More than just being signed-in or signed-out
Parul Jain, Architect, Intuit (@ParulJainTweety)

Why do we care?
Trust & security vs. ease of access
Can't eliminate friction? Delay it.
Authentication levels balance security and usability.
Delightful product experience.
Authentication
Not Signed In -> (Username, Password, Sign In) -> Signed In

Authentication: Signed In or Not, Example 1 (OLX)
Not Signed In: Browse OLX for used products
Sell an item -> (Username, Password, Sign In)
Signed In: Place Ad

Authentication: Signed In or Not, Example 2 (App Store)
Not Signed In: Browse apps on App Store
Install App -> (Username, Password, Sign In)
Signed In: New App on Device
Why Authenticate?
Authentication is required to establish trust.
Is trust binary? Trust you fully or not at all.
Degrees of trust: a factor of time and situation.
  Trust you for this but not for that.
  Didn't trust you earlier but trust you now.

Authentication Levels
Authentication is not binary.
Authentication Assurance Levels (AAL)
Adaptive: change with time and situation.

Authentication Assurance Levels (AAL)
Authentication Level 1 (less trust) -> (Enter OTP, Submit) -> Authentication Level 2 (more trust)
AAL Example 1 (bank)
Authentication Level 0: My bank portal
Sign In -> (Username, Password, Sign In)
Authentication Level 1: My bank account
Transfer Money -> Authentication Level 2: Payment

AAL Example 2 (Mint)
Authentication Level 0: Mint application
Sign In -> (Username, Password, Sign In)
Authentication Level 1: Access my personal finances
Transfer Money -> (Enter OTP, Submit)
Authentication Level 2: New Payment Instrument

AAL Example 3 (Amazon)
Authentication Level 1: Browse products on Amazon
Track Order or Checkout -> (Username, Password, Sign In)
Authentication Level 2: View/Place Order
MFA and AAL Relationship
AAL is the outcome; MFA is the mechanism.
MFA provides layered defense.
Binary authentication vs. multiple authentication assurance levels, with or without MFA:
LIC: Binary without MFA
Google: Binary with MFA
Amazon: Multiple Levels with MFA
Intuit: Multiple Levels with MFA
How to determine the AALs?
ASSIGN: based on factors of authentication
REQUIRE: based on sensitivity of the APIs
ADAPT: based on trust in the user with time

ASSIGN an AAL: based on factors of authentication
What I know: password
What I have: OTP
What I am: fingerprint
Other: federated

ADAPT to an AAL: based on trust in the user with time
Change in device
Geolocation
IP address
Velocity of use
Behavioral biometrics
Anomalous behavior

REQUIRE an AAL: based on sensitivity of the APIs
Secret: OAuth client secret
Highly sensitive: money movement, financial data
Sensitive: personal information
Other: public information
AAL Determination
Rows: sensitivity of the APIs (high at top, low at bottom). Columns: trust in user authentication (low at left, high at right).

Sensitivity \ Trust    Low                   High
High                   Step-up   Step-up    Good
 |                     Step-up   Good       Good
Low                    Good      Good       Good

Component Interaction
Client (remembers the state), Identity Services (determine AAL), Resource APIs (check expected AAL)
1. Sign in
2. Session with an AAL
3. Access resource
4. Verify
5. Step-up URL
6. Redirect for step-up
7. Step-up
8. Higher AAL
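Added example (not code from the talk): a minimal Python model of the ASSIGN / ADAPT / REQUIRE steps and the step-up matrix above, plus the resource API's "verify with expected AAL" check from the component diagram. The factor names, risk signal names, sensitivity tiers and the /stepup URL are assumptions made for illustration.

```python
from enum import IntEnum

class AAL(IntEnum):
    """Authentication Assurance Level of a session."""
    L0 = 0  # not signed in
    L1 = 1  # one factor (e.g. password)
    L2 = 2  # two distinct factor kinds (e.g. password + OTP)

# ASSIGN: the level follows from how many distinct factor kinds were presented.
# Factor names are constructed for this example.
FACTOR_KIND = {"password": "know", "otp": "have", "fingerprint": "am"}

# ADAPT: signals observed since sign-in that lower the effective level (assumed names).
RISK_SIGNALS = {"new_device", "geo_change", "ip_change",
                "high_velocity", "anomalous_behavior"}

# REQUIRE: the level each API sensitivity tier expects. The "secret" tier (OAuth
# client secret) is never served from a user session, so it has no entry here.
REQUIRED = {"public": AAL.L0, "sensitive": AAL.L1, "highly_sensitive": AAL.L2}

def assign_aal(factors):
    kinds = {FACTOR_KIND[f] for f in factors if f in FACTOR_KIND}
    return AAL(min(len(kinds), AAL.L2))

def adapt_aal(aal, signals):
    # Any risk signal demotes the session by one level, never below L0.
    drop = 1 if RISK_SIGNALS & set(signals) else 0
    return AAL(max(int(aal) - drop, AAL.L0))

def effective_aal(session):
    return adapt_aal(assign_aal(session["factors"]), session["signals"])

def verify(session, expected):
    """Resource API steps 4/5: (True, None) when the session meets the expected
    AAL, otherwise (False, step-up URL) for the client to redirect to."""
    if effective_aal(session) >= expected:
        return True, None
    return False, f"/stepup?required_aal={int(expected)}"  # assumed URL shape

def check_access(session, sensitivity):
    """Decision matrix: 'good' when trust meets sensitivity, else 'step-up'."""
    ok, _ = verify(session, REQUIRED[sensitivity])
    return "good" if ok else "step-up"

if __name__ == "__main__":
    s = {"factors": {"password"}, "signals": set()}
    print(check_access(s, "sensitive"), check_access(s, "highly_sensitive"))
```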
Client: widget configuration
APIs: create the verify request; verify with expected AAL
Identity Services: sign-in, verify, authn service; device, IP, geo, time -> risk engine (ML model) -> real-time risk score (get risk score, feedback)

Universal Strong Authentication: FIDO as a Standard
Fast Identity Online (FIDO)
FIDO Protocols (public key cryptography)
UAF, Universal Authentication Framework:
  Passwordless UX
  Local device with UAF stack installed
  User presents a local authentication
U2F, Universal Second Factor:
  Standalone U2F device (USB/NFC/Bluetooth)
  Physical keychain with multiple keys, one for each origin
  Built-in support in web browsers

UAF (diagram). Source: https://fidoalliance.org/specifications/overview/
UAF - Registration
User Device: FIDO Client (Win, Mac, iOS, Android), User Agent (Browser, App), FIDO Authenticators
Identity Provider: Web App, FIDO Server
1. Legacy auth + initiate registration
2. Registration request + policy
3. Enroll user + new key pair
4. Registration response + attestation + user's public key
5. Validate response + attestation; store user's public key

UAF - Authentication
User Device: FIDO Client (Win, Mac, iOS, Android), User Agent (Browser, App), FIDO Authenticators
Identity Provider: Web App, FIDO Server
1. Initiate authn
2. Authn request + challenge + policy
3. Verify user and unlock private key
4. Authn response signed by user's private key
5. Validate response using user's public key

U2F (diagram). Source: https://fidoalliance.org/specifications/overview/

Summary
As developers we have thought of authentication as a binary switch.
We need to start thinking about the degree and levels of trust.
Incorporate AAL into the design thinking.
AAL will help us in balancing security vs. usability.
Deliver a delightful experience to customers.
Thank you
www.modsummit.com www.developersummit.com