OASIS Trust Elevation Elevate Trust in Electronic Identities www.oasis-open.org Abbie Barbir, Ph.D Co-Chair OASIS Trust Elevation TC.

Slides:



Advertisements
Similar presentations
FFIEC Agency Supplement to Authentication in an Internet Banking Environment
Advertisements

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide
Multi-factor Authentication Methods Taxonomy Abbie Barbir.
Digital Certificate Installation & User Guide For Class-2 Certificates.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Functional component terminology - thoughts C. Tilton.
15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.
The SAFE-BioPharma Identity Proofing Process Author of Record SWG (Digital Credentials) October 3, 2012 Peter Alterman, Ph.D. Chief Operating Officer,
Authentication & Kerberos
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
FIT3105 Smart card based authentication and identity management Lecture 4.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
E-Authentication: What Technologies Are Effective? Donna F Dodson April 21, 2008.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Intra-ASEAN Secure Transactions Framework Project Progress Report
Geneva, Switzerland, September 2014 Introduction of ISO/IEC Identity Proofing Patrick Curry Director, British Business Federation Authority.
Biometrics: Identity Verification in a Networked World
Security-Authentication
Geneva, Switzerland, September 2014 Step-up authentication a key enabler of mobile on-line trust Progress report of ITU-T and OASIS Trust Elevation.
Security systems need to be able to distinguish the “white hats” from the “black hats”. This all begins with identity. What are some common identifiers.
Large-Scale, Cost-Effective, Progressive Authentication and Identify Management Solutions Enabling Security, Efficiency and Collaboration through Technology.
Chapter 10: Authentication Guide to Computer Network Security.
Author of Record Digital Identity Management Sub-Workgroup October 24, 2012.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.
Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 20,
HIT Standards Committee Hearing on Trusted Identity of Patients in Cyberspace November 29, 2012 Jointly sponsored by HITPC Privacy and Security Tiger Team.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
BUSINESS B1 Information Security.
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill/Irwin Business Plug-In B6 Information Security.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
“Stronger” Web Authentication: A Security Review Cory Scott.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
NIST Update: Part Deux Elaine Newton, PhD NIST
Levels of Assurance in Authentication Tim Polk April 24, 2007.
Ning Zhang, the University of Manchester, UK David Groep, National Institute for Nuclear and High Energy Physics, NL Blair Dillaway, OGF Security Area.
Security PS Evaluating Password Alternatives Bruce K. Marshall, CISSP, IAM Senior Security Consultant
Privacy and Security Tiger Team Meeting Discussion Materials Today’s Topic Recommendations on Trusted Identities for Providers in Cyberspace August 6,
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
0 1 WHAT KEEPS USERS AWAY? 2 47% 46% 43% 39% 40% 50% 45% 34% 21% 15% 20% 19% 13% 26% 20% 12% I fear that my account information will be viewed by an unauthorized.
McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.
OASIS Trust Elevation Elevate Trust in Electronic Identities Gershon Janssen, Member OASIS Trust Elevation TC
1 Data Access Control, Password Policy and Authentication Methods for Online Bank Md. Mahbubur Rahman Alam B. Sc. (Statistics) Dhaka University M. Sc.
Networking Network Classification, by there: 3 Security And Communications software.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
Securing Online Banking By Ben White CS 591. Who Federal Financial Institutions Examination Council What To authenticate the identity of retail and commercial.
COEN 351 Authentication. Authentication is based on What you know Passwords, Pins, Answers to questions, … What you have (Physical) keys, tokens, smart-card.
Chapter 17: Information Management in Treasury Outline: Basics of E-Commerce EDI Infrastructure Treasury Management Systems (TMSes) Other Issues in Treasury.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.
LEARNING AREA 1 : INFORMATION AND COMMUNICATION TECHNOLOGY PRIVACY AUTHENTICATION VERIFICATION.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
Challenge/Response Authentication
Mastercard Identity Check Mobile
Identity on the Internet
ESign Aashutosh.
System Access Authentication
Challenge/Response Authentication
Authentication.
Tokens & Proofing De-Mystified
Security Barriers Asset Proper Access Attack Security System
Office 365 Identity Management
Setting up an online account
E-Authentication: What Technologies Are Effective?
Installation & User Guide
Introduction of ISO/IEC Identity Proofing
COEN 351 Authentication.
Presentation transcript:

OASIS Trust Elevation Elevate Trust in Electronic Identities Abbie Barbir, Ph.D Co-Chair OASIS Trust Elevation TC

2 Goal OASIS Trust Elevation TC Goal is to define a set of methods or standardized protocols that service providers may use to elevate the trust in an electronic identity presented to them for authentication purposes

3 Why are we doing this work? Few consumers have high LOA-credentials. User Name and Password is not good enough More organizations look to implement systems that require authentication at higher Levels of Assurance When dealing with consumers and citizens, there is a clear need for dynamic authentication a customer should only be asked to do multi-factor authentication when they want to do “a high value transaction”, not as a prerequisite to visiting a website. There is an increased interest in transaction-based assurance: “authentication” based on the necessary current conditions of specified, validated attributes and agreements. Use of a step-up approach to multi-factor authentication. Recommendations by the Federal Financial Institutions Examination Council (FFIEC) and the highly publicized breaches in 2011 have made trust elevation a more urgent topic. Responding to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC).

4 Approach 1.Phase I: Catalog of Trust Elevation Methods Create a comprehensive list of methods being used currently to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved. Status: phase is completed – Committee Note pending publication 2.Phase II: Analysis of Trust Elevation Methods Analysis of identified methods to determine their ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved. Status: phase ending, final stages of delivering work 3.Phase III: Establish Trust Elevation Protocol Propose a protocol for Trust Elevation Status: phase starting

5 Definition of Trust Elevation Trust elevation: Increasing the strength of trust by adding factors from the same or different categories of trust elevation methods that don’t have the same vulnerabilities. There are five categories of trust elevation methods who you are, what you know, what you have, what you typically do and the context. What you typically do consists of behavioral habits that are independent of physical biometric attributes. Context includes, “but is not limited” to, location, time, party, prior relationship, social relationship and source. Elevation can be within the classic four X.1254 ITU-T LoA (ISO (NIST ))

6 Categories of Trust Elevation Methods Who you are – biometrics, behavioral attributes What you know – shared secrets, public and relationship knowledge What you have – devices, tokens - hard, soft, OTP What you typically do – described by ITU-T x1254 – behavioral habits that are independent of physical biometric attributes Context – e.g. location, time, party, prior relationship, social relationship and source

7 Levels of Assurance Trust Elevation Paths between Levels of Assurance

8 Trust Elevation Method List Methods sorted by trust elevation method category What you are – Biometric -- use of distinctive measurements about your physical body and or your behavior that are unique Physical Biometric – considered immutable and unique – Facial recognition – Iris Scan – Retinal Scan – Fingerprint Palm Scan – Voice – Liveliness biometric factors include: » Pulse. » CAPTCHA; » Temperature. Behavioral Biometric -- person’s physical behavioral activity patterns – Keyboard signature – Voice

9 Trust Elevation Method List What you know – User Name and Password (UN/PW) – Knowledge Based Authentication (KBA) User is asked one or more (sometimes 3 to 5) challenge questions User-data procured at enrollment time Static KBA – Questions and answers that do not change Dynamic KBA – questions that are user-specific and/or change over time and/or the answers to the questions change over time (e.g., asking the value of the customer’s last VISA transaction)

10 Trust Elevation Method List What you have – End Point Identity Landline number; Mobile phone number and or SIM and or OS; IP address, router, provider; Cookie, OS, browser, chip. – Token Hardware tokens – Proprietary tokens – USB tokens – Smart Cards – Mobile phone and or SIM. Software tokens – Digital certificates – Cookies

11 Trust Elevation Method List What you have – Out of Band User calls service provider from a registered phone; Response to a phone call from the service provider; Response to an from the service provider; Response to an SMS message from the service provider; Response to a mobile application transaction initiated by the service provider; Response to a post card; Response to a letter, registered or otherwise. – One Time Password (OTP) ; Mobile phone voice message; Mobile phone SMS message; Mobile phone application; Landline voice message; Mail (postcard, letter, registered mail, etc.); Proprietary hardware token with password generation capability.

12 Trust Elevation Method List What You Typically Do -- an individual’s repeated behaviors or behavioral habits – Browsing patterns (order in which pages are accessed, duration of access, links accessed, etc.); – Time of access; – Type of access, etc.

13 Trust Elevation Method List Context -- attributes relevant to the user or situation – Location; – Time of access; – Frequency of access; – Party; – Prior relationship ; – Social relationship; – Source and endpoint identity attributes such as Date of last virus scan IP address Subscriber identity module (SIM) Device basic input/ouput system (BIOS) Virus scan software version CallerID Cookie (presence and or contents); – Multi-channel combination; – Credential lifecycle attributes; – Certificate binding and or other chain of trust attributes; – Secure device with user specific disk allocation.

14 Method Examples (Use Cases) Reuse of Primary Authenticator Method Example Customer Retention Method Example Cloud Access Method Example Static KBA Method Example Session Elevation to Level of Identity Proofing Method Example Hub Provider of Pseudonymous Identity Method Example Step-Up Authorization Method Example Multi-channel by Phone Method Example Generic KBA Method Example Address Verification Service Method Example Split Large (Risky) Transactions into Multiple Smaller Transactions Method Example Use of Tokenized Device/Network Attributes Method Example Trust Elevation by Hard Token (OTP Generator) Method Example Multi-Attribute-Based Trust Elevation Service Method Example (AKA Fraud Detection) Emergency Access to Patient Healthcare Information – a European Method Example

15 Resources OASIS Trust-El Technical Committee Homepage