More than just being
signed-in or signed-out
Parul Jain, Architect, Intuit
@ParulJainTweety
Why do we care?
TRUST &
SECURITY
EASE OF
ACCESS
Can’t eliminate friction? Delay it
Authentication Levels to balance security and usability
Delightful product experience
Authentication
Username
Password
Sign In
Signed In
Not Signed In
Authentication – Signed In or Not – Example 1
Sell an item
Place Ad
Username
Password
Signed In
Not Signed In
Sign In
Browse OLX for used products
Authentication – Signed In or Not – Example 2
Browse apps on App Store
Install App
New App on Device
Username
Password
Signed In
Not Signed In
Install App
Sign In
Why Authenticate?
Authentication is required to establish trust
Is trust binary – trust you fully or not at all?
Degrees of trust - Factor of time and situation
Trust you for this but not for that
Didn’t trust you earlier but trust you now
Authentication Levels
Authentication is not binary
Authentication Assurance Levels (AAL)
Adaptive - Change with time and situation
Authentication Assurance Levels (AAL)
Less Trust → More Trust
Authentication Level 1: Sign In
Authentication Level 2: Enter OTP, Submit
AAL – Example 1
Authentication Level 1
Authentication Level 2
My bank account
Transfer Money
Payment
Authentication Level 0
Username
Password
Sign In
My bank portal
Sign In
AAL – Example 2
Authentication Level 1
Authentication Level 2
Transfer Money
New Payment Instrument
Authentication Level 0
Username
Password
Sign In
Mint application
Sign In
Enter OTP
Submit
Access my personal finances
AAL – Example 3
Authentication Level 1
Authentication Level 2
Browse products on Amazon
Track Order
Or
Checkout
View/Place Order
Username
Password
Sign In
MFA and AAL Relationship
AAL is the outcome.
MFA is the mechanism
MFA provides layered defense
Binary Authentication
Multiple Authentication Assurance Levels
LIC: Binary without MFA
Google: Binary with MFA
Amazon: Multiple Levels with MFA
Intuit: Multiple Levels with MFA
How to determine the AALs?
ASSIGN – based on factors of authentication
ADAPT – based on trust in the user with time
REQUIRE – based on sensitivity of the APIs
ASSIGN an AAL – based on factors of authentication
• What I know – password
• What I have – OTP
• What I am – fingerprint
• Other – Federated
ADAPT to an AAL – based on trust in the user with time
Change in
• Device
• Geolocation
• IP address
• Velocity of use
• Behavioral Biometrics
• Anomalous behavior
REQUIRE an AAL – based on sensitivity of the APIs
• Secret – OAuth Client Secret
• Highly Sensitive – Money movement, Financial data
• Sensitive – Personal information
• Other – Public information
AAL Determination
Rows: sensitivity of the APIs (Low → High). Columns: trust in user authentication (Low → High). A cell says whether the current session is Good for the call or a Step-up is needed.
                        Trust: Low    Trust: Medium    Trust: High
Sensitivity: Low        Good          Good             Good
Sensitivity: Medium     Step-up       Good             Good
Sensitivity: High       Step-up       Step-up          Good
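The ASSIGN / ADAPT / REQUIRE steps and the matrix above, worked through as an added example; this is my illustration, not code from the talk or from Intuit. The factor list, the risk signals and the sensitivity classes are the talk's; the numeric weights, the thresholds and the 0..2 level range are assumptions chosen so that the slide examples (bank portal at level 1, money transfer at level 2) come out as shown.

```go
package main

import "fmt"

// ASSIGN: the factors of authentication the talk lists.
type Factor int

const (
	Knowledge  Factor = iota // what I know: password
	Possession               // what I have: OTP
	Inherence                // what I am: fingerprint
	Federated                // other: federated sign-in (assumed to count as one factor)
)

// REQUIRE: the sensitivity classes the talk lists for APIs.
type Sensitivity int

const (
	Public          Sensitivity = iota // public information
	Sensitive                          // personal information
	HighlySensitive                    // money movement, financial data
	Secret                             // OAuth client secret
)

// ADAPT: signals whose change lowers trust in the user as time passes.
type RiskSignals struct {
	NewDevice, NewGeo, NewIP bool
	VelocityAnomaly          bool // velocity of use / behavioural biometrics
	MinutesSinceAuth         int
}

// AssignAAL maps the factors presented at sign-in to a level 0..2, the range the
// talk's examples use. Assumption: one distinct factor earns AAL1, two or more AAL2.
func AssignAAL(factors []Factor) int {
	distinct := map[Factor]bool{}
	for _, f := range factors {
		distinct[f] = true
	}
	if len(distinct) >= 2 {
		return 2
	}
	return len(distinct)
}

// RiskScore turns the ADAPT signals into a score; the weights are assumptions
// standing in for the talk's ML-model output.
func RiskScore(s RiskSignals) int {
	score := 0
	for _, sig := range []struct {
		on     bool
		weight int
	}{
		{s.NewDevice, 3}, {s.NewGeo, 2}, {s.NewIP, 1}, {s.VelocityAnomaly, 4},
		{s.MinutesSinceAuth > 30, 2}, // trust decays: a strong sign-in goes stale
	} {
		if sig.on {
			score += sig.weight
		}
	}
	return score
}

// AdaptAAL lowers the assigned level as risk rises (assumed thresholds: score 3
// drops one level, score 6 drops to 0, i.e. treated as not signed in).
func AdaptAAL(assigned int, s RiskSignals) int {
	score := RiskScore(s)
	switch {
	case score >= 6:
		return 0
	case score >= 3 && assigned > 0:
		return assigned - 1
	}
	return assigned
}

// RequireAAL is the level an API demands, keyed on its sensitivity class.
func RequireAAL(sens Sensitivity) int {
	switch sens {
	case Public:
		return 0
	case Sensitive:
		return 1
	default: // HighlySensitive and Secret
		return 2
	}
}

// Decide is one cell of the AAL determination matrix: "Good" when the trust the
// session currently carries covers the API, otherwise "Step-up".
func Decide(factors []Factor, risk RiskSignals, sens Sensitivity) string {
	if AdaptAAL(AssignAAL(factors), risk) >= RequireAAL(sens) {
		return "Good"
	}
	return "Step-up"
}

func main() {
	pw, pwOTP, fresh := []Factor{Knowledge}, []Factor{Knowledge, Possession}, RiskSignals{}
	fmt.Println("bank portal, password:         ", Decide(pw, fresh, Sensitive))
	fmt.Println("transfer money, password:      ", Decide(pw, fresh, HighlySensitive))
	fmt.Println("transfer money, password+OTP:  ", Decide(pwOTP, fresh, HighlySensitive))
	stale := RiskSignals{NewDevice: true, MinutesSinceAuth: 60}
	fmt.Println("transfer, new device, 1h later:", Decide(pwOTP, stale, HighlySensitive))
}
```

The last case is the point of ADAPT: the same password-plus-OTP session that was Good for a transfer a minute ago drops to level 1 once it is used from a new device an hour later, so the money-movement API asks for a step-up again even though nobody signed out.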
Component Interaction
Components: Client, APIs, Identity Services
1. Sign in
2. Session with an AAL (Identity Services determine the AAL)
3. Access Resource
4. Verify (check expected AAL)
5. Step-up URL (remember the state)
6. Redirect for Step-up
7. Step-up
8. Higher AAL
Client Widget
Configuration
APIs: create the verify request; verify with expected AAL
Identity Services
• Authn Service: Sign-in, Verify
• Risk Engine: Device, IP, geo, time, … → Get Risk Score; Feedback → ML Model → Real time Risk Score
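The eight-step client / API / identity-service exchange above, as an added example that is not code from the talk or from Intuit: an in-memory identity service issues a session at AAL1, the API's configuration says which AAL each resource expects, a verify that falls short hands back a step-up URL carrying a state token (the "remember the state" annotation), and a successful step-up raises the session and redirects to the remembered resource. The resource paths, the 401 status, the user name and the OTP value 123456 are constructed for the example; the risk engine is left out of this one.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Session is what the identity service hands the client at sign-in (step 2).
type Session struct {
	ID  string
	AAL int
}

// IdentityService stands in for the talk's Authn Service; state is in memory.
type IdentityService struct {
	sessions map[string]*Session
	pending  map[string]string // step-up state token -> resource to return to
}

func NewIdentityService() *IdentityService {
	return &IdentityService{sessions: map[string]*Session{}, pending: map[string]string{}}
}

func token() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand; the error is non-nil only on a broken platform RNG
	return hex.EncodeToString(b)
}

// SignIn (step 1): a password sign-in earns a session at AAL1 (credential check omitted).
func (s *IdentityService) SignIn(user string) *Session {
	sess := &Session{ID: token(), AAL: 1}
	s.sessions[sess.ID] = sess
	return sess
}

// Verify (step 4): if the session lacks the expected AAL, remember the state and return the step-up URL (step 5).
func (s *IdentityService) Verify(sessionID string, expectedAAL int, resource string) (bool, string) {
	if sess, ok := s.sessions[sessionID]; ok && sess.AAL >= expectedAAL {
		return true, ""
	}
	state := token()
	s.pending[state] = resource
	q := url.Values{"aal": {fmt.Sprint(expectedAAL)}, "state": {state}}
	return false, "/step-up?" + q.Encode()
}

// StepUp (step 7): a correct OTP raises the session to AAL2 (step 8); the remembered
// state says where to redirect. "123456" is a constructed OTP standing in for a real check.
func (s *IdentityService) StepUp(sessionID, state, otp string) (string, error) {
	sess, ok := s.sessions[sessionID]
	resource, pending := s.pending[state]
	if !ok || !pending {
		return "", errors.New("unknown session or step-up state")
	}
	if otp != "123456" {
		return "", errors.New("bad OTP") // state stays pending so the user can retry
	}
	delete(s.pending, state)
	sess.AAL = 2
	return resource, nil
}

// Required is the API's configuration: the AAL each resource expects (unknown -> 404).
var Required = map[string]int{"/account": 1, "/transfer": 2}

// Access (step 3) serves the resource when Verify says Good; otherwise 401 with the step-up URL (step 6).
func Access(ids *IdentityService, sessionID, resource string) (status int, location string) {
	expected, known := Required[resource]
	if !known {
		return 404, ""
	}
	if ok, stepUp := ids.Verify(sessionID, expected, resource); !ok {
		return 401, stepUp
	}
	return 200, ""
}

// ClientFlow walks the eight steps for the bank example and returns the status of
// each API call: /account succeeds at AAL1, /transfer needs the step-up first.
func ClientFlow(otp string) ([]int, error) {
	ids := NewIdentityService()
	sess := ids.SignIn("alice")
	first, _ := Access(ids, sess.ID, "/account")
	second, stepUp := Access(ids, sess.ID, "/transfer")
	statuses := []int{first, second}
	if second != 401 {
		return statuses, nil
	}
	u, err := url.Parse(stepUp)
	if err != nil {
		return statuses, err
	}
	back, err := ids.StepUp(sess.ID, u.Query().Get("state"), otp)
	if err != nil {
		return statuses, err
	}
	third, _ := Access(ids, sess.ID, back)
	return append(statuses, third), nil
}
```

Two details matter for the real thing: the state token is random and single-use, so the step-up endpoint only ever redirects to a resource the API itself asked for (never to an attacker-supplied URL), and the API never raises the AAL on its own; only the identity service mutates the session.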
UNIVERSAL STRONG AUTHENTICATION – FIDO AS A STANDARD
Fast Identity Online (FIDO)
FIDO Protocols
Public Key cryptography
UAF – Universal Authentication Framework
• Passwordless UX
• Local device with UAF stack installed
• User presents a local authentication
U2F – Universal Second Factor
• Standalone U2F device - USB/NFC/Bluetooth
• Physical keychain with multiple keys – one for each origin
• Built-in support in web browsers
UAF
Src: https://fidoalliance.org/specifications/overview/
UAF - Registration
User Device: FIDO Client (Win, Mac, iOS, Android, …), FIDO Authenticators, User Agent (Browser, App, …)
Identity Provider: Web App, FIDO Server
1. Legacy Auth + Initiate Registration
2. Registration request + Policy
3. Enroll user + New Key Pair
4. Registration response + Attestation + User’s public key
5. Validate Response + Attestation; Store user’s Public Key
UAF - Authentication
User Device: FIDO Client (Win, Mac, iOS, Android, …), FIDO Authenticators, User Agent (Browser, App, …)
Identity Provider: Web App, FIDO Server
1. Initiate Authn
2. Authn request + Challenge + Policy
3. Verify User and unlock private key
4. Authn response signed by user’s private key
5. Validate Response using user’s Public Key
U2F
Src: https://fidoalliance.org/specifications/overview/
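The UAF registration and authentication flows above, together with U2F's one key per origin, as an added example that is not from the talk, the FIDO Alliance or Intuit. It uses Ed25519 from Go's standard library in place of the FIDO message formats, skips attestation validation (an assumption called out in the code), and the origins and user names are constructed. What it shows beyond the diagrams: the private key never leaves the authenticator, a challenge is single-use, and an authenticator registered for one origin simply has nothing to sign with at a look-alike origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the user's FIDO authenticator: one private key per origin, kept on
// the device and unlocked only after local user verification.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // origin -> private key (never leaves the device)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register (registration step 3): enroll a new key pair for this origin; only the public key leaves.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	a.keys[origin] = priv
	return pub
}

// Sign (authentication steps 3-4): verify the user locally, unlock this origin's key, sign the challenge.
func (a *Authenticator) Sign(origin string, challenge []byte, userVerified bool) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no key registered for this origin")
	}
	if !userVerified {
		return nil, errors.New("local user verification failed; key stays locked")
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// signedData binds the challenge to the origin, so a response for one site is useless at another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// FIDOServer holds registered public keys and outstanding challenges for its origin.
type FIDOServer struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey // user -> public key
	challenges map[string][]byte            // user -> outstanding challenge
}

func NewFIDOServer(origin string) *FIDOServer {
	return &FIDOServer{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// CompleteRegistration (registration step 5): store the user's public key. Attestation
// validation is omitted here (assumption); a real server checks it before storing the key.
func (s *FIDOServer) CompleteRegistration(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.pubKeys[user] = pub
	return nil
}

// Challenge (authentication step 2): a fresh random challenge per attempt.
func (s *FIDOServer) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; fails only on a broken platform RNG
	s.challenges[user] = c
	return c
}

// Authenticate (authentication step 5): verify with the stored public key; the challenge is consumed either way.
func (s *FIDOServer) Authenticate(user string, sig []byte) error {
	pub, registered := s.pubKeys[user]
	c, outstanding := s.challenges[user]
	delete(s.challenges, user)
	if !registered || !outstanding {
		return errors.New("no registration or no outstanding challenge")
	}
	if !ed25519.Verify(pub, signedData(s.origin, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo registers then authenticates one user against a constructed origin: a genuine login, a replay, a look-alike origin.
func Demo() (good, replay, phish error) {
	const origin = "https://bank.example"
	auth, server := NewAuthenticator(), NewFIDOServer(origin)
	_ = server.CompleteRegistration("alice", auth.Register(origin))
	sig, _ := auth.Sign(origin, server.Challenge("alice"), true)
	good = server.Authenticate("alice", sig)
	replay = server.Authenticate("alice", sig) // challenge already consumed
	phisher := NewFIDOServer("https://bank-example.com")
	_, phish = auth.Sign(phisher.origin, phisher.Challenge("alice"), true) // no key for that origin
	return
}
```

Demo returns nil for the genuine login and non-nil errors for the other two. The look-alike case is why the talk's U2F bullet says one key per origin: the phishing site can run the whole protocol correctly and still gets nothing, because the authenticator's key lookup is by origin, not by what the page claims to be.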
Summary
As developers we have thought of authentication as a binary switch
We need to start thinking about the degree and levels of trust
Incorporate AAL into the design thinking
AAL will help us in balancing security vs usability
Deliver delightful experience to customers
Thank you