
Page 1: Trust Elevation using the LoginTC as an Electronic Credential - OASIS › committees › download.php...

Cyphercor Incorporated. All rights reserved ® v Q412A Page 1

Technical Discussion

Trust Elevation using the LoginTC as an Electronic Credential

Presented by Cyphercor Inc.

Page 2

Cyphercor Inc.

Cyphercor is a technical start-up focused on enabling widespread 2FA adoption

Founded in 2011

Headquarters: Kanata, Ontario, Canada

Founders:

Hernan Matute, CEO with 25 years of Security and IT experience, and 22 years with BCE

Diego Matute, CTO with 6 years of start-up experience and 3 years with Microsoft

Team:

Dedicated group of developers, engineers, sales and IT Professionals

Vision: “To provide universal strong authentication to online users”

Page 3

The State of 2FA: OTP, PKI and SMS

Method / Advantages / Disadvantages

Hardware OTP Tokens
  Advantages: Simple to use. Timely authentication.
  Disadvantages: User authentication only on simple models. Cost of tokens and distribution.

Software OTP Tokens
  Advantages: Simple to use. Many users carry capable smart phones. Timely authentication. Low cost.
  Disadvantages: User authentication only on simple models. Applications can be compromised.

SMS
  Advantages: User authentication. Timely authentication. Low initial cost. Most users already carry smart phones.
  Disadvantages: Customer management expensive. Availability of coverage. Ongoing cost of SMS messages to SPs and customers. Forwarded numbers may compromise SMS delivery.

Smart Cards
  Advantages: Effective security and authentication. Portable and reliable. Can integrate with PKI.
  Disadvantages: Cost of card readers. Possible card re-issuing costs. Usability for some customers. Distribution.

PKI Certificate
  Advantages: Non-repudiation of transaction. Can expand to be used for e-signing.
  Disadvantages: High cost at both launch and ongoing operations. Specialized personnel to operate. Certificate file could be compromised.

Page 4

The LoginTC Approach to 2FA

Secure Point-to-Point communication

Certificate-based push notification

Security-as-a-Service delivered in the cloud or on-premise

Don’t re-invent the wheel: leverage widely adopted authentication protocols

Easy to use and administer

Not cost-prohibitive

Elastic, scalable and highly available

Available for all mobile platforms

Enable smart transactions

Enable 2FA for any network and/or mobile applications

Enable 2FA for existing mobile apps

Page 5

ARCHITECTURE OVERVIEW

Integration of LoginTC 2FA services with Service Providers

Page 6

Authentication Actors

Service Providers
  Bank of America, Google, Salesforce.com, etc.

LoginTC Cloud
  LoginTC Manager Appliance: Administrator Control Panel; manage domains, users, tokens; licensing, logs, auditing; cloud or on-premise
  Push Tier: push to smartphone apps (certs live here)
  Confirmation Code DNS
  Licensing
  DB: running MySQL 5.1

LoginTC Apps
  iOS, BlackBerry and Android
  Free to download
  Support multiple tokens
  Can also be embedded into existing apps

Page 7

Authentication Actors Diagram

Page 8

AUTHENTICATION WITH SERVICE PROVIDERS

How the LoginTC authenticates with Service Providers using OAuth, SAML or RADIUS-based protocols

Page 9

LoginTC Authentication Characteristics

Robust and secure credential provisioning and recovery

Protects against man-in-the-middle attacks

Certificate-based out-of-band notifications:

  Stronger than SMS or phone call. Example: if the attacker knows the user’s cell phone number, they can easily spoof an SMS or phone call, simulate access on a phished site and retrieve the user's password!

  Phishing, keyboard logging and spoofing can be prevented since the notification is out-of-band and the user enters their PIN/Passcode on their smartphone, not in the web browser

  SMS and OTP notifications rely on users entering information on web forms, exposing users to various attacks

Page 10

LoginTC SAML – SP Initiated: Google

Page 11

LoginTC SAML – IDP Initiated: salesforce.com

Page 12

LoginTC Connect – OAuth API

Page 13

LoginTC and RADIUS-based Authentication

Page 14

ELEVATED TRUST WITH SERVICE PROVIDERS

How the LoginTC Elevates Trust with Service Providers

Page 15

SP Elevated Trust - 1

[Diagram: User, LoginTC Cloud IDP, Service Provider; Content A needs 1-factor, Content B needs 2-factor]

A User attempts to access Content protected by the SP:

• Content A requires 1-factor authentication

• Content B requires 2-factor authentication

Page 16

SP Elevated Trust - 2

[Diagram: User, LoginTC Cloud IDP, Service Provider; Content A needs 1-factor, Content B needs 2-factor]

Service Provider determines User attempts to access Content B:

• Content B requires 2-factor authentication and may require an elevated level of trust of the electronic credential to be presented

• SP may require additional assertion information from IDP

• SP may initiate an Authentication Context declaration (similar to SAML)

Page 17

SP Elevated Trust - 3

[Diagram: User, LoginTC Cloud IDP, Service Provider; Service Provider initiates IDP session with Authentication Context request; Content B needs 2-factor]

Service Provider identifies LoginTC as the Authentication Authority:

• SP initiates Authentication Request session with LoginTC Cloud IDP

• SP may additionally request Authentication Context

• The context class requested may reflect a mobile contract customer registration procedure, i.e. explicit proof of user identity with a PIN

• SP may additionally request specific assertions of User from the LoginTC

Page 18

SP Elevated Trust - 4

[Diagram: User, LoginTC Cloud IDP, Service Provider; Content B needs 2-factor]

LoginTC Cloud IDP initiates secure notification with User’s smartphone:

• User receives wireless notification out-of-band into LoginTC app (1st factor)

• User accepts notification and is prompted for a PIN (2nd factor)

• LoginTC Cloud validates PIN and initiates Authentication Response to SP

Page 19

SP Elevated Trust - 5

[Diagram: User, LoginTC Cloud IDP, Service Provider; Content B needs 2-factor]

LoginTC Cloud redirects the User to SP with Authentication Response:

• LoginTC IDP may use Extensions elements to deliver additional authentication context details of the assertions requested, either inserted directly or referenced within the authentication assertion that the LoginTC IDP provides to the Service Provider

• SP parses authentication context declarations and assesses quality of assertions

• SP makes a determination whether to allow or reject user access to Content B
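The SP side of the five-step exchange above (asking the IDP for an authentication context in step 3, then parsing the declaration that comes back and deciding on Content B in step 5), as an added Python example that is not LoginTC code. The level-to-class policy, the constructed unsigned sample Response and the function names are assumptions; the class URNs are the standard SAML 2.0 authentication context classes.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed SP policy (not from the slides): which standard SAML 2.0 AuthnContext
# classes satisfy each content level. Level 2 is the "mobile contract" class,
# i.e. a registered smartphone plus a PIN, as on the SP Elevated Trust slides.
LEVEL_CLASSES = {
    1: {AC + "Password", AC + "PasswordProtectedTransport"},
    2: {AC + "MobileTwoFactorContract"},
}

def build_requested_authn_context(required_level):
    """Element the SP puts in its AuthnRequest to ask the IDP for a level."""
    rac = ET.Element(f"{{{NS['samlp']}}}RequestedAuthnContext",
                     Comparison="exact")
    for cls in sorted(LEVEL_CLASSES[required_level]):
        ET.SubElement(rac, f"{{{NS['saml']}}}AuthnContextClassRef").text = cls
    return ET.tostring(rac, encoding="unicode")

def assess_response(response_xml, required_level):
    """Return (allowed, class_ref) for an IDP Response against a content level.
    Only status and the AuthnContext declaration are checked; a real SP must
    also verify the assertion signature, audience and validity window first."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        return False, None
    ref = root.find("saml:Assertion/saml:AuthnStatement/saml:AuthnContext/"
                    "saml:AuthnContextClassRef", NS)
    if ref is None or not ref.text:
        return False, None
    class_ref = ref.text.strip()
    # A class that satisfies a higher level also satisfies every lower one.
    ok = any(class_ref in LEVEL_CLASSES[lvl]
             for lvl in LEVEL_CLASSES if lvl >= required_level)
    return ok, class_ref

def sample_response(class_ref):
    """Constructed, unsigned Response used only to exercise assess_response."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
            '<samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>'
            f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
            '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>'
            '</samlp:Response>')
```

A password-only context is accepted for Content A but rejected for Content B, which is the step-up decision the slides describe.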

Page 20

The Future of Online Authentication

2FA will become mainstream

2FA should be easier and more secure to administer, use and deploy than username/password

Smartphones will become universal 2FA

Organizations will standardize with BYOD

Credential Registration and Provisioning must be secure and standards-based

SPs should be able to consume 2FA on-demand from IDPs

Page 21

Contact Information

Corporate Headquarters
  Cyphercor Inc.
  555 Legget Drive, Suite 130
  Kanata, Ontario
  Canada K2K-2X3
  Phone: 613-592-5800
  Fax: 613-592-5119

Partner and Investor Relations
  Hernan Matute
  [email protected]
  Phone: 613-859-4490

Technology Inquiries
  Diego Matute
  [email protected]
  Phone: 613-859-5756

Sales
  Brian Panteledes
  [email protected]
  Phone: 603-817-9606

General Information
  https://www.logintc.com
  [email protected]