Conventional wisdom tells us to use two-factor authentication—and it does help to improve security. But the best way to reduce user-friction is to never require a person to authenticate. This talk will provide a modern solution to reconcile these two divergent imperatives by leveraging standard profiles of OAuth2 for “trust elevation.” Its not just the front door that needs protection! (Source: RSA USA 2016-San Francisco)

1. #RSAC
1

2. #RSAC
Obama says use two factors…
2
https://nakedsecurity.sophos.com/2016/02/12/obama-says-passwords-arent-strong-enough-urges-use-of-2fa/

3. #RSAC
Progress = Obliviousness
3
2FA = two-factor authentication

4. #RSAC
Authentication tradeoffs…
4

5. #RSAC
Protect your money!
5
Issued guidance in 2005 entitled “Authentication in an Internet
Banking Environment“
Source: https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
“… the techniques employed should
be commensurate with the
risks associated with the products
and services offered ”

6. #RSAC
What is Trust Elevation?
6

7. #RSAC
Agenda
7
Background on authentication technology: where are we today?
Deep Dive into OAuth2: what features does it have to support
Trust Elevation
Trust Elevation across domain boundaries
GOAL: Make you aware of some of the challenges we face to
enable Trust Elevation

8. #RSAC
What is Multi-Factor Authentication?
8
NIST defines this as two or more of …
Something you know
Something you have
Something you are
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

9. #RSAC
Risk Scores
9

10. #RSAC
Contextual Combinations Complicate
10
Is the IP address a known hacker?
Was the device rooted? Is a
browser cookie present? Is the
device running virus protection? Is
the location recognized? When
was credential issued? What is the
time of the day?

11. #RSAC
“…every scheme does worse than passwords on
deployability”
11
http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf

12. #RSAC
OAuth2 will make 2FA more “deployable”
12
Applications should use Standard API’s for
authentication and Trust Elevation!
No “one-offs”
http://nordicapis.com/api-security-oauth-openid-connect-depth/
Good Intro to OAuth2:

13. #RSAC
Enter OAuth2
13
i.e. API’s
i.e. Website or mobile app
i.e. Secure Token Service

14. #RSAC
OpenID Connect
14
Resource Server =
user_info API
To call this API,
you need an
Access Token
TOKENTOKEN

15. #RSAC
Importance of Audience
15
https://hanszandbelt.wordpress.com/2015/12/14/the-importance-of-audience-in-web-sso/
BEFORE AFTER

16. #RSAC
OpenID Connect:
Client Registration, Discovery too!
16
http://openid.net/connect

17. #RSAC
Overview of Authorization Code Flow
17
Relying Party (RP) redirects person to OpenID Provider (OP) for
authorization
Authentication happens only once!
OP returns code to RP
RP uses code to get tokens from OP
RP uses access token to obtain user claims from /user_info API:
{“given_name”: “Mike”,
“family_name”: “Schwartz”}

18. #RSAC
OpenID Connect id_token
18
Information about
authentication event
{
"iss": "https://server.example.com",
“sub": "248289761001",
"aud": "3214244",
"iat": 1311195570,
"exp": 1311281970,
“auth_time”: 131195001,
“acr”: http://example.com/basic_bio”
“amr”: [‘eye’, ‘pwd’, ‘12’]
}

19. #RSAC
ACR and AMR
19
How does the app know what kind
of authentication happened?

20. #RSAC
OpenID Provider Discovery
20
GET host + /.well-known/openid-configuration

21. #RSAC
OpenID Dynamic Client Registration
21

22. #RSAC
Authentication Request
22
In the request, acr_values
is actually a space
delimited string…

23. #RSAC
id_token
23
Returned id_token
confirms acr and amr
values
{
"iss": "https://server.example.com",
“sub": "248289761001",
"aud": "3214244",
"iat": 1311195570,
"exp": 1311281970,
“auth_time”: 131195001,
“acr”: http://example.com/basic_bio”
“amr”: [‘eye’, ‘pwd’, ‘12’]
}

24. #RSAC
App Policy
24
GET https://example.com/finance
Just an example…
using OpenID Connect alone,
you could require a certain
type of authentication

25. #RSAC
Best Practice:
Centralize Policy Management
25

26. #RSAC
UMA
26
Protect any API:
require an
RPT Token

27. #RSAC
UMA In 60 seconds
27
Client Calls API without RPT Token
RS obtains Permission Ticket from AS
and returns it to Client
Client presents ticket to AS
AS evaluates polices. If ok, issues RPT
token (bearer)
Client calls API with RPT Token
RS introspects Token: if ok, returns
content

28. #RSAC
Subtle difference…
Scope references policy
28
Scope based access:
Level of abstraction that
enables the central policy
decision point to decide which
acr is required

29. #RSAC
What kind of policies can you make?
29

30. #RSAC
Elevating Trust using UMA
30
You are Forbidden
because you need
acr…

31. #RSAC
Re-Authenticate!
31

32. #RSAC
Part III: Intedomain trust elevation
32
Infrastructure and
security is not (usually)
basis for competition
between firms in the
same industry.

33. #RSAC
SAML Federations
33
Normalize legal/technical

34. #RSAC
Many SAML Federations publish user schema.
34
http://www.incommon.org/federation/attributesummary.html

35. #RSAC
OAuth2 schema: not just user claims…
35

36. #RSAC
Collaboration on ACR / AMR values
36
So what values should we
use for amr and acr?
https://tools.ietf.org/html/draft-jones-oauth-amr-values-05
This IETF draft defines some AMR’s… but its inadequate

37. #RSAC
ACR alignment
37
Domains need to collaborate
on the values for acr’s and
amr’s

38. #RSAC
OTTO – Kantara Initiative Work Group
38
http://kantarainitiative.org/confluence/display/OTTO/Home
Open Trust Taxonomy for OAuth2

39. #RSAC
SAML federations
39

40. #RSAC
OAuth2 has new entities and new jargon
40

41. #RSAC
Where do we need federations
41

42. #RSAC
Summary
42
We don’t lack ways to identify people, but we lack agreement on
the relative strength of these mechanisms.
OAuth2 enables centralized risk based trust elevation, driving
down the cost of deployment—the main impediment to 2FA
adoption.
To enable trust elevation across domains, federations are
needed.

43. #RSAC
Action items
43
Don’t limit your planning to two-factor authentication. Make a
plan for trust elevation!
Start architecting your applications to leverage central policy
decision point—not for all fine grained authorization, but for
key security escalations.
If you work in an ecosystem, consider collaborating (even with
your competitors) to drive down the cost of security.

44. #RSAC
44