A look at the National Cybersecurity Center of Excellence reference design project for mobile application single sign-on for public safety first responders.
Mobile Application Single Sign-On for Public Safety First Responders
1. Mobile Application Single Sign-On
Achieving a secure, reliable, accessible SSO solution for Public Safety & First Responders
FIDO Webinar
12/7/2017
Bill Fisher, National Cybersecurity Center of Excellence
3. Mission
nccoe.nist.gov, National Cybersecurity Center of Excellence
Accelerate adoption of secure technologies: collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs.
4. Public Safety Communications Research Lab
The Public Safety Communications Research (PSCR) Division is housed within the Communications Technology Laboratory (CTL) at the National Institute of Standards and Technology (NIST).
PSCR is the primary federal laboratory conducting research, development, testing, and evaluation for public safety communications technologies.
6. Project Challenge
• Mobile platforms offer a significant operational advantage to public safety stakeholders by providing access to mission-critical information.
• These advantages can be limited if complex authentication requirements hinder Public Safety First Responder (PSFR) personnel, especially when delay – even seconds – is a matter of containing or exacerbating an emergency situation.
8. Core Capabilities
Multifactor Authentication (MFA) to Mobile Resources
• Biometrics, external hardware authenticators and other authentication options
Single Sign-on (SSO) to Mobile Resources
• Authenticate once with a mobile native app or web app
• Leverage the initial MFA when accessing multiple applications
10. NCCoE Benefits – Industry Collaboration
Mobile SSO Technology Vendor Build Team:
NCCoE brings in industry experts to design and build the reference design:
11. NCCoE Benefits – Standards Based
NCCoE solutions implement standards and best practices:
Using modern, commercially available technology:
12. NCCoE Benefits – Practical Guidance
• The project will result in a freely available NIST Cybersecurity Practice Guide (SP 1800-x) including:
  Technical Decisions
  Trade-offs
  Lessons Learned
  Build Instructions
  Functional Tests
13. Applicable Across Sectors
Though we developed this solution for Public Safety communities…
• This architecture applies to any entity needing to solve MFA and SSO for mobile applications
15. Challenges – Passwords
Passwords:
• Complexity – hard to remember
• Hard to type on a mobile phone
• Need one for each application
• They are often re-used
• Can be phished
16. Challenges – App Developer
Roll-your-own solutions:
• Custom authentication is difficult, leading to insecure implementations
• Challenge of storing and maintaining user credentials securely
Source: https://xkcd.com/844/
17. Challenges – Identity & Credential Management
More credentials, more problems:
• Separate credentials for each resource must be issued, maintained and revoked
• Expensive – increased number of help desk calls
• Risk of credential re-use, especially when credentials are exposed to mobile applications
Source: https://xkcd.com/792/
19. Demonstration – What you’ll see, MFA + SSO
FIDO UAF Authentication
• Leverages fingerprint registered to the device
• No password input
FIDO U2F Authentication
• Using a FIDO key as second factor
• Public key pair on the device
[Figure: PIN + FIDO key, with the private key held on the device]
Mobile App Single Sign-On
• Access to Motorola Mapping and Chat apps without the need to re-authenticate
• Done via IETF RFC for SSO on native mobile apps
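The FIDO U2F step above ("public key pair on the device"), and the two FIDO security-benefit bullets later in the deck (no secrets stored server-side, phishing resistance), reduced to the core cryptographic check, as an added example that is not code from the NCCoE build or from the FIDO specifications. It assumes a simplified assertion format (an ECDSA P-256 signature over SHA-256 of the app ID concatenated with the challenge; real U2F also covers a counter and a user-presence byte) and uses constructed names such as the origin `https://psfr.example` and the user `responder42`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the FIDO authenticator on the responder's phone or
// security key. The private key is generated here and never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// NewAuthenticator generates a fresh P-256 key pair at registration time.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only material the authenticator hands to the server.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedData binds a challenge to the origin (app ID) the client believes it is
// talking to. Simplified model: U2F additionally signs a counter and a
// user-presence byte.
func signedData(appID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces an assertion for the app ID the client app presented.
func (a *Authenticator) Sign(appID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(appID, challenge))
}

// RelyingParty models the server. It stores public keys only, so a copy of this
// map gives an attacker nothing that can be replayed as a login.
type RelyingParty struct {
	AppID string
	keys  map[string]*ecdsa.PublicKey
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, keys: map[string]*ecdsa.PublicKey{}}
}

// Register records the user's device public key.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues a fresh 32-byte nonce for one authentication ceremony.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify checks the assertion against the stored key and the RP's own AppID.
// An assertion produced for a look-alike origin hashes differently and fails;
// that origin binding is where FIDO's phishing resistance comes from.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.AppID, challenge), sig) {
		return errors.New("assertion does not verify for this origin and challenge")
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://psfr.example") // constructed origin
	rp.Register("responder42", auth.PublicKey())   // constructed user

	ch, _ := rp.NewChallenge()
	sig, _ := auth.Sign(rp.AppID, ch)
	fmt.Println("genuine origin:", rp.Verify("responder42", ch, sig))

	// The same challenge relayed through a look-alike site: the authenticator
	// signs for the origin it actually sees, so the RP rejects the assertion.
	relayed, _ := auth.Sign("https://psfr-login.example", ch)
	fmt.Println("look-alike origin:", rp.Verify("responder42", ch, relayed))
}
```

The server-side table holds nothing but public keys, and each ceremony uses a fresh challenge, so neither a database leak nor a captured assertion is reusable.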
20. Ideally…
Public Safety First Responders…
• Authenticate once per day, at the beginning of their shift
• Leverage that initial authentication for access to subsequent mobile apps without the need to re-authenticate.
22. General Benefits
Reduces:
• The amount of authentication time and attempts for PSFR personnel
• The number of credentials that PSFR personnel and organizations need to manage
• Requirements for complex passwords
Increases:
• Interoperability through the use of an open, standards-based architecture
• Identity providers can leverage their current Active Directory
• Authenticator flexibility through the FIDO ecosystem
• External hardware authenticators, biometrics, etc.
23. Security Benefits
FIDO:
• Multifactor authentication in line with NIST 800-63-3 requirements
• No secrets (private keys or biometric templates) are stored server-side
• Phishing resistance
IETF BCP for Mobile SSO:
• The user's password and other credentials are never exposed to the SaaS provider or mobile app
• Apps get an OAuth token with a limited scope of authorization – apps only get access to the back-end systems they should be accessing
• A reduced number of credentials decreases the risk of credential re-use
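The SSO bullet on the demonstration slide ("done via IETF RFC for SSO on native mobile apps") and the "IETF BCP for Mobile SSO" bullets above, condensed into a runnable model, as an added example that is not code from the NCCoE build or the Motorola apps. It assumes the BCP in question is RFC 8252 (OAuth 2.0 for Native Apps) used with PKCE (RFC 7636), and uses constructed names: user `responder42`, scopes `map:read` and `chat:send`, and one in-memory `AuthServer` standing in for both the identity provider and the token check each back end would perform.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// pendingCode is an authorization code waiting to be redeemed. It carries the
// PKCE challenge and the scopes the user consented to for that particular app.
type pendingCode struct {
	user      string
	challenge string
	scopes    []string
}

// AuthServer is a minimal identity provider / authorization server (constructed).
type AuthServer struct {
	codes  map[string]pendingCode
	tokens map[string][]string // access token -> granted scopes
}

func NewAuthServer() *AuthServer {
	return &AuthServer{codes: map[string]pendingCode{}, tokens: map[string][]string{}}
}

// randomToken returns n random bytes, base64url-encoded without padding.
// 32 bytes gives 43 characters, the minimum RFC 7636 code_verifier length.
func randomToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewCodeVerifier is generated by the native app and kept only in its memory.
func NewCodeVerifier() (string, error) { return randomToken(32) }

// CodeChallenge is the S256 transform: BASE64URL(SHA256(code_verifier)).
func CodeChallenge(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// Authorize is the front-channel leg, performed in the system browser where the
// session from the one FIDO login at shift start already exists. The app never
// sees a password; it only receives this single-use code via its redirect URI.
func (s *AuthServer) Authorize(user, codeChallenge string, scopes []string) (string, error) {
	code, err := randomToken(16)
	if err != nil {
		return "", err
	}
	s.codes[code] = pendingCode{user: user, challenge: codeChallenge, scopes: scopes}
	return code, nil
}

// Token is the back-channel leg. The app proves it started the flow by revealing
// the verifier, so a code intercepted on the device is useless on its own.
func (s *AuthServer) Token(code, verifier string) (string, error) {
	p, ok := s.codes[code]
	if !ok {
		return "", errors.New("unknown or already redeemed code")
	}
	delete(s.codes, code) // single use, whether or not PKCE passes
	if subtle.ConstantTimeCompare([]byte(p.challenge), []byte(CodeChallenge(verifier))) != 1 {
		return "", errors.New("PKCE verification failed")
	}
	tok, err := randomToken(32)
	if err != nil {
		return "", err
	}
	s.tokens[tok] = p.scopes
	return tok, nil
}

// Allowed is the check a back end (mapping or chat service) makes: the token
// must exist and must carry the scope that service requires.
func (s *AuthServer) Allowed(token, requiredScope string) bool {
	for _, sc := range s.tokens[token] {
		if sc == requiredScope {
			return true
		}
	}
	return false
}

func main() {
	as := NewAuthServer()

	// Mapping app: its own verifier, asking only for map:read.
	mapVerifier, _ := NewCodeVerifier()
	mapCode, _ := as.Authorize("responder42", CodeChallenge(mapVerifier), []string{"map:read"})
	mapToken, err := as.Token(mapCode, mapVerifier)
	fmt.Println("mapping token issued:", err == nil)
	fmt.Println("mapping token may read maps:", as.Allowed(mapToken, "map:read"))
	fmt.Println("mapping token may send chat:", as.Allowed(mapToken, "chat:send"))

	// Chat app: same user session, but a separate verifier and separate scope.
	chatVerifier, _ := NewCodeVerifier()
	chatCode, _ := as.Authorize("responder42", CodeChallenge(chatVerifier), []string{"chat:send"})
	if _, err := as.Token(chatCode, mapVerifier); err != nil {
		fmt.Println("wrong verifier rejected:", err)
	}
	if _, err := as.Token(chatCode, chatVerifier); err != nil {
		fmt.Println("code already consumed:", err)
	}
}
```

Each app ends up with a token scoped to its own back end, the identity provider is the only party that ever handled the user's primary credential, and the code-for-token exchange is bound to the app instance that requested it.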
25. Next Steps
Publication of NIST SP 1800-X
• Technical decisions, trade-offs, lessons learned, etc.
• Discussions around technical trade-offs not chosen for this demo
• Guidance for other areas outside the scope of the demo such as credential recovery, revocation, identity proofing, federation, etc.
Potential Future Build Additions
• iOS/Apple demonstration
• Support for shared devices – working with Google to determine the best solution on Android platforms
Source: http://southworthlibrary.org/
Talking points:
We do not create standards
We apply standards to current challenges
We use best practices and commercially available technologies to solve challenges
Vision: A secure cyber infrastructure that inspires technological innovation and fosters economic growth
Goals:
1. Provide practical cybersecurity: Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable
2. Increase rate of adoption: Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption
3. Accelerate innovation: Empower innovators to creatively address businesses’ most pressing cybersecurity challenges in a state-of-the-art, collaborative environment