Using Levels of Assurance
Renee Shuey
nmi-edit CAMP: Charting Your Authentication Roadmap
February 8, 2007
Agenda
Disclaimer
About Penn State
Level Set on Levels of Assurance
– Delivering of the package
Uses for LOA
– Both internal and external to the university
Points to Ponder
Discussion, Q&A
Penn State
Established 1855, PA’s Land Grant
24 campus locations
80K students, 10K faculty, 10K staff
$640M annual research expenditure
Penn State IAM - Technology
Kerberos, DCE, Active Directory
LDAP (eduPerson)
Cosign (WebAccess)
Shibboleth
Member of InCommon
2nd Factor Authentication
“Access Account” - branding for Penn State identity, ~120K
“Short Term Access Accounts”
“Friends of Penn State” - branding for external identity, ~450K
Level Set - Delivering of the Package….
It’s all about how certain you are…
And how certain you need to be…
Scenario 1… (image of favorite web site deleted)
(photo of well-known delivery vehicle deleted)
(photo of individual from well-known delivery service deleted)
(image of nicely wrapped gift deleted)
Scenario 2… (image of favorite website deleted)
Identifying and Mitigating Risk
Risk
Identity Proofing
Logical & Physical Control
Indemnification
Liability
Laws & Regulations
Data
Intellectual Property
Transaction
Uses for Levels of Assurance
eCommerce Compliance
Payment Card Industry Questionnaire 8.11
– Is there an account-lockout mechanism that blocks a malicious user from obtaining access to an account by multiple password retries or brute force? Yes / No
Card Industry following bank industry requirement for 2nd Factor Authentication
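The questionnaire item above asks whether a lockout mechanism exists, not how one is built. The following is an added example of such a mechanism, written for this page; it is not code from the presentation or from Penn State's IAM stack. The thresholds (six failures, a 30-minute window, a 30-minute lock), the userid/password map and the injectable clock are all assumptions for illustration; the real figures belong to the current PCI DSS text.

```python
"""Account-lockout throttle of the kind PCI SAQ item 8.11 asks about.

Added example; not code from the presentation or from Penn State's IAM stack.
The thresholds are assumptions for illustration; take the real numbers from
the current PCI DSS text rather than from here.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_attempts: int = 6          # assumption: failures tolerated inside one window
    window_seconds: int = 30 * 60  # assumption: failures older than this are forgotten
    lock_seconds: int = 30 * 60    # assumption: how long a locked account stays locked


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginThrottle:
    """Wraps a password check with a per-account lockout counter.

    `passwords` is a constructed userid -> password map; a real system checks
    against stored hashes, but the lockout logic around the check is the same.
    """

    def __init__(self, passwords: Dict[str, str],
                 policy: Optional[LockoutPolicy] = None,
                 clock: Callable[[], float] = time.time):
        self._passwords = passwords
        self._policy = policy or LockoutPolicy()
        self._clock = clock  # injectable so the lockout window can be tested offline
        self._state: Dict[str, AccountState] = {}

    def is_locked(self, userid: str) -> bool:
        st = self._state.get(userid)
        return st is not None and self._clock() < st.locked_until

    def attempt(self, userid: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.

        Unknown users get the same 'denied' as a wrong password, so the
        response does not confirm which userids exist.
        """
        now = self._clock()
        st = self._state.setdefault(userid, AccountState())
        if now < st.locked_until:
            # A locked account rejects even the correct password until the lock expires.
            return "locked"
        # Forget failures that have fallen out of the counting window.
        st.failures = [t for t in st.failures if now - t < self._policy.window_seconds]
        expected = self._passwords.get(userid)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self._policy.max_attempts:
            st.locked_until = now + self._policy.lock_seconds
            st.failures.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle({"alice": "correct horse"})  # constructed sample account
    for guess in ["a", "b", "c", "d", "e", "f", "correct horse"]:
        print(guess, "->", throttle.attempt("alice", guess))
```

One caveat this item does not ask about: a per-account lock lets anyone who knows a userid lock its owner out on purpose, so it is usually paired with per-source rate limiting and a monitored unlock path rather than used alone.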
Business Transactions
Electronic Signatures
Promissory Notes
W-2 Information Online
“THE” Demo (at least the boss’s part)
Internet2 FastLane Demo
Points to Ponder
Decreasing of LOA
Password Resets
In Person Proofing
It’s a big, big world
Not all university affiliates are located on the campus
In fact, there are some we never see
Remote Proofing
Notary
Forms of Id
Self Service - Ask Questions?
Mother’s Maiden Name
Favorite Color
Favorite Pet’s Name
Create own Q & A
Spouse’s Nickname
First Concert Attended
Distribution
At times snail mail is still preferred and more trusted…
www.londonstimes.us
Points to Ponder
Multiple Registration Authorities
World Campus
Registrar
Admissions
Human Resources
Accounts Office
Hershey Medical
Multiple Registration Authorities
Registration Authorities need to change their requirements to meet identity provider requirements.
Understand the processes tied to the business, such as the activation of accounts, resetting of passwords, etc.
Applications relying on these processes:
– Applications need to change
– Processes for proofing, notification, etc. all need to be changed
– Activation of accounts and resetting of passwords needs to change
Multiple Registration Authorities
Multi-factor Authentication
Multi-factor remote network authentication.
Identity proofing procedures require verification of identifying materials and information.
Based on proof of possession of a key or a one-time password through a cryptographic protocol.
(This is the wording of NIST SP 800-63’s definition of Level 3.)
Points to Ponder
Changing the Culture
Identifying & adding new applications and services
Risk Assessment
– Ownership
– Data, Transaction, Function
Access control = authentication + LoA + attributes
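The last bullet is the deck's thesis in one line, and the earlier "Decreasing of LOA / Password Resets" and "Self Service - Ask Questions?" slides are its failure mode. The following is an added example that puts both into a policy check; it is not code from the presentation or from Penn State's IAM stack. The numeric levels, the mappings from proofing method, login method and password-reset channel to a level, the affiliation names and the two sample resources are all assumptions constructed for illustration. The point it shows: a session's level is the weakest of proofing, credential issuance and login method, so a self-service reset through security questions drops an in-person-proofed, two-factor user below what the W-2 application needs.

```python
"""Access control = authentication + LoA + attributes, as a policy check.

Added example; not code from the presentation or from Penn State's IAM stack.
The numeric levels, the mappings below, the affiliation names and the sample
resources are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# How certain the identity provider can be, by ingredient (assumed 1 = lowest, 3 = highest).
PROOFING_LOA = {"self_asserted": 1, "remote_notary": 2, "in_person": 3}
AUTHN_LOA = {"password": 2, "password+otp": 3}
# A password reset re-issues the credential; the reset channel caps the credential's
# level until the person is proofed again ("Decreasing of LOA / Password Resets").
RESET_LOA = {"security_questions": 1, "in_person": 3}


@dataclass
class Identity:
    userid: str
    proofing: str                  # how a registration authority proofed this person
    affiliations: FrozenSet[str]   # attributes the IdP would release
    credential_loa: int            # level at which the current credential was issued


@dataclass(frozen=True)
class Resource:
    name: str
    min_loa: int                   # how certain the application needs to be
    required_affiliations: FrozenSet[str]


def session_loa(identity: Identity, authn_method: str) -> int:
    """The weakest link sets the level: proofing, credential issuance, and how the user logged in."""
    return min(PROOFING_LOA[identity.proofing],
               identity.credential_loa,
               AUTHN_LOA[authn_method])


def reset_password(identity: Identity, channel: str) -> None:
    """Re-issue the credential through `channel`; a weak channel lowers the credential's level."""
    identity.credential_loa = min(PROOFING_LOA[identity.proofing], RESET_LOA[channel])


def authorize(identity: Identity, authn_method: str, resource: Resource) -> Tuple[bool, str]:
    """Authentication says who; LoA says how sure; attributes say whether they qualify."""
    loa = session_loa(identity, authn_method)
    if loa < resource.min_loa:
        return False, f"LoA {loa} below the {resource.min_loa} required by {resource.name}"
    missing = resource.required_affiliations - identity.affiliations
    if missing:
        return False, f"missing affiliation(s) {sorted(missing)} for {resource.name}"
    return True, "ok"


# Constructed sample resources: one high-assurance, one that only needs to know you are a student.
W2_ONLINE = Resource("W-2 Information Online", 3, frozenset({"employee"}))
COURSE_SITE = Resource("course site", 1, frozenset({"student"}))


if __name__ == "__main__":
    staff = Identity("alice", "in_person", frozenset({"employee"}), 3)  # constructed
    print(authorize(staff, "password", W2_ONLINE))         # level 2 < 3: denied
    print(authorize(staff, "password+otp", W2_ONLINE))     # level 3: allowed
    reset_password(staff, "security_questions")
    print(authorize(staff, "password+otp", W2_ONLINE))     # credential now level 1: denied
    reset_password(staff, "in_person")
    print(authorize(staff, "password+otp", W2_ONLINE))     # re-proofed: allowed again
```

The check is deliberately split into three questions in the order the slide gives them, so a denial says which ingredient fell short; an operator can then tell a re-proofing problem (send the user back to a registration authority) from an attribute problem (the IdP is not releasing what the application requires).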
To Summarize: It’s All about how certain you are… And How Certain you need to be…
Questions/Comments
Contact Information
Renee Shuey
ITS Emerging Technologies Group
Pennsylvania State University
RSHUEY@PSU.EDU
Copyright Renee Shuey 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.