Next Steps toward More Trustworthy Interfaces. Burt Kaliski, RSA Laboratories. 1st Workshop on Trustworthy Interfaces for Passwords and Personal Information.

Slide 1: Next Steps toward More Trustworthy Interfaces
Burt Kaliski, RSA Laboratories
1st Workshop on Trustworthy Interfaces for Passwords and Personal Information
June 13, 2005

Slide 2: Market Problem
- Users don’t have a convenient way of gaining confidence that the applications they’re interacting with are the correct ones
  - especially when entering passwords and personal information
- User interface is typically not trustworthy, so the user can’t tell if the application can be trusted
  - “WYSINWYG”: what you see isn’t necessarily what you get
- An important and relatively separable part of the broader trustworthy computing issue

Slide 3: Not Just Passwords …
- More trustworthy interfaces benefit other authentication types besides traditional passwords, e.g.:
  - PIN entry for smart cards and other security tokens
  - one-time passwords (challenge-response, event-sync, time-sync)
  - passwords to unlock software credentials
- Trustworthy interfaces can be a platform for transitioning to stronger authentication, starting with passwords

Slide 4: Multiple Stakeholders
- Market problem brings together multiple parties involved in the interfaces and supporting protocols:
  - Application developers
  - Browser, OS and desktop software vendors
  - Identity providers and certificate authorities
  - User experience designers
  - Research community
- None can address the full problem alone: stakeholders must work together

Slide 5: Some Related Work
- All of this workshop, of course …
- Kim Cameron’s “Laws of Identity,” at the system level:
  1. User control and consent
  2. Minimal disclosure for a constrained use
  3. Justifiable parties
  4. Directed identity
  5. Pluralism of operators and technologies
  6. Human integration
  7. Consistent experience across contexts
- Carl Ellison and Jesse Walker’s “Ceremonies”
  - protocol interaction involving humans

Slide 6: Proposed Criteria for a Trustworthy Interface for Passwords and Personal Information
1. User can tell when interacting with an application through a trustworthy interface (e.g., via reserved “real estate”)
2. Interface provides a “trusted path” for data entry, protecting against other software
3. User can activate the interface, or it can be activated automatically
4. User can verify the identity of the application through the interface
5. Authentication is mutual: the application must also demonstrate knowledge of the password (or other authentication credential)
6. Personal information is protected: the trusted interface won’t provide it to an incorrect application
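Criteria 5 and 6 together describe an ordering: the application must prove knowledge of the credential before the trusted interface releases anything derived from it. The following is an added example, not code from the slides or from RSA Laboratories, showing one way to realize that ordering with a mutual challenge-response over a password-derived HMAC key. The password, salt, nonce sizes and the `Application`/`TrustedInterface` classes are constructed for illustration; the role labels in `proof` are an assumed design choice that keeps the two directions of the exchange distinct.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the page).
PASSWORD = b"correct horse battery staple"   # what the user shares with the real app
SALT = b"constructed-salt-for-example"       # public salt known to both sides
ITERATIONS = 50_000


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte MAC key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def proof(key: bytes, role: bytes, app_nonce: bytes, ui_nonce: bytes) -> bytes:
    """HMAC over a role label and both nonces: a proof of knowledge of `key`.

    The role label (b"app" or b"ui") keeps the two proofs distinct, so one
    side's proof cannot be reflected back to it as the other side's.
    """
    return hmac.new(key, role + app_nonce + ui_nonce, hashlib.sha256).digest()


class Application:
    """The party the user is about to log in to (legitimate or impostor)."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = os.urandom(16)

    def respond(self, ui_nonce: bytes) -> tuple:
        # Criterion 5: the application proves knowledge of the credential first.
        return self.nonce, proof(self.key, b"app", self.nonce, ui_nonce)

    def verify_user(self, ui_nonce: bytes, user_proof: bytes) -> bool:
        expected = proof(self.key, b"ui", self.nonce, ui_nonce)
        return hmac.compare_digest(expected, user_proof)


class TrustedInterface:
    """Trusted-path component that holds the password on the user's behalf."""

    def __init__(self, password: bytes, salt: bytes):
        self.key = derive_key(password, salt)

    def authenticate(self, app: Application) -> tuple:
        """Run the exchange. Returns (app_verified, user_accepted)."""
        ui_nonce = os.urandom(16)
        app_nonce, app_proof = app.respond(ui_nonce)
        expected = proof(self.key, b"app", app_nonce, ui_nonce)
        if not hmac.compare_digest(expected, app_proof):
            # Criterion 6: an application that cannot prove knowledge of the
            # credential receives nothing derived from it.
            return False, False
        user_proof = proof(self.key, b"ui", app_nonce, ui_nonce)
        return True, app.verify_user(ui_nonce, user_proof)


def run_login(app_password: bytes) -> tuple:
    """Simulate one login attempt against an application holding `app_password`."""
    app = Application(derive_key(app_password, SALT))
    ui = TrustedInterface(PASSWORD, SALT)
    return ui.authenticate(app)


if __name__ == "__main__":
    print("legitimate app:", run_login(PASSWORD))       # (True, True)
    print("impostor app:  ", run_login(b"phish-guess"))  # (False, False)
```

The point to take from the ordering is that an application holding the wrong credential never sees a value it could check offline against a password guess, because the interface stops before computing its own proof. The construction is still only as strong as the password against an eavesdropper who records both nonces and the application's proof, which is why password-based mutual authentication in deployed systems is normally run inside a server-authenticated channel or replaced by a password-authenticated key exchange (PAKE).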

Slide 7: Presumptions
1. Market problem is important
2. Collaboration of multiple stakeholders is essential to solve it
Industry goal: Provide trustworthy interfaces that give users confidence that their online interactions are with parties they trust, especially when entering passwords and personal information

Slide 8: Potential Collaborations: Putting TIPPI into Practice
1. Publish workshop summaries and propose concepts in other forums
2. Prepare an open letter challenging the industry to improve interfaces
3. Promote industry standards efforts:
   - user interface criteria and specific user experience designs
   - supporting protocols and APIs
4. Provide reference implementations
   - browser plug-ins, OS extensions
5. Plan on 2nd TIPPI Workshop, June 2006!

Slide 9: For More Information
Burt Kaliski, Chief Scientist, RSA Laboratories; VP Research, RSA Security. bkaliski@rsasecurity.com
Magnus Nyström, Technical Director, Office of the CTO, RSA Security (Stockholm Office). mnystrom@rsasecurity.com
www.rsasecurity.com
