Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

Sometimes you need to be more sure your are connected to the right person. In those cases, to mitigate the risk of identity fraud, you should consider using a technique called trust elevation. Its easy with the OAuth2 profiles: OpenID Connect and UMA.

  • Identifiez-vous pour voir les commentaires

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

  1. 1. #RSAC 1
  2. 2. #RSAC Obama says use two factors… 2 https://nakedsecurity.sophos.com/2016/02/12/obama-says-passwords-arent-strong-enough-urges-use-of-2fa/
  3. 3. #RSAC Progress = Obliviousness 3 2FA = two-factor authentication
  4. 4. #RSAC Authentication tradeoffs… 4
  5. 5. #RSAC Protect your money! 5 Issued guidance in 2005 entitled “Authentication in an Internet Banking Environment“ Source: https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf “… the techniques employed should be commensurate with the risks associated with the products and services offered ”
  6. 6. #RSAC What is Trust Elevation? 6
  7. 7. #RSAC Agenda 7 Background on authentication technology: where are we today? Deep Dive into OAuth2: what features does it have to support Trust Elevation Trust Elevation across domain boundaries GOAL: Make you aware of some of the challenges we face to enable Trust Elevation
  8. 8. #RSAC What is Multi-Factor Authentication? 8 NIST defines this as two or more of … Something you know Something you have Something you are Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
  9. 9. #RSAC Risk Scores 9
  10. 10. #RSAC Contextual Combinations Complicate 10 Is the IP address a known hacker? Was the device rooted? Is a browser cookie present? Is the device running virus protection? Is the location recognized? When was credential issued? What is the time of the day?
  11. 11. #RSAC “…every scheme does worse than passwords on deployability” 11 http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf
  12. 12. #RSAC OAuth2 will make 2FA more “deployable” 12 Applications should use Standard API’s for authentication and Trust Elevation! No “one-offs” http://nordicapis.com/api-security-oauth-openid-connect-depth/ Good Intro to Oauth2:
  13. 13. #RSAC Enter OAuth2 13 i.e. API’s i.e. Website or mobile app i.e. Secure Token Service
  14. 14. #RSAC OpenID Connect 14 Resource Server = user_info API To call this API, you need an Access Token TOKENTOKEN
  15. 15. #RSAC Importance of Audience 15 https://hanszandbelt.wordpress.com/2015/12/14/the-importance-of-audience-in-web-sso/ BEFORE AFTER
  16. 16. #RSAC OpenID Connect: Client Registration, Discovery too! 16 http://openid.net/connect
  17. 17. #RSAC Overview of Authorization Code Flow 17 Relying Party (RP) redirects person to OpenID Provider (OP) for authorization Authentication happens only once! OP returns code to RP RP uses code to get tokens from OP RP uses access token to obtain user claims from /user_info API: {“given_name”: “Mike”, “family_name”: “Schwartz”}
  18. 18. #RSAC OpenID Connect id_token 18 Information about authentication event { "iss": "https://server.example.com", “sub": "248289761001", "aud": "3214244", "iat": 1311195570, "exp": 1311281970, “auth_time”: 131195001, “acr”: http://example.com/basic_bio” “amr”: [‘eye’, ‘pwd’, ‘12’] }
  19. 19. #RSAC ACR and AMR 19 How does the app know what kind of authentication happened?
  20. 20. #RSAC OpenID Provider Discovery 20 GET host + /.well-known/openid-configuration
  21. 21. #RSAC OpenID Dynamic Client Registration 21
  22. 22. #RSAC Authentication Request 22 In the request, acr_values is actually a space delimited string…
  23. 23. #RSAC id_token 23 Returned id_token confirms acr and amr values { "iss": "https://server.example.com", “sub": "248289761001", "aud": "3214244", "iat": 1311195570, "exp": 1311281970, “auth_time”: 131195001, “acr”: http://example.com/basic_bio” “amr”: [‘eye’, ‘pwd’, ‘12’] }
  24. 24. #RSAC App Policy 24 GET https://example.com/finance Just an example… using OpenID Connect alone, you could require a certain type of authentication
  25. 25. #RSAC Best Practice: Centralize Policy Management 25
  26. 26. #RSAC UMA 26 Protect any API: require an RPT Token
  27. 27. #RSAC UMA In 60 seconds 27 Client Calls API without RPT Token RS obtains Permission Ticket from AS and returns it to Client Client presents ticket to AS AS evaluates polices. If ok, issues RPT token (bearer) Client calls API with RPT Token RS introspects Token: if ok, returns content
  28. 28. #RSAC Subtle difference… Scope references policy 28 Scope based access: Level of abstraction that enables the central policy decision point to decide which acr is required
  29. 29. #RSAC What kind of policies can you make? 29
  30. 30. #RSAC Elevating Trust using UMA 30 You are Forbidden because you need acr…
  31. 31. #RSAC Re-Authenticate! 31
  32. 32. #RSAC Part III: Intedomain trust elevation 32 Infrastructure and security is not (usually) basis for competition between firms in the same industry.
  33. 33. #RSAC Saml Federations 33 Normalize legal/technical
  34. 34. #RSAC Many SAML Federations publish user schema. 34 http://www.incommon.org/federation/attributesummary.html
  35. 35. #RSAC Oauth2 schema: not just user claims… 35
  36. 36. #RSAC Collaboration on ACR / AMR values 36 So what values should we use for amr and acr? https://tools.ietf.org/html/draft-jones-oauth-amr-values-05 This IETF draft defines some AMR’s… but its inadequate
  37. 37. #RSAC ACR alignment 37 Domains need to collaborate on the values for acr’s and amr’s
  38. 38. #RSAC OTTO – Kantara Initiative Work Group 38 http://kantarainitiative.org/confluence/display/OTTO/Home Open Trust Taxonomy for OAuth2
  39. 39. #RSAC SAML federations 39
  40. 40. #RSAC OAuth2 has new entities and new jargon 40
  41. 41. #RSAC Where do we need federations 41
  42. 42. #RSAC Summary 42 We don’t lack ways to identify people, but we lack agreement on the relative strength of these mechanisms. OAuth2 enables centralized risk based trust elevation, driving down the cost of deployment—the main impediment to 2FA adoption. To enable trust elevation across domains, federations are needed.
  43. 43. #RSAC Action items 43 Don’t limit your planning to two-factor authentication. Make a plan for trust elevation! Start architecting your applications to leverage central policy decision point—not for all fine grained authorization, but for key security escalations. If you work in an ecosystem, consider collaborating (even with your competitors) to drive down the cost of security.
  44. 44. #RSAC 44