
Binary State of Authentication by Parul Jain
Parul Jain, Architect, Intuit India, on binary state of authentication and maintaining a balance between security and ease of access. Presented at the #GIDS17 conference, Bangalore.

Published in: Technology

  1. More than just being signed-in or signed-out. Parul Jain, Architect, Intuit (@ParulJainTweety)
  2. Why do we care? Trust & security versus ease of access. Can't eliminate friction? Delay it. Authentication levels balance security and usability for a delightful product experience.
  3. Authentication: Username + Password → Sign In → Signed In / Not Signed In.
  4. Authentication – Signed In or Not – Example 1: Browse OLX for used products (Not Signed In) → Sell an item / Place Ad → Username + Password → Sign In → Signed In.
  5. Authentication – Signed In or Not – Example 2: Browse apps on App Store (Not Signed In) → Install App → Username + Password → Sign In → Signed In → Install App → New App on Device.
  6. Why Authenticate? Authentication is required to establish trust. Is trust binary: trust you fully or not at all? Degrees of trust are a factor of time and situation: trust you for this but not for that; didn't trust you earlier but trust you now.
  7. Authentication Levels: Authentication is not binary. Authentication Assurance Levels (AAL) are adaptive: they change with time and situation.
  8. Authentication Assurance Levels (AAL): Less Trust → Authentication Level 1 → Enter OTP → Submit → Authentication Level 2 → More Trust.
  9. AAL – Example 1: My bank portal (Authentication Level 0) → Username + Password → Sign In → My bank account (Authentication Level 1) → Transfer Money / Payment (Authentication Level 2).
  10. AAL – Example 2: Mint application (Authentication Level 0) → Username + Password → Sign In → Access my personal finances (Authentication Level 1) → Enter OTP → Submit → Transfer Money / New Payment Instrument (Authentication Level 2).
  11. AAL – Example 3 (Authentication Level 1 → Authentication Level 2): Browse products on Amazon → Track Order or Checkout → Username + Password → Sign In → View/Place Order.
  12. MFA and AAL Relationship: AAL is the outcome; MFA is the mechanism. MFA provides layered defense. Binary Authentication versus Multiple Authentication Assurance Levels.
  13. LIC: Binary without MFA
  14. Google: Binary with MFA
  15. Amazon: Multiple Levels with MFA
  16. Intuit: Multiple Levels with MFA
  17. How to determine the AALs? ASSIGN: based on factors of authentication. ADAPT: based on trust in the user with time. REQUIRE: based on sensitivity of the APIs.
  18. ASSIGN an AAL, based on factors of authentication: What I know (password); What I have (OTP); What I am (fingerprint); Other (Federated).
  19. ADAPT to an AAL, based on trust in the user with time. Change in: Device; Geolocation; IP address; Velocity of use; Behavioral Biometrics; Anomalous behavior.
  20. REQUIRE an AAL, based on sensitivity of the APIs: Secret (OAuth Client Secret); Highly Sensitive (Money movement, Financial data); Sensitive (Personal information); Other (Public information).
  21. AAL Determination: plotting trust in user authentication (Low → High) against sensitivity of the APIs (Low → High) gives a 3×3 grid: Good, Step-up, Step-up / Good, Good, Step-up / Good, Good, Good. In other words, step up whenever the API's sensitivity exceeds the trust in the user's authentication.
  22. Component Interaction between Client, Identity Services and APIs: 1. Sign in (Identity Services determine the AAL) → 2. Session with an AAL → 3. Access Resource → 4. Verify (APIs check the expected AAL) → 5. Step-up URL → 6. Redirect for step-up (Client remembers the state) → 7. Step-up → 8. Higher AAL.
  23. Client Widget Configuration
  24. APIs: Create the verify request; Verify with expected AAL.
  25. Identity Services: Authn Service and Risk Engine. Sign-in / Verify → Device, IP, geo, time, … → Get Risk Score → Real-time Risk Score from an ML Model, with Feedback into the model.
  26. UNIVERSAL STRONG AUTHENTICATION – FIDO AS A STANDARD
  27. Fast Identity Online (FIDO)
  28. FIDO Protocols, built on public key cryptography. UAF – Universal Authentication Framework: Passwordless UX; Local device with UAF stack installed; User presents a local authentication. U2F – Universal Second Factor: Standalone U2F device (USB/NFC/Bluetooth); Physical keychain with multiple keys, one for each origin; Built-in support in web browsers.
  29. UAF. Src: https://fidoalliance.org/specifications/overview/
  30. UAF – Registration. User Device (FIDO Client on Win, Mac, iOS, Android, …; FIDO Authenticators; User Agent: Browser, App, …) and Identity Provider (Web App, FIDO Server): 1. Legacy Auth + Initiate Registration → 2. Registration request + Policy → 3. Enroll user + New Key Pair → 4. Registration response + Attestation + User's public key → 5. Validate Response + Attestation; store user's Public Key.
  31. UAF – Authentication. Same parties as registration: 1. Initiate Authn → 2. Authn request + Challenge + Policy → 3. Verify User and unlock private key → 4. Authn response signed by user's private key → 5. Validate Response using user's Public Key.
  32. U2F. Src: https://fidoalliance.org/specifications/overview/
  33. Summary: As developers we have thought of authentication as a binary switch. We need to start thinking about the degree and levels of trust. Incorporate AAL into the design thinking. AAL will help us in balancing security vs usability. Deliver delightful experience to customers.
  34. Thank you
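As an added example (not from the deck and not Intuit's code), the ASSIGN / ADAPT / REQUIRE split of slides 17 to 22 as the step-up decision an API could run in its "Verify with expected AAL" step. The numeric levels per sensitivity class, the one-level-per-risk-signal rule and the step-up URL shape are assumptions made for the example.

```python
from urllib.parse import urlencode

# REQUIRE: the AAL each API sensitivity class (slide 20) demands.  The deck gives
# classes, not numbers, so these levels are an assumption: 0 = public,
# 1 = password sign-in, 2 = password plus a second factor, 3 = never reachable
# from a user session (client secrets).
REQUIRED_AAL = {"other": 0, "sensitive": 1, "highly_sensitive": 2, "secret": 3}

# ASSIGN: factor classes from slide 18 ("what I know / have / am").
FACTOR_CLASS = {"password": "know", "otp": "have", "fingerprint": "am"}

# ADAPT: the risk signals slide 19 lists as reasons to lower trust over time.
RISK_SIGNALS = {"device_change", "geo_change", "ip_change",
                "velocity", "behavioral_biometrics", "anomalous_behavior"}


def assign_aal(factors):
    """Session AAL = number of distinct factor classes verified at sign-in (assumed rule)."""
    return len({FACTOR_CLASS[f] for f in factors if f in FACTOR_CLASS})


def adapt_aal(session_aal, signals):
    """Each recognised risk signal seen since sign-in costs one level, floor 0 (assumed rule)."""
    return max(0, session_aal - len(set(signals) & RISK_SIGNALS))


def check_expected_aal(session_aal, api_class, signals=(), resource="/",
                       step_up_base="https://idp.example/step-up"):
    """The API's 'Verify with expected AAL' step: ('Good', None) or ('Step-up', url).

    The URL shape is constructed for this example; it carries the AAL to reach and
    where to send the client back afterwards (slide 22, steps 5 to 8).
    """
    required = REQUIRED_AAL[api_class]
    effective = adapt_aal(session_aal, signals)
    if effective >= required:
        return "Good", None
    query = urlencode({"expected_aal": required, "return_to": resource})
    return "Step-up", f"{step_up_base}?{query}"


if __name__ == "__main__":
    aal = assign_aal({"password"})  # bank portal sign-in: AAL 1
    print(check_expected_aal(aal, "sensitive", resource="/account"))           # Good
    print(check_expected_aal(aal, "highly_sensitive", resource="/transfer"))   # Step-up
    aal = assign_aal({"password", "otp"})  # after the OTP step-up: AAL 2
    print(check_expected_aal(aal, "highly_sensitive", resource="/transfer"))   # Good
    # a device change after sign-in lowers effective trust, so the API asks again
    print(check_expected_aal(aal, "highly_sensitive", ["device_change"], "/transfer"))  # Step-up
```

The last call shows the ADAPT leg: a session that reached AAL 2 is pushed back to a step-up by a risk signal, which is what the deck's risk engine feeds into the verify step.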
