Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Standards Architect, Microsoft

Published byRosaline Hampton Modified over 6 years ago

Similar presentations

Presentation on theme: "Identity Standards Architect, Microsoft"— Presentation transcript:

1 Identity Standards Architect, Microsoft
Strong Authentication using Asymmetric Keys on Devices Controlled by You Dr. Michael B. Jones Identity Standards Architect, Microsoft May 10, 2017

2 Web Authentication using Asymmetric Keys
1. User goes to Web Site User 4. User gesture authorizes use of key 2. User chooses to login with key 3. Site asks authenticator to use key Login with Key 5. Authenticator signs response with key 6. Site verifies signature and logs user in Authenticator Web Site

3 What’s an Authenticator?
An Authenticator is an abstraction that Can securely use private keys for authentication Will only use those keys when prompted by a user gesture What kinds of places might keys for an authenticator be? TPM on laptop Secure element on phone Storage on connected authenticator device Encrypted by the authenticator and held elsewhere for it What kinds of user gestures might prompt user of keys? Biometric PIN Touch

4 What’s Strong about using an Authenticator?
Authenticators don’t expose any secrets like passwords that can be stolen or guessed keep a private key private and sign with it – providing proof of possession only use the key when authorized by a user gesture

5 The Standards Making it Possible
W3C Web Authentication (WebAuthn) Enables sign-in with methods stronger than passwords with authenticators using securely held private keys that use the private key only with user permission which is given to the authenticator with a user gesture such as a biometric or PIN. FIDO 2.0 Client to Authenticator Protocol (CTAP) Can be used with WebAuthn to enable use of remote authenticators such as those on mobile phones or connected devices to be used when signing in.

6 Is WebAuthn for the first or second factor?
It is for for both use cases When first factor, user is logged in directly using authenticator Requires that the user gesture be specific to the user When second factor, authenticator augments first factor The first factor is often a traditional username/password The second factor tests user presence, but need not be user-specific This is the way that existing U2F devices are used

7 Example first factor user experience
Using Windows Hello to log into my Surface 4 This is using a Microsoft-developed protocol predating WebAuthn (Microsoft donated this protocol to the FIDO Alliance to use as they saw fit) Windows 10 implements the authenticator and stores the key The user gesture used is facial recognition Could also be a fingerprint or PIN

8 Looking for you… (camera on)

9 Hello Welcome… (camera off)

10 Signed in and transitioning to desktop

11 Example second factor user experience
Using Yubico YubiKey as second factor for a Google account This is using the FIDO U2F protocol predating WebAuthn and FIDO 2.0 The authenticator is attached by a USB port The user gesture is touching a capacitive touch sensor Note that this is not user-specific, since anyone could successfully touch it

12 Prompt for first factor (password)

13 Prompt for second factor (authenticator)

14 User touches authenticator to authorize release of cryptographic second factor

15 Standards Status On May 5, 2017, W3C WebAuthn published WD-05
Several browsers plan to update their implementations to this version FIDO 2.0 Client to Authenticator Protocol (CTAP) progressing in parallel Current drafts available to FIDO Alliance members Public drafts will be published by FIDO when deemed ready

16 Preview of Coming Attractions
Browsers implementing WebAuthn and CTAP drafts Experimental applications using these browsers with authenticators Interop testing of implementations Continuing refinements of WebAuthn and CTAP specifications Enablement of commonplace strong authentication on the Web!

17 Where can I participate & learn more?
W3C Web Authentication working group FIDO 2.0 working group My blog me

Download ppt "Identity Standards Architect, Microsoft"

Similar presentations

Mobile Devices in the DoD

Mobile Devices in the DoD
Security for Mobile Devices

Security for Mobile Devices
Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 

Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Microsoft Ignite /16/2017 4:55 PM

Microsoft Ignite /16/2017 4:55 PM
Copyright © 1995-2003 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Passwords are not able to keep user safe.

Passwords are not able to keep user safe.
Larry Shi Computer Science Department Graduate Research Mini Talk.

Larry Shi Computer Science Department Graduate Research Mini Talk.
Openid Connect https://store.theartofservice.com/the-openid-connect-toolkit.html.

Openid Connect
“The FIDO Alliance Today”

“The FIDO Alliance Today”
The FIDO Approach to Privacy Hannes Tschofenig, ARM Limited 1.

The FIDO Approach to Privacy Hannes Tschofenig, ARM Limited 1.
Adxstudio Portals Training

Adxstudio Portals Training
OpenID Certification June 7, 2016 Michael B. Jones Identity Standards Architect – Microsoft.

OpenID Certification June 7, 2016 Michael B. Jones Identity Standards Architect – Microsoft.
Modern User and Device Authentication  Biometric Fingerprints: Moving beyond Login  TPM Key Attestation: Binding a user and machine identities  Strong.

Modern User and Device Authentication  Biometric Fingerprints: Moving beyond Login  TPM Key Attestation: Binding a user and machine identities  Strong.
Understand User Authentication LESSON 2.1A Security Fundamentals.

Understand User Authentication LESSON 2.1A Security Fundamentals.
Authentication, Authorization and Accounting Lesson 2.

Authentication, Authorization and Accounting Lesson 2.
11 | Managing User Info Jeremy Foster Michael Palermo

11 | Managing User Info Jeremy Foster Michael Palermo

Similar presentations

Ads by Google