Secure Technology Alliance - Strong Authentication: What’s … · 2020-01-16 · Displace " Paper...

Strong Authentication: What’s Beyond Usernames and Passwords? Rob Zivney Sr. Consultant IDentification Technology Partners


Page 1

Strong Authentication: What’s Beyond Usernames and Passwords?
Rob Zivney
Sr. Consultant
IDentification Technology Partners

Page 2

Displace
- Paper
- Plastic
- Photos
- Leather

I Have Memorized My AMEX

I have digitized my important info into one file
- Organized so I can find stuff

True Digital Wallet

Page 3

Analog and Digital

Like a “Wearable”
- Possession

Auto - Pushbutton Start

Backup USB
- Important Stuff File
- Encrypted
- List of UN & PW

Most Have No Batteries

Keys

Page 4

Identities are Just a Record In a Database
- Just a number string somewhere

You Can Have Many Identities
- Each requires its own Authentication

Each Identity has Its Own Privileges

Linkage is Key
- Link to Master Secure Identity
- Link to Communications (including Cloud)
- Link to Power Source

Internet of Things Can Be Less “Personal”
- PACS Authenticates System Components

What Does It Matter?

Page 5

Authentication to the OS or the App?
- Hardware
- GUI
- Convenience
- Client, Server, Workstation

Every App is Different
- Different Rules for Authentication (Password, etc.)

Too Many Passwords
- To Remember
- To Manage

It’s About Who Has Control

Page 6

Cryptography
- With Some form of Keyboard Entry

Biometrics
- Not a secret, but…

4 Factor
- What You Have
- What You Know
- What You Are
- What Someone Else Knows About You (PKI)

Strength thru Multifactor vs. Strong Passwords

Multifactor Authentication

Page 7

Biometrics
- Finger
- Face
- Templates

“Wearables”

Physical Access

How to Do Mutual Authentication?
- Smarter Readers
- Smarter PACS
- NFC SE for Reader

Consumer Market - Mobile

Page 8

PACS Industry Had Little Input

Developed for eGovernment
- Remote IT Login via PKI

Access is both Authentication & Authorization
- PACS takes a systems approach
- Authentication is not always done 1st

Struggling for Interoperability
- Gen 2 Test Cards - Finally
- Now Industry can build Systems for PIV

Will have to get Quicker for PACS
- Contactless

Not the Game Changer Expected
- Not Using the Power of the Smart Card
- Too Many “Options”

Government Market - PIV

Page 9

Ultimately: A Question of Trust

PIV Now Requires PKI at the Door

New Processes:
- Signature Checking of Signer
- Challenge/Response to Card
- Certificate Check with Path Validation
- All Require FIPS 140-2 Somewhere in the “System”

New Encryption Algorithms
- RSA-2048 & ECC

Must Validate:
- Cardholder
- Card
- Credential

CA

Page 10

Leadership

What’s Next?

Page 11

Need a Market Leader
- Rules of the Game

Convenience – Not Price
- Smartphones are Expensive
- Form Factor
- Speed
- Sign On to OS – Not the App

Design Aesthetics

Long Battery Life
- Short Recharge Time

One Global Market

Technology

Cybersecurity Reactions

The Consumer Will Lead

Market Drivers

Page 12

Smart Card Alliance
191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828
www.smartcardalliance.org

Rob Zivney
IDentification Technology Partners
[email protected]
Office 1 301 990-9061
Mobile 1 949 283-1126