Measuring Authentication: NIST and Vectors of Trust

Transcription

1 SESSION ID: IDY-F01 Measuring Authentication: NIST and Vectors of Trust auth Sarah Squire Senior Identity Solution Architect Engage

2

3 Eyewitness News 3

4 A Play in Five Acts What is authentication, and why are we measuring it? Levels of Assurance Vectors of Trust NIST Digital Identity Guidelines How to help 4

5 What is authentication, and why are we measuring it? Act I

6

7

8 What is authentication, and why are we measuring it? ELI5 version: Making sure that a person or thing is the same person or thing you saw last time (which is different from them being who they say they are!) 8

9 Levels of Assurance Act II

10 Levels of Assurance 10

11 Levels of Assurance LoA 1 LoA 2 LoA 3 LoA 4 Little or no confidence Some confidence High confidence Very high confidence 11

12 Levels of Assurance LoA 4 Very high confidence Strong cryptographic authentication 12

13 Levels of Assurance LoA 4 Very high confidence Strong cryptographic authentication Strong man-in-the-middle resistance 13

14 Levels of Assurance LoA 4 Very high confidence Strong cryptographic authentication Strong man-in-the-middle resistance No bearer tokens 14

15 Levels of Assurance LoA 4 Very high confidence Strong cryptographic authentication Strong man-in-the-middle resistance No bearer tokens Account owner has physically appeared and a government-issued photo-identification document has been verified by the relevant agency. 15

16 Vectors of Trust Act III

17 Vectors of Trust P C M A Identity Proofing Primary Credential Usage Primary Credential Management Assertion Presentation 17

18 Vectors of Trust P Identity Proofing P0: No proofing, not consistent across sessions 18

19 Vectors of Trust P Identity Proofing P0: No proofing, not consistent across sessions P1: Self-asserted, possibly pseudonymous 19

20 Vectors of Trust P Identity Proofing P0: No proofing, not consistent across sessions P1: Self-asserted, possibly pseudonymous P2: Identity has been proofed remotely or in-person 20

21 Vectors of Trust P Identity Proofing P0: No proofing, not consistent across sessions P1: Self-asserted, possibly pseudonymous P2: Identity has been proofed remotely or in-person P3: Binding relationship (employee, customer, student, etc.) 21

22 Vectors of Trust C Primary Credential Usage C0 No credential 22

23 Vectors of Trust C Primary Credential Usage C0 No credential Ca Session cookies 23

24 Vectors of Trust C Primary Credential Usage C0 No credential Ca Session cookies Cb Known device 24

25 Vectors of Trust C Primary Credential Usage C0 No credential Ca Session cookies Cb Known device Cc Shared secret such as a username and password combination 25

26 Vectors of Trust C Primary Credential Usage C0 No credential Ca Session cookies Cb Known device Cc Shared secret such as a username and password combination Cd Cryptographic proof of key possession using shared key Ce Cryptographic proof of key possession using asymmetric key 26

27 Vectors of Trust C Primary Credential Usage C0 No credential Ca Session cookies Cb Known device Cc Shared secret such as a username and password combination Cd Cryptographic proof of key possession using shared key Ce Cryptographic proof of key possession using asymmetric key Cf Sealed hardware token / trusted biometric / TPM-backed keys 27

28 Vectors of Trust M Primary Credential Management Ma Self-asserted primary credentials / no additional verification for primary credential issuance or rotation 28

29 Vectors of Trust M Primary Credential Management Ma Self-asserted primary credentials / no additional verification for primary credential issuance or rotation Mb Remote issuance and rotation / use of backup recover credentials (such as verification) / deletion on user request 29

30 Vectors of Trust M Primary Credential Management Ma Self-asserted primary credentials / no additional verification for primary credential issuance or rotation Mb Remote issuance and rotation / use of backup recover credentials (such as verification) / deletion on user request Mc Full proofing required for each issuance and rotation / revocation on suspicious activity 30

31 Vectors of Trust A Assertion Presentation Aa No protection / unsigned assertion 31

32 Vectors of Trust A Assertion Presentation Aa No protection / unsigned assertion Ab Signed and verifiable assertion, passed through the browser 32

33 Vectors of Trust A Assertion Presentation Aa No protection / unsigned assertion Ab Signed and verifiable assertion, passed through the browser Ac Signed and verifiable assertion, passed through a back channel 33

34 Vectors of Trust A Assertion Presentation Aa No protection / unsigned assertion Ab Signed and verifiable assertion, passed through the browser Ac Signed and verifiable assertion, passed through a back channel Ad Assertion encrypted to the relying party s key and audience protected 34

35 Vectors of Trust Example: Whistleblower P? 35

36 Vectors of Trust Example: Whistleblower P1 36

37 Vectors of Trust Example: Whistleblower P1.C? 37

38 Vectors of Trust Example: Whistleblower P1.Cb.Cc 38

39 Vectors of Trust Example: Whistleblower P1.Cb.Cc.M? 39

40 Vectors of Trust Example: Whistleblower P1.Cb.Cc.Ma 40

41 Vectors of Trust Example: Whistleblower P1.Cb.Cc.Ma.A? 41

42 Vectors of Trust Example: Whistleblower P1.Cb.Cc.Ma.Ac 42

43 NIST Digital Identity Guidelines Act IV

44 NIST Digital Identity Guidelines IAL AAL FAL Identity Assurance Level Authenticator Assurance Level Federation Assurance Level 44

45 NIST Digital Identity Guidelines IAL Identity Assurance Level Level 1: Pseudonymous 45

46 NIST Digital Identity Guidelines IAL Identity Assurance Level Level 1: Pseudonymous Level 2: Remote or In-person identity proofing 46

47 NIST Digital Identity Guidelines IAL Identity Assurance Level Level 1: Pseudonymous Level 2: Remote or In-person identity proofing Level 3: In-person identity proofing with biometric collection for the purpose of non-repudiation 47

48 NIST Digital Identity Guidelines AAL Authenticator Assurance Level Level 1: Single factor authentication 48

49 NIST Digital Identity Guidelines AAL Authenticator Assurance Level Level 1: Single factor authentication Level 2: Two-factor authentication 49

50 NIST Digital Identity Guidelines AAL Authenticator Assurance Level Level 1: Single factor authentication Level 2: Two-factor authentication Level 3: Two-factor authentication with cryptographic device and verifier impersonation resistance 50

51 NIST Digital Identity Guidelines FAL Federation Assurance Level Level 1: Signed bearer assertion 51

52 NIST Digital Identity Guidelines FAL Federation Assurance Level Level 1: Signed bearer assertion Level 2: Signed and encrypted bearer assertion 52

53 NIST Digital Identity Guidelines FAL Federation Assurance Level Level 1: Signed bearer assertion Level 2: Signed and encrypted bearer assertion Level 3: Signed and encrypted holder-of-key assertion 53

54 NIST Digital Identity Guidelines Example: Secretary of State Identity Assurance Level? 54

55 NIST Digital Identity Guidelines Example: Secretary of State Identity Assurance Level: 3 55

56 NIST Digital Identity Guidelines Example: Secretary of State Identity Assurance Level: 3 Authenticator Assurance Level? 56

57 NIST Digital Identity Guidelines Example: Secretary of State Identity Assurance Level: 3 Authenticator Assurance Level: 3 57

58 Vectors of Trust Example: Secretary of State Identity Assurance Level: 3 Authenticator Assurance Level: 3 Federation Assurance Level? 58

59 NIST Digital Identity Guidelines Example: Secretary of State Identity Assurance Level: 3 Authenticator Assurance Level: 3 Federation Assurance Level: 2 59

60 How to Help Act V

61 How to Help 61

62 Q & A 62

63 Resources or Vectors of Trust: NIST Federal Authentication Guidelines: 63