Stronger Authentication in a Federated World Bill Young Government Technology Services NZ State Services Commission

NZ State Services Commission Crown Copyright Quick Background of NZ Authentication n “Commercial” IdP for any government Agency n Policy Driven l Privacy l Security l Standards n Evolutionary Development - Web Applications First

NZ State Services Commission Crown Copyright Our Big Drivers n Privacy n May not Disenfranchise any part of the Public n Breadth of Scale in govt Departments

NZ State Services Commission Crown Copyright NZ AuthN & IdM Services

NZ State Services Commission Crown Copyright What’s our Challenge? n Continuous Improvement of Services n Risk-Based Approach to Security l Adapt to Evolving Threats l Match Pace with the New Services Provided to End Users n Limit Barriers to Uptake

NZ State Services Commission Crown Copyright Typical Responses to the Need for Stronger Authentication n Conventional l ‘Better’ Passwords l OTP Tokens n Less Conventional l PKI l Biometrics

NZ State Services Commission Crown Copyright Passwords “We need Stronger Passwords. Let’s Improve our Password Policy” n Longer more complex passwords, system generated passwords, password history, force frequent changes, etc. And the Result? n Un-usable, Un-Fit, Un-Friendly, Un-Supportable n Support Costs n Social Engineering There are Ways to Improve Passwords (just rarely used)

NZ State Services Commission Crown Copyright One Time Passwords (OTP) n Tokens l $$ - Token Cost & Logistics n Bingo cards & TAN sheets l More Cost-Effective, but Frequently Copied n Soft Tokens l Security & Usability Issues n SMS l Good, Except for High Volume Use

NZ State Services Commission Crown Copyright PKI n Soft Certificates l Issues with Usability and Security l Support Cost n Centrally Stored l Ok, But not Really 2FA n Smartcards, USB tokens l Hardware & OS Support is Incomplete l High Support Cost

NZ State Services Commission Crown Copyright Biometrics More Questions than Answers… ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

NZ State Services Commission Crown Copyright That’s all fine, but… …how does it contribute to a Risk-Based approach?

NZ State Services Commission Crown Copyright Run-Time Smartcard Risk Assessment Information Architecture AuthN Topology User Navigates Low ValueModerate Value High Value TokenUserId/Passwd Application/Resources Development Federated Identifier

NZ State Services Commission Crown Copyright Context Sensitive Authentication Definition: “Authentication based on Real Time Risk Analysis”

NZ State Services Commission Crown Copyright Run-Time Requested AuthN Context 5% High Value/risk 70% Low value/risk Real-time Risk Assessment Continue With Application User Enters Application OTP AuthN Application/ Resources Federated Identifier & Risk ‘Advice’ “Strong” AuthN No Action Required 25% Increased value/risk Device Detection UID/Password or Higher Requested AuthN Context Context Sensitive Approach

NZ State Services Commission Crown Copyright OOB Authentication Definition: Out of Band Authentication requires that separate information channels are used for authentication and access.

NZ State Services Commission Crown Copyright Run-Time AuthnContext User Enters Application Application/ Resources Federated Identifier & Risk ‘Advice’ UID/Password or Higher OOB AuthN Application Continues Perceived Channel Risk Phone AuthnContext SMS Out of Band Authentication

NZ State Services Commission Crown Copyright Transaction Authentication/Verification Definitions: “Transaction Authentication Verifies that the Correct User is Requesting a Transaction” “Transaction Verification Verifies that the Correct Transaction is Performed for the User” I’m combining both under the term “Transaction Authentication”

NZ State Services Commission Crown Copyright Run-Time Transaction Context/Details User Enters Application/ Resources Federated Identifier & Risk ‘Advice’ UID/Password or Higher “You are about Transfer $ to Account #BNZ Enter OTP to Continue” Application Continues Perceived Transaction Risk Transaction Authentication

NZ State Services Commission Crown Copyright Run-Time Transaction Context 5% High risk 70% Low value/risk Real-time Risk Assessment Continue With Application User Enters Step Up AuthN Application/ Resources OOB AuthN Transaction AuthN No Action Required 20% Increased value/risk 5% Perceived threat Device Detection UID/Password or Higher AuthN Context Federated Identifier & Risk ‘Advice’ Putting it all Together

NZ State Services Commission Crown Copyright Question? Should Transaction AuthN be done using SAML Web SSO? It’s an AuthZ problem too…

NZ State Services Commission Crown Copyright SAML Considerations How do these techniques look from a SAML point of view?

NZ State Services Commission Crown Copyright Context Sensitive Authentication Step Up Authentication SAML SpecWell Supported Liberty InteropNot Specified – Optional in US eAuth profile eGov ProfileSupported Vendor SupportBecoming Well Supported

NZ State Services Commission Crown Copyright Context Sensitive Authentication Returning Risk Context to SP SAML SpecWell Supported Liberty InteropNot Specified eGov ProfileNot Specified Vendor SupportMixed

NZ State Services Commission Crown Copyright OOB Authentication Passing to IdP SAML SpecWell Supported Liberty InteropNot Specified eGov ProfileNot Specified or Restricted Vendor SupportUnknown, but doubtful

NZ State Services Commission Crown Copyright Transaction Authentication Transaction Details and Context SAML SpecUnanticipated – Some options available Liberty InteropNot Specified eGov ProfileNot Specified Vendor SupportUnknown, but doubtful

NZ State Services Commission Crown Copyright Moving Forward n Look at Real Time Risk Analysis l Need an easy model for agencies n Establish Conventions for SAML usage n Update NZSAMS & eGov profile n Lab Implementation n Work with Vendors

NZ State Services Commission Crown Copyright Questions?