Stronger Authentication in a Federated World
Bill Young, Government Technology Services, NZ State Services Commission

Slide 1: Stronger Authentication in a Federated World
Bill Young, Government Technology Services, NZ State Services Commission

Slide 2: Quick Background of NZ Authentication
(NZ State Services Commission, Crown Copyright)
- “Commercial” IdP for any government Agency
- Policy Driven
  - Privacy
  - Security
  - Standards
- Evolutionary Development - Web Applications First

Slide 3: Our Big Drivers
- Privacy
- May not Disenfranchise any part of the Public
- Breadth of Scale in govt Departments

Slide 4: NZ AuthN & IdM Services (diagram; no text extracted)

Slide 5: What’s our Challenge?
- Continuous Improvement of Services
- Risk-Based Approach to Security
  - Adapt to Evolving Threats
  - Match Pace with the New Services Provided to End Users
- Limit Barriers to Uptake

Slide 6: Typical Responses to the Need for Stronger Authentication
- Conventional
  - ‘Better’ Passwords
  - OTP Tokens
- Less Conventional
  - PKI
  - Biometrics

Slide 7: Passwords
“We need Stronger Passwords. Let’s Improve our Password Policy”
- Longer, more complex passwords, system-generated passwords, password history, forced frequent changes, etc.
And the Result?
- Un-usable, Un-Fit, Un-Friendly, Un-Supportable
- Support Costs
- Social Engineering
There are Ways to Improve Passwords (just rarely used)

Slide 8: One Time Passwords (OTP)
- Tokens
  - $$ - Token Cost & Logistics
- Bingo cards & TAN sheets
  - More Cost-Effective, but Frequently Copied
- Soft Tokens
  - Security & Usability Issues
- SMS
  - Good, Except for High Volume Use

Slide 9: PKI
- Soft Certificates
  - Issues with Usability and Security
  - Support Cost
- Centrally Stored
  - OK, But not Really 2FA
- Smartcards, USB tokens
  - Hardware & OS Support is Incomplete
  - High Support Cost

Slide 10: Biometrics
More Questions than Answers…

Slide 11: That’s all fine, but…
…how does it contribute to a Risk-Based approach?

Slide 12: AuthN Topology (diagram)
Labels as extracted: Run-Time; Development; Information Architecture; Risk Assessment; User Navigates; Application/Resources of Low Value, Moderate Value and High Value; credentials UserId/Passwd, Token and Smartcard; Federated Identifier.

Slide 13: Context Sensitive Authentication
Definition: “Authentication based on Real Time Risk Analysis”

Slide 14: Context Sensitive Approach (flow diagram)
Labels as extracted: User Enters Application; Device Detection; Run-Time Requested AuthN Context (UID/Password or Higher); Real-time Risk Assessment; outcomes: 70% Low value/risk - No Action Required; 25% Increased value/risk - OTP AuthN; 5% High Value/risk - “Strong” AuthN; Continue With Application; Application/Resources receives Federated Identifier & Risk ‘Advice’.

Slide 15: OOB Authentication
Definition: Out of Band Authentication requires that separate information channels are used for authentication and access.

Slide 16: Out of Band Authentication (flow diagram)
Labels as extracted: User Enters Application; Run-Time AuthnContext (UID/Password or Higher); Perceived Channel Risk; OOB AuthN via Email, Phone or SMS; AuthnContext; Application Continues; Application/Resources receives Federated Identifier & Risk ‘Advice’.

Slide 17: Transaction Authentication/Verification
Definitions:
“Transaction Authentication Verifies that the Correct User is Requesting a Transaction”
“Transaction Verification Verifies that the Correct Transaction is Performed for the User”
I’m combining both under the term “Transaction Authentication”

Slide 18: Transaction Authentication (flow diagram)
Labels as extracted: User Enters; Run-Time Transaction Context/Details; UID/Password or Higher; Perceived Transaction Risk; “You are about to Transfer $2384.89 to Account #BNZ927846738. Enter OTP to Continue”; Application Continues; Application/Resources receives Federated Identifier & Risk ‘Advice’.
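As an added illustration of the transaction verification slides 17 and 18 describe (this is not code from the presentation or from the NZ SSC): the confirmation code sent out of band is derived with HMAC-SHA256 over the exact details the message shows, so a transaction whose amount or destination is altered after the message was sent no longer verifies, and each code is accepted once. The server key, the Transaction fields, the nonce and the 6-digit truncation are all assumptions of the example.

```python
"""Transaction verification: a confirmation code bound to the transaction
details the user is shown, so the transaction executed is the one approved.

Added illustration, not NZ SSC code. The key, message format and the
HMAC-SHA256-derived 6-digit code are constructions for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed server-side secret; a real deployment keeps this in an HSM or KMS.
SERVER_KEY = bytes(range(32))


@dataclass(frozen=True)
class Transaction:
    user_id: str
    amount: str    # decimal string exactly as displayed, e.g. "2384.89"
    account: str   # destination account exactly as displayed
    nonce: str     # per-transaction challenge, so a code cannot be replayed


def canonical(tx: Transaction) -> bytes:
    """Unambiguous byte encoding of the fields the code must cover.
    Length-prefixing stops two different transactions sharing one encoding."""
    out = b""
    for field in (tx.user_id, tx.amount, tx.account, tx.nonce):
        data = field.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def transaction_code(key: bytes, tx: Transaction) -> str:
    """6-digit code derived from an HMAC over the exact transaction details."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def oob_message(tx: Transaction, code: str) -> str:
    """Text for the out-of-band channel (SMS, phone, e-mail). It repeats the
    details the code covers, so the user can compare them with the browser."""
    return (f"You are about to Transfer ${tx.amount} to Account #{tx.account}. "
            f"Enter {code} to Continue")


class TransactionVerifier:
    """Server side: one code per pending transaction, accepted at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued = set()   # nonces for which a message was sent
        self._used = set()     # nonces already confirmed

    def issue(self, tx: Transaction) -> str:
        self._issued.add(tx.nonce)
        return oob_message(tx, transaction_code(self._key, tx))

    def confirm(self, submitted: Transaction, code: str) -> bool:
        """True only if the code matches the transaction about to be executed.
        If the amount or account was changed after the message went out
        (for example by malware in the browser), the HMAC input differs and
        the code the user typed does not verify."""
        if submitted.nonce not in self._issued or submitted.nonce in self._used:
            return False
        if not hmac.compare_digest(transaction_code(self._key, submitted), code):
            return False
        self._used.add(submitted.nonce)   # single use
        return True


if __name__ == "__main__":
    # Constructed transaction matching the example on the slide
    v = TransactionVerifier(SERVER_KEY)
    tx = Transaction("user-1", "2384.89", "BNZ927846738", "n-0001")
    print(v.issue(tx))
    code = transaction_code(SERVER_KEY, tx)
    print("tampered:", v.confirm(Transaction("user-1", "2384.89", "BNZ000000001", "n-0001"), code))
    print("genuine: ", v.confirm(tx, code))
    print("replay:  ", v.confirm(tx, code))
```

The point of deriving the code from the details rather than generating it at random is that the server does not need to store the displayed transaction to detect substitution: any mismatch between what was shown out of band and what is submitted for execution changes the code. A code the user never entered (they refused because the SMS showed unexpected details) simply expires with its nonce.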

Slide 19: Putting it all Together (flow diagram)
Labels as extracted: User Enters; Device Detection; AuthN Context (UID/Password or Higher); Run-Time Transaction Context; Real-time Risk Assessment; outcomes: 70% Low value/risk - No Action Required; 20% Increased value/risk - Step Up AuthN; 5% High risk - OOB AuthN; 5% Perceived threat - Transaction AuthN; Continue With Application; Application/Resources receives Federated Identifier & Risk ‘Advice’.
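The flow on slides 14, 16 and 19, and the step-up mechanism slide 22 discusses, as an added example that is not part of the presentation or the NZ SSC implementation: a real-time risk assessment maps session signals to one of the four outcomes (no action, step-up OTP, out-of-band, transaction authentication), the SP expresses the minimum it needs as a SAML 2.0 RequestedAuthnContext, and then checks that the class the IdP returned actually meets that minimum. The signals, weights, score bands and the strength ordering are assumptions of the example; the AuthnContext class URIs are the standard ones from the SAML 2.0 specification, and mapping OTP to TimeSyncToken and phone/SMS OOB to Telephony is an assumed choice.

```python
"""Run-time risk assessment driving the four outcomes on the slide above.

Added illustration, not NZ SSC code. The signals, weights and score bands
are constructed for the example. The AuthnContext class URIs are the
standard SAML 2.0 ones; using TimeSyncToken for an OTP step-up and
Telephony for phone/SMS out-of-band authentication is an assumed mapping.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"

AC_PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
AC_OTP = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
AC_OOB = "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"

# Relative strength the SP assumes when checking what the IdP returned.
# SAML defines no universal ranking, so a deployment profile must fix one;
# this ordering is an assumption for the example.
STRENGTH = {AC_PASSWORD: 1, AC_OTP: 2, AC_OOB: 3}


@dataclass(frozen=True)
class Signals:
    """Inputs to the real-time risk assessment (constructed signal set)."""
    value: float            # value of the operation the user is about to perform
    new_device: bool        # device detection: not seen before for this user
    location_anomaly: bool  # request from an unexpected location for this user
    threat_indicator: bool  # session matches a known attack pattern


@dataclass(frozen=True)
class Decision:
    action: str         # none | step_up | oob | transaction_authn
    authn_context: str  # minimum AuthnContext class the SP will accept


def risk_score(s: Signals) -> int:
    """Additive score; the weights are example values, not a calibrated model."""
    score = 0
    if s.value >= 10_000:
        score += 60
    elif s.value >= 1_000:
        score += 30
    if s.new_device:
        score += 25
    if s.location_anomaly:
        score += 25
    if s.threat_indicator:
        score += 100
    return score


def decide(s: Signals) -> Decision:
    """Score bands mapped to: no action, step-up OTP, OOB, transaction authN."""
    score = risk_score(s)
    if score >= 100:   # perceived threat or very high value: bind authN to the transaction
        return Decision("transaction_authn", AC_OTP)
    if score >= 60:    # high risk: confirm over a separate channel
        return Decision("oob", AC_OOB)
    if score >= 30:    # increased risk: step up from password to OTP
        return Decision("step_up", AC_OTP)
    return Decision("none", AC_PASSWORD)


def requested_authn_context(d: Decision) -> str:
    """samlp:RequestedAuthnContext to place in the AuthnRequest sent to the IdP.
    Comparison="minimum" asks for the named class or anything stronger."""
    ET.register_namespace("samlp", NS_P)
    ET.register_namespace("saml", NS_A)
    rac = ET.Element(f"{{{NS_P}}}RequestedAuthnContext", Comparison="minimum")
    ref = ET.SubElement(rac, f"{{{NS_A}}}AuthnContextClassRef")
    ref.text = d.authn_context
    return ET.tostring(rac, encoding="unicode")


def assertion_satisfies(d: Decision, returned_class: str) -> bool:
    """SP-side check on the AuthnContextClassRef in the IdP's AuthnStatement.
    Requesting a context is not enough: the SP must verify the IdP honoured
    it. Unknown classes are rejected rather than assumed strong."""
    have = STRENGTH.get(returned_class)
    return have is not None and have >= STRENGTH[d.authn_context]


if __name__ == "__main__":
    # Constructed sessions, one per band
    samples = [
        Signals(value=50, new_device=False, location_anomaly=False, threat_indicator=False),
        Signals(value=2_000, new_device=True, location_anomaly=False, threat_indicator=False),
        Signals(value=20_000, new_device=True, location_anomaly=False, threat_indicator=False),
        Signals(value=20_000, new_device=True, location_anomaly=True, threat_indicator=False),
    ]
    for s in samples:
        d = decide(s)
        print(f"score={risk_score(s):3d} action={d.action:17s} {requested_authn_context(d)}")
```

Two design points matter more than the weights. First, the risk ‘advice’ goes to the application together with the federated identifier, so the SP can apply it to authorisation as well (the question on slide 20). Second, `assertion_satisfies` is the check that turns a request into a guarantee: an IdP that ignores RequestedAuthnContext, or a deployment with no agreed ordering of classes, silently leaves the user at password strength unless the SP compares what came back against what it asked for.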

Slide 20: Question?
Should Transaction AuthN be done using SAML Web SSO? It’s an AuthZ problem too…

Slide 21: SAML Considerations
How do these techniques look from a SAML point of view?

Slide 22: Context Sensitive Authentication - Step Up Authentication
  SAML Spec        Well Supported
  Liberty Interop  Not Specified – Optional in US eAuth profile
  eGov Profile     Supported
  Vendor Support   Becoming Well Supported

Slide 23: Context Sensitive Authentication - Returning Risk Context to SP
  SAML Spec        Well Supported
  Liberty Interop  Not Specified
  eGov Profile     Not Specified
  Vendor Support   Mixed

Slide 24: OOB Authentication - Passing to IdP
  SAML Spec        Well Supported
  Liberty Interop  Not Specified
  eGov Profile     Not Specified or Restricted
  Vendor Support   Unknown, but doubtful

Slide 25: Transaction Authentication - Transaction Details and Context
  SAML Spec        Unanticipated – Some options available
  Liberty Interop  Not Specified
  eGov Profile     Not Specified
  Vendor Support   Unknown, but doubtful

Slide 26: Moving Forward
- Look at Real Time Risk Analysis
  - Need an easy model for agencies
- Establish Conventions for SAML usage
- Update NZSAMS & eGov profile
- Lab Implementation
- Work with Vendors

Slide 27: Questions?
Bill.Young@ssc.govt.nz
http://www.e.govt.nz/services/authentication
