Stronger Authentication in a Federated World
Bill Young, Government Technology Services, NZ State Services Commission
Slide 2
NZ State Services Commission, Crown Copyright
Quick Background of NZ Authentication
• “Commercial” IdP for any government Agency
• Policy Driven
  • Privacy
  • Security
  • Standards
• Evolutionary Development - Web Applications First
Slide 3
Our Big Drivers
• Privacy
• May not Disenfranchise any part of the Public
• Breadth of Scale in govt Departments
Slide 4
NZ AuthN & IdM Services
Slide 5
What’s our Challenge?
• Continuous Improvement of Services
• Risk-Based Approach to Security
• Adapt to Evolving Threats
• Match Pace with the New Services Provided to End Users
• Limit Barriers to Uptake
Slide 6
Typical Responses to the Need for Stronger Authentication
• Conventional
  • ‘Better’ Passwords
  • OTP Tokens
• Less Conventional
  • PKI
  • Biometrics
Slide 7
Passwords
“We need Stronger Passwords. Let’s Improve our Password Policy”
• Longer, more complex passwords, system-generated passwords, password history, forced frequent changes, etc.
And the Result?
• Un-usable, Un-Fit, Un-Friendly, Un-Supportable
• Support Costs
• Social Engineering
There are Ways to Improve Passwords (just rarely used)
Slide 8
One Time Passwords (OTP)
• Tokens
  • $$ - Token Cost & Logistics
• Bingo cards & TAN sheets
  • More Cost-Effective, but Frequently Copied
• Soft Tokens
  • Security & Usability Issues
• SMS
  • Good, Except for High Volume Use
Slide 9
PKI
• Soft Certificates
  • Issues with Usability and Security
  • Support Cost
• Centrally Stored
  • Ok, But not Really 2FA
• Smartcards, USB tokens
  • Hardware & OS Support is Incomplete
  • High Support Cost
Slide 10
Biometrics
More Questions than Answers…
Slide 11
That’s all fine, but…
…how does it contribute to a Risk-Based approach?
Slide 12
[Diagram: Risk-Based Approach. Development: Risk Assessment, Information Architecture, AuthN Topology. Run-Time: User Navigates across Application/Resources of Low Value, Moderate Value and High Value; authentication means shown: Federated Identifier, UserId/Passwd, Token, Smartcard]
Slide 13
Context Sensitive Authentication
Definition:
“Authentication based on Real Time Risk Analysis”
Slide 14
Context Sensitive Approach
[Diagram, Run-Time: User Enters Application with UID/Password or Higher; Application/Resources receives Federated Identifier & Risk ‘Advice’; the Requested AuthN Context feeds a Real-time Risk Assessment, which splits requests into 70% Low value/risk, 25% Increased value/risk and 5% High Value/risk; responses shown: No Action Required / Continue With Application, Device Detection, OTP AuthN (“Strong” AuthN)]
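A worked example of the real-time risk assessment sketched in the context sensitive approach, written for this transcript and not taken from the NZ presentation or any vendor product: it scores a request from the resource's designed value plus two run-time signals, places it in the low / increased / high band, and returns the "risk advice" the application acts on (continue, or step the user up to an OTP). The signal names, weights, thresholds, and the rule that a recognised device satisfies the increased band are assumptions.

```python
"""Risk-based step-up decision in the shape of the deck's "Context Sensitive
Approach" slide. Added example, not the NZ SSC's code: the signals, weights,
thresholds and band names are illustrative assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class AuthnLevel(IntEnum):
    """Strength of the authentication already completed in this session."""
    PASSWORD = 1     # UID/Password, the entry level on the slide
    OTP = 2          # one-time password, the slide's "Strong" AuthN
    SMARTCARD = 3


@dataclass(frozen=True)
class Context:
    """Requested AuthN context gathered when the user enters the application."""
    resource_value: str        # "low" | "moderate" | "high", fixed at design time
    device_known: bool         # outcome of device detection
    ip_reputation_bad: bool    # constructed run-time signal
    failed_logins_recent: int  # constructed run-time signal
    completed: AuthnLevel


# Static component: the value of the resource, set by the information architecture.
VALUE_RISK = {"low": 0, "moderate": 30, "high": 60}


def risk_score(ctx: Context) -> int:
    """Real-time risk analysis: static resource value plus dynamic signals, 0..100."""
    score = VALUE_RISK[ctx.resource_value]
    if ctx.ip_reputation_bad:
        score += 40
    score += 5 * min(ctx.failed_logins_recent, 5)
    return min(score, 100)


def risk_band(score: int) -> str:
    """Three bands, matching the slide's low / increased / high split."""
    if score < 30:
        return "low"
    if score < 70:
        return "increased"
    return "high"


def decide(ctx: Context) -> Tuple[str, str]:
    """Return (band, action). The action is the 'risk advice' handed back with the
    federated identifier: "continue", or "step-up:OTP" when the application must
    send the user back for a stronger authentication."""
    band = risk_band(risk_score(ctx))
    if band == "low":
        return band, "continue"              # no action required
    if band == "increased":
        # A recognised device satisfies the increased band; otherwise step up.
        if ctx.device_known or ctx.completed >= AuthnLevel.OTP:
            return band, "continue"
        return band, "step-up:OTP"
    # High value/risk: always require at least an OTP in this session.
    if ctx.completed >= AuthnLevel.OTP:
        return band, "continue"
    return band, "step-up:OTP"


if __name__ == "__main__":
    ctx = Context("high", True, True, 0, AuthnLevel.PASSWORD)
    print(risk_score(ctx), decide(ctx))
```

The split between a static part (resource value, decided once in the information architecture) and a dynamic part (signals collected at run time) is what lets an agency keep the model simple while still adapting to new threats: new signals change the score, not the application.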
Slide 15
OOB Authentication
Definition:
Out of Band Authentication requires that separate information channels are used for authentication and access.
Slide 16
Out of Band Authentication
[Diagram, Run-Time: User Enters Application with UID/Password or Higher; Application/Resources receives Federated Identifier & Risk ‘Advice’; Perceived Channel Risk and the Authn Context trigger OOB AuthN over a separate channel (Phone or SMS), after which the Application Continues]
Slide 17
Transaction Authentication/Verification
Definitions:
“Transaction Authentication Verifies that the Correct User is Requesting a Transaction”
“Transaction Verification Verifies that the Correct Transaction is Performed for the User”
I’m combining both under the term “Transaction Authentication”
Slide 18
Transaction Authentication
[Diagram, Run-Time: User Enters Application/Resources with UID/Password or Higher; Federated Identifier & Risk ‘Advice’; Transaction Context/Details and Perceived Transaction Risk trigger a prompt such as “You are about to Transfer $2384.89 to Account #BNZ927846738. Enter OTP to Continue”, after which the Application Continues]
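The prompt on this slide is the visible half of transaction authentication; the half that matters for security is that the code the user enters is bound to exactly those details, so a code obtained for one transfer cannot authorise a different one. The following added example (not part of the deck, and not any vendor's implementation) derives the code from the user, amount, destination account and a per-transaction challenge with HMAC-SHA256, sends details and code together on the out-of-band channel, and verifies the code against the transaction the server is about to execute. The field layout, truncation and message wording are assumptions; OCRA (RFC 6287) is the standardised form of the same idea.

```python
"""Transaction authentication: a one-time code bound to the details of the
transaction it authorises. Added example, not the deck's code. The
construction (HMAC-SHA256 over length-prefixed fields, HOTP-style truncation)
is an assumption; a standardised equivalent is OCRA, RFC 6287."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple


def canonical(user: str, amount_cents: int, account: str, challenge: str) -> bytes:
    """Length-prefix every field so that no two transactions serialise alike."""
    fields = [user.encode(), str(amount_cents).encode(), account.encode(), challenge.encode()]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def transaction_code(key: bytes, user: str, amount_cents: int, account: str,
                     challenge: str, digits: int = 6) -> str:
    """Derive a short numeric code that changes if any transaction detail changes."""
    mac = hmac.new(key, canonical(user, amount_cents, account, challenge), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation, as in RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class TransactionAuthenticator:
    """Issues the out-of-band message and verifies the code against the transaction
    the server is about to execute, never against fields echoed back by the browser."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: Dict[str, str] = {}   # challenge -> user, consumed on first use

    def issue(self, user: str, amount_cents: int, account: str) -> Tuple[str, str, str]:
        """Return (challenge, code, message); the message goes out of band, e.g. by SMS."""
        challenge = secrets.token_hex(8)    # fresh per transaction, so codes cannot be replayed
        self.pending[challenge] = user
        code = transaction_code(self.key, user, amount_cents, account, challenge)
        message = (f"You are about to transfer ${amount_cents / 100:.2f} to account "
                   f"#{account}. Enter {code} to continue.")
        return challenge, code, message

    def verify(self, challenge: str, submitted: str,
               user: str, amount_cents: int, account: str) -> bool:
        """Check the submitted code against the details the server will act on."""
        # One attempt per challenge: pop first so a wrong guess also burns it.
        if self.pending.pop(challenge, None) != user:
            return False
        expected = transaction_code(self.key, user, amount_cents, account, challenge)
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    auth = TransactionAuthenticator(secrets.token_bytes(32))
    ch, code, msg = auth.issue("alice", 238489, "BNZ927846738")
    print(msg)
    print(auth.verify(ch, code, "alice", 238489, "BNZ927846738"))
```

Because the amount and account are inside the MAC, a transaction that was altered after the message went out (a changed destination account, for instance) fails verification even though the user typed the "right" code, which is precisely the transaction verification property the slide separates from transaction authentication.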
Slide 19
Putting it all Together
[Diagram, Run-Time: User Enters Application/Resources with UID/Password or Higher; Federated Identifier & Risk ‘Advice’; AuthN Context and Transaction Context feed a Real-time Risk Assessment, which splits requests into 70% Low value/risk, 20% Increased value/risk, 5% High risk and 5% Perceived threat; responses shown: No Action Required / Continue With Application, Device Detection, Step Up AuthN, OOB AuthN, Transaction AuthN]
Slide 20
Question?
Should Transaction AuthN be done using SAML Web SSO?
It’s an AuthZ problem too…
Slide 21
SAML Considerations
How do these techniques look from a SAML point of view?
Slide 22
Context Sensitive Authentication
Step Up Authentication
Vendor Support: Becoming Well Supported
eGov Profile: Supported
Liberty Interop: Not Specified – Optional in US eAuth profile
SAML Spec: Well Supported
Slide 23
Context Sensitive Authentication
Returning Risk Context to SP
Vendor Support: Mixed
eGov Profile: Not Specified
Liberty Interop: Not Specified
SAML Spec: Well Supported
Slide 24
OOB Authentication
Passing <Subject> to IdP
Vendor Support: Unknown, but doubtful
eGov Profile: Not Specified or Restricted
Liberty Interop: Not Specified
SAML Spec: Well Supported
Slide 25
Transaction Authentication
Transaction Details and Context
Vendor Support: Unknown, but doubtful
eGov Profile: Not Specified
Liberty Interop: Not Specified
SAML Spec: Unanticipated – Some options available
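To make the "Well Supported in the SAML Spec" rows concrete, here is an added example, not from the deck, any of the listed profiles or any vendor, of what a service provider does for step-up authentication and for the OOB "passing <Subject> to IdP" case: build an AuthnRequest carrying RequestedAuthnContext with Comparison="minimum" and an optional Subject, then check that the IdP's Response answers that request, names the expected subject, and asserts an authentication context class at least as strong as the one requested. The element names and the Comparison attribute come from the SAML 2.0 core specification; the strength ranking of the classes, the issuer URL, the subject name and the constructed sample Response are assumptions, and signing and bindings are assumed to be handled elsewhere.

```python
"""SAML 2.0 step-up from the service provider side: request a minimum
AuthnContext, optionally name the <Subject> already known (the OOB case), and
check the class the IdP actually asserts. Added example, not the deck's code
or any vendor's; signing and bindings are assumed to be handled elsewhere, and
the strength ordering of the classes is this SP's own assumption."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Weakest to strongest, as ranked by this SP (assumption, not a SAML-defined order).
LEVELS = [AC + "Password", AC + "PasswordProtectedTransport",
          AC + "TimeSyncToken", AC + "SmartcardPKI"]


def build_authn_request(req_id: str, issuer: str, min_class: str,
                        name_id: Optional[str] = None) -> str:
    """AuthnRequest asking for at least min_class; ForceAuthn so an existing
    weaker IdP session is not simply reused to satisfy the step-up."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id, "Version": "2.0", "ForceAuthn": "true",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if name_id:   # tell the IdP whom to authenticate, e.g. for an OOB call to a registered phone
        subj = ET.SubElement(req, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = name_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "minimum"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = min_class
    return ET.tostring(req, encoding="unicode")


def parse_request(xml: str) -> dict:
    """What an IdP reads from the request (used here to check our own output)."""
    root = ET.fromstring(xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    nid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {"comparison": rac.get("Comparison") if rac is not None else None,
            "class": ref.text if ref is not None else None,
            "name_id": nid.text if nid is not None else None,
            "force_authn": root.get("ForceAuthn") == "true"}


def make_response(class_ref: str, name_id: str, in_response_to: str) -> str:
    """Constructed, unsigned sample of the part of a Response this check reads."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
            f'Version="2.0" InResponseTo="{in_response_to}">'
            f'<saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AuthnStatement AuthnInstant="2007-01-01T00:00:00Z"><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>')


def check_response(xml: str, req_id: str, min_class: str,
                   expected_name_id: Optional[str] = None) -> bool:
    """Fail closed: wrong InResponseTo, unexpected subject, missing or unranked
    class, or a class weaker than requested all reject the response."""
    root = ET.fromstring(xml)
    if root.get("InResponseTo") != req_id:
        return False
    if expected_name_id is not None:
        nid = root.find(f".//{{{SAML}}}Subject/{{{SAML}}}NameID")
        if nid is None or nid.text != expected_name_id:
            return False
    ref = root.find(f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/"
                    f"{{{SAML}}}AuthnContextClassRef")
    asserted = ref.text.strip() if ref is not None and ref.text else None
    if asserted not in LEVELS or min_class not in LEVELS:
        return False
    return LEVELS.index(asserted) >= LEVELS.index(min_class)
```

The check on the returned class is the step a relying application cannot skip: an IdP that did not implement the requested minimum may still answer with a Password class, and only the SP's own ranking decides whether that is acceptable for the resource in question, which is why the deck calls the vendor side of this "becoming" rather than "well" supported.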
Slide 26
Moving Forward
• Look at Real Time Risk Analysis
  • Need an easy model for agencies
• Establish Conventions for SAML usage
  • Update NZSAMS & eGov profile
• Lab Implementation
• Work with Vendors
Slide 27
Questions?
http://www.e.govt.nz/services/authentication