Parul Jain, Architect, Intuit India, on the binary state of authentication and maintaining a balance between security and ease of access. Presented at the #GIDS17 conference, Bangalore.
1. More than just being signed-in or signed-out
Parul Jain, Architect, Intuit
@ParulJainTweety
2. Why do we care?
Trust & security vs ease of access
Can’t eliminate friction? Delay it
Authentication levels to balance security and usability
Delightful product experience
4. Authentication – Signed In or Not – Example 1
Not Signed In: Browse OLX for used products
Sell an item -> Place Ad -> Sign In (Username, Password) -> Signed In
5. Authentication – Signed In or Not – Example 2
Not Signed In: Browse apps on App Store
Install App -> Sign In (Username, Password) -> Signed In -> Install App -> New App on Device
6. Why Authenticate?
Authentication is required to establish trust.
Is trust binary: trust you fully or not at all?
Degrees of trust: a factor of time and situation.
Trust you for this but not for that.
Didn’t trust you earlier but trust you now.
9. AAL – Example 1
Authentication Level 0: My bank portal
Authentication Level 1: Sign In (Username, Password) -> My bank account
Authentication Level 2: Transfer Money -> Sign In -> Payment
10. AAL – Example 2
Authentication Level 0: Mint application
Authentication Level 1: Sign In (Username, Password) -> Access my personal finances
Authentication Level 2: Transfer Money / New Payment Instrument -> Enter OTP -> Submit
11. AAL – Example 3
Authentication Level 0: Browse products on Amazon
Authentication Level 1: Track Order or Checkout -> Sign In (Username, Password) -> View/Place Order
Authentication Level 2
12. MFA and AAL Relationship
AAL is the outcome. MFA is the mechanism.
MFA provides layered defense.
Binary Authentication vs Multiple Authentication Assurance Levels
17. How to determine the AALs?
ASSIGN: based on factors of authentication
ADAPT: based on trust in the user with time
REQUIRE: based on sensitivity of the APIs
18. ASSIGN an AAL – based on factors of authentication
• What I know: password
• What I have: OTP
• What I am: fingerprint
• Other: federated
19. ADAPT to an AAL – based on trust in the user with time
Change in:
• Device
• Geolocation
• IP address
• Velocity of use
• Behavioral biometrics
• Anomalous behavior
20. REQUIRE an AAL – based on sensitivity of the APIs
• Secret: OAuth client secret
• Highly sensitive: money movement, financial data
• Sensitive: personal information
• Other: public information
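The three questions on slides 17 to 20 (ASSIGN, ADAPT, REQUIRE) and the bank, Mint and Amazon ladders on slides 9 to 11 meet in one check per API call: what level does the ticket earn, what does the request context leave of it, and what does the API demand. The Go program below is an added example written for this page, not Intuit's identity code; the level numbering, factor classes, adaptation rules and the API sensitivity table are assumptions chosen to illustrate the step ladder.

```go
package main

import "fmt"

// AAL is the authentication assurance level a session currently holds.
// Added example modelling the talk's "step ladder" (AAL0..AAL2). The level
// numbering, factor classes, adaptation rules and API table below are
// assumptions made for illustration, not Intuit's actual policy.
type AAL int

const (
	AAL0 AAL = iota // not signed in: public information only
	AAL1            // one factor class presented, e.g. password
	AAL2            // two or more classes, e.g. password + OTP
)

// Factor is an authentication factor the user has presented; class maps each
// to "know", "have" or "am". Two factors of one class (two passwords) do not
// raise the level: levels are not one-to-one with factors.
type Factor string

const (
	Password    Factor = "password"    // what I know
	OTP         Factor = "otp"         // what I have
	Fingerprint Factor = "fingerprint" // what I am
)

var class = map[Factor]string{Password: "know", OTP: "have", Fingerprint: "am"}

// Context is what the server observes about the client on a request.
type Context struct {
	DeviceID string // device fingerprint
	Country  string // coarse geolocation
}

// Session is the server-side record a ticket (session cookie) points at.
type Session struct {
	Factors []Factor // factors presented in this session
	SignIn  Context  // context observed when they were presented
}

// Assign computes the AAL earned by the presented factors (ASSIGN).
func Assign(factors []Factor) AAL {
	seen := map[string]bool{}
	for _, f := range factors {
		if c, ok := class[f]; ok {
			seen[c] = true
		}
	}
	if len(seen) >= 2 {
		return AAL2
	}
	return AAL(len(seen))
}

// Adapt lowers the assigned AAL when the request context drifts from the
// sign-in context (ADAPT). Assumed rules: unseen device -> AAL0; new country -> one level down.
func Adapt(assigned AAL, signIn, now Context) AAL {
	if now.DeviceID != signIn.DeviceID {
		return AAL0
	}
	if now.Country != signIn.Country && assigned > AAL0 {
		return assigned - 1
	}
	return assigned
}

// required is the minimum AAL per API, by sensitivity of its data (REQUIRE).
var required = map[string]AAL{
	"/catalog/browse":      AAL0, // public information
	"/account/summary":     AAL1, // personal information
	"/payments/transfer":   AAL2, // money movement
	"/oauth/client-secret": AAL2, // secret
}

// Authorize is ticket validation with AAL: it reports whether the call may
// proceed and, if not, the level to step up to, so the front end can show the
// password or OTP screen for that one step instead of signing the user out.
func Authorize(s Session, now Context, api string) (ok bool, have, need AAL) {
	need, known := required[api]
	if !known {
		need = AAL2 // fail closed: an unclassified API gets the strictest level
	}
	have = Adapt(Assign(s.Factors), s.SignIn, now)
	return have >= need, have, need
}

func main() {
	home := Context{DeviceID: "laptop-1", Country: "IN"}
	abroad := Context{DeviceID: "laptop-1", Country: "SG"} // same ticket, new country
	s := Session{Factors: []Factor{Password}, SignIn: home}
	for _, api := range []string{"/catalog/browse", "/account/summary", "/payments/transfer"} {
		ok, have, need := Authorize(s, home, api)
		fmt.Printf("%-20s have AAL%d need AAL%d allowed=%v\n", api, have, need, ok)
	}
	ok, have, need := Authorize(s, abroad, "/account/summary")
	fmt.Printf("%-20s have AAL%d need AAL%d allowed=%v (step up)\n", "/account/summary", have, need, ok)
}
```

The password-only session is served the catalogue and the account summary but is told to step up to AAL2 for the transfer; the same ticket arriving from another country drops to AAL0 and has to re-present the password even for the summary, while public browsing continues unchanged. The `required` map is where a team maintains the sensitivity classification of its APIs; an endpoint nobody classified fails closed rather than open.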
28. FIDO Protocols
Public key cryptography
UAF – Universal Authentication Framework
• Passwordless UX
• Local device with UAF stack installed
• User performs a local authentication
U2F – Universal Second Factor
• Standalone U2F device – USB/NFC/Bluetooth
• Physical keychain with multiple keys – one for each origin
• Built-in support in web browsers
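What "one key for each origin" buys is easiest to see in code. The Go program below is an added example, not FIDO Alliance, browser or Intuit code: a toy token keeps a P-256 key pair per origin and signs SHA-256(origin || challenge), standing in for U2F's key handles, application ID hash, user-presence byte and counter, which are omitted. The relying party and look-alike origins are constructed names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a toy U2F-style token: a fresh P-256 key pair per origin,
// never shared between origins. Added example, not FIDO Alliance, browser or
// Intuit code; real tokens return an opaque key handle instead of keeping this
// map and also sign a user-presence byte and a counter, omitted here.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a key pair for origin and returns the public key for the
// relying party to store; the private key never leaves the token.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// signedData binds an assertion to the origin the browser actually saw, so a
// signature made on a look-alike site is useless at the real one.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin bytes cannot shift into the challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate signs the challenge with the key for origin. The browser, not
// the page, supplies origin; that is what defeats credential phishing.
func (a *Authenticator) Authenticate(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no key registered for %s", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// RelyingParty is the server side: it stores the user's public key and checks
// assertions against its own origin and a challenge it issued.
type RelyingParty struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return rp.Pub != nil && ecdsa.VerifyASN1(rp.Pub, signedData(rp.Origin, challenge), sig)
}

// Scenario runs three cases against one token and one relying party (the
// origins are constructed): a genuine sign-in (legit), a look-alike origin the
// token has never seen (unknown is the token's refusal), and a look-alike the
// victim was tricked into registering on (phished is the bank's verdict).
func Scenario() (legit bool, unknown error, phished bool, err error) {
	tok := NewAuthenticator()
	bank := &RelyingParty{Origin: "https://bank.example"}
	phish := "https://bank-login.example"
	if bank.Pub, err = tok.Register(bank.Origin); err != nil {
		return
	}
	ch := make([]byte, 32) // the bank's fresh challenge
	if _, err = rand.Read(ch); err != nil {
		return
	}
	sig, err := tok.Authenticate(bank.Origin, ch)
	if err != nil {
		return
	}
	legit = bank.Verify(ch, sig)
	// The phishing page relays the bank's challenge, but the browser reports
	// its own origin to the token, which has no key for it.
	_, unknown = tok.Authenticate(phish, ch)
	// Even after registering there, the token signs with a different key over
	// different origin bytes, so the relayed assertion fails at the bank.
	if _, err = tok.Register(phish); err != nil {
		return
	}
	if sig, err = tok.Authenticate(phish, ch); err != nil {
		return
	}
	phished = bank.Verify(ch, sig)
	return
}

func main() {
	legit, unknown, phished, err := Scenario()
	fmt.Printf("legit=%v unknown=%v phished=%v err=%v\n", legit, unknown, phished, err)
}
```

The password a user types on a look-alike site works just as well on the real one; a U2F assertion does not, because the token only ever signs the origin the browser reports, with a key that exists for that origin alone. That is why the slide lists per-origin keys and browser integration together: the browser is the trusted party that tells the token where the user really is.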
33. Summary
As developers we have thought of authentication as a binary switch.
We need to start thinking about the degree and levels of trust.
Incorporate AAL into the design thinking.
AAL will help us in balancing security vs usability.
Deliver a delightful experience to customers.
I am Parul, Architect for Identity and Security at Intuit.
We have thought of authentication as a binary – signed in or signed out,
Come out of that mindset and treat authentication as a step ladder, as multiple levels.
Why do we care?
Don’t care about deep trust in certain experiences but care for stronger trust in certain other scenarios. We as developers have dealt with authentication as a binary; think of it as a step ladder, it will enable us to create a delightful user experience.
Speak about an example from real life here
Authentication levels are not one-to-one with authentication factors
Binary – SF (Example)
Binary – MF
AAL – SF
AAL - MF
Add AAL0. Go from AAL 0 to AAL1 using password
OTP for next level
Move captcha to another slide
Split it into three
AAL at Intuit reusable components at Identity.
onSuccess
APIs – ticket validation with AAL
Helps you balance
Bot vs human