The Road to Identity 2.0
Adam Lewis, Office of the CTO
Mike Korus, Office of the CTO
IDENTITY 101
IDENTIFICATION: WHO ARE YOU?
AUTHENTICATION: CAN YOU PROVE IT? WHAT DEGREE OF ASSURANCE?
AUTHORIZATION: OK, I BELIEVE YOU. I GET TO DECIDE WHAT YOU GET TO DO OR NOT.
IDENTITY 1.0… AND WHY IT DOESN’T WORK ANYMORE
Identity Today: Application Silos
APPLICATION 1 (Application / Service Provider, application logic): IDENTITY = ALICE.SMITH; PASSWORD = 2DAQREF4ERQL; PASSWORD CHANGE MANAGEMENT = 30 DAYS
APPLICATION 2 (Application / Service Provider, application logic): IDENTITY = ALICE; PASSWORD = ABC123; PASSWORD CHANGE MANAGEMENT = 90 DAYS
APPLICATION 3 (Application / Service Provider, application logic): IDENTITY = Alice-22; PASSWORD = ABC123; PASSWORD CHANGE MANAGEMENT = NEVER
Each application = Identity provider and Service provider
Why Identity 1.0 is Broken
THE USER, THE ADMIN, THE DEVELOPER
It gets worse.
The Good ol’ Days: Users, their credentials, and the information they accessed were all within the secure perimeter of the Enterprise.
Today: Mobile. Cloud. Sharing of Information & Resources. The Perimeter has Dissolved.
WHERE WE HAVE BEEN
Home Agency Apps
REGIONAL APPLICATIONS
HOME AGENCY APPS
REAL-LIFE IDENTITY… AND WHAT WE CAN LEARN FROM IT
REAL-LIFE IDENTITY
1. BOB. IDENTIFY: “HI, I’M BOB.” AUTHENTICATE: “PROVE IT.”
2. DMV: “I HAVE AUTHENTICATED YOU. HERE IS A TOKEN ASSERTING MY AUTHENTICATION OF YOU AS WELL AS SOME ATTRIBUTES OF YOU.”
REAL-LIFE IDENTITY: STATE BORDERS
IDENTITY 2.0… BUILT FOR A DEPERIMETERIZED WORLD
Identity 2.0
1. IDENTIFY: “I AM OFFICER BOB.” AUTHENTICATE: “PROVE IT.” Bob authenticates to the Agency IdM function against its credential repository: biometric, password (***********), smart card.
2. “I HAVE AUTHENTICATED YOU, BOB. HERE IS A TOKEN ASSERTING MY AUTHENTICATION OF YOU… AS WELL AS SOME ATTRIBUTES OF YOU.”
The token:
Name: Officer Bob
Agency: Schaumburg Police Department
Role: Sergeant
Languages: English, Spanish, Russian
Qualifications: Firearms, CPR
Contact-mobile: 847-555-1234
Contact-email: [email protected]
User Authentication: RSA 2-factor
Signed by: Village of Schaumburg IdM
Identity 2.0
Identity 2.0 is the separation of the Identity Provider from the Service Provider.
IDENTITY 2.0: Centralized Credential Management, Single Sign-On, Federation, Strong Authentication
Centralized Credential Management
IDENTITY PROVIDER: Identity = Alice; Password = abc123; Attribute-1 (e.g. email), Attribute-2 (e.g. phone number), Attribute-3 (e.g. dept. no.); Password change management = 90 days; Password complexity rules; Password reuse rules; Activate / Suspend / Delete account. INTEGRATES WITH AGENCY’S EXISTING IDENTITY MANAGEMENT SYSTEM (E.G. ACTIVE DIRECTORY).
APPLICATION 1, APPLICATION 2 (Service Provider, application logic): Focus strictly on the service the app is looking to provide; leverage identity & credentials provisioned in the Identity Provider.
Enter your password
***********
© 2014 Motorola Solutions, Inc.
IDENTITY FEDERATION
LOCAL POLICE AGENCY → REGIONAL OR NATIONWIDE APPLICATIONS & SERVICES (CAD, VIDEO, PTT)
LOCAL AUTHORIZATION CONTROL
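The token slide, the Identity Provider / Service Provider split, centralized credential management and federation describe one mechanism: the agency's IdM authenticates Bob, signs a token carrying his attributes, and a regional service accepts that signature instead of running its own password database, while authorization stays local. The Go program below is an added example written for this transcript; it is not code from the deck or from Motorola Solutions. The token layout, the issuer/audience/validity fields, the factor-category list and the CAD policy are this example's assumptions, and it signs with Ed25519 from Go's standard library where a SAML or OpenID Connect deployment would use XML-DSig or JWS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the attribute token the agency's IdM hands to Bob, as a constructed JSON
// document. The field set is this example's own, not a SAML or JWT schema.
type Assertion struct {
	Issuer    string   `json:"issuer"`   // "Signed by": the IdM that authenticated the user
	Audience  string   `json:"audience"` // the one service provider that may accept this token
	Subject   string   `json:"subject"`  // Name
	Agency    string   `json:"agency"`
	Role      string   `json:"role"`
	Factors   []string `json:"factors"` // factor categories used: "know", "have", "am"
	IssuedAt  int64    `json:"iat"`
	ExpiresAt int64    `json:"exp"`
}

// Issue is the identity provider's half: sign the claims with the IdM's private key.
// Wire format: base64url(JSON) "." base64url(signature).
func Issue(a Assertion, key ed25519.PrivateKey) (string, error) {
	body, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(key, body)), nil
}

// Verify is the service provider's half. It never sees a password: it checks that a trusted
// issuer signed exactly these bytes, that the token was meant for this service, and that it
// is inside its validity window. Only then are the attributes believed.
func Verify(token string, trusted map[string]ed25519.PublicKey, audience string, now time.Time) (*Assertion, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, err
	}
	pub, ok := trusted[a.Issuer] // the issuer claim only selects a provisioned key; the signature decides
	if !ok {
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("bad signature")
	}
	if a.Audience != audience {
		return nil, fmt.Errorf("token issued for %q, not %q", a.Audience, audience)
	}
	if t := now.Unix(); t < a.IssuedAt || t >= a.ExpiresAt {
		return nil, errors.New("token outside its validity window")
	}
	return &a, nil
}

// Authorize is local authorization control: the regional service accepts the agency's
// authentication but decides for itself what Bob may do. Constructed policy: CJIS-type
// resources require multi-factor authentication, and dispatch requires a sergeant.
func Authorize(a *Assertion, resource string) bool {
	seen := map[string]bool{}
	for _, f := range a.Factors {
		seen[f] = true // count categories, not credentials: password + PIN is "know" once
	}
	if len(seen) < 2 {
		return false
	}
	switch resource {
	case "cad:read":
		return true
	case "cad:dispatch":
		return a.Role == "Sergeant"
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the IdM's signing key pair
	now := time.Now()
	token, _ := Issue(Assertion{Issuer: "Village of Schaumburg IdM", Audience: "regional-cad",
		Subject: "Officer Bob", Agency: "Schaumburg Police Department", Role: "Sergeant",
		Factors: []string{"have", "know"}, // "RSA 2-factor" read as token plus PIN (assumed mapping)
		IssuedAt: now.Unix(), ExpiresAt: now.Add(5 * time.Minute).Unix()}, priv)
	// The regional CAD service was provisioned with the agency's public key and nothing else.
	a, err := Verify(token, map[string]ed25519.PublicKey{"Village of Schaumburg IdM": pub}, "regional-cad", now)
	fmt.Println("verified:", err == nil, "may dispatch:", err == nil && Authorize(a, "cad:dispatch"))
}
```

Two checks carry the weight. The issuer claim only picks which provisioned public key to try; the signature decides whether any attribute is believed, so a token signed with the wrong key is rejected even when its issuer string is right. The audience check keeps a token minted for the CAD service from being presented to the records system. Authorization never leaves the service provider, which is the "local authorization control" box on the federation slide.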
Strong Authentication
76% of 2012 network intrusions exploited weak or stolen credentials.
In 2007 there were ~30 vendors in authentication; approximately 12 new vendors have been added per year, and today there are over 100.
Source: PingIdentity
AT WORK, AT HOME: the average corporate user maintains 15 passwords within both private and corporate spheres.
One Constant: CHANGE. Memorization. Re-Use. Avoid Change.
• Like the cockroach… passwords will outlive us all
• But that does not mean… we shouldn’t try to exterminate them
STRONG AUTHENTICATION
SOMETHING I AM. SOMETHING I HAVE. SOMETHING I KNOW.
CJIS REQUIRES STRONG AUTHENTICATION – MSI HAS SOLUTIONS TO MEET THOSE NEEDS TODAY
• The Identity problem
– Who are you?
– Prove it
– How confident are we in the “proofing”?
• Federal standards define “how certain”: Level of Assurance (LoA)
– Defined in M-04-04 (Dec 16, 2003), Executive Office of the President, Office of Management and Budget
OMB LoA and description:
Level 1: Little or no confidence in the asserted identity’s validity.
Level 2: Some confidence in the asserted identity’s validity.
Level 3: High confidence in the asserted identity’s validity.
Level 4: Very high confidence in the asserted identity’s validity.
AROUND THE WORLD IN 80 DAYS… GLOBAL TRENDS IN IDENTITY
UNITED STATES
INTERNATIONAL
CLOSING THOUGHTS… AND THINGS TO REMEMBER
PILLARS OF IDENTITY 2.0
CENTRALIZED CREDENTIAL MANAGEMENT. SINGLE SIGN-ON. FEDERATION: PORTABLE & INTEROPERABLE. STRONG AUTHENTICATION.
WHAT DO YOU GET? MOBILE FRIENDLY. CLOUD READY. INDUSTRY DOMINANT. OPEN STANDARDS.
In a deperimeterized mobile & cloud world, where first responders are accessing information – located anywhere – from anywhere – Identity *IS* the new perimeter.
July 17, 1996: Emergency services personnel from Suffolk County, NY and the United States Coast Guard respond to a report of a catastrophic explosion and the crash of a passenger airliner over the ocean off the southern coast of Long Island. The initial assumption is a nexus to terrorism. The East Moriches Coast Guard Station is designated as the operations command post, staging area, and evidence collection point. As the incident shifts from response to recovery, personnel from various response disciplines and levels of government stream into the station. Among them is Lieutenant Colonel David Williams of the U.S. Army Reserve. LTC Williams, dressed in his U.S. Army Reserve flight suit, presents identification, enters the site, and assists in the operation by landing helicopters on the designated helipads. On the third day of his work, LTC Williams is questioned concerning his identity and affiliation. Following a brief investigation, LTC Williams is identified as an impostor, escorted from the property, and charged by the Suffolk County Police.
September 11, 2001: When the Pentagon was struck it resulted in a massive response of public safety personnel from fire, EMS, and police. Given the technology used at the time, it was impossible to authenticate and validate emergency responders at a pace necessitated by the disaster. While the majority of emergency responders already had identification cards, their credentials were not recognized at all levels of government or by the various jurisdictions. The incident commanders on site either had to assume that people were who they said they were, or they had to deny or delay access of critical emergency personnel to the crash scene. This same scenario could be applied to any disaster at any secured building in any city or state.
Strong Authentication / Advanced Authentication
• Single Factor: Choose ONE OF something I am, something I have, something I know
• Multi Factor: Choose TWO OR MORE OF something I am, something I have, something I know
• User Authentication Factors
Something I Know: PIN; Password/Phrase; Gesture; Shape; Pattern
Something I Have: Smart badge; OTP Token; Key Fob (Yubico); Smartphone/Tablet; Bio-stamp/Tattoo; Wearable; NFC Ring; PIV; OTP
Something I Am: Brainwave (EEG); Heart Rhythm (ECG); Voice; Fingerprint; Finger/hand vein; Iris scan; Facial scan
Authentication for Public Safety
• 1. REMOTE ACCESS: CJIS MANDATES STRONG AUTHENTICATION
• 2. PHYSICAL ACCESS: FRAC CARDS FOR INTEROPERABILITY
• 3. DEVICE ACCESS: SENSITIVE DATA ON DEVICES & OPEN SESSIONS
• Think To Authenticate (NeuroSky)
– Started as “brain fitness”
– Your brainwave is unique
– Focus on a thought
– Some difficulties: slow; focus; very early research
• Key Stroke to authenticate
– Something I know (simplified password)
– Something I am: dwell time, flight time
– Stops password sharing
• EKG to authenticate (Bionym)
– Your EKG is unique
– Not affected by caffeine or exercise: heart rate, yes; EKG characteristics, no.
– How many sensors? Hospital = 12; authentication = 2
– Communicates to your device over Bluetooth or NFC
• Smartbadge: tap to authenticate
– Uses NFC technology, a standard supported by most smartphones
– Federal PIV card standards: Personal Identity Verification card, FIPS PUB 201-2
– PIV-I/FRAC cards: First Responder Authentication Credential
• Future capability
– Smartbadge turns your phone into a badge
– Draft NIST SP 800-157: card emulation on radio
Tap Smart Card → LOGON
• Continuous authentication: is it “still you”? Is it “still you”? … Is it “still you”?
Biometric system building blocks
Enrollment: User → Sensor → Feature extraction & template creation → Database (enrollment template BE stored under the user's ID)
Authentication (1:1): User presents ID and sample → Sensor → Feature extraction & template creation (BA, BA’) → Matching function against the stored template (BE’) → Decision (Y/N)
Identification (1:N): User → Sensor → Feature extraction (BI, BI’) → Matching function against the whole Database → Identity
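The keystroke slide (dwell time, flight time) and the block diagram above fit together: keystroke timing is the biometric, and the same template is used once for 1:1 authentication against a claimed ID and once for 1:N identification over the whole database. The Go program below is an added example for this transcript, not code from the deck or from Motorola Solutions. The key-event format, the mean/z-score matcher, the 1.5 threshold, the 5 ms spread floor and the two synthetic typists are all this example's assumptions; a real keyboard sensor replaces Synthesize.

```go
package main

import (
	"fmt"
	"math"
)

// KeyEvent is one keystroke as the sensor reports it (constructed format), times in ms.
type KeyEvent struct {
	Key          rune
	DownMs, UpMs float64
}

// Template is what the database stores after enrollment: per-feature mean and spread.
type Template struct{ Mean, Std []float64 }

// DB is the database box: ID -> template.
type DB map[string]Template

// Threshold is the Y/N cut-off (assumption; tuned in practice against measured error rates).
const Threshold = 1.5

// Features is feature extraction: dwell time (key held) and flight time (release to next press).
func Features(events []KeyEvent) []float64 {
	f := make([]float64, 0, 2*len(events))
	for i, e := range events {
		f = append(f, e.UpMs-e.DownMs) // dwell
		if i+1 < len(events) {
			f = append(f, events[i+1].DownMs-e.UpMs) // flight
		}
	}
	return f
}

// Enroll is template creation: mean and spread per feature over several samples of one phrase.
func Enroll(samples [][]float64) Template {
	n := float64(len(samples))
	t := Template{Mean: make([]float64, len(samples[0])), Std: make([]float64, len(samples[0]))}
	for _, s := range samples {
		for i, v := range s {
			t.Mean[i] += v / n
		}
	}
	for _, s := range samples {
		for i, v := range s {
			t.Std[i] += (v - t.Mean[i]) * (v - t.Mean[i]) / n
		}
	}
	for i := range t.Std { // floor the spread at 5 ms (assumption) so a very consistent enrollment cannot lock out its own user
		t.Std[i] = math.Max(math.Sqrt(t.Std[i]), 5)
	}
	return t
}

// Score is the matching function: mean absolute z-score (0 = perfect match; larger = less alike).
func Score(t Template, probe []float64) float64 {
	if len(probe) != len(t.Mean) { // different phrase length: no match, rather than a panic
		return math.Inf(1)
	}
	sum := 0.0
	for i, v := range probe {
		sum += math.Abs(v-t.Mean[i]) / t.Std[i]
	}
	return sum / float64(len(probe))
}

// Verify is authentication, 1:1: the user claims an ID and is matched against that template only.
func (db DB) Verify(id string, probe []float64) bool {
	t, ok := db[id]
	return ok && Score(t, probe) < Threshold
}

// Identify is identification, 1:N: best match over the whole database, still gated by the threshold.
func (db DB) Identify(probe []float64) (string, bool) {
	best, bestScore := "", math.Inf(1)
	for id, t := range db {
		if s := Score(t, probe); s < bestScore {
			best, bestScore = id, s
		}
	}
	return best, bestScore < Threshold
}

// Synthesize stands in for the keyboard sensor: constructed events from a typist's usual dwell
// and flight times plus a deterministic per-key wobble.
func Synthesize(phrase string, dwell, flight, wobble float64) []KeyEvent {
	ev, clock := make([]KeyEvent, 0, len(phrase)), 0.0
	for i, r := range phrase {
		jitter := wobble * math.Sin(float64(i)+wobble)
		up := clock + dwell + jitter
		ev = append(ev, KeyEvent{Key: r, DownMs: clock, UpMs: up})
		clock = up + flight - jitter
	}
	return ev
}

func main() {
	phrase, db := "officer bob", DB{}
	for name, t := range map[string][2]float64{"bob": {95, 120}, "alice": {60, 200}} {
		var samples [][]float64
		for _, w := range []float64{1, 2, 3} { // three enrollment attempts per typist
			samples = append(samples, Features(Synthesize(phrase, t[0], t[1], w)))
		}
		db[name] = Enroll(samples)
	}
	probe := Features(Synthesize(phrase, 95, 120, 1.5)) // Bob types the phrase once more
	id, ok := db.Identify(probe)
	fmt.Println("verify as bob:", db.Verify("bob", probe), "identified as:", id, ok)
}
```

Two details matter for the slide's "stops password sharing" claim and for the 1:N box. Verify compares against one template only, so a borrowed password typed by someone else fails on timing even though the secret is right. Identify keeps the threshold: it reports the closest enrolled user only when that user is close enough, so an unknown typist gets no identity rather than the least-bad one.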
Challenge/response handshake: the biometric never leaves the device.
Submit factor 1, e.g. biometric → device verifies → success = access to the secret.
Application server: “prove you can lock this” with the secret → device responds → server verifies.
SECURITY: Tiered to needs; Policies; Federation; Secure elements (TEE, uSD…)
UX: Key for adoption; Unobtrusive/stealthy; Shared devices (load profiles)
COST: Leverage commercial tech; Standards
Security isn’t an afterthought; it’s a stream of consciousness.
– Back to the beginning
• It ties into identity management
• It’s the “primary authentication”
• What you use at work can be applied at home
Challenge/response handshake: biometric comparison on device or on card.
Submit factor 1, e.g. biometric → device or card verifies → success = access to the secret.
Application server: “prove you can lock this” with the secret → device responds → server verifies.
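The two handshake slides show the same flow twice, with the biometric matched on the device in one and on the device or card in the other; the closing slide names FIDO as the standard behind it. The Go program below is an added example for this transcript, a simplified model of that flow and not code from the deck, from Motorola Solutions or from the FIDO Alliance. The authenticator's key pair, the exact-match biometric check (a real matcher is the fuzzy template comparison from the block diagram), the server identifiers and the 32-byte challenge are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device (or smart card): it holds the private key and the enrolled
// biometric template, and neither ever crosses the wire. Constructed for this example.
type Authenticator struct {
	priv     ed25519.PrivateKey
	template [32]byte // stand-in for the enrolled template; a real matcher is a fuzzy comparison
	unlocked bool
}

// NewAuthenticator enrolls a biometric and generates the device-bound key pair. Only the
// public key leaves the device, to be registered with the application server.
func NewAuthenticator(biometric []byte) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, template: sha256.Sum256(biometric)}, pub, nil
}

// SubmitBiometric is factor 1, matched locally. Success unlocks the key ("access secret").
func (a *Authenticator) SubmitBiometric(sample []byte) bool {
	a.unlocked = sha256.Sum256(sample) == a.template
	return a.unlocked
}

// Respond answers "prove you can lock this": sign the challenge bound to the server's identity,
// so a response minted for one server is useless at another. One unlock buys one response.
func (a *Authenticator) Respond(serverID string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("key locked: biometric not verified")
	}
	a.unlocked = false
	return ed25519.Sign(a.priv, signedData(serverID, challenge)), nil
}

// signedData is the byte string both sides sign and verify: server id, separator, challenge.
func signedData(serverID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(serverID))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Server is the application server: it knows only the public key registered at enrollment
// and issues one fresh random challenge per login attempt.
type Server struct {
	ID         string
	registered map[string]ed25519.PublicKey
	pending    map[string][]byte
}

func NewServer(id string) *Server {
	return &Server{ID: id, registered: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.registered[user] = pub }

// Challenge issues a 32-byte random nonce (assumed size) and remembers it for this user.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify consumes the pending challenge first, so a captured response cannot be replayed,
// then checks the signature with the registered public key.
func (s *Server) Verify(user string, response []byte) bool {
	c, ok := s.pending[user]
	pub, registered := s.registered[user]
	delete(s.pending, user)
	return ok && registered && ed25519.Verify(pub, signedData(s.ID, c), response)
}

func main() {
	finger := []byte("constructed fingerprint sample")
	auth, pub, err := NewAuthenticator(finger)
	if err != nil {
		panic(err)
	}
	srv := NewServer("cad.example")
	srv.Register("bob", pub)
	c, _ := srv.Challenge("bob")
	auth.SubmitBiometric(finger)
	resp, _ := auth.Respond(srv.ID, c)
	fmt.Println("login:", srv.Verify("bob", resp), " replay:", srv.Verify("bob", resp))
}
```

The server never stores anything that could be used to impersonate Bob: a breach of the registered public keys yields nothing, which is the point of "biometric never leaves device". The two properties worth checking in such a design are that a response cannot be replayed (the challenge is consumed) and that it cannot be relayed to a different server (the server identity is inside the signed bytes).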
• Which assets require “user” access controls?
– Records management
– CAD
– CJIS
– Location
– Messaging
– Logging
– PTT services (?)
– …
• Single Factor or Multifactor
• Device or User Authentication
• Most of this is standards: NIST; FIDO; GlobalPlatform
• Technology enablers: Secure elements (CRYPTR micro); TEE; Wireless tokens/secure elements; Wearable biometrics