
Geneva, Switzerland, 15-16 September 2014 Step-up authentication a key enabler of mobile on-line trust Progress report of ITU-T and OASIS Trust Elevation.


Slide 1: Step-up authentication, a key enabler of mobile on-line trust. Progress report of ITU-T and OASIS Trust Elevation work
Abbie Barbir Ph.D., Chair OASIS Trust Elevation TC, abarbir@live.ca
ITU Workshop on "ICT Security Standardization for Developing Countries" (Geneva, Switzerland, 15-16 September 2014)

Slide 2: Mobile Authentication
The talk/slides represent findings from OASIS and ITU work.
Mobile is going mainstream:
- Adoption of mobile devices for business is on the rise
- Organizations are rushing to mobilize their applications
- Mobile devices are used for providing authentication to applications
Threats to mobile:
- Data exposure from lost, stolen, or returned devices
- Mobile malware / zero-day attacks
- Security risks from 3rd-party applications
- OS vulnerabilities
- Network exposure (WiFi, NFC, etc.)
- App store issues
- Immature tools and debugging software
Mobile authentication:
- Context-based authentication is emerging
- Adoption of cloud-based services continues to grow
- Biometric authentication is on the rise
- Using the device as a token

Slide 3: Trends of Mobile Authentication: Emerging Needs and Capabilities
- Support of context-based access
- Fine(r) access control
- Map user (including device) identity and (possibly per-app) authentication credentials to an SLA
- Need to understand and compare user behavior across many devices
- Ability to categorize user access to different devices
- Be able to set access control based on degrees of validated device identity
- Fine-grain endpoint IdM
- Ability to identify, terminate and restrict access per application/device and other factors

Slide 4: Challenges of Mobile Authentication
Mobile app security challenges:
- Broader coverage beyond VPN needed
- Check for malicious behavior and threats at the app layer
- Continuous data monitoring and authentication
Mobile app considerations:
- Application architecture
- Offline vs. online access
- Storage of information on the device
- Various mobile OSes
- Device ownership: BYOD or corporate liable
Challenges to SSO on mobile:
- No standardized SSO
- Native mobile apps vs. web: native apps give a better user experience and leverage local device capabilities; SaaS vendor-provided apps authenticate to SaaS backend systems
- Web apps: browsers lack access to native device features (e.g. the camera), and browser UIs tend to be underpowered for small form factor devices
Diagram: a device profile and a user behaviour profile feed a risk analysis whose result is pass, fail, or verify (perform step-up AuthN; possible fraud). The trade-off is user experience and authentication convenience against risk-based policies.

Slide 5: OASIS Trust Elevation TC
Defining a set of standardized protocols to elevate trust in an electronic identity.
Trust elevation:
- Increasing the trust a relying party has that the online entity accessing its resources is the person or device it claims to be
- Reducing the risk, assumed by a relying party, that the online entity accessing its resources is not the person or device it claims to be
TC deliverables:
- Deliverable One: Collect current and imminent trust elevation methods
- Deliverable Two: Analysis of collected methods
- Deliverable Three: General principles and techniques to elevate trust in a transaction
- Deliverable Four: Trust Elevation Protocol and Markup Language

Slide 6: Authentication Categories
Who you are:
- Physical biometric: immutable and unique. Facial recognition, iris scan/retinal scan, fingerprint, palm scan/voice. Liveness biometric factors include pulse, CAPTCHA, etc.
- Behavioral biometric: based on a person's physical behavioural activity patterns. Keyboard signature, voice.
What you know:
- User name and password (UN/PW), a passphrase, a PIN. Very often used in combination with KBA methods.
- Knowledge-based authentication (KBA): static/dynamic KBA.
What you have:
- One-time password (OTP), smart card, X.509 and PKI. Rarely used alone; used in combination with UN/PW and a PIN.
What you do:
- Browsing patterns, time of access, type of device. Used in combination with other methods.
Context:
- Location; time of access; subscriber identity module (SIM); frequency of access; source and endpoint identity attributes. Mostly used to provide secondary attributes.

It is a big mistake to assume that strong authentication always results from combining multiple authentication attributes/factors. Only by combining attributes of different kinds (that is, different factors) with different (non-overlapping) sets of vulnerabilities is there a significant increase in resistance to attack and, thus, in authentication strength.

Trust elevation (step-up authentication): increasing the strength of trust (authentication) by adding factors from the same or different categories of trust elevation methods that do not share the same vulnerabilities.

There are five categories of trust elevation methods: who you are (biometrics, behavioral attributes), what you know (shared secrets, public and relationship knowledge), what you have (devices, tokens: hard, soft, OTP), what you typically do (described by ITU-T X.1254; behavioral habits that are independent of physical biometric attributes) and the context (location, time, party, prior relationship, social relationship and source). Elevation can be within the classic four ITU-T X.1254 LoAs.

Slide 7: Mobile Application Threat Model
- Spoofing: users to the mobile app (borrowed/stolen device; other malicious application)
- Spoofing: web services to mobile app (borrowed device; other malicious app)
- Tampering: mobile app (borrowed/stolen device; other malicious application)
- Disclosure: device data stores or residual data (borrowed/stolen device; malicious app functionality; attacks from mobile web services)
- Disclosure: mobile app to web service (attacks from local network; other malicious app)
- Denial of service: mobile app
- Elevation of privilege: mobile app or web service
Diagram elements: enterprise server and services; user; external services (can be malicious); a malicious user bypassing the mobile client; the mobile device (can be malicious) holding the mobile app, device file system, a malicious mobile app, local app storage and the local key chain.

Slide 8: Tackling mobile security risks
- Device centric: MDM, device policy, data encryption, containers
- Data centric: limit data on device, traffic encryption, virtualization
- Application centric: server-side protection, development, app store platforms
A balancing act between risk and convenience.

Slide 9: Trust Elevation Core Model (diagram)
1. User accesses an online resource with identity and/or attribute data (may consist of a credential).
2. Resource assesses the trustworthiness of the asserted identity according to policy.
3. Resource determines insufficient trustworthiness.
4. Resource engages the previously-determined trust elevation process.
Outcomes of the cycle: access to the resource for the transaction; rejection; or reapplication of yet another trust elevation cycle.

Slide 10: 4th Deliverable: "TE" Protocol and Markup Language
What we considered so far: OAuth, OpenID Connect, UMA, OATH, SAML
What we found:
- OAuth, OpenID and UMA are services that manage authorization. These services may utilize trust elevation before or after executing their service.
- SAML can support step-up also.
- OATH is an open framework for strong authentication, primarily focused on device credentials and authentication interfaces. It does not have a standard format for trust elevation (or am I missing something?).
What we proposed:
- Would support existing authentication and authorization specifications but would remain independent of them
- Would ensure existing identity assertion frameworks are supported
- Would be in XML and JSON formats

Slide 11: Trust Elevation Sequence (sequence diagram)

Slide 12: OASIS Trust Elevation Story
1. End-User accesses an online resource using a device with an asserted identity and/or attributes.
2. Device sends the End-User's identity and/or attribute data to the Relying Party (RP).
3. RP requests an Identity Provider (IdP) to assess the asserted identity.
4. RP validates each and every asserted attribute, if available, using an Attribute Provider (AP). The AP could be independent, part of the RP or part of a third party. The RP may involve multiple APs in a single transaction to validate various attributes.
5. RP engages an LoA Assessor (LA) to assess the LoA for the verified identity and/or attribute strength.
6. RP determines whether the asserted identity and attributes offer sufficient trustworthiness. For sufficient trustworthiness, present the resource [13, 14]. For insufficient trustworthiness, follow the Trust Elevation steps [7 - 12]. If there is no opportunity to elevate trust, then reject the request [13, 14].
7. RP engages a Trust-Elevation Method Determiner (MD) to determine the best possible type of method to be used for Trust Elevation. The MD is a repository of predetermined Trust Elevation methods for transactions involving various combinations of types of devices, RPs, IdPs, APs and LAs. The MD could be independent, part of the RP or part of a third party.
8. RP, based on feedback from the MD, requests valid authentication factors through the device. The device could provide factors with or without End-User intervention.

Slide 13: Trust Elevation Sequence - Story (continued)
9. RP requests an Identity Provider (IdP) to assess the asserted identity.
10. RP validates each and every asserted attribute, if available, using an Attribute Provider (AP). The AP could be independent, part of the RP or part of a third party. The RP may involve multiple APs in a single transaction to validate various attributes.
11. RP engages an LoA Assessor (LA) to assess the LoA for the verified identity and/or attribute strength.
12. RP determines whether the asserted identity and attributes offer sufficient trustworthiness. For sufficient trustworthiness, present the resource. For insufficient trustworthiness, follow the Trust Elevation steps again. If there is no opportunity to elevate trust, then reject the request.
13. RP presents information to the device.
14. Device presents information to the End-User.
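As an added example (not part of the presentation or of the OASIS TC's deliverables), a toy relying-party loop in Python that follows the core model and story above: assess the LoA, engage the method determiner while trust is insufficient, and present or reject. It also applies the rule from the Authentication Categories slide that a factor only elevates trust when it does not share vulnerabilities with the factors already used. The method table, the vulnerability tags and the one-level-per-non-overlapping-factor LoA scale are constructed assumptions, not taken from X.1254.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Method:
    name: str
    category: str       # who-you-are / what-you-know / what-you-have / what-you-do / context
    vulns: frozenset    # constructed tags for the attacks this factor is exposed to


# Constructed method repository, standing in for the Method Determiner's (MD) store.
METHODS = [
    Method("password", "what-you-know", frozenset({"phishing", "shoulder-surf", "malware"})),
    Method("pin", "what-you-know", frozenset({"shoulder-surf", "malware"})),
    Method("sms-otp", "what-you-have", frozenset({"sim-swap", "malware"})),
    Method("x509-smartcard", "what-you-have", frozenset({"stolen-device"})),
    Method("fingerprint", "who-you-are", frozenset({"stolen-device", "spoof-biometric"})),
    Method("keystroke-dynamics", "what-you-do", frozenset({"replay"})),
]


def assess_loa(used):
    """LoA Assessor (LA): a factor counts only if its vulnerabilities do not overlap earlier ones."""
    loa, covered = 0, set()
    for m in used:
        if m.vulns & covered:   # shares a weakness with an earlier factor: no real elevation
            continue
        covered |= m.vulns
        loa += 1
    return min(loa, 4)          # cap at the classic four X.1254 levels


def choose_method(used, repo=METHODS):
    """Method Determiner (MD): pick an unused method whose vulnerabilities are non-overlapping."""
    covered = set().union(*(m.vulns for m in used))
    for m in repo:
        if m not in used and not (m.vulns & covered):
            return m
    return None                 # no opportunity to elevate trust


def elevate(asserted, required_loa, repo=METHODS, max_cycles=3):
    """Core model: assess, run elevation cycles while insufficient, then present or reject."""
    used = list(asserted)
    for _ in range(max_cycles):
        if assess_loa(used) >= required_loa:
            return "present", [m.name for m in used]
        nxt = choose_method(used, repo)
        if nxt is None:
            break
        used.append(nxt)        # RP requests this factor through the device (story step 8)
    verdict = "present" if assess_loa(used) >= required_loa else "reject"
    return verdict, [m.name for m in used]
```

Adding a PIN to a password yields no elevation here because both share the shoulder-surf and malware tags, which is exactly the "big mistake" the slide warns about.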

Slide 14: Conclusions and Recommendations
- Step-up authentication will play a critical role in the mobile space.
- OASIS and ITU are working to create a generalizable framework for implementing non-credential-based online authentication best practices, based on current and near-future implementations. This expands and extends the options for multi-factor authentication implementations.
Mobility:
- It is all about app security
- Application fine-grain AuthN/AuthZ for one or more apps
- Move from static to continuous authentication
- Fine-grain policy enforcement
- Cloud ... cloud ... cloud
- Challenging, but in progress
- More opportunities for simplification and innovation

