More than just being signed-in or signed-out
Transcript of More than just being signed-in or signed-out
[Page 1]
More than just being signed-in or signed-out
Parul Jain, Architect, Intuit
@ParulJainTweety
[Page 2]
Why do we care?
TRUST & SECURITY
EASE OF ACCESS
Can’t eliminate friction? Delay it
Authentication Levels to balance security and usability
Delightful product experience
[Page 3]
Authentication
Username
Password
Sign In
Signed In
Not Signed In
[Page 4]
Authentication – Signed In or Not – Example 1
Not Signed In: Browse OLX for used products
Sign In (Username, Password)
Signed In: Sell an item, Place Ad
[Page 5]
Authentication – Signed In or Not – Example 2
Not Signed In: Browse apps on App Store
Install App → Sign In (Username, Password)
Signed In: Install App → New App on Device
[Page 6]
Why Authenticate?
Authentication is required to establish trust
Is trust binary – trust you fully or not at all?
Degrees of trust – a factor of time and situation
Trust you for this but not for that
Didn’t trust you earlier but trust you now
[Page 7]
Authentication Levels
Authentication is not binary
Authentication Assurance Levels (AAL)
Adaptive - Change with time and situation
[Page 8]
Authentication Assurance Levels (AAL)
Authentication Level 1 (Less Trust) → Enter OTP → Submit → Authentication Level 2 (More Trust)
[Page 9]
AAL – Example 1
Authentication Level 0: My bank portal
Sign In (Username, Password)
Authentication Level 1: My bank account
Authentication Level 2: Transfer Money, Payment
[Page 10]
AAL – Example 2
Authentication Level 0: Mint application
Sign In (Username, Password)
Authentication Level 1: Access my personal finances
Enter OTP → Submit
Authentication Level 2: Transfer Money, New Payment Instrument
[Page 11]
AAL – Example 3
Browse products on Amazon
Sign In (Username, Password)
Authentication Level 1: Track Order
Authentication Level 2: Checkout, or View/Place Order
[Page 12]
MFA and AAL Relationship
AAL is the outcome; MFA is the mechanism.
MFA provides layered defense
Binary Authentication
Multiple Authentication Assurance Levels
[Page 13]
LIC: Binary without MFA
[Page 14]
Google: Binary with MFA
[Page 15]
Amazon: Multiple Levels with MFA
[Page 16]
Intuit: Multiple Levels with MFA
[Page 17]
How to determine the AALs?
REQUIRE – based on sensitivity of the APIs
ADAPT – based on trust in the user with time
ASSIGN – based on factors of authentication
[Page 18]
ASSIGN an AAL
Based on factors of authentication
• What I know
  • password
• What I have
  • OTP
• What I am
  • fingerprint
• Other
  • Federated
[Page 19]
ADAPT to an AAL
Based on trust in the user with time
Change in
• Device
• Geolocation
• IP address
• Velocity of use
• Behavioral Biometrics
• Anomalous behavior
[Page 20]
REQUIRE an AAL
Based on sensitivity of the APIs
• Secret
  • OAuth Client Secret
• Highly Sensitive
  • Money movement
  • Financial data
• Sensitive
  • Personal information
• Other
  • Public information
[Page 21]
AAL Determination
Trust in user authentication (Low → High) plotted against Sensitivity of the APIs (Low → High); the 3x3 grid reads:
Good     Step-up  Step-up
Good     Good     Step-up
Good     Good     Good
Step-up is needed wherever the sensitivity of the API exceeds the trust established by the user’s authentication; everywhere else the current AAL is good.
[Page 22]
Component Interaction
Components: Client, APIs, Identity Services
1. Sign in (Client → Identity Services, which determine the AAL)
2. Session with an AAL
3. Access Resource (Client → APIs)
4. Verify (APIs → Identity Services, which check the expected AAL)
5. Step-up URL
6. Redirect for Step-up (remember the state)
7. Step-up (Client → Identity Services)
8. Higher AAL
[Page 23]
Client: Widget, Configuration
[Page 24]
APIs
Create the verify request
Verify with expected AAL
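The ASSIGN / ADAPT / REQUIRE trio and the API-side verify step from the component interaction above, as an added Go example (not code from the talk or from Intuit); the level thresholds, the risk rules and the names AssignAAL, AdaptAAL, RequiredAAL and Verify are assumptions for illustration.

```go
package main

type AAL int // authentication assurance level: 0 = not signed in, 2 = most trust
// Factors a user has presented: what I know, what I have, what I am (ASSIGN).
type Factors struct{ Password, OTP, Fingerprint bool }
// AssignAAL maps factors to an AAL (assumed: one factor = 1, two or more = 2).
func AssignAAL(f Factors) AAL {
	n := AAL(0)
	for _, present := range []bool{f.Password, f.OTP, f.Fingerprint} {
		if present && n < 2 {
			n++
		}
	}
	return n
}

type Sensitivity int // API sensitivity classes from the REQUIRE slide
const (
	Public          Sensitivity = iota // public information
	Sensitive                          // personal information
	HighlySensitive                    // money movement, financial data
	Secret                             // OAuth client secret
)

// RequiredAAL maps sensitivity to the AAL an API expects (assumed: 0, 1, 2, 2).
func RequiredAAL(s Sensitivity) AAL {
	if s > HighlySensitive {
		return 2
	}
	return AAL(s)
}

// RiskSignals are changes seen since sign-in (ADAPT: trust in the user with time).
type RiskSignals struct{ NewDevice, NewGeolocation, AnomalousBehavior bool }
// AdaptAAL lowers the effective AAL on risk (assumed: new device or geo = one level down, anomaly = 0).
func AdaptAAL(session AAL, r RiskSignals) AAL {
	if r.AnomalousBehavior {
		return 0
	}
	if (r.NewDevice || r.NewGeolocation) && session > 0 {
		return session - 1
	}
	return session
}

// Verify is the API check against the expected AAL: stepUp false is "Good", true means step up to target.
func Verify(session AAL, r RiskSignals, api Sensitivity) (stepUp bool, target AAL) {
	target = RequiredAAL(api)
	return AdaptAAL(session, r) < target, target
}
```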
[Page 25]
Identity Services
Authn Service: Sign-in, Verify
Risk Engine: Get Risk Score from device, IP, geo, time, … → Real time Risk Score
ML Model: fed by feedback
[Page 26]
UNIVERSAL STRONG AUTHENTICATION – FIDO AS A STANDARD
[Page 27]
Fast Identity Online (FIDO)
[Page 28]
FIDO Protocols
Public Key cryptography
UAF – Universal Authentication Framework
• Passwordless UX
• Local device with UAF stack installed
• User performs a local authentication
U2F – Universal Second Factor
• Standalone U2F device – USB/NFC/Bluetooth
• Physical keychain with multiple keys – one for each origin
• Built-in support in web browsers
[Page 29]
UAF
Src: https://fidoalliance.org/specifications/overview/
[Page 30]
UAF – Registration
User Device: FIDO Client (Win, Mac, iOS, Android, …), FIDO Authenticators, User Agent (Browser, App, …)
Identity Provider: Web App, FIDO Server
1. Legacy Auth + Initiate Registration
2. Registration request + Policy
3. Enroll user + New Key Pair
4. Registration response + Attestation + User’s public key
5. Validate Response + Attestation; Store user’s Public Key
[Page 31]
UAF – Authentication
User Device: FIDO Client (Win, Mac, iOS, Android, …), FIDO Authenticators, User Agent (Browser, App, …)
Identity Provider: Web App, FIDO Server
1. Initiate Authn
2. Authn request + Challenge + Policy
3. Verify User and unlock private key
4. Authn response signed by user’s private key
5. Validate Response using user’s Public Key
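The UAF registration and authentication exchanges above, as an added Go example (not the FIDO Alliance's or the talk's code): Authenticator and Server are stand-ins for the user's authenticator and the FIDO server, a P-256 ECDSA key pair is assumed, and attestation validation and policy handling are left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Authenticator struct{ priv *ecdsa.PrivateKey } // the user's authenticator; the private key never leaves it
// Register is registration step 3: enroll the user by creating a new key pair; only the public half goes to the server.
func (a *Authenticator) Register() (pub *ecdsa.PublicKey, err error) {
	if a.priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, err
	}
	return &a.priv.PublicKey, nil
}
// Sign is authentication steps 3-4: verify the user locally, unlock the private key, sign the challenge.
func (a *Authenticator) Sign(challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified || a.priv == nil {
		return nil, errors.New("user not verified: private key stays locked")
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}
type Server struct { // stands in for the FIDO server
	keys       map[string]*ecdsa.PublicKey // registered public key per user
	challenges map[string][]byte           // outstanding challenge per user
}
func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string][]byte{}} }
// StoreKey is registration step 5 (attestation validation is omitted in this example).
func (s *Server) StoreKey(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }
// Challenge is authentication step 2: a fresh random challenge bound to the user.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}
// Validate is authentication step 5: check the signed response with the stored public key.
func (s *Server) Validate(user string, sig []byte) bool {
	pub, c := s.keys[user], s.challenges[user]
	delete(s.challenges, user) // single use: a replayed response finds no challenge
	if pub == nil || c == nil {
		return false
	}
	h := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```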
[Page 32]
U2F
Src: https://fidoalliance.org/specifications/overview/
[Page 33]
Summary
As developers we have thought of authentication as a binary switch
We need to start thinking about the degree and levels of trust
Incorporate AAL into the design thinking
AAL will help us in balancing security vs usability
Deliver a delightful experience to customers
[Page 34]
Thank you