The document discusses user authentication technologies used by the US federal government. It outlines policies like HSPD-12 that mandate authentication standards and describes NIST standards for different assurance levels. PKI and one-time passwords are the primary technologies, with PKI providing additional security capabilities. Level 3 assurance is a common target level. Symantec provides both PKI and OTP cloud services to help government agencies meet requirements.
User Authentication for Government
1. Symantec Government Technology Summit
User Authentication for Government
20 March 2012
Nick Piazzola
Sr. Director, Government
Authentication Solutions
Nick_Piazzola@symantec.com
443-604-4069
2. E-Authentication in the Federal Government
Players: President, OMB, Federal CIO/CIO Council, FICAM
Policies/Mandates:
• HSPD-12
• OMB: M-04-04, M-07-16, M-11-11
• Federal CIO Memo
Technical Standards:
• FIPS 201
• FIPS 199
• NIST SP 800-63-1
Implementation Standards/Guidance:
• Federal PKI Certificate Policy
• Trust Frameworks (Non-PKI)
3. OMB M-04-04 E-Authentication Guidance
Electronic authentication (E-Authentication) is the process of
establishing confidence in identities presented remotely over an
open network to an information system.
OMB M-04-04 defines four levels of identity assurance for electronic
transactions requiring authentication, where the required level of
assurance is defined in terms of the consequences of authentication
errors and the misuse of credentials.
Level 1 – Little or no confidence in the asserted identity
Level 2 - Some confidence in the asserted identity
Level 3 - High confidence in the asserted identity
Level 4 - Very high confidence in the asserted identity
4. OMB M-04-04 E-Authentication Guidance
• Requires agencies to review new and existing electronic transactions to
ensure that authentication processes provide the appropriate level of
assurance.
1. Conduct a risk assessment of the e-government system.
2. Map identified risks to the applicable assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has achieved the required
assurance level.
5. Periodically reassess the system to determine technology refresh
requirements.
5. Maximum Potential Impacts
FIPS 199 Risk/Impact Profiles

Potential Impact Categories for Authentication Errors        Assurance Level Impact Profiles
                                                              1     2     3     4
Inconvenience, distress or damage to standing or reputation   Low   Mod   Mod   High
Financial loss or agency liability                            Low   Mod   Mod   High
Harm to agency programs or public interests                   N/A   Low   Mod   High
Unauthorized release of sensitive information                 N/A   Low   Mod   High
Personal Safety                                               N/A   N/A   Low   Mod/High
Civil or criminal violations                                  N/A   Low   Mod   High
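Steps 2 and 3 of the M-04-04 process on the previous slide say to map the assessed risks to an assurance level, and the impact table is what that mapping is done against. The Python below is an added example, not part of the presentation or of any Symantec product: it transcribes the slide's impact profiles and computes the required level as the lowest level whose profile tolerates every category's assessed impact, which means the overall level is the highest of the per-category minimums (how M-04-04 directs agencies to read the table). The short category keys, the sample assessment in the demo, and the decision to reject an assessment that omits a category are this example's own choices.

```python
"""Map an OMB M-04-04 / FIPS 199 risk assessment to the required
e-authentication assurance level (added example, not the deck's code)."""

# Maximum potential impact tolerated at assurance levels 1..4, per category,
# transcribed from the slide's table. "N/A" means no impact of that kind may
# be present at that level; "Mod/High" is the slide's Level 4 entry for
# Personal Safety. The short keys are this example's own.
IMPACT_PROFILES = {
    "reputation":      ("Low", "Mod", "Mod", "High"),      # inconvenience, distress, damage to standing
    "financial":       ("Low", "Mod", "Mod", "High"),      # financial loss or agency liability
    "agency_programs": ("N/A", "Low", "Mod", "High"),      # harm to agency programs or public interests
    "sensitive_info":  ("N/A", "Low", "Mod", "High"),      # unauthorized release of sensitive information
    "personal_safety": ("N/A", "N/A", "Low", "Mod/High"),  # personal safety
    "civil_criminal":  ("N/A", "Low", "Mod", "High"),      # civil or criminal violations
}

# Values a risk assessment may record for a category, and an ordinal rank so
# "tolerated impact >= assessed impact" can be compared.
ASSESSED_VALUES = ("N/A", "Low", "Mod", "High")
_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "Mod/High": 3, "High": 3}


def minimum_level_for(category: str, assessed: str) -> int:
    """Lowest assurance level whose profile tolerates `assessed` impact in
    one category; 1 when the category carries no impact at all."""
    if assessed not in ASSESSED_VALUES:
        raise ValueError(f"unknown impact value {assessed!r}")
    for level, tolerated in enumerate(IMPACT_PROFILES[category], start=1):
        if _RANK[tolerated] >= _RANK[assessed]:
            return level
    raise ValueError(f"no assurance level tolerates {assessed} impact for {category}")


def required_assurance_level(assessment: dict) -> int:
    """Overall level is the highest of the per-category minimums.

    Every category must be assessed explicitly: a silently missing category
    would otherwise read as 'no impact' and understate the required level.
    """
    missing = set(IMPACT_PROFILES) - set(assessment)
    unknown = set(assessment) - set(IMPACT_PROFILES)
    if missing or unknown:
        raise ValueError(f"missing categories {sorted(missing)}, unknown {sorted(unknown)}")
    return max(minimum_level_for(c, v) for c, v in assessment.items())


def no_impact_assessment() -> dict:
    """Starting point with every category at N/A; copy it and override."""
    return {c: "N/A" for c in IMPACT_PROFILES}


if __name__ == "__main__":
    # Constructed sample: a benefits application that exposes PII (moderate
    # impact if released) and could cause moderate financial loss.
    sample = no_impact_assessment()
    sample.update({"reputation": "Mod", "financial": "Mod", "sensitive_info": "Mod"})
    print("required assurance level:", required_assurance_level(sample))  # 3
```

A single category drives the answer: moderate impact from unauthorized release of sensitive information alone forces Level 3, regardless of how low every other category scores, which is why the summary slide's observation that Level 3 is the usual target for PII-handling applications follows directly from the table.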
6. NIST Special Publication SP 800-63-1
Electronic Authentication Guideline
• Provides technical guidelines for Federal agencies implementing
electronic authentication.
• Defines electronic authentication (e-authentication) as the process of
establishing confidence in identities electronically presented to an
information system.
• Applies to remote electronic authentication of users over open
networks.
• Defines four levels of increasing assurance: Levels 1,2,3,4 and the
threats to be mitigated at each of these levels.
• Defines technical requirements in the areas of identity proofing,
registration, tokens, management processes, authentication
protocols and related assertions.
7. Strong Authentication
A Combination of Two or More Authentication Factors

Something You Know       Something You Have       Something You Are
Username/Passwords       Hardware OTP Token       Fingerprint
Mother’s Maiden Name     Digital Certificate      Iris Pattern
Transaction History      Smart Card
8. E-Authentication Assurance Levels (OMB M-04-04)
Chart: authentication technologies plotted by Increased Strength (vertical axis) against Increased Need for Identity Assurance (horizontal axis).
Technologies, from weakest to strongest: PIN/User ID; Knowledge-Based; One-Time Password; Biometrics; PKI/Digital Signature; Multi-Factor Token; HSPD-12 PIV Card
Assurance bands: Low, Medium, High, Very High
Example applications, in order of increasing need for identity assurance: Access to Protected Website; Applying for a Loan Online; Obtaining Govt. Benefits; Employee Screening for a High Risk Job
9. User Authentication Product Family
Public Key Infrastructure: PKI service issues certificates for strong authentication, encryption and digital signing.
Symantec Identity Protection: Shared cloud-based two-factor authentication solution offering multiple token choices.
Fraud Detection Service: Risk-based authentication and software-based fraud detection (rules engine and behavior engine producing a risk score).
Markets served: Government, Enterprise, eCommerce, Financial Services
10. Symantec Solutions for Authentication
OTP: OTP Card; SMS and Voice; Browser Toolbar; OTP Tokens; Mobile OTP
Strong Authentication: USB PKI Tokens; Smartcards; Digital Certificates (User and Site)
SSL Cert; Secure Seal
VIP Fraud Detection Service
VeriSign® Identity Protection Network (fraud intelligence and shared authentication)
11. What PKI Enables…
Strong Authentication
• Prevent unauthorized access through enhanced authentication
• Primary integration points: Web applications, remote access, desktop logon, and wireless
Digital Signatures
• Provides data integrity and enables non-repudiation for electronic transactions
• Primary integration points: Email, Adobe, and custom applications
Encryption
• Protect sensitive information whether data is in transit or at rest
• Primary integration points: Email, disk, file/folder, and databases
12. Managed PKI Services for the Public Sector
– Federal Shared Service Provider PKI: Enables Federal agencies to comply with HSPD-12. VeriSign SSP PKI services and Card Management System are certified and on the GSA FIPS-201 Approved Products List (APL).
– Non-Federal Shared Service Provider PKI: Enterprise PKI for any organization needing interoperability with the Federal government. Provides interoperability with the Federal PKI at multiple assurance levels through cross-certification with the Federal Bridge Certification Authority (FBCA).
– ECA Certificates: Enable organizations, contractors and individuals to securely communicate with Federal, state and local government agencies.
13. Non-Federal SSP PKI Customers
U.S. Government
– U.S. Nuclear Regulatory Commission
– U.S. Senate
– Dept of State (Millennium Challenge Corporation)
State Government
– State of Kansas
– State of Colorado
– State of California (CA Prison Healthcare Systems)
– State of Virginia (Fairfax County Government)
Universities
– University of Houston
Government Contractors
– Booz Allen & Hamilton
– General Dynamics
– Noblis (Mitretek)
– Dyncorp
14. Symantec Validation and ID Protection
Diagram elements: User with Enterprise VIP Token; Symantec VIP Service (authentication); relying parties: Consumer Portal, Business Partner Extranet, Government Network.
16. Symantec/Experian Two Factor Authentication Solution
Diagram elements: User; Online Government Application; Experian Precise ID (NIST 800-63-1 Level 3); Symantec OTP Token; Symantec OTP Authentication Service.
1. NIST Level 3 Remote Identity Proofing using Experian Precise ID.
2. Multiple form-factors for OTP tokens for multiple platforms.
3. Two-Factor Authentication with PIN, OTP and in-the-cloud validation service.
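Slide 16 describes the second factor as a PIN plus an OTP checked by an in-the-cloud validation service, which combines "something you know" with "something you have" from slide 7. The Python below is an added example of the server-side check such a service performs; it is not Symantec's VIP code, and since the deck does not say which OTP algorithm the tokens use, it assumes an event-based HOTP token per RFC 4226 (HMAC-SHA1 over a counter). The shared secret, PIN and window sizes are constructed values; the secret is the RFC 4226 test-vector key so the codes can be checked against the published vectors.

```python
"""Server-side PIN + HOTP validation (added example, not the deck's or
Symantec's code). Assumes an event-based HOTP token per RFC 4226."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The PIN (something you know) is stored only as a salted PBKDF2 hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TwoFactorVerifier:
    """Per-token state a validation service keeps: the token's shared secret
    (something you have), the PIN hash, the last counter accepted (replay
    protection), a look-ahead window so a token pressed without a completed
    login can resynchronise, and a failure count for throttling, which
    RFC 4226 section 7.3 recommends against brute force."""

    def __init__(self, secret: bytes, pin: str, look_ahead: int = 10, max_failures: int = 5):
        self.secret = secret
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.last_counter = -1  # no OTP accepted yet
        self.look_ahead = look_ahead
        self.max_failures = max_failures
        self.failures = 0

    def verify(self, pin: str, otp: str) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked; an operator must reset the token
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        # Only counters strictly above the last accepted one are tried, so a
        # captured OTP can never be replayed; the window is bounded so a
        # long-unused token cannot be searched indefinitely.
        matched = None
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                matched = c
                break
        # Both factors are checked before deciding, so the caller learns only
        # pass/fail, not which factor was wrong.
        if pin_ok and matched is not None:
            self.last_counter = matched
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test-vector secret.
    secret = b"12345678901234567890"
    verifier = TwoFactorVerifier(secret, pin="4711")
    print("first login:", verifier.verify("4711", hotp(secret, 0)))   # True
    print("replay:     ", verifier.verify("4711", hotp(secret, 0)))   # False
    print("resync +3:  ", verifier.verify("4711", hotp(secret, 3)))   # True
```

The counter only advances on a fully successful check: a correct OTP presented with a wrong PIN does not consume it, but it does count toward the lockout threshold, which is the trade-off between usability and throttling that a deployment has to decide on explicitly.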
17. Summary
• The two primary user authentication technologies in use today are PKI and
OTP. Symantec delivers/supports both of these for government customers
via cloud services.
• While both PKI and OTP are used for e-authentication, only PKI can deliver a
full suite of security services including confidentiality, integrity and non-
repudiation.
• OTP solutions are more likely to be used for remote access and external
constituent access to government services because of their reduced cost and
complexity.
• NIST SP 800-63-1 Level 3 assurance is the target for most applications
involving personally identifiable information and/or valuable transactions.
• Experian and Symantec have collaborated to provide a suite of integrated
identity proofing and authentication services that supports NIST SP 800-63-1.
• In the future government agencies are expected to transition from being
providers of credentials to accepting identity credentials issued by external
identity providers.
Editor's notes
The best practice for authentication, and the solution required by many regulatory and industry mandates, is to deploy a strong authentication solution. But what is strong authentication? Strong authentication is a way of identifying a user or device using more than one authentication factor.

An authentication factor can be something you know, something you have, or something you are:

“Something you know” is the category into which traditional passwords fall. You know your username and password; however, it can be other information known only to you and the organization to which you need to authenticate.

“Something you have” is the category of authentication factors that includes traditional one-time-password tokens but can also include a digital certificate installed on a user’s machine or on a smart card.

“Something you are” is a way of authenticating based on a trait inextricably tied to the user, such as a fingerprint. More generically, “something you are” can also refer to the sum total of past behaviors and interactions the user has had with the organization: a user whose behavior departs from the pattern of your past interactions with the organization is probably not you.

Strong authentication combines two or more of these factors, dramatically increasing the difficulty of impersonating an individual. If, for example, an enterprise requires a username/password with a one-time-password token to access the network, then someone would need to steal both the user’s password and their token in order to impersonate the user. This is far more difficult than simply stealing a password, and is therefore more resilient to attack.
PKI requires several security elements to be working in concert in one complete solution.

First, it’s strong authentication: two-factor authentication that prevents unauthorized access to applications and remote access for your mobile workers. It’s part of that visible security profile that builds trust.

Next, it’s encryption: protecting data in transit or at rest.

And finally, it’s about digital signatures: validating the integrity of the transaction by verifying that the user is who they say they are, and validating document integrity. These digital credentials are very hard to spoof, break, or forge.

PKI is all about trust. In fact, PKI is a hierarchical trust model, and PKI solutions can be trusted only as much as the implementation of PKI itself can be trusted. That is where it is critical to understand that a successful, trustworthy PKI is far more than a piece of software that generates certificates.

NEXT SLIDE