SlideShare a Scribd company logo

Strong Authentication - Open Source

Download as PPT, PDF
Donald Malloy
Donald Malloy

The Initiative for Open Authentication (OATH) is a group working to drive adoption of open strong authentication technologies. OATH has developed an open reference architecture and standardized authentication algorithms like HOTP and TOTP to provide interoperable strong authentication without passwords. OATH is working to expand certification of products, define risk-based authentication interfaces, and promote authentication and identity sharing across multiple applications and networks through open standards.

Technology
1 of 53
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
Initiative for Open Authentication Secure Authentication without the need for Passwords Donald E. Malloy September 24th , 2015
Why the need for Strong Authentication? • Fraud continues to skyrocket • 10 Million Americans were victims of fraud last year • This amounts to over $3.5B of online fraud last year alone • Hacking into web sites and stealing passwords continue to be a main focus of fraudsters
Cyber Crime – A Growing Global Threat What do these companies have in common?
• https://www.pinterest.com/pin/12588975205856
Strong Authentication - Open Source
Market size & projections • Gartner says global IT spending is projected to increase to $77B • PwC reports that US information security budgets have grown at almost double the rate of IT budgets over the last two years • $1M+ cybersecurity sales to end-users are on the rise; according to FBR & Co. (Arlington, VA IB and M&A advisory firm) they have increased by 40% over last year The worldwide cybersecurity market estimates range from $77B in 2015 -- to $170B by 2020
History of Passwords • 1961 First computer generated password at MIT
Authentication Methods • Simple Passwords • Challenge Response • One time Passwords • Public Key Encryption • Single Sign On • Adaptive Authentication • Biometrics • Push Technologies • SMS • H/W Tokens • S/W Tokens Bill Gates declared the Password dead in 2004
Some Statistics • 664,065,960 RECORDS BREACHED • 76% breaches from compromised accounts • 4,188 DATA BREACHES made public since 2005 • Data credit card companies – United States represents 27% of world wide credit card volume – And anywhere from 46%->50% of the fraud
Strong Authentication - Open Source
2015: Bigger Breaches, Bigger Failures Premera BlueCross (3/18/2015) 11M Bank accounts Social Security numbers Anthem, Inc. (02/05/2015) 80M Social Security numbers Email addresses Physical addresses OPM (06/09/2015) 21.5M+ 1.1M fingerprints Personal names Date and place of birth Social Security numbers Complete background security application AshleyMadison.com (07/20/2015) 50M Personal names Email addresses Credit card numbers Physical addresses
Trends • EMV (Chip and pin) is being rolled out in the US. By October 2015, the credit card issuing companies will implement liability shift to merchants. • Fraud will move from POS and onto online transactions as it has in other countries and regions, Europe, UK, Canada. • Considering that mobile payment and e- commerce are growing exponentially….online transactions are a huge attraction to fraudsters.
Why now? Pressure is mounting to stop the leakage of secure information • Rapid growth of attacks (66% CAGR) • Information that needs protection is growing • Company reputation is at risk • Leadership reputation is at risk (it’s personal) • Customers and partners will demand it • PII regulation is coming (already in Europe) • Shareholders will demand it to protect profits • Strong security is a competitive advantage • Expense of managing exposure is no longer negligible
Issues Facing IT Managers
The Open Authentication Initiative (OATH) is a group of companies working together to help drive the adoption of open strong authentication technology across all networks. Q1
OATH History • Created 7 years ago to provide open source strong authentication. • It is an industry-wide collaboration that.. • Leverages existing standards and creates an open reference architecture for strong authentication which users and service providers can rely upon, and leverage to interoperate. • Reduces the cost and complexity of adopting strong authentication solutions. Q1
OATH : Background Networked entities face three major challenges today. •Theft of or unauthorized access to confidential data. •The inability to share data over a network without an increased security risk limits organizations. •The lack of a viable single sign-on framework inhibits the growth of electronic commerce and networked operations. Q1
OATH : Justification • The Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all. • OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks. Q1
OATH Membership (Partial)
OATH Reference Architecture: Establishing ‘common ground’ • Sets the technical vision for OATH • 4 guiding principles – Open and royalty-free specifications – Device Innovation & embedding – Native Platform support – Interoperable modules • v2.0 – Risk based authentication – Authentication and Identity Sharing Q4
Standardized Authentication Algorithms HOTP OCRA T-HOTP -Open and royalty free specifications -Proven security: reviewed by industry experts -Choice: one size does not fit all -Event-based OTP -Based on HMAC, SHA-1 -IETF RFC 4226 -Based on HOTP -Challenge-response authentication -Short digital signatures -IETF RFC 6287 -Time-based HOTP -IEF RFC 6238
OATH Roadmap CHOICE of AUTHENTICATION METHODS APPLICATION INTEGRATION & ADOPTION - HOTP - OCRA - T-HOTP CREDENTIAL PROVISIONING & LIFECYCLE - PSKC - DSKPP - Certification program - WS Validation - Auth & Identity Sharing work
Token Innovation and Choice Multi-Function Token (OTP & USB Smart Card) Soft OTP Token OTP Token OTP embedded in credit card OTP soft token on mobile phones HOTP applets on SIM cards and smart-cards OTP embedded in flash devices HOTP 100+ shipping products Q11
Certification Program • Certification Adoption – More products added in 2013 – Numerous products have been certificated from over 30 companies! • HOTP Standalone Client: 14 • TOTP Standalone Client: 12 • HOTP Validation Server: 11 • TOTP Validation Server: 9 – http://www.openauthentication.org/certification/pro ducts 24
OATH Review 25 Client OTP API OATH HTML Tags HMAC OTP (HOTP) RFC* Complete In progress/draft published Portable Symmetric Key Container Provisioning Protocols ThraudReport Validation Protocol Challenge- Response (OCRA) Time- Based (TOTP) Certification Token Identifiers Namespace TokenID Extensions
Work in 2015 • Algorithm profile update – Proposal and get RFC status • Expand the certification program – Additional profiles • Provisioning server (DSKPP) • Software token – Test enhancements • VALID specification – Adoption support and work completion • OTP usage with NFC • SAML 2.0 OTP authentication URI? 26
What about Technology beyond Passwords? • Adaptive Authentication • Biometrics – Fingerprint – Iris Scan – Voice – Facial Recognition • Biometrics are great but they are irrevocable
What about Stronger Passwords? • We have more passwords than ever before – ave. # of passwords used daily is >25. • Passwords attempt to answer the question: is this really you? • Knowing what to type doesn’t authenticate you. If that worked, fraudsters wouldn’t be successful. • Behavior analytics confirms who you are. • Eventually, you won’t have to remember a password at all – simply type a phrase, and based on your behavior, will confirm that it is really you. 60% of Internet users have the same password for more than one web account source: “Adults’ Media Use and Attitudes Report 2013” – Ofcom
The Behavioral Advantage All the Benefits, None of the Drawbacks Can’t be Stolen or Shared Identifies the Person Gradient Results Revocable Nothing to Remember No PII No Special Equipment Easy to Deploy Low Cost Usability Behavioral Biometric           Passwords           HW Tokens           SW Tokens           Fingerprint           Facial recognition           Iris Scan           Voice Recognition            Good  Okay  Poor Key Attributes
The Time is Now for Behavioral Analytics • Security technologies using white list/black list rules or signature-based strategies are failing to block increasingly sophisticated attackers • Network activity logs are generated and then ignored because human analysts capable to act on them are not available • Attackers are shifting to targeting individuals to trick or coerce them into giving up their usernames and passwords • Fraudsters are become increasingly proficient at assembling full data records from partial information stolen in earlier breaches Increase in recommendations by advocates of behavioral analytics -- but what is driving this trend?
Behavioral Login Using behavior to secure the login, the latest focal point for cyber attacks. Provides… •security without PII •frictionless user experience •control over subscription sharing With Nothing… •to possess, or lose (fobs, smartcards) •to remember (security questions) •to fail (devices/readers, cell phones, etc.) Over 300 million records breached in 2014, in the United States alone. source: data-breach.silk.co
OATH Authentication Framework 2.0 Provisioning Protocol Authentication ProtocolsAuthentication Methods Token Interface Validation Protocols Client Framework Provisioning Framework Validation Framework User Store Token Store AuthenticationToken HOTP Challenge/ Response Certificate ClientApplications Applications (VPN, Web Application, Etc.) Validation Services Provisioning Service Credential Issuer(s) Time Based Bulk Provisioning Protocols Risk Evaluation & Sharing Risk Interface Q4 AuthenticationandIdentity SharingModels
OATH and FIDO • WebOATH Client API – Draft done in Feb. 2012 • Allow vendors to provide various interoperable plug-ins • Allow web applications to control security policy – Similar initiative now by FIDO (Feb. 2013) • FIDO client – biometric or OTP credentials • Client and server protocol • Next step? Possibly work together? 33
Credential Provisioning Token manufacturer offline model • Portable Symmetric Key Container standard format (PSKC Internet-Draft) Dynamic real-time model • Dynamic Symmetric Key Provisioning Protocol (DSKPP Internet-Draft) • OTA provisioning to mobile devices, or online to PC/USB IETF KeyProv WG • Current RFC submissions Q5
Objectives • Understand the full lifecycle support needed for strong authentication integration • Learn different approaches to supporting strong authentication in your applications • Take away with the best practices for enabling strong authentication in applications
Certification Program • The OATH Certification Program – Intended to provide assurance to customers that products implementing OATH standards and technologies will function as expected and interoperate with each other. – Enable customers to deploy ‘best of breed’ solutions consisting of various OATH ‘certified’ authentication devices such as tokens and servers from different providers. • Introduced 2 Draft Certification Profiles at RSA – Tokens – HOTP Standalone Client – Servers – HOTP Validation Server • 10 Additional Profiles to be introduced throughout the year
Typical Application Scenario Transaction authentication & Signing • Log on to Bank’s web site • Give user name and password • Bank sends a challenge number used to create pin • User enters number into card and new secure pass code is generated • User then submits this new number to the bank’s web site • Transaction is then authorized by the bank
Recommended Validation Framework
Open Source Authentication
Authentication Integration Architecture • Direct authentication integration over standard protocol • Plugin based authentication integration
Plugin Based • Enable two-factor authentication in your existing third party authentication server for user password – Your application codes don’t need to change – Out of box strong authentication support in your existing third party authentication server • Integration Connectors available from authentication solution vendors, e.g. RSA, Symantec – e.g. CDAS plugin for IBM Access Manager – Develop your customized plugin for your existing third party authentication server
OATH Timeline A humble beginning! Common OTP Algorithm HOTP Steady Progress… OATH Reference Architecture 1.0 - New HOTP devices - Membership expansion - Public Roadmap release Roadmap Advances - Portable Symmetric Key Container - Challenge-Response Mutual Authentication - Provisioning Protocol - Risk-based Authentication - Authentication Sharing - IETF KeyProv - Interop Demo OATH Reference Architecture 2.0
Risk Based Authentication Architecture Validation client Validation framework Risk evaluation and sharing Fraud information exchange network User store Authentication protocol Validation protocol Risk interface Fraud Network Interface (Thraud) Validation client Validation framework Risk evaluation and sharing Fraud information exchange network User store Authentication protocol Validation protocol Risk interface Fraud Network Interface (Thraud) • Risk-based authentication – Convenient authentication for low risk transactions – Stronger authentication for higher risk transactions • OATH will define standardized interfaces – Risk Evaluation – Sharing fraud information (ThraudReport)
Authentication and Identity Sharing • Promotes use of single credential across applications – Force multiplier! • Multiple approaches – One size does not fit all • Models that leverage identity sharing technologies – Kantara, SAML, OpenID, etc. • Models to enable sharing of 2nd factor authentication only – Simpler liability models
Authentication Sharing – Centralized Token Service model • Token is validated centrally in the validation service – Same token can be activated at multiple sites • Easy integration for application web site(s). – Can leverage OATH Validation Service work! Q8
Authentication Sharing – Distributed Validation Model • Inspired by ‘DNS’ • Rich set of deployment models – Standalone system can join the network by publishing token discovery information • There needs to be a central Token Lookup Service. – OATH considering developing Token Lookup protocol. Q8
Authentication Sharing – Credential Wallet • Shared device – Multiple credentials • Credentials are dynamically provisioned onto the device. – Leverage OATH Provisioning specifications. Q8
Identity Federation & OATH • Enables user to use same identity across website(s) – Traditional federation (Liberty) – User-centric models (OpenID, CardSpace) • Single Identity becomes more valuable – Needs to protected using strong authentication OATH: promote the user of strong authentication with these technologies!
Driving a fundamental shift fromDriving a fundamental shift from proprietary to open solutions!proprietary to open solutions!  An industry-wide problem mandates an industry wide solution • Strong Authentication to stop identity theft across all the networks  A reference architecture based on open standards • Foster innovation & lower cost • Drive wider deployment across users and networks  Minimal bureaucracy to get the work done! Summary
How to Get Involved • Visit the OATH website – Download Reference Architecture v2 – Download and review draft specifications • Engage - contribute ideas, suggestions – Review public draft specifications – Get involved in developing specifications • Become a member! – 3 levels - Coordinating, Contributing, Adopting – Become an active participant
Open Source Implementation • RADIUS Client – Java • http://wiki.freeradius.org/Radiusclient – .NET – C/C++ • Authentication Server with OTP Support – Radius server • http://www.freeradius.org/ • Need to add OTP auth plugin – Triplesec • http://cwiki.apache.org/DIRxTRIPLESEC/
References and Resources • Initiative for Open AuTHentication (OATH) – http://www.openauthentication.org • HOTP: An HMAC-Based One-Time Password Algorithm – RFC 4226 – http://www.ietf.org/rfc/rfc4226.txt • TOTP: Time Based One Time Password Algorithm – RFC 6238 – http://tools.ietf.org/html/rfc6238 • OCRA: OATH Challenge/Response - RFC 6287 – http://tools.ietf.org/html/rfc6287 • OATH Reference Architecture – http://www.openauthentication.org
Questions & Answers Thank You!

More Related Content

What's hot (20)

PDF
Dealing with Fraud in E-Banking Sphere
Goutama Bachtiar
 
PDF
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Dinesh O Bareja
 
PPT
Web Application Hacking 2004
Mike Spaulding
 
PPTX
Data breach presentation
Bradford Bach
 
PPTX
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Eric Vanderburg
 
PDF
Event Guide V8
ThreatMetrix
 
PDF
Passwordless is Possible - How to Remove Passwords and Improve Security
SecureAuth
 
PDF
Bug Bounty Programs : Good for Government
Dinesh O Bareja
 
PDF
CYBER THREAT FORCAST 2016
Bolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
PDF
Cscu module 04 data encryption
Sejahtera Affif
 
PPT
Security in e-commerce
SensePost
 
PDF
Verizon 2014 data breach investigation report and the target breach
Ulf Mattsson
 
PDF
Intelligence-Driven Fraud Prevention
EMC
 
PPTX
Lessons v on fraud awareness (digital forensics) [autosaved]
Kolluru N Rao
 
PDF
Insecure magazine - 51
Felipe Prado
 
PPTX
Cyber Safety
Asim Sourav Rath
 
PDF
Securing 3-Mode Mobile Banking
Jay McLaughlin
 
PDF
The International Journal of Engineering and Science (The IJES)
theijes
 
PDF
Conducting Digital Forensics against Crime and Fraud
Goutama Bachtiar
 
PDF
Netop Remote Control Embedded Devices
Netop
 
Dealing with Fraud in E-Banking Sphere
Goutama Bachtiar
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Dinesh O Bareja
 
Web Application Hacking 2004
Mike Spaulding
 
Data breach presentation
Bradford Bach
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Eric Vanderburg
 
Event Guide V8
ThreatMetrix
 
Passwordless is Possible - How to Remove Passwords and Improve Security
SecureAuth
 
Bug Bounty Programs : Good for Government
Dinesh O Bareja
 
CYBER THREAT FORCAST 2016
Bolaji James Bankole CCSS,CEH,MCSA,MCSE,MCP,CCNA,
 
Cscu module 04 data encryption
Sejahtera Affif
 
Security in e-commerce
SensePost
 
Verizon 2014 data breach investigation report and the target breach
Ulf Mattsson
 
Intelligence-Driven Fraud Prevention
EMC
 
Lessons v on fraud awareness (digital forensics) [autosaved]
Kolluru N Rao
 
Insecure magazine - 51
Felipe Prado
 
Cyber Safety
Asim Sourav Rath
 
Securing 3-Mode Mobile Banking
Jay McLaughlin
 
The International Journal of Engineering and Science (The IJES)
theijes
 
Conducting Digital Forensics against Crime and Fraud
Goutama Bachtiar
 
Netop Remote Control Embedded Devices
Netop
 

Similar to Strong Authentication - Open Source (20)

PPT
Security and Authentication at a Low Cost
Donald Malloy
 
PDF
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
Jenna Murray
 
PDF
The Why - Keith Graham, CTO – SecureAuth+Core Security
Core Security
 
PDF
Two-factor authentication- A sample writing _Zaman
Asad Zaman
 
PDF
Intelligent Authentication
CA Technologies
 
PDF
#MFSummit2016 Secure: Mind the gap strengthening the information security model
Micro Focus
 
PPT
Cartes Asia Dem 2010 V2
Donald Malloy
 
PDF
Enhancing Authentication to Secure the Open Enterprise
Symantec
 
PPT
Authentication and strong authentication for Web Application
Sylvain Maret
 
PPTX
Authentication(pswrd,token,certificate,biometric)
Ali Raw
 
PDF
Strong authentication implementation guide
Nis
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
PDF
Taking Control of the Digital and Mobile User Authentication Challenge
EMC
 
PDF
An Introduction to Authentication for Applications
Ubisecure
 
PDF
UNIT 2 Information Security Sharad Institute
SatishPise4
 
PDF
Making User Authentication More Usable
Jim Fenton
 
PDF
Govt authentication brief ca v
Mike Kuhn
 
PDF
AnevaluationofsecurestorageofauthenticationdataIJISR.pdf
tonkung6
 
PDF
Cloud expo 2016 kevin presentation
Kevin Thiele
 
PDF
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
Security and Authentication at a Low Cost
Donald Malloy
 
MACHINE LEARNING AND CONTINUOUS AUTHENTICATION A SHIELD AGAINST CYBER THREATS...
Jenna Murray
 
The Why - Keith Graham, CTO – SecureAuth+Core Security
Core Security
 
Two-factor authentication- A sample writing _Zaman
Asad Zaman
 
Intelligent Authentication
CA Technologies
 
#MFSummit2016 Secure: Mind the gap strengthening the information security model
Micro Focus
 
Cartes Asia Dem 2010 V2
Donald Malloy
 
Enhancing Authentication to Secure the Open Enterprise
Symantec
 
Authentication and strong authentication for Web Application
Sylvain Maret
 
Authentication(pswrd,token,certificate,biometric)
Ali Raw
 
Strong authentication implementation guide
Nis
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
Taking Control of the Digital and Mobile User Authentication Challenge
EMC
 
An Introduction to Authentication for Applications
Ubisecure
 
UNIT 2 Information Security Sharad Institute
SatishPise4
 
Making User Authentication More Usable
Jim Fenton
 
Govt authentication brief ca v
Mike Kuhn
 
AnevaluationofsecurestorageofauthenticationdataIJISR.pdf
tonkung6
 
Cloud expo 2016 kevin presentation
Kevin Thiele
 
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
Ad

Recently uploaded (20)

PDF
Blockchain Transactions Explained For Everyone
CIFDAQ
 
PDF
Presentation - Vibe Coding The Future of Tech
yanuarsinggih1
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PPTX
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PDF
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
PDF
From Code to Challenge: Crafting Skill-Based Games That Engage and Reward
aiyshauae
 
PDF
LLMs.txt: Easily Control How AI Crawls Your Site
Keploy
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PDF
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
PDF
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
PDF
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
PDF
July Patch Tuesday
Ivanti
 
PPTX
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
PDF
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
Blockchain Transactions Explained For Everyone
CIFDAQ
 
Presentation - Vibe Coding The Future of Tech
yanuarsinggih1
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
UiPath Academic Alliance Educator Panels: Session 2 - Business Analyst Content
DianaGray10
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
From Code to Challenge: Crafting Skill-Based Games That Engage and Reward
aiyshauae
 
LLMs.txt: Easily Control How AI Crawls Your Site
Keploy
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
Empower Inclusion Through Accessible Java Applications
Ana-Maria Mihalceanu
 
July Patch Tuesday
Ivanti
 
OpenID AuthZEN - Analyst Briefing July 2025
David Brossard
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
Ad

Strong Authentication - Open Source

  • 1. Initiative for Open Authentication Secure Authentication without the need for Passwords Donald E. Malloy September 24th , 2015
  • 2. Why the need for Strong Authentication? • Fraud continues to skyrocket • 10 Million Americans were victims of fraud last year • This amounts to over $3.5B of online fraud last year alone • Hacking into web sites and stealing passwords continue to be a main focus of fraudsters
  • 3. Cyber Crime – A Growing Global Threat What do these companies have in common?
  • 6. Market size & projections • Gartner says global IT spending is projected to increase to $77B • PwC reports that US information security budgets have grown at almost double the rate of IT budgets over the last two years • $1M+ cybersecurity sales to end-users are on the rise; according to FBR & Co. (Arlington, VA IB and M&A advisory firm) they have increased by 40% over last year The worldwide cybersecurity market estimates range from $77B in 2015 -- to $170B by 2020
  • 7. History of Passwords • 1961 First computer generated password at MIT
  • 8. Authentication Methods • Simple Passwords • Challenge Response • One time Passwords • Public Key Encryption • Single Sign On • Adaptive Authentication • Biometrics • Push Technologies • SMS • H/W Tokens • S/W Tokens Bill Gates declared the Password dead in 2004
  • 9. Some Statistics • 664,065,960 RECORDS BREACHED • 76% breaches from compromised accounts • 4,188 DATA BREACHES made public since 2005 • Data credit card companies – United States represents 27% of world wide credit card volume – And anywhere from 46%->50% of the fraud
  • 11. 2015: Bigger Breaches, Bigger Failures Premera BlueCross (3/18/2015) 11M Bank accounts Social Security numbers Anthem, Inc. (02/05/2015) 80M Social Security numbers Email addresses Physical addresses OPM (06/09/2015) 21.5M+ 1.1M fingerprints Personal names Date and place of birth Social Security numbers Complete background security application AshleyMadison.com (07/20/2015) 50M Personal names Email addresses Credit card numbers Physical addresses
  • 12. Trends • EMV (Chip and pin) is being rolled out in the US. By October 2015, the credit card issuing companies will implement liability shift to merchants. • Fraud will move from POS and onto online transactions as it has in other countries and regions, Europe, UK, Canada. • Considering that mobile payment and e- commerce are growing exponentially….online transactions are a huge attraction to fraudsters.
  • 13. Why now? Pressure is mounting to stop the leakage of secure information • Rapid growth of attacks (66% CAGR) • Information that needs protection is growing • Company reputation is at risk • Leadership reputation is at risk (it’s personal) • Customers and partners will demand it • PII regulation is coming (already in Europe) • Shareholders will demand it to protect profits • Strong security is a competitive advantage • Expense of managing exposure is no longer negligible
  • 14. Issues Facing IT Managers
  • 15. The Open Authentication Initiative (OATH) is a group of companies working together to help drive the adoption of open strong authentication technology across all networks. Q1
  • 16. OATH History • Created 7 years ago to provide open source strong authentication. • It is an industry-wide collaboration that.. • Leverages existing standards and creates an open reference architecture for strong authentication which users and service providers can rely upon, and leverage to interoperate. • Reduces the cost and complexity of adopting strong authentication solutions. Q1
  • 17. OATH : Background Networked entities face three major challenges today. •Theft of or unauthorized access to confidential data. •The inability to share data over a network without an increased security risk limits organizations. •The lack of a viable single sign-on framework inhibits the growth of electronic commerce and networked operations. Q1
  • 18. OATH : Justification • The Initiative for Open Authentication (OATH) addresses these challenges with standard, open technology that is available to all. • OATH is taking an all-encompassing approach, delivering solutions that allow for strong authentication of all users on all devices, across all networks. Q1
  • 20. OATH Reference Architecture: Establishing ‘common ground’ • Sets the technical vision for OATH • 4 guiding principles – Open and royalty-free specifications – Device Innovation & embedding – Native Platform support – Interoperable modules • v2.0 – Risk based authentication – Authentication and Identity Sharing Q4
  • 21. Standardized Authentication Algorithms HOTP OCRA T-HOTP -Open and royalty free specifications -Proven security: reviewed by industry experts -Choice: one size does not fit all -Event-based OTP -Based on HMAC, SHA-1 -IETF RFC 4226 -Based on HOTP -Challenge-response authentication -Short digital signatures -IETF RFC 6287 -Time-based HOTP -IEF RFC 6238
  • 22. OATH Roadmap CHOICE of AUTHENTICATION METHODS APPLICATION INTEGRATION & ADOPTION - HOTP - OCRA - T-HOTP CREDENTIAL PROVISIONING & LIFECYCLE - PSKC - DSKPP - Certification program - WS Validation - Auth & Identity Sharing work
  • 23. Token Innovation and Choice Multi-Function Token (OTP & USB Smart Card) Soft OTP Token OTP Token OTP embedded in credit card OTP soft token on mobile phones HOTP applets on SIM cards and smart-cards OTP embedded in flash devices HOTP 100+ shipping products Q11
  • 24. Certification Program • Certification Adoption – More products added in 2013 – Numerous products have been certificated from over 30 companies! • HOTP Standalone Client: 14 • TOTP Standalone Client: 12 • HOTP Validation Server: 11 • TOTP Validation Server: 9 – http://www.openauthentication.org/certification/pro ducts 24
  • 25. OATH Review 25 Client OTP API OATH HTML Tags HMAC OTP (HOTP) RFC* Complete In progress/draft published Portable Symmetric Key Container Provisioning Protocols ThraudReport Validation Protocol Challenge- Response (OCRA) Time- Based (TOTP) Certification Token Identifiers Namespace TokenID Extensions
  • 26. Work in 2015 • Algorithm profile update – Proposal and get RFC status • Expand the certification program – Additional profiles • Provisioning server (DSKPP) • Software token – Test enhancements • VALID specification – Adoption support and work completion • OTP usage with NFC • SAML 2.0 OTP authentication URI? 26
  • 27. What about Technology beyond Passwords? • Adaptive Authentication • Biometrics – Fingerprint – Iris Scan – Voice – Facial Recognition • Biometrics are great but they are irrevocable
  • 28. What about Stronger Passwords? • We have more passwords than ever before – ave. # of passwords used daily is >25. • Passwords attempt to answer the question: is this really you? • Knowing what to type doesn’t authenticate you. If that worked, fraudsters wouldn’t be successful. • Behavior analytics confirms who you are. • Eventually, you won’t have to remember a password at all – simply type a phrase, and based on your behavior, will confirm that it is really you. 60% of Internet users have the same password for more than one web account source: “Adults’ Media Use and Attitudes Report 2013” – Ofcom
  • 29. The Behavioral Advantage All the Benefits, None of the Drawbacks Can’t be Stolen or Shared Identifies the Person Gradient Results Revocable Nothing to Remember No PII No Special Equipment Easy to Deploy Low Cost Usability Behavioral Biometric           Passwords           HW Tokens           SW Tokens           Fingerprint           Facial recognition           Iris Scan           Voice Recognition            Good  Okay  Poor Key Attributes
  • 30. The Time is Now for Behavioral Analytics • Security technologies using white list/black list rules or signature-based strategies are failing to block increasingly sophisticated attackers • Network activity logs are generated and then ignored because human analysts capable to act on them are not available • Attackers are shifting to targeting individuals to trick or coerce them into giving up their usernames and passwords • Fraudsters are become increasingly proficient at assembling full data records from partial information stolen in earlier breaches Increase in recommendations by advocates of behavioral analytics -- but what is driving this trend?
  • 31. Behavioral Login Using behavior to secure the login, the latest focal point for cyber attacks. Provides… •security without PII •frictionless user experience •control over subscription sharing With Nothing… •to possess, or lose (fobs, smartcards) •to remember (security questions) •to fail (devices/readers, cell phones, etc.) Over 300 million records breached in 2014, in the United States alone. source: data-breach.silk.co
  • 32. OATH Authentication Framework 2.0 Provisioning Protocol Authentication ProtocolsAuthentication Methods Token Interface Validation Protocols Client Framework Provisioning Framework Validation Framework User Store Token Store AuthenticationToken HOTP Challenge/ Response Certificate ClientApplications Applications (VPN, Web Application, Etc.) Validation Services Provisioning Service Credential Issuer(s) Time Based Bulk Provisioning Protocols Risk Evaluation & Sharing Risk Interface Q4 AuthenticationandIdentity SharingModels
  • 33. OATH and FIDO • WebOATH Client API – Draft done in Feb. 2012 • Allow vendors to provide various interoperable plug-ins • Allow web applications to control security policy – Similar initiative now by FIDO (Feb. 2013) • FIDO client – biometric or OTP credentials • Client and server protocol • Next step? Possibly work together? 33
  • 34. Credential Provisioning Token manufacturer offline model • Portable Symmetric Key Container standard format (PSKC Internet-Draft) Dynamic real-time model • Dynamic Symmetric Key Provisioning Protocol (DSKPP Internet-Draft) • OTA provisioning to mobile devices, or online to PC/USB IETF KeyProv WG • Current RFC submissions Q5
  • 35. Objectives • Understand the full lifecycle support needed for strong authentication integration • Learn different approaches to supporting strong authentication in your applications • Take away with the best practices for enabling strong authentication in applications
  • 36. Certification Program • The OATH Certification Program – Intended to provide assurance to customers that products implementing OATH standards and technologies will function as expected and interoperate with each other. – Enable customers to deploy ‘best of breed’ solutions consisting of various OATH ‘certified’ authentication devices such as tokens and servers from different providers. • Introduced 2 Draft Certification Profiles at RSA – Tokens – HOTP Standalone Client – Servers – HOTP Validation Server • 10 Additional Profiles to be introduced throughout the year
  • 37. Typical Application Scenario Transaction authentication & Signing • Log on to Bank’s web site • Give user name and password • Bank sends a challenge number used to create pin • User enters number into card and new secure pass code is generated • User then submits this new number to the bank’s web site • Transaction is then authorized by the bank
  • 40. Authentication Integration Architecture • Direct authentication integration over standard protocol • Plugin based authentication integration
  • 41. Plugin Based • Enable two-factor authentication in your existing third party authentication server for user password – Your application codes don’t need to change – Out of box strong authentication support in your existing third party authentication server • Integration Connectors available from authentication solution vendors, e.g. RSA, Symantec – e.g. CDAS plugin for IBM Access Manager – Develop your customized plugin for your existing third party authentication server
  • 42. OATH Timeline A humble beginning! Common OTP Algorithm HOTP Steady Progress… OATH Reference Architecture 1.0 - New HOTP devices - Membership expansion - Public Roadmap release Roadmap Advances - Portable Symmetric Key Container - Challenge-Response Mutual Authentication - Provisioning Protocol - Risk-based Authentication - Authentication Sharing - IETF KeyProv - Interop Demo OATH Reference Architecture 2.0
  • 43. Risk Based Authentication Architecture Validation client Validation framework Risk evaluation and sharing Fraud information exchange network User store Authentication protocol Validation protocol Risk interface Fraud Network Interface (Thraud) Validation client Validation framework Risk evaluation and sharing Fraud information exchange network User store Authentication protocol Validation protocol Risk interface Fraud Network Interface (Thraud) • Risk-based authentication – Convenient authentication for low risk transactions – Stronger authentication for higher risk transactions • OATH will define standardized interfaces – Risk Evaluation – Sharing fraud information (ThraudReport)
  • 44. Authentication and Identity Sharing • Promotes use of single credential across applications – Force multiplier! • Multiple approaches – One size does not fit all • Models that leverage identity sharing technologies – Kantara, SAML, OpenID, etc. • Models to enable sharing of 2nd factor authentication only – Simpler liability models
  • 45. Authentication Sharing – Centralized Token Service model • Token is validated centrally in the validation service – Same token can be activated at multiple sites • Easy integration for application web site(s). – Can leverage OATH Validation Service work! Q8
  • 46. Authentication Sharing – Distributed Validation Model • Inspired by ‘DNS’ • Rich set of deployment models – Standalone system can join the network by publishing token discovery information • There needs to be a central Token Lookup Service. – OATH considering developing Token Lookup protocol. Q8
  • 47. Authentication Sharing – Credential Wallet • Shared device – Multiple credentials • Credentials are dynamically provisioned onto the device. – Leverage OATH Provisioning specifications. Q8
  • 48. Identity Federation & OATH • Enables user to use same identity across website(s) – Traditional federation (Liberty) – User-centric models (OpenID, CardSpace) • Single Identity becomes more valuable – Needs to protected using strong authentication OATH: promote the user of strong authentication with these technologies!
  • 49. Driving a fundamental shift fromDriving a fundamental shift from proprietary to open solutions!proprietary to open solutions!  An industry-wide problem mandates an industry wide solution • Strong Authentication to stop identity theft across all the networks  A reference architecture based on open standards • Foster innovation & lower cost • Drive wider deployment across users and networks  Minimal bureaucracy to get the work done! Summary
  • 50. How to Get Involved • Visit the OATH website – Download Reference Architecture v2 – Download and review draft specifications • Engage - contribute ideas, suggestions – Review public draft specifications – Get involved in developing specifications • Become a member! – 3 levels - Coordinating, Contributing, Adopting – Become an active participant
  • 51. Open Source Implementation • RADIUS Client – Java • http://wiki.freeradius.org/Radiusclient – .NET – C/C++ • Authentication Server with OTP Support – Radius server • http://www.freeradius.org/ • Need to add OTP auth plugin – Triplesec • http://cwiki.apache.org/DIRxTRIPLESEC/
  • 52. References and Resources • Initiative for Open AuTHentication (OATH) – http://www.openauthentication.org • HOTP: An HMAC-Based One-Time Password Algorithm – RFC 4226 – http://www.ietf.org/rfc/rfc4226.txt • TOTP: Time Based One Time Password Algorithm – RFC 6238 – http://tools.ietf.org/html/rfc6238 • OCRA: OATH Challenge/Response - RFC 6287 – http://tools.ietf.org/html/rfc6287 • OATH Reference Architecture – http://www.openauthentication.org

Editor's Notes

  • #16: [Bob]
  • #17: [Bob]
  • #18: [Bob]
  • #19: [Bob]
  • #20: [Bob]
  • #26: [Siddharth] [sv] updated based on current status. This picture shows the work items that OATH plans to deliver in 2006. Each work item is discussed in detail in a future slide.
  • #27: Client OTP API – start TFG meeting, and work on it VALID spec – discuss in TFG for update
  • #33: [Siddharth] [ Talk about the 4 focus areas viz. Client Framework Validation Framework Provisioning Framework Common Data models] This slide provides a high level view of the OATH reference architecture. Client Framework: The client framework enables a range of authentication methods, tokens, and protocols to be supported when deploying strong authentication across an enterprise or service provider infrastructure. The client framework allows for standards-based integration of multiple forms of strong authentication implemented using either existing or new authentication token technologies, and communicated using standard authentication protocols. Provisioning Framework: The provisioning and management module is responsible for provisioning and managing the entire lifecycle of software modules and/or security credentials to an authentication device. The purpose of this process is to bring the device from a “clean state” to a state where it can be used as an authentication token e.g. provisioning of certificates, or provisioning of an instance of an OTP token in software or a connected token. The goal of the Provisioning architecture is to accommodate secure and reliable delivery of software and/or security credentials to any client device, using standards-based provisioning protocols or programmatic interfaces. Validation Framework: The validation framework is responsible for validation of the different types of authentication credentials. Various applications that need authentication (such as VPN gateways or web applications) communicate with the validation module using standard validation protocols to authenticate the end-user. The goal of the Validation framework is to enable vendors to write custom validation modules and enables enterprises to deploy multiple types of authenticators in the same infrastructure. User Store: User store is responsible for storing all end-user profile information. This will include information such as a unique user identifier (username); profile information such as address, first name, last name, etc.; application specific attributes; and finally it may also store some authentication information such as password, token information, etc. User store is typically an LDAP directory or in some cases it could be a database.
  • #35: [Stu, #5]
  • #39: [Siddharth] Question (before showing the picture) – How many folks in the audience have multiple authentication technologies deployed in their infrastructure??? The OATH Validation framework is an architecture that will enable vendors to write custom validation modules and enables enterprises to deploy multiple types of authenticators in the same infrastructure. Additionally, the validation framework will enable organizations to deploy multiple protocol handlers such as RADIUS, OCSP, WS-Security, etc. The OATH validation framework will benefit the organization that deploys strong authentication by enabling use of multiple authentication methods in the same infrastructure, thereby enabling phased rollout of strong authentication solutions across a wider set of applications and user groups. As shown in the figure above, the validation framework will consist of the following sub-modules: • Protocol Handler framework: This framework will enable deployment of multiple protocol handlers • Validation Handler framework: This framework will enable deployment of multiple validation handlers. Validation handlers: Each validation handler will support validation of a particular instance or flavor of an authentication method e.g. HOTP, RSA SecurID, etc. •Infrastructure Layer: The infrastructure layer will provide some of the common functionality that can be used by the various other components in the validation system. Salient Features • Multiple authentication methods • Multiple validation protocols • Multiple validation clients • Standardized Configuration • Framework for logging operational and audit events
  • #43: [Stu, Q3] Architecture purpose: technical framework and roadmap for creating a set interoperable modules for strong auth. Audience: architects and IT managers, for use by both vendor community and user organizations looking to deploy auth solutions. Questions to ask - So, how many people have heard or actually downloaded the OATH reference architecture?
  • #46: [Stu, #8]
  • #47: [Stu, #8]
  • #48: [Stu, #8]
  • #50: Adoption requires fundamental shift from proprietary to open solutions Interoperable hardware and software components Built on existing technology and protocol – 90% of the work is already done Enable customers to leverage current application and network infrastructure The only way to build a more secure internet Push complexity to the cloud and increase scalability Requires collaborative effort to address this challenge Collaboration among authentication credential providers to create an open platform for stand alone and embedded credentials Endorsed and supported by leading network and application product providers Examples of this again – PC v Mac, Token Ring v IP, more examples here
  • #53: [Bob]
  • #54: [Bob]