Secure Technology Alliance - Strong Authentication: What’s … · 2020-01-16
TRANSCRIPT
Strong Authentication: What’s Beyond Usernames and Passwords?
Rob Zivney, Sr. Consultant, IDentification Technology Partners
Displace:
• Paper
• Plastic
• Photos
• Leather
True Digital Wallet
I Have Memorized My AMEX
I have digitized my important info into one file
• Organized so I can find stuff
Keys
Analog and Digital, Like a “Wearable”
• Possession
• Auto - Pushbutton Start
• Backup USB
• Important Stuff File
• Encrypted
• List of UN & PW
Most Have No Batteries
What Does It Matter?
Identities Are Just a Record in a Database
• Just a number string somewhere
You Can Have Many Identities
• Each requires its own authentication
Each Identity Has Its Own Privileges
Linkage Is Key
• Link to Master Secure Identity
• Link to Communications (including Cloud)
• Link to Power Source
Internet of Things Can Be Less “Personal”
• PACS (Physical Access Control System) Authenticates System Components
It’s About Who Has Control
Authentication to the OS or the App?
• Hardware
• GUI
• Convenience
• Client, Server, Workstation
Every App Is Different
• Different Rules for Authentication (Password, etc.)
Too Many Passwords
• To Remember
• To Manage
Multifactor Authentication
Cryptography
• With Some Form of Keyboard Entry
Biometrics
• Not a secret, but…
4 Factors
• What You Have
• What You Know
• What You Are
• What Someone Else Knows About You (PKI)
Strength through Multifactor vs. Strong Passwords
Consumer Market - Mobile
Biometrics
• Finger
• Face
• Templates
“Wearables”
Physical Access: How to Do Mutual Authentication?
• Smarter Readers
• Smarter PACS
• NFC Secure Element (SE) for Reader
Government Market - PIV (Personal Identity Verification)
PACS Industry Had Little Input
Developed for eGovernment
• Remote IT Login via PKI
• Access is both Authentication & Authorization
• PACS takes a systems approach
• Authentication is not always done first
Struggling for Interoperability
• Gen 2 Test Cards - Finally
• Now Industry Can Build Systems for PIV
Will Have to Get Quicker for PACS
• Contactless
Not the Game Changer Expected
• Not Using the Power of the Smart Card
• Too Many “Options”
Ultimately: A Question of Trust
PIV Now Requires PKI at the Door
New Processes:
• Signature Checking of Signer
• Challenge/Response to Card
• Certificate Check with Path Validation
• All Require FIPS 140-2 Somewhere in the “System”
New Cryptographic Algorithms
• RSA-2048 & ECC (ECDSA)
Must Validate:
• Cardholder
• Card
• Credential
• CA
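The three checks on the slide above (path validation of the card certificate to a trusted CA, a challenge/response to prove the card holds the matching private key, then the authorization decision for the door) as an added, runnable example; this is not code from the presentation or from any PACS product. It uses Go’s standard crypto/x509 and crypto/ecdsa with the ECC (P-256) option rather than RSA-2048, stands up a throwaway “Agency PIV CA” in memory instead of a real PIV issuer, and identifies the cardholder by the certificate’s Common Name instead of a FASC-N; all of those are simplifying assumptions. The `Door` type and its `Admit` method are hypothetical names chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template (assumption: a real PIV
// Authentication certificate carries more, e.g. a FASC-N in the SAN).
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// IssueCA creates a self-signed issuing CA (stand-in for an agency PIV CA).
func IssueCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := newTemplate(name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueCardCert issues an ECC P-256 authentication certificate to a card.
func IssueCardCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, holder string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, newTemplate(holder, false), ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Card holds the private key; only the card can answer a challenge.
type Card struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// SignChallenge is the on-card signing operation (the part a FIPS 140-2
// validated module would perform on a real card).
func (c *Card) SignChallenge(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// Door is the PACS side: trust anchors plus the holders authorized here.
type Door struct {
	roots      *x509.CertPool
	authorized map[string]bool
}

func NewDoor(trustedCA *x509.Certificate, holders []string) *Door {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	auth := map[string]bool{}
	for _, h := range holders {
		auth[h] = true
	}
	return &Door{roots: pool, authorized: auth}
}

// NewChallenge returns a fresh nonce; a signature over an old one is a replay.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 16)
	_, err := rand.Read(b)
	return b, err
}

// Admit runs the slide's checks in order: credential and CA (path validation),
// card (challenge/response), cardholder (authorization for this door).
func (d *Door) Admit(cert *x509.Certificate, challenge, signature []byte) error {
	opts := x509.VerifyOptions{Roots: d.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], signature) {
		return errors.New("challenge/response failed")
	}
	if !d.authorized[cert.Subject.CommonName] {
		return fmt.Errorf("%q is authenticated but not authorized for this door", cert.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, caKey, _ := IssueCA("Agency PIV CA")
	cert, key, _ := IssueCardCert(ca, caKey, "JANE DOE 0001")
	card := &Card{Cert: cert, key: key}
	door := NewDoor(ca, []string{"JANE DOE 0001"})
	chal, _ := NewChallenge()
	sig, _ := card.SignChallenge(chal)
	fmt.Println("admit:", door.Admit(card.Cert, chal, sig))
}
```

The order matters: a certificate that chains to a rogue CA is rejected before its signature is ever checked, a signature over a stale challenge fails the challenge/response step, and a perfectly valid card whose holder is not on this door’s list is authenticated but still refused, which is the slide’s point that access is both authentication and authorization. A production PACS would add revocation checking (CRL/OCSP) to the path validation step; the example omits it.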
Leadership
What’s Next?
Need a Market Leader
• Rules of the Game
Market Drivers
Convenience – Not Price
• Smartphones are Expensive
• Form Factor
• Speed
• Sign On to OS – Not the App
Design Aesthetics
• Long Battery Life
• Short Recharge Time
One Global Market
• Technology
• Cybersecurity Reactions
The Consumer Will Lead
Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 · www.smartcardalliance.org
Rob Zivney, IDentification Technology Partners · [email protected] · Office 1 301 990-9061 · Mobile 1 949 283-1126