www.oasis-open.org

OASIS Trust Elevation
Elevate Trust in Electronic Identities

International Cloud Symposium
Washington DC, October 2012

Abbie Barbir, Ph.D.
Co-Chair, OASIS Trust Elevation TC
Goal of the OASIS Trust Elevation TC

• The goal is to define a set of methods or standardized protocols that service providers may use to elevate the trust in an electronic identity presented to them for authentication purposes.
Why are we doing this work?

• Few consumers have high-LoA credentials.
• User name and password is not good enough.
  • More organizations look to implement systems that require authentication at higher Levels of Assurance.
• When dealing with consumers and citizens, there is a clear need for dynamic authentication.
  • A customer should only be asked to do multi-factor authentication when they want to do “a high value transaction”, not as a prerequisite to visiting a website.
  • There is an increased interest in transaction-based assurance: “authentication” based on the necessary current conditions of specified, validated attributes and agreements.
  • Use of a step-up approach to multi-factor authentication.
• Recommendations by the Federal Financial Institutions Examination Council (FFIEC) and the highly publicized breaches in 2011 have made trust elevation a more urgent topic.
• Responding to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC).
Approach

1. Phase I: Catalog of Trust Elevation Methods
   • Create a comprehensive list of methods being used currently to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved.
   • Status: phase is completed; Committee Note pending publication.
2. Phase II: Analysis of Trust Elevation Methods
   • Analysis of identified methods to determine their ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved.
   • Status: phase ending; final stages of delivering work.
3. Phase III: Establish Trust Elevation Protocol
   • Propose a protocol for Trust Elevation.
   • Status: phase starting.
Definition of Trust Elevation

Trust elevation:
• Increasing the strength of trust by adding factors from the same or different categories of trust elevation methods that don’t have the same vulnerabilities.
• There are five categories of trust elevation methods:
  • who you are,
  • what you know,
  • what you have,
  • what you typically do, and
  • the context.
• What you typically do consists of behavioral habits that are independent of physical biometric attributes.
• Context includes, “but is not limited” to, location, time, party, prior relationship, social relationship and source.
• Elevation can be within the classic four ITU-T X.1254 LoA (ISO/IEC 29115, NIST SP 800-63).
Categories of Trust Elevation Methods

• Who you are
  – biometrics, behavioral attributes
• What you know
  – shared secrets, public and relationship knowledge
• What you have
  – devices, tokens: hard, soft, OTP
• What you typically do
  – described by ITU-T X.1254
  – behavioral habits that are independent of physical biometric attributes
• Context
  – e.g. location, time, party, prior relationship, social relationship and source
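The step-up rule on the two preceding slides (elevate only by adding a factor that does not share the vulnerabilities of the factors already used, and only when the transaction calls for it) as an added Python example; this is not code from the OASIS TC or its deliverables. The method names come from the deck's method list, but the vulnerability tags, the transaction-value thresholds and the "one independent factor raises the LoA by one" rule are constructed assumptions for illustration.

```python
"""Step-up (trust elevation) policy check for a high-value transaction.

Rule from the deck: trust is elevated by adding factors (same or different
category) that do not share the same vulnerabilities, requested when the
transaction needs it rather than at login.  Constructed, not from the deck:
the vulnerability tags, the value thresholds, and the simplified rule that
each independent factor raises the LoA by one level, capped at LoA 4.
"""
from dataclasses import dataclass, field
from enum import Enum

class Category(Enum):
    """The five trust elevation method categories named in the deck."""
    WHO_YOU_ARE = "who you are"
    WHAT_YOU_KNOW = "what you know"
    WHAT_YOU_HAVE = "what you have"
    WHAT_YOU_DO = "what you typically do"
    CONTEXT = "the context"

@dataclass(frozen=True)
class Method:
    name: str
    category: Category
    # Constructed vulnerability classes: two methods sharing a class fail the
    # same way, so the second one adds no assurance on top of the first.
    vulnerabilities: frozenset

# Method names come from the deck's method list; the tags are constructed.
UN_PW = Method("UN/PW", Category.WHAT_YOU_KNOW, frozenset({"phishable", "replayable"}))
STATIC_KBA = Method("static KBA", Category.WHAT_YOU_KNOW, frozenset({"phishable", "public-knowledge"}))
DYNAMIC_KBA = Method("dynamic KBA", Category.WHAT_YOU_KNOW, frozenset({"account-history-leak"}))
SMS_OTP = Method("mobile SMS OTP", Category.WHAT_YOU_HAVE, frozenset({"phishable", "sim-swap"}))
HARD_OTP = Method("hardware OTP token", Category.WHAT_YOU_HAVE, frozenset({"token-theft"}))
FINGERPRINT = Method("fingerprint", Category.WHO_YOU_ARE, frozenset({"spoof-without-liveness"}))
REGISTERED_PHONE = Method("call from registered phone", Category.CONTEXT, frozenset({"callerid-spoof"}))
ALL_METHODS = (UN_PW, STATIC_KBA, DYNAMIC_KBA, SMS_OTP, HARD_OTP, FINGERPRINT, REGISTERED_PHONE)

@dataclass
class Session:
    loa: int                                     # current level of assurance, 1..4
    factors: list = field(default_factory=list)  # methods already satisfied

def required_loa(transaction_value: float) -> int:
    """Constructed thresholds: plain browsing (value 0) needs only LoA 1."""
    if transaction_value <= 0:
        return 1
    if transaction_value < 500:
        return 2
    if transaction_value < 10_000:
        return 3
    return 4

def is_independent(method: Method, factors: list) -> bool:
    """A factor elevates trust only if it shares no vulnerability class with any
    factor already used; being in a different category is neither sufficient nor required."""
    return all(method.vulnerabilities.isdisjoint(f.vulnerabilities) for f in factors)

def candidate_methods(session: Session, available=ALL_METHODS) -> list:
    """Methods the service provider could offer for the next step-up."""
    return [m for m in available
            if m not in session.factors and is_independent(m, session.factors)]

def elevate(session: Session, method: Method) -> bool:
    """Apply a step-up factor; return True if it was accepted as independent."""
    if method in session.factors or not is_independent(method, session.factors):
        return False
    session.factors.append(method)
    session.loa = min(4, session.loa + 1)
    return True

def authorize(session: Session, transaction_value: float) -> bool:
    """Allow the transaction only when the session's LoA meets what it requires."""
    return session.loa >= required_loa(transaction_value)

if __name__ == "__main__":
    s = Session(loa=1, factors=[UN_PW])                      # logged in with password only
    print("step-up needed for 2500:", not authorize(s, 2500))
    print("static KBA accepted:", elevate(s, STATIC_KBA))    # False: shares "phishable"
    print("dynamic KBA accepted:", elevate(s, DYNAMIC_KBA))  # True: same category, disjoint
    print("hard token accepted:", elevate(s, HARD_OTP), "-> LoA", s.loa, "authorized:", authorize(s, 2500))
```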
Levels of Assurance

• Trust Elevation Paths between Levels of Assurance
Trust Elevation Method List

• Methods sorted by trust elevation method category
• What you are
  – Biometric: use of distinctive measurements about your physical body and/or your behavior that are unique
    • Physical Biometric: considered immutable and unique
      – Facial recognition
      – Iris scan
      – Retinal scan
      – Fingerprint / palm scan
      – Voice
      – Liveness biometric factors include:
        » Pulse
        » CAPTCHA
        » Temperature
    • Behavioral Biometric: person’s physical behavioral activity patterns
      – Keyboard signature
      – Voice
Trust Elevation Method List

• What you know
  – User Name and Password (UN/PW)
  – Knowledge Based Authentication (KBA)
    • User is asked one or more (sometimes 3 to 5) challenge questions
    • User data procured at enrollment time
    • Static KBA
      – Questions and answers that do not change
    • Dynamic KBA
      – Questions that are user-specific and/or change over time, and/or the answers to the questions change over time (e.g., asking the value of the customer’s last VISA transaction)
Trust Elevation Method List

• What you have
  – End Point Identity
    • Landline number;
    • Mobile phone number and/or SIM and/or OS;
    • IP address, router, provider;
    • Cookie, OS, browser, chip.
  – Token
    • Hardware tokens
      – Proprietary tokens
      – USB tokens
      – Smart cards
      – Mobile phone and/or SIM
    • Software tokens
      – Digital certificates
      – Cookies
Trust Elevation Method List

• What you have
  – Out of Band
    • User calls service provider from a registered phone;
    • Response to a phone call from the service provider;
    • Response to an email from the service provider;
    • Response to an SMS message from the service provider;
    • Response to a mobile application transaction initiated by the service provider;
    • Response to a post card;
    • Response to a letter, registered or otherwise.
  – One Time Password (OTP)
    • Email;
    • Mobile phone voice message;
    • Mobile phone SMS message;
    • Mobile phone application;
    • Landline voice message;
    • Mail (postcard, letter, registered mail, etc.);
    • Proprietary hardware token with password generation capability.
Trust Elevation Method List

• What You Typically Do: an individual’s repeated behaviors or behavioral habits
  – Browsing patterns (order in which pages are accessed, duration of access, links accessed, etc.);
  – Time of access;
  – Type of access, etc.
Trust Elevation Method List

• Context: attributes relevant to the user or situation
  – Location;
  – Time of access;
  – Frequency of access;
  – Party;
  – Prior relationship;
  – Social relationship;
  – Source and endpoint identity attributes, such as
    • Date of last virus scan
    • IP address
    • Subscriber identity module (SIM)
    • Device basic input/output system (BIOS)
    • Virus scan software version
    • CallerID
    • Cookie (presence and/or contents);
  – Multi-channel combination;
  – Credential lifecycle attributes;
  – Certificate binding and/or other chain of trust attributes;
  – Secure device with user-specific disk allocation.
Method Examples (Use Cases)

• Reuse of Primary Authenticator Method Example
• Customer Retention Method Example
• Cloud Access Method Example
• Static KBA Method Example
• Session Elevation to Level of Identity Proofing Method Example
• Hub Provider of Pseudonymous Identity Method Example
• Step-Up Authorization Method Example
• Multi-channel by Phone Method Example
• Generic KBA Method Example
• Address Verification Service Method Example
• Split Large (Risky) Transactions into Multiple Smaller Transactions Method Example
• Use of Tokenized Device/Network Attributes Method Example
• Trust Elevation by Hard Token (OTP Generator) Method Example
• Multi-Attribute-Based Trust Elevation Service Method Example (AKA Fraud Detection)
• Emergency Access to Patient Healthcare Information – a European Method Example
Resources

• OASIS Trust-El Technical Committee Homepage
  https://www.oasis-open.org/committees/trust-el

abarbir@live.ca
