective of an application security engineer. It outlines the typical process of addressing vulnerabilities found during a pen test or other security reviews. 2. This process includes validating the vulnerability, recalculating the risk level, determining a fix timeline, and revalidating once complete. Additional factors like business impact are considered when establishing priority. 3. Common mistakes made when addressing vulnerabilities are also examined, such as insecure quick fixes that do not fully resolve the issue. The importance of clear communication between security and development teams is emphasized.

Building a secure BFF at Postman

Ankit Muchhala

The document discusses building a secure backend for frontend (BFF) and outlines various security considerations and best practices. It notes that a BFF is a single point of failure and attack as a public-facing service. It recommends implementing validation, the principle of least privilege, request tagging, access control, content security, audits, and health checks to achieve confidentiality, integrity and availability. Some specific techniques mentioned include input validation, logging sensitive data, enforcing secure dependencies, and integrating security tests into the development lifecycle.

Software Security Testing

srivinayak

This document discusses software security testing. It outlines various aspects of secure software like confidentiality, integrity, data security, authentication, and availability. It then describes different types of software that require security testing like operating systems, applications, databases, and network software. Various techniques for security testing are explained in detail, such as vulnerability scanning, penetration testing, firewall rule testing, SQL injection testing, and ethical hacking. The document emphasizes the importance of early security testing and providing recommendations to overcome weaknesses found.

Web Application Security 101 - 04 Testing Methodology

Websecurify

Techniques for securing rest

Sudhakar Anivella

The document discusses techniques for securing REST (REpresentational State Transfer) services and APIs. It begins by explaining that REST services are vulnerable to the same attacks as traditional web applications, such as injection attacks and authentication issues. It then describes how REST security differs from SOAP security in that REST messages can be more easily identified by analyzing the HTTP commands, unlike SOAP messages which require inspecting envelopes. The document outlines challenges for REST APIs like input validation, broken authentication, and risks of emerging protocols. It concludes by recommending best practices for REST security such as consistent security checks across access points and use of proven security frameworks and libraries.

OpenID Certification Program Update - 2018-04-02

MikeLeszcz

The document discusses OpenID Certification, which allows OpenID Connect implementations to be certified as meeting defined technical profiles through testing. Certification provides value by helping ensure technical interoperability and enhancing organizations' reputations. Current certifiable profiles include basic, implicit, hybrid, and dynamic profiles for OpenID providers and relying parties. The certification process uses self-certification where organizations test their own implementations against public test suites. Certified implementations can use the "OpenID Certified" logo. The international certification effort aims to promote further adoption and make interoperable OpenID Connect implementations commonplace.

OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update

MikeLeszcz

Get Ready for Web Application Security Testing

Alan Kan

IRJET- Data Security with Multifactor Authentication

IRJET Journal

This document discusses a multi-factor authentication system for improving data security. It proposes using passwords, one-time passwords via QR codes, and encryption/decryption of stored data. The system uses three stages of verification: login with username and password, verification with a randomly generated OTP QR code, and encrypting uploaded data and decrypting downloaded data with keys. By adding multiple layers of authentication and encrypting data, the system aims to minimize unauthorized access to secure systems and stored information.

Cyber Vulnerabilities & How companies can test them

24by7Security Inc

The document discusses common cyber threats like malware, phishing, and ransomware and how phishing is the leading cause of ransomware infections. It provides statistics on phishing attacks and outlines external and internal cyber vulnerabilities for companies. The document then describes how companies can test for these vulnerabilities through external and internal penetration testing, vulnerability assessments, web application testing, and social engineering techniques like phishing, vishing, and tailgating. It concludes by providing contact information for a cybersecurity company.

Toward Better Password Requirements

Jim Fenton

The document summarizes proposed changes to NIST's Digital Authentication Guideline SP 800-63-3 regarding password requirements. Some key changes include increasing the minimum password length to 8 characters, allowing passwords up to 64 characters, accepting all printable ASCII characters and emojis, removing composition rules and knowledge-based authentication questions, and prohibiting password expiration unless compromised. The document encourages participation in the public review process on GitHub to help finalize the updated guidelines.

Security Questions Considered Harmful

Jim Fenton

What's hot

Secure Code Warrior - Defense in depth

Secure Code Warrior

Web Application Penetration Test

martinvoelk

Clear Pci Vulnerability Scans Web2

Cybera Inc

CompTIA Security+ SY0-601 Domain 1

ShivamSharma909

WLAN Security

Gururaj H L

Phishing Detection using Machine Learning

Arjun BM

Framework for analyzing template security and privacy in biometric authentica...

nithyakarunanithi

7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...

Inspirisys Solutions Limited

CA Day 2014

CASCouncil

Identity Hub’s Role in Social Logins

WSO2

[OPD 2019] Life after pentest

OWASP

Building a secure BFF at Postman

Ankit Muchhala

Software Security Testing

srivinayak

Web Application Security 101 - 04 Testing Methodology

Websecurify

Techniques for securing rest

Sudhakar Anivella

OpenID Certification Program Update - 2018-04-02

MikeLeszcz

OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update

MikeLeszcz

Get Ready for Web Application Security Testing

Alan Kan

IRJET- Data Security with Multifactor Authentication

IRJET Journal

Cyber Vulnerabilities & How companies can test them

24by7Security Inc

What's hot (20)

Secure Code Warrior - Defense in depth

Web Application Penetration Test

Clear Pci Vulnerability Scans Web2

CompTIA Security+ SY0-601 Domain 1

WLAN Security

Phishing Detection using Machine Learning

Framework for analyzing template security and privacy in biometric authentica...

7 Vulnerabilities In Your Web Application That Can Open The Door To Security ...

CA Day 2014

Identity Hub’s Role in Social Logins

[OPD 2019] Life after pentest

Building a secure BFF at Postman

Software Security Testing

Web Application Security 101 - 04 Testing Methodology

Techniques for securing rest

OpenID Certification Program Update - 2018-04-02

OpenID Foundation Workshop at EIC 2018 - OpenID Connect Working Group Update

Get Ready for Web Application Security Testing

IRJET- Data Security with Multifactor Authentication

Cyber Vulnerabilities & How companies can test them

Viewers also liked

Toward Better Password Requirements

Jim Fenton

Security Questions Considered Harmful

Jim Fenton

Confessions of a “Recovering” Data Broker: Responsible Innovation in the Age ...

Jim Adler

It's been said that the human brain is comprised of 300 million pattern matchers fed with data from our five primary senses and memories. In this age of distributed computing and cheap storage in the cloud, "thinking" without a biological brain is possible for the first time in history. The sensory input into this new, extracorporeal brain is big data. Global data supply chains carry exabytes of government, corporate, and social data powering breakthrough uses in medicine, transportation, communications, and energy. However, equally fantastic is the specter of abuses by powerful players to exploit private information, subtly discriminate, or mistakenly prosecute the innocent. This talk discusses the current state of these data supply chains, where they are headed, and the societal implications for privacy, security, and liberty. And it calls technologists, business leaders, and humanists -- i.e., geeks, suits, and wonks -- to together resolve the tension between cultural values and fast-paced technology.

Using Assessment Tools on ICS (English)

Digital Bond

Malware Detection with OSSEC HIDS - OSSECCON 2014

Santiago Bassett

Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014

Santiago Bassett

Threat Intelligence has become increasingly important as the number and severity of threats is growing continuously. We live in an era where our prevention technologies are not enough anymore, antivirus products fail to detect new or sophisticated pieces of malware, our firewalls and perimeter defenses are easily bypassed and the attacker’s techniques are growing in complexity. In this new landscape, sharing threat intelligence has become a key component to mitigate cyber-attacks. In this session we will define what Threat Intelligence is and discuss how to collect and integrate threat intelligence from public sources. In addition, we’ll demonstrate how to build your own Threat Intelligence data using Open Source tools such as sandboxes, honeypots, sinkholes and other publicly available tools. The industry’s reticence to share information about attack vectors gives the adversary a huge advantage. Using Threat Intelligence we can reduce this advantage and enable preventative response. We will guide you through the different standards (OpenIOC, STIX, MAEC, OTX, IODEF…) to describe and share cyber intelligence, as well as Open Source Frameworks such as CIF (Collective Intelligence Framework) that allows you to combine different threat sources. One of the biggest problems with Threat Intelligence is finding out how to take advantage of the data you have to actually improve the detection/prevention capabilities in your environment. We will describe how to leverage Threat Intelligence to detect threats and provide defenses, and we will focus on how to use Open Source Tools (Suricata, OSSIM, OSSEC, Bro, Yara…) to get the most of your Threat Intelligence. Presenters: Jaime Blasco and Santiago Bassett Cornerstones of Trust 2014: https://www.cornerstonesoftrust.com

Viewers also liked (6)

Toward Better Password Requirements

Security Questions Considered Harmful

Confessions of a “Recovering” Data Broker: Responsible Innovation in the Age ...

Using Assessment Tools on ICS (English)

Malware Detection with OSSEC HIDS - OSSECCON 2014

Threat Intelligence with Open Source Tools - Cornerstones of Trust 2014

Similar to LOA Alternatives - A Modest Proposal

NIST 800-63 Guidance & FIDO Authentication

FIDO Alliance

The update to NIST Special Publication 800-63 Revision 3 covers guidelines on digital identity management, identity proofing and authentication of users working with government IT systems over open networks – and serves as de facto guidance far beyond government and into many industries that are depending on secure user authentication. Part of the guidelines recommend higher-assurance authentication, including the use of multi-factor authentication with public key cryptography, where private keys are tightly bound to the device. This, of course, is the core of the FIDO approach which has been implemented in over 300 FIDO certified products worldwide that are powering authentication solutions from top service providers such as Google, Facebook, Aetna and more. In this presentation, experts review the NIST guidelines and their relationship to FIDO Authentication.

Crypto Analysis slides presentation slides

tahirsaleem54

A certificate authority (CA) binds public keys to user identities through digital certificates. This establishes a public key infrastructure (PKI) based on asymmetric cryptography. However, a single CA cannot handle all public key queries, so certificate authority hierarchies are used with multiple levels of CAs. The X.509 standard defines the structure of digital certificates, including the issuer, validity period, subject, and signature.

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...

APIsecure_ Official

Why Assertion-based Access Token is preferred to Handle-based one?

Hitachi, Ltd. OSS Solution Center.

This document discusses the differences between assertion-based access tokens and handle-based access tokens in OAuth 2.0. Assertion-based tokens are parsable tokens like JWTs that contain user and client information, while handle-based tokens are opaque references. Assertion-based tokens have advantages for performance and scalability but require cryptographic protection, while handle-based tokens require validation through the authorization server. The document then examines scenarios where handle-based tokens could cause problems, such as with multiple authorization servers, and outlines secure validation steps for assertion-based tokens.

Aa imagine ny19_verizon-041019ppt.aai.format

Tracy Gibson

Verizon implemented a 3-month pilot program to move its Automation Anywhere platform to AWS, establishing governance, training, and a Center of Excellence. The migration involved setting up EC2 instances and RDS databases across availability zones, with load balancers and security groups. Automation Anywhere instances were deployed in a federated model per line of business. The document discusses establishing metrics and streamlining bot development processes, while implementing security, legal and risk controls through required documentation and auditing. It also covers automating infrastructure provisioning and optimizing resource utilization.

Automation Anywhere - Imagine New York 2019 - Verizon

Automation Anywhere

Verizon implemented a 3-month pilot program to move its Automation Anywhere platform to AWS. This included establishing governance, security, and legal structures for bot development as well as training developers. The migration involved setting up Automation Anywhere instances across multiple AWS availability zones, with control room nodes behind an ELB. Infrastructure is provisioned via ServiceNow and Jenkins to automate the process and ensure resources are utilized efficiently. Key performance metrics are analyzed to validate cost savings targets are met.

DAY_ONE_2017AM_SingleSignOn_II.ppsx

KasaTiga

This document discusses single sign-on (SSO) technologies and the OAuth 2.0 protocol for implementing SSO within the SIF infrastructure. It provides an overview of how OAuth 2.0 authentication works by exchanging credentials for a bearer token, which can then be included in authentication requests to access data. However, OAuth 2.0 alone does not specify how to validate tokens. The document proposes using OpenID Connect to address this gap and also lists some other SSO standards like SAML and Kerberos. It encourages readers to get involved in discussions on identity management within the A4L community.

Cache Security- Adding Security to Non-Secure Applications

InterSystems Corporation

This document provides an overview of an academy that will teach attendees how to secure an existing unsecured web application that processes online purchases. The academy will cover applying authentication, authorization, securing connectivity, and encrypting credit card data. The scenario involves securing an e-commerce application called Things-R-Us that is currently non-secure and integrates various systems. The agenda includes securing the application, connectivity, and encrypting specific data elements.

2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core

Vladimir Bychkov

This document summarizes a presentation on authentication and authorization in ASP.NET Core 2. It discusses identity and principal objects, claims-based authentication, middleware, and local and external logins. OAuth 2.0 and OpenID Connect are covered, including flows like client credentials, authorization code, and implicit. Demos show implementing these flows. The document also discusses policy-based authorization and other security concerns like CORS, CSRF, and XSS protection.

An Authentication and Authorization Architecture for a Microservices World

VMware Tanzu

The document discusses authentication and authorization architectures for microservices. It describes using OpenAM for centralized authentication and authorization across microservices. Tokens like access tokens, refresh tokens and ID tokens are used to authenticate service-to-service calls in a stateless manner. The document outlines approaches for different tiers of microservices and integrating OpenAM with Cloud Foundry.

[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...

WSO2

Client-side applications are becoming an increasingly popular technology to build applications owing to the advanced user experience that they provide consumers. Authentication and API authorization for these applications are also becoming equally popular topics that many developers have a hard time getting their heads around. Check these slides, where Johann Nallathamby, Head of Solutions Architecture for IAM at WSO2, will attempt to demystify some complexities and misconceptions surrounding this topic and help you better understand the most important features to consider when choosing an authentication and API authorization solution for client-side applications. These slides will review: - The broader classification of client-side applications and their legacy and more recent authentication and API authorization patterns - Sender-constrained token patterns - Solution patterns being employed to improve user experience in client-side applications

INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...

apidays

Securing Data retrieval using CPABE scheme with Two Party Computation in DTN ...

IRJET Journal

The document proposes a secure data retrieval scheme for disruption tolerant military networks using ciphertext-policy attribute-based encryption (CP-ABE) combined with a two-party computation protocol. Key challenges in decentralized disruption tolerant networks include attribute revocation, key escrow issues due to a single trusted authority, and coordination of attributes from multiple authorities. The proposed scheme addresses these by having multiple independent key authorities handle attributes and issue user keys using a two-party computation protocol, preventing any single authority from accessing encrypted data or combining attribute keys. This allows for secure and efficient access control and retrieval of confidential data distributed across disruption tolerant networks.

Distributed Authorization with Open Policy Agent.pdf

Nordic APIs

Presentation

Laxman Kumar

Single Sign On (SSO) allows a user to authenticate once and gain access to multiple related systems without re-authenticating. SSO uses protocols like SAML and OAuth to issue authentication tokens after initial login. SAML is an XML-based standard that transfers user identity and attribute data between an identity provider and service provider using assertions. Metadata ensures secure transactions by allowing providers to look up authentication endpoints and validate digital signatures. The SSO workflow involves a user authenticating with an identity provider, which issues a token for the user to access a service provider. Major SSO providers include Microsoft, IBM, Red Hat, and ForgeRock.

Cloud Identity Management

Damian T. Gordon

This document discusses identity management and security in cloud computing. It covers key topics such as: - Centralized identity management provides benefits like a single user identity, consistent security policies, and reduced costs. - Authentication establishes a user's identity through credentials. Popular methods include JSON web tokens (JWTs) which use digital signatures to authenticate API requests without authenticating each one individually. - JWTs work by having a client authenticate once to get a token, then include that token in subsequent requests to prove identity without further authentication. The token contains identity claims and is digitally signed by an authentication authority.

Outsourcing Your SharePoint Hosting - the clouds fine print magnified

SherWeb

This document discusses outsourcing SharePoint hosting to the cloud. It begins by outlining opportunities like faster upgrades and scalability as well as concerns around security and availability. It then defines different hosting models like private, public, and hybrid clouds. The document also discusses licensing options for SharePoint in cloud environments and how to evaluate a potential cloud provider through service level agreements and other metrics. It concludes by stressing the importance of understanding your needs and comparing total cost of ownership between on-premise and cloud options.

Sps chicago suburbs outsourcing your share point hosting - the clouds fine ...

SherWeb

This document discusses outsourcing SharePoint hosting to the cloud. It begins by outlining opportunities like faster upgrades and scalability as well as concerns around data security and availability. It then defines different hosting models like private, public, and hybrid clouds. The rest of the document provides advice on evaluating cloud providers, including looking at service level agreements, data security certifications, customer satisfaction metrics, and licensing options. It emphasizes understanding requirements before moving to the cloud and choosing a provider that meets both current and future needs.

Sps chicago suburbs outsourcing your share point hosting - the clouds fine ...

SherWeb

This document discusses outsourcing SharePoint hosting to the cloud. It begins by outlining opportunities like faster upgrades and scalability as well as concerns around data security and availability. It then defines different hosting models like private, public, and hybrid clouds. The rest of the document provides advice on evaluating cloud providers, including looking at service level agreements, data security certifications, customer satisfaction metrics, business continuity policies, and licensing options and costs. It concludes by stressing the importance of understanding your needs before moving to the cloud and choosing a provider that meets your requirements.

FIWARE Training: Identity Management and Access Control

FIWARE

An online training course run by the FIWARE Foundation in conjunction with the i4Trust project and IShare Foundation. The core part of this virtual training camp (27 Jun - 01 Jul 2022) covered all the necessary skills to develop smart solutions powered by FIWARE. It introduces the basis of Digital Twin programming using NGSI-LD (the simple yet powerful open standard API enabling to publish and access digital twin data) combined with common smart data models In addition, it covers the supplementary FIWARE technologies used to implement the rest of functions typically required when architecting a complete smart solution: Identity and Access Management (IAM) functions to secure access to digital twin data, and functions enabling the interface with IoT and 3rd systems, or the connection with different tools for processing and monitoring current and historic big data. Extending this core part, the training camp also cover how you can easily integrate FIWARE systems with blockchain networks to create audit-proof logs of processes and ensure transparency.

Similar to LOA Alternatives - A Modest Proposal (20)

NIST 800-63 Guidance & FIDO Authentication

Crypto Analysis slides presentation slides

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...

Why Assertion-based Access Token is preferred to Handle-based one?

Aa imagine ny19_verizon-041019ppt.aai.format

Automation Anywhere - Imagine New York 2019 - Verizon

DAY_ONE_2017AM_SingleSignOn_II.ppsx

Cache Security- Adding Security to Non-Secure Applications

2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core

An Authentication and Authorization Architecture for a Microservices World

[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...

INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...

Securing Data retrieval using CPABE scheme with Two Party Computation in DTN ...

Distributed Authorization with Open Policy Agent.pdf

Presentation

Cloud Identity Management

Outsourcing Your SharePoint Hosting - the clouds fine print magnified

Sps chicago suburbs outsourcing your share point hosting - the clouds fine ...

FIWARE Training: Identity Management and Access Control

More from Jim Fenton

Notifs 2018

Jim Fenton

The document proposes a new abuse-resistant notification protocol called Nōtif. Some key points: - Existing messaging protocols like email and SMS are not well-suited for notifications due to abuse issues. Nōtif aims to address this with opt-in notifications that are authenticated, prioritized, and can be deleted when no longer relevant. - Nōtif is intended for notifications only, not general correspondence. Notifications would be requested by users and time-sensitive. - The proposed system involves notifiers generating notifications which are stored by independent Nōtif agents on behalf of users. Users can authorize notifiers and receive notifications via various endpoints. - A prototype Nōtif agent and SDK

REQUIRETLS: Sender Control of TLS Requirements

Jim Fenton

Recent policy mechanisms (notably MTA-STS and DANE) allow email recipient domains to advertise their support for TLS email transport. REQUIRETLS (RFC 8689) complements those mechanisms by giving message senders the ability to send messages with the requirement that they be transported over TLS -- or not at all. This talk describes the REQUIRETLS protocol extensions as well as potential mechanisms to allow users to control the selection of the REQUIRETLS mechanisms for relevant messages.

User Authentication: Passwords and Beyond

Jim Fenton

The document discusses user authentication beyond passwords. It provides guidance on emphasizing usability, having realistic security expectations, and burdening systems rather than users. It also covers password threats like online guessing, offline attacks, and side channels. It recommends techniques like throttling logins, prohibiting common passwords, using long passphrases, allowing diverse characters, and avoiding hints, expiration, and composition rules.

User Authentication Overview

Jim Fenton

This document discusses user authentication and NIST Special Publication 800-63, which provides guidelines for digital identity. It outlines four levels of authenticator assurance (AALs) and describes various types of authenticators that can be used, including passwords, one-time passwords, crypto devices, and biometrics. While no single authenticator is ideal, two-factor authentication is recommended to strengthen security. The document provides an overview of key concepts around digital identity authentication standards.

Making User Authentication More Usable

Jim Fenton

A recent revision to the US Government’s authentication guideline, NIST SP 800-63B "Authentication and Lifecycle Management", puts a greater emphasis on the usability of authentication in its recommendations. This talk will discuss the ways in which it attempts to relieve the users’ burden and shift more responsibility to the services themselves, hopefully improving overall security in the process. Presentation to BayCHI, December 12, 2017

Notifs update

Jim Fenton

IgnitePII2014 Nōtifs

Jim Fenton

iBeacons: Security and Privacy?

Jim Fenton

OneID Garage Door

Jim Fenton

Identity systems

Jim Fenton

The document discusses key concepts related to identity systems, including subjects, relying parties, attributes, and the basic functions of an identity provider. It outlines a basic identity system model where the identity provider authenticates the user and authorizes the release of attributes to relying parties. It also covers important topics such as user trust, authentication methods, credential management, directed identity, attribute sources, and security and availability challenges.

More from Jim Fenton (10)

Notifs 2018

REQUIRETLS: Sender Control of TLS Requirements

User Authentication: Passwords and Beyond

User Authentication Overview

Making User Authentication More Usable

Notifs update

IgnitePII2014 Nōtifs

iBeacons: Security and Privacy?

OneID Garage Door

Identity systems

Recently uploaded

What is an RPA CoE? Session 1 – CoE Vision

DianaGray10

Y-Combinator seed pitch deck template PP

c5vrf27qcz

Harnessing the Power of NLP and Knowledge Graphs for Opioid Research

Neo4j

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

The Microsoft 365 Migration Tutorial For Beginner.pptx

operationspcvita

“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/ Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit. The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers. Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.

HCL Notes and Domino License Cost Reduction in the World of DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...

Pitangent Analytics & Technology Solutions Pvt. Ltd

Leveraging the Graph for Clinical Trials and Standards

Neo4j

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

JavaLand 2024: Application Development Green Masterplan

Miro Wengner

Artificial Intelligence and Electronic Warfare

Papadakis K.-Cyber-Information Warfare Analyst & Cyber Defense/Security Consultant-Hellenic MoD

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

Mutation Testing for Task-Oriented Chatbots

Pablo Gómez Abajo

Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots. To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Neo4j

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors

DianaGray10

Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more. The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications. We’ll discuss and demo the benefits of UiPath Apps and connectors including: Creating a compelling user experience for any software, without the limitations of APIs. Accelerating the app creation process, saving time and effort Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management. Speakers: Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP Charlie Greenberg, host

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Northern Engraving | Nameplate Manufacturing Process - 2024

Northern Engraving

Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!

Principle of conventional tomography-Bibash Shahi ppt..pptx

BibashShahi

Recently uploaded (20)

What is an RPA CoE? Session 1 – CoE Vision

Y-Combinator seed pitch deck template PP

Harnessing the Power of NLP and Knowledge Graphs for Opioid Research

Programming Foundation Models with DSPy - Meetup Slides

The Microsoft 365 Migration Tutorial For Beginner.pptx

“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...

HCL Notes and Domino License Cost Reduction in the World of DLAU

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...

Leveraging the Graph for Clinical Trials and Standards

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

JavaLand 2024: Application Development Green Masterplan

Artificial Intelligence and Electronic Warfare

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Mutation Testing for Task-Oriented Chatbots

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph

Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors

5th LF Energy Power Grid Model Meet-up Slides

Northern Engraving | Nameplate Manufacturing Process - 2024

Principle of conventional tomography-Bibash Shahi ppt..pptx

LOA Alternatives - A Modest Proposal

1. LOA Alterna+ves: A Modest Proposal Jim Fenton IIW XX April 2015

2. Background •  LOA is deﬁned in OMB Memo M-‐04-‐04, “E-‐ Authen+ca+on Guidance for Federal Agencies” •  Technical means to sa+sfy are deﬁned in NIST SP 800-‐63-‐* •  Federal authen+ca+on requirements are changing due to Execu+ve Order 13681

3. EO 13681 “…all agencies making personal data accessible to ci+zens through digital applica+ons require the use of mul+ple factors of authen+ca+on and an eﬀec+ve iden+ty prooﬁng process, as appropriate.” -‐-‐ Execu+ve Order 13681 October 17, 2014 Ø Current LOA 1 and 2 are going to be a lot less useful

4. Three Alterna+ves for OMB •  (1) Keep current LOA structure, change impact – Increase impact of personal data disclosure – Drives more things to LOA 3 •  (2) Keep LOA structure, change 800-‐63 – Likely to confuse agencies and industry •  (2) Change the LOA structure somehow – Let’s discuss this more

5. Some principles •  Avoid current LOA problems – LOA 2 both proofed and pseudonymous – No strong pseudonymous authen+ca+on – Lower LOA geeng less useful •  Keep it simple – Emphasize meaningful dis+nc+ons between levels – Minimize dimensionality (of vector)

6. Meaningful dis+nc+ons? •  As mul+-‐factor authen+ca+on becomes more widely used, dis+nc+ons in single-‐factor become less important Authen'ca'on LOA Prooﬁng Single factor 1 None Single factor 2 pseudonymous None Single factor 2 Remote Mul+-‐factor 3 Remote Mul+-‐factor w/ hardware token 4 In-‐person only { Similar (though not iden+cal) requirements } Similar (though not iden+cal) requirements

7. A New Model •  Separate Level of Assurance into two parts: –  Level of Strength (of authen+ca+on) –  Level of Confidence (of akributes) •  Emphasis on meaningful dis+nc+ons –  Significant differences in usability, availability –  Require good prac+ces internally (e.g., use of crypto rather than shared secrets) •  Emphasis on expressing the relying party’s requirements to the user and authen+ca+on and akribute providers

8. Level of Strength (LoS) •  Measures the strength of the authen+ca+on process •  Candidate levels: •  Detailed requirements per level to be deﬁned in SP 800-‐63-‐2 successor Level Descrip'on 1 Single-‐factor authen+ca+on (cf. LOA 2) 2 Two-‐factor authen+ca+on (cf. LOA 3) 3 Two-‐factor authen+ca+on with hardware token (cf. LOA 4)

9. Level of Conﬁdence (LoC) •  Measure of the degree to which the Relying Party can depend on akributes, par+cularly iden+fying akributes •  Incorporates the iden+ty prooﬁng process and the binding to the creden+al •  Again, detailed requirements TBD. Level Descrip'on 1 Self-‐asserted akribute (cf. LOA 1) 2 Remotely iden+ty proofed (cf. LOA 3) 3 In-‐person iden+ty proofed (cf. LOA 4)

10. Mapping LOA to LOS/LOC LOA Level of Strength Level of Conﬁdence 1 1 (see note) 1 2 1 1 (pseudonynous) or 2 3 2 2 4 3 3 Note: Some LOA 1 authen+ca+on methodologies may not be acceptable at LOS 1.

11. Mapping LOS/LOC to LOA LOC 1 LOC 2 LOC 3 LOS 1 1, 2P 2 Note 2 LOS 2 Note 1 3 Note 2 LOS 3 Note 1 4 Notes: 1.  Strong pseudonymous or anonymous authen+ca+on 2.  Lower LOS may limit eﬀec+ve LOC

12. Not included •  Characteris+cs of authen+ca+on and akribute provider –  Accredita+on of the authen+ca+on or akribute provider •  May only permit certain levels of asser+on –  Trust by relying party of accredi+ng agency •  Addi+onal detail (such as loca+on) for risk-‐based authen+ca+on decisions –  Are these really akributes? •  Risk characteris+cs at each level –  To be deﬁned based on detailed technical requirements at each level •  Asser+on metadata –  Expira+on, usage restric+ons, etc.

LOA Alternatives - A Modest Proposal

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to LOA Alternatives - A Modest Proposal

Similar to LOA Alternatives - A Modest Proposal (20)

More from Jim Fenton

More from Jim Fenton (10)

Recently uploaded

Recently uploaded (20)

LOA Alternatives - A Modest Proposal