DON'T Use Two-Factor Authentication...Unless You Need It!
#RSAC
1
Obama says use two factors…
https://nakedsecurity.sophos.com/2016/02/12/obama-says-passwords-arent-strong-enough-urges-use-of-2fa/
Progress = Obliviousness
2FA = two-factor authentication
Authentication tradeoffs…
Protect your money!
Guidance issued in 2005 entitled “Authentication in an Internet Banking Environment”
Source: https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
“… the techniques employed should be commensurate with the risks associated with the products and services offered”
What is Trust Elevation?
Agenda
Background on authentication technology: where are we today?
Deep Dive into OAuth2: what features does it have to support Trust Elevation?
Trust Elevation across domain boundaries
GOAL: Make you aware of some of the challenges we face to enable Trust Elevation
What is Multi-Factor Authentication?
NIST defines this as two or more of …
Something you know
Something you have
Something you are
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Risk Scores
Contextual Combinations Complicate
Is the IP address that of a known attacker? Was the device rooted? Is a browser cookie present? Is the device running virus protection? Is the location recognized? When was the credential issued? What is the time of day?
“…every scheme does worse than passwords on deployability”
http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf
OAuth2 will make 2FA more “deployable”
Applications should use standard APIs for authentication and Trust Elevation!
No “one-offs”
Good Intro to OAuth2: http://nordicapis.com/api-security-oauth-openid-connect-depth/
Enter OAuth2
i.e. APIs
i.e. Website or mobile app
i.e. Secure Token Service
OpenID Connect
Resource Server = user_info API
To call this API, you need an Access Token
Importance of Audience
https://hanszandbelt.wordpress.com/2015/12/14/the-importance-of-audience-in-web-sso/
OpenID Connect: Client Registration, Discovery too!
http://openid.net/connect
Overview of Authorization Code Flow
Relying Party (RP) redirects person to OpenID Provider (OP) for authorization
Authentication happens only once!
OP returns code to RP
RP uses code to get tokens from OP
RP uses access token to obtain user claims from /user_info API:
{"given_name": "Mike", "family_name": "Schwartz"}
OpenID Connect id_token
Information about authentication event
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "3214244",
  "iat": 1311195570,
  "exp": 1311281970,
  "auth_time": 131195001,
  "acr": "http://example.com/basic_bio",
  "amr": ["eye", "pwd", "12"]
}
ACR and AMR
How does the app know what kind of authentication happened?
OpenID Provider Discovery
GET host + /.well-known/openid-configuration
OpenID Dynamic Client Registration
Authentication Request
In the request, acr_values is actually a space-delimited string…
id_token
Returned id_token confirms acr and amr values
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "3214244",
  "iat": 1311195570,
  "exp": 1311281970,
  "auth_time": 131195001,
  "acr": "http://example.com/basic_bio",
  "amr": ["eye", "pwd", "12"]
}
App Policy
GET https://example.com/finance
Just an example… using OpenID Connect alone, you could require a certain type of authentication
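The per-path policy check the slide describes, as an added example (not code from the talk): the relying party validates the id_token claims it received, compares the acr against what the requested path requires and how fresh auth_time must be, and otherwise answers with the space-delimited acr_values to send in a new authentication request. Issuer, client id, acr URIs and the sample claims are constructed.

```python
# Hypothetical RP configuration and app policy (constructed for this example).
EXPECTED_ISS = "https://server.example.com"
CLIENT_ID = "3214244"
# acr URIs are placeholders in the style of the slides; POLICY says which acr
# values satisfy a path and how old the authentication event may be (seconds).
ACR_PWD = "http://example.com/basic_pwd"
ACR_BIO = "http://example.com/basic_bio"
POLICY = {
    "/finance": {"acr": {ACR_BIO}, "max_age": 300},
    "/profile": {"acr": {ACR_PWD, ACR_BIO}, "max_age": 86400},
}


def validate_id_token(claims, now):
    """Basic claim checks; the JWT signature is assumed to be verified already."""
    if claims.get("iss") != EXPECTED_ISS:
        return "bad issuer"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return "bad audience"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return "expired"
    if not isinstance(claims.get("auth_time"), int):
        return "missing auth_time"
    return None


def decide(path, claims, now):
    """Return ('allow', None), ('deny', reason) or ('step_up', acr_values)."""
    rule = POLICY.get(path)
    if rule is None:
        return "deny", "no policy for path"
    error = validate_id_token(claims, now)
    if error:
        return "deny", error
    fresh = now - claims["auth_time"] <= rule["max_age"]
    if claims.get("acr") in rule["acr"] and fresh:
        return "allow", None
    # Send the user back to the OP; acr_values in the authentication request
    # is a space-delimited string of acceptable acr URIs.
    return "step_up", " ".join(sorted(rule["acr"]))


# Constructed id_token claims: password-only login (acr=ACR_PWD) issued at iat.
CLAIMS = {"iss": EXPECTED_ISS, "sub": "248289761001", "aud": CLIENT_ID,
          "iat": 1_700_000_000, "exp": 1_700_003_600,
          "auth_time": 1_700_000_000, "acr": ACR_PWD, "amr": ["pwd"]}
```

With these claims, decide("/profile", CLAIMS, 1_700_000_600) allows, while decide("/finance", CLAIMS, 1_700_000_600) asks for a step-up to ACR_BIO.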
Best Practice: Centralize Policy Management
UMA
Protect any API: require an RPT Token
UMA In 60 seconds
Client calls API without RPT Token
RS obtains Permission Ticket from AS and returns it to Client
Client presents ticket to AS
AS evaluates policies. If ok, issues RPT token (bearer)
Client calls API with RPT Token
RS introspects Token: if ok, returns content
Subtle difference… Scope references policy
Scope based access: level of abstraction that enables the central policy decision point to decide which acr is required
What kind of policies can you make?
Elevating Trust using UMA
You are Forbidden because you need acr…
Re-Authenticate!
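The UMA exchange on the preceding slides, as an added in-process simulation (not code from the talk or from any UMA implementation): the AS maps each scope to a required acr, the RS hands out permission tickets and introspects RPTs, and the client re-authenticates and retries when the AS answers that it needs a stronger acr. Scope names, acr URIs and their ranking are constructed, and the protocol is reduced to plain function calls (the real need_info response is replaced by fetching a fresh ticket).

```python
import secrets
# Constructed AS policy: each UMA scope names the acr a user's authentication
# must have reached; ACR_RANK orders the hypothetical acr URIs by strength.
SCOPE_POLICY = {"view": "http://example.com/basic_pwd",
                "transfer": "http://example.com/basic_bio"}
ACR_RANK = {"http://example.com/basic_pwd": 1, "http://example.com/basic_bio": 2}


class AuthorizationServer:
    def __init__(self):
        self.tickets, self.rpts = {}, {}

    def permission_ticket(self, resource, scope):        # step 2: RS asks for a ticket
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (resource, scope)
        return ticket

    def authorize(self, ticket, user_acr):                # steps 3-4: client presents ticket
        resource, scope = self.tickets.pop(ticket)       # tickets are single use
        required = SCOPE_POLICY[scope]
        if ACR_RANK.get(user_acr, 0) < ACR_RANK[required]:
            return {"error": "forbidden", "required_acr": required}
        rpt = secrets.token_hex(16)                      # opaque bearer RPT
        self.rpts[rpt] = (resource, scope)
        return {"rpt": rpt}

    def introspect(self, rpt):                           # step 6: RS checks the RPT
        perm = self.rpts.get(rpt)
        if perm is None:
            return {"active": False}
        return {"active": True, "resource": perm[0], "scope": perm[1]}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def api(self, resource, scope, rpt=None):
        info = self.auth_server.introspect(rpt) if rpt else {"active": False}
        if info["active"] and (info["resource"], info["scope"]) == (resource, scope):
            return 200, {"content": f"{resource}:{scope}"}
        return 401, {"ticket": self.auth_server.permission_ticket(resource, scope)}


def client_flow(auth_server, rs, resource, scope, session_acr, reauth_acr):
    """Client side: call, get ticket, ask AS; if forbidden, re-authenticate and retry."""
    _, body = rs.api(resource, scope)                    # step 1: no RPT yet
    grant = auth_server.authorize(body["ticket"], session_acr)
    if "error" in grant:                                 # forbidden: you need acr...
        _, body = rs.api(resource, scope)                # fresh ticket after step-up
        grant = auth_server.authorize(body["ticket"], reauth_acr)
        if "error" in grant:
            return 403, grant
    return rs.api(resource, scope, rpt=grant["rpt"])     # step 5: call with RPT
```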
Part III: Interdomain trust elevation
Infrastructure and security are not (usually) a basis for competition between firms in the same industry.
SAML Federations
Normalize legal/technical
Many SAML Federations publish user schema.
http://www.incommon.org/federation/attributesummary.html
OAuth2 schema: not just user claims…
Collaboration on ACR / AMR values
So what values should we use for amr and acr?
https://tools.ietf.org/html/draft-jones-oauth-amr-values-05
This IETF draft defines some AMR values… but it's inadequate
ACR alignment
Domains need to collaborate on the values for acr and amr
OTTO – Kantara Initiative Work Group
http://kantarainitiative.org/confluence/display/OTTO/Home
Open Trust Taxonomy for OAuth2
SAML federations
OAuth2 has new entities and new jargon
Where do we need federations?
Summary
We don’t lack ways to identify people, but we lack agreement on the relative strength of these mechanisms.
OAuth2 enables centralized risk based trust elevation, driving down the cost of deployment—the main impediment to 2FA adoption.
To enable trust elevation across domains, federations are needed.
Action items
Don’t limit your planning to two-factor authentication. Make a plan for trust elevation!
Start architecting your applications to leverage a central policy decision point—not for all fine-grained authorization, but for key security escalations.
If you work in an ecosystem, consider collaborating (even with your competitors) to drive down the cost of security.