New Paradigms of Digital Identity:


A Telefonica White Paper
New Paradigms of Digital Identity: Authentication and Authorization as a Service (AuthaaS)
February 2016

1. Introduction

The concept of identity has always been the key factor when it comes to establishing a relationship between individuals. Identification, as a way to ensure someone is who they claim to be, gains even greater relevance in an increasingly digitized world. This also brings a host of new challenges, including:

- Multidimensionality of digital identities: their management and how this impacts the definition of Corporate Identity (Social Identity vs Validated Identity).
- Attribution: validation of the data (attributes) that make up and define a digital identity.
- Identity proofing: validation of the relationship between an identity in the digital world and an identity in the real world.

The aim of this document is to discuss the concept of digital identity in the current ecosystem, to describe IAM (Identity and Access Management) solutions and IDaaS (IAM as a Service), and to propose a model that reduces complexity in the authentication and authorization processes of identity management.

2. The Digital Identity Ecosystem

For many years, the way of moving an individual's identity into the digital world has involved the creation of a digital representation of the individual. The manner in which this digital identity is formulated depends on where it is to be used.

From the perspective of the public sector, the validation of the relationship between this digital identity and the real-world identity (identification/identity proofing) is vital. Typically, this identification process concludes with the generation of a set of credentials which links the individual with their identity in the digital world. This is the case for the processes that register an individual within society by issuing a unique number or physical token (e.g. national identifiers, social security numbers, digital certificate passwords, etc.). This issuance, managed by public authorities, constitutes a legally validated record, and it can be affirmed that these credentials correspond uniquely to a single individual. In addition, during the process of generating these credentials, certain attributes which define the individual (such as name, surname, date of birth, nationality, gender, etc.) are validated. This set of identifiers, along with the validated attributes and taking into account this 1:1 relationship with the individual they identify, may be called Physical Identity.

In private companies the scenario is slightly different. Companies need to validate the existence of an individual and their attributes in order to create another type of identity: Corporate Identity. To that end, the responsibility for physically identifying individuals can be delegated to the issuers of those physical identities. This is the case for a service provider who, in order to convert individuals into users of their systems or services, creates their own credentials (e.g. an online banking user, a company employee or a consumer of services of a retail outlet). They require, to a greater or lesser degree, the submission of the corresponding physical identities so as to incorporate the attributes, which have already been validated, into the new identity. By creating these corporate digital identities, in addition to the attributes already validated by third parties, it is possible to add new attributes which can be validated by the service provider (e.g. postal address, bank account or phone number) or even attributes that could not be validated but which have been provided by the individual, now the user. This type of digital identity, unlike physical identities, does not have a unique relationship with the individual. That is to say, the same person may have multiple identities with a single service provider (e.g. where a provider identifies its users by their account number, a user may have multiple accounts with the same provider). These digital identities have traditionally been managed by IAM (Identity and Access Management) systems.

With the advent of Social Media and the emergence of Social Identities, there is no longer a need for identification to link digital identities to a physical identity. It is now possible for individuals to assign themselves an identity on a Social Media site and, although they are asked to provide attributes, there is no robust process of identification to validate the authenticity of those attributes. The creation of an identity on a social network such as Facebook is a case where, unlike those previously mentioned, the information an individual is asked for during the identification process is not directly validated. When a new user joins Facebook, identification is established by requesting a prior digital identity (i.e. an email account). It could be argued that this identification is verified by an identification request made to the email account provider. However, there is no certainty that this provider actually validates the attributes of the individual.

Figure 1: How to obtain the best balance between usability, security and verification when authenticating and identifying users? (Axis labels: add veracity/security on one side, add usability on the other; B2B vs B2C. Physical Identity: digital certificate, physical check. Corporate Identity: IAM, user/password, 2FA via SMS token or email. Social Identity: social login.)

IDaaS solutions are key factors in the evolution of traditional IAM management models. Whilst the benefits of social identities mean better usability (fewer passwords, login and registration steps, improved and easy support) and improved intelligence (which makes it easier to use these OTT solutions), there are disadvantages concerning privacy or identity theft. This, in turn, is leading to hybrid models which link digital identities generated by service providers with the identities that users provide. This need, together with the emergence of federated identity management, has given rise to complex scenarios in which identity management is carried out in a fragmented and adaptable way. This fragmentation means that whoever issues and validates the credentials of a digital identity no longer has to be the owner of the resource. This makes it possible to provide identity, as well as its management, as a service (IDaaS).

Figure 2: How does Identity & Access Management work?

3. New Models of Authentication/Authorization as a Service: AuthaaS

Following this trend (IDaaS), in which companies or service providers increasingly delegate certain aspects of identity management to a third party, it is fundamental to focus on verifying that an individual is who they claim to be and, on that basis, authorizing their access to a resource. User authentication must be able to validate that the credentials a user provides have not been altered and thus enable verification that the user who owns them is, in fact, a legitimate user of the system. User authorization must be able to establish how users can gain access to certain resources, and who is authorized to do so at any given time.

AuthaaS solutions should adapt to how users authenticate, access and interact with the business. Within this proposal the mobile device is the key:

- Maximizes universality, allowing any user to interact anywhere using any technology. The mobile device is the only physical device that can nowadays be considered universal.
- Maximizes usability, allowing user interactions with no barriers (anywhere, anytime).
- Identification, with solutions that give individuals, businesses and governments the ability to trust and have confidence in the identities of the people with whom they interact. The use of a mobile device requires a SIM card, whose distribution is highly regulated in the market (telcos); in that process the identity of the holder is validated before activation.
- Evolving security. The mobile device allows companies to build adaptive authentication/authorization schemes on top of traditional IAM models.

Figure 3: Mobile device key factors in the search for convergence between physical identity and digital identity. Network connectivity (3G, 4G, Wi-Fi; internet, apps and data); ID-related technologies (camera, GPS, screen, NFC, Bluetooth, biometric sensors); security elements to protect user data (SIM, Subscriber Identity Module; micro SD, Micro Secure Digital; eSE, Embedded Secure Element). Your mobile, your identity.

1. Mobile Device = Authentication Device

A huge number of credential types are being explored in order to preserve the unchanged relationship of digital identities. The various solutions that exist on the market today are based on something the individual knows (e.g. passwords), something the individual possesses (e.g. physical tokens: smartcards, NFC tokens, etc.), something the individual is (e.g. fingerprints, voice signature, iris signature, etc.), or something that tells you how the individual behaves (e.g. behavioural analysis). In fact, in order to ensure the usability of authentication solutions, hybrid systems are often devised involving several of these methods and providing differing degrees of authentication.

Mobile devices as authenticators:
- They act as alternative channels for the verification of access to services (enabling OTP delivery via SMS, or automatic notification via an app).
- They are a good method to protect users against malicious acts, such as phishing or identity theft.
- They provide different degrees of authentication:
  - Simple Authentication. Single factor: something I have. Click OK (SMS URL or SIM click OK).
  - Strong Authentication. Two factors: something I have and something I know (PIN). Two factors: something I have and something I am (biometrics).

2. Mobile Devices as Authorization Devices

The most frequent use of the authentication mechanisms mentioned above is related to controlling access to the resources of a system. This enables authorization mechanisms to establish how users can gain access to certain resources, and who is authorized to do so at any given time. In this regard, as is the case with authentication, mobile devices can be used as elements of interaction with users which can apply global strategies (Mandatory Access Control, MAC) or discretionary strategies (DAC). As part of those strategies, different methods are defined: RBAC and capabilities, to give a couple of examples. In a complementary manner, the use of mobile devices would enable the role of who defines access policy to be widened, so that it is not only the owner of the resource. This would enable the mobile user to set controls on the use of resources when such use is made with their credentials.

3. Mobile Devices as Signature Devices

Mobile devices incorporated as part of business processes can be used to perform digital signature processes, either by using a digital certificate stored on the device itself, through the use of a PIN encrypted in the SIM card, or by using a handwritten signature (biometrics).

It is clear that mobile devices used as identity tokens offer companies or service providers the following benefits:
- A secure element for the authentication and identification of users thanks to the use of the operator's infrastructure: mobile network + SIM as a secure container.
- A link between physical identity and digital identity. Phone numbers enable this link between identities to be established, by enabling the identification of an individual in services, both public and private, thanks to authentication and the sharing of attributes.
- Global reach. Mobile devices (smartphones) have undoubtedly become the most used and widely adopted form of technology which keeps digital users connected.
- More frequent log-ins by removing passwords while improving security; at the same time it improves customer insights by providing a persistent, unique user ID across any device used by the same user.
- Creation of adaptive models. Mobile identity management as part of IAM solutions enables adaptive authentication/authorization systems to be configured based on context. This enables risk-based policies to be defined and so improves the end user experience (mobility, elimination of the password).
- Show innovation and leadership by supporting a mobile first strategy.

4. An integrated vision

Based on the mobile device as the key to authentication and authorization, Telefonica proposes a combined Authentication/Authorization as a Service model that allows companies to:

a) Enjoy different levels of authentication (multifactor adaptive authentication) depending on the context and the risks that the company is ready to assume: from basic authentication to strong authentication.
b) Apply an effective access control strategy (authorization) across traditional IT environments and over current IAM environments: OTP and digital latch.
c) In addition, under the same approach, integrate the solution with business processes, allowing the enterprise to turn the company mobile device into a security tool for signing.

Telefónica has increased its Security offering with the generation of brand new and innovative products focused on Identity and Privacy. Our Identity and Access solutions adapt to the way users authenticate, access and interact with businesses, based on a vision that maximizes four key vectors:
- Identification: solutions that give individuals, businesses and governments the ability to have confidence in the identities of the people with whom they interact.
- Universality: allowing any user to interact anywhere using any technology.
- Compliance: making security a companion for your business, not a barrier.
- Usability: solutions that allow user interactions with no barriers (mobility and avoiding the use of passwords).

Figure 4: AuthaaS reduces complexity when authenticating and authorizing, combined with the enterprise's current IAM solutions. Service provider / Telefónica service: enable users to authenticate to your applications and to authorize access to resources via their phone.
- Authentication. Basic: Seamless; Click OK (SMS URL); Click OK (SMS applet). Strong: SIM applet + PIN; TEE + biometrics.
- Authorization. OTP (SIM / SMS); Digital Latch.
- Authenticity. Digital signature: SIM + certificate; biometric signature (fingerprint, handwritten).

Secure digital identity is now in our hands

Mobile Connect: an operator service for secure authentication and identification
- Uses a mobile phone for authentication (i.e. no passwords).
- Easy to use, anonymous, and with many uses including second-factor authentication.
- Develops a secure way of sharing attributes, putting the user in control.
- Leverages existing operator assets: there is no user name and password to make a phone call or send an SMS.
- Offered as APIs for service providers to integrate into their digital services.

A digital switch: Latch protects your business and provides your users with an extra security layer
- Latch lets you implement a safety latch on your online services. By minimizing the time during which services are accessible, the risk of theft or unauthorized usage is reduced.
- Reduces the risk of attacks directed at your online services by letting users conveniently lock the service account or selected features when they don't want to use them.
- Independent of other authentication mechanisms, and supports most platforms and programming languages through APIs, SDKs and plugins.
- Available for Android, BlackBerry, iPhone, Firefox OS devices and Windows Phone.

Sign your documents using your mobile phone: SealSign, digital and biometric signature to securely sign electronic documents through your mobile phone
- Scalable, modular, full enterprise platform for electronic document signatures, compatible with digital certificates, biometric systems, OTP systems and long-term archiving of signed documents.
- Reduces costs associated with hardcopy management (printing, digitalization, transfer, archiving).
- Improves productivity and efficiency of business processes.
- Accessible from business applications and mobile devices.
- Generates electronic documents with full legal validity.
- Possibility of service via cloud or on-premise platform to meet enterprise needs.

For more information see the Telefonica Security Services portfolio at www.security.telefonica.com
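As an added illustration (not Telefonica's code nor the Mobile Connect or Latch products' own implementation), the following Python sketch ties together two ideas from sections 3 and 4 above: an adaptive authentication level selected from context and the company's risk appetite (the basic/strong ladder of Figure 4), and a Latch-style switch that is evaluated before any authentication result is honoured. The AuthLevel ladder, the risk thresholds, the Latch state model and the Context fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class AuthLevel(IntEnum):
    """Authentication ladder from Figure 4, ordered so a higher value satisfies a lower requirement."""
    SEAMLESS = 0       # basic: possession implied by the device/network, no user action
    CLICK_OK = 1       # basic: something I have (SMS URL / SIM applet "Click OK")
    SIM_PIN = 2        # strong: something I have + something I know
    TEE_BIOMETRIC = 3  # strong: something I have + something I am


@dataclass
class Latch:
    """Per-account switch the user controls: lock the whole account or selected features.
    Hypothetical state model; the real Latch service is consumed through its APIs."""
    account_locked: bool = False
    locked_features: set = field(default_factory=set)

    def is_open(self, feature):
        return not self.account_locked and feature not in self.locked_features


@dataclass
class Context:
    """Constructed per-request context. risk_score is 0..100 from device, network and
    behaviour signals; sensitivity is the resource classification ("low"/"medium"/"high")."""
    risk_score: int
    sensitivity: str
    feature: str
    presented: AuthLevel  # strongest factor the user has completed in this session


def required_level(risk_score, sensitivity, risk_appetite=0):
    """Minimum level for this context. risk_appetite (assumed 0..30) is subtracted from the
    score: a company willing to assume more risk asks its users for less friction."""
    score = risk_score - risk_appetite
    if sensitivity == "high" or score >= 70:
        return AuthLevel.TEE_BIOMETRIC
    if sensitivity == "medium" or score >= 40:
        return AuthLevel.SIM_PIN
    if score >= 10:
        return AuthLevel.CLICK_OK
    return AuthLevel.SEAMLESS


def decide(latch, ctx, risk_appetite=0):
    """Return ("deny", reason), ("step_up", level) or ("allow", level).
    The latch is checked first: a closed latch denies no matter how strongly the user
    authenticated, which is what makes it independent of the authentication mechanism."""
    if not latch.is_open(ctx.feature):
        return ("deny", "latch closed")
    need = required_level(ctx.risk_score, ctx.sensitivity, risk_appetite)
    if ctx.presented < need:
        return ("step_up", need)  # ask the phone for the next factor, then re-evaluate
    return ("allow", need)


if __name__ == "__main__":
    # Constructed scenario: the user has latched the "transfer" feature of their account.
    latch = Latch(locked_features={"transfer"})
    print(decide(latch, Context(5, "low", "balance", AuthLevel.SEAMLESS)))        # low risk, seamless
    print(decide(latch, Context(50, "low", "balance", AuthLevel.CLICK_OK)))       # needs step-up to PIN
    print(decide(latch, Context(5, "low", "transfer", AuthLevel.TEE_BIOMETRIC)))  # latched: denied
```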

5. About Telefonica Business Solutions

Telefonica Business Solutions, a leading provider of a wide range of integrated communication solutions for the B2B market, manages globally the Enterprise (Large Enterprise and SME), MNC (Multinational Corporations), Wholesale (fixed and mobile carriers, ISPs and content providers) and Roaming businesses within the Telefonica Group. Business Solutions develops an integrated, innovative and competitive portfolio for the B2B segment including digital solutions (m2m, Cloud, Security, e-health or Digital Marketing) and telecommunication services (international voice, IP, bandwidth capacity, satellite services, mobility, integrated fixed, mobile, IT services and global solutions). Telefonica Business Solutions is a multicultural organization, working in over 40 countries and with service reach in over 170 countries.

www.business-solutions.telefonica.com
@TelefónicaB2B
Telefónica Business Solutions

6. Contact us

For further information about our Security Services contact us at: business-solutions@telefonica.com or visit our website: www.business-solutions.telefonica.com

This document is the property of Telefonica. Any reproduction, distribution or public communication without the express written consent of Telefonica is forbidden. T9358