OATH Presentation to eAuth Partnership April 7th, 2004 - PowerPoint PPT Presentation

Slides: 15
Provided by: eric392
Transcript and Presenter's Notes


1
OATH
Presentation to eAuth Partnership
April 7th, 2004
Kevin Trilli
Director, Product Management
VeriSign, Inc.
2
EAP Requests
  • What your project does or is intended to do.
  • How long it has been in operation?
  • What are the lessons learned from the project?
  • How does it relate to the work of the EAP?

3
Agenda
  • Questions to Ponder
  • Definition of OATH
  • Mission Statement
  • Concepts
  • Partners
  • Milestones
  • EAP Credential Standards Group Objectives
  • Comparison of OATH and EAP

4
Where would we be if?
  • every pub needed a $100,000 system to check
    IDs of everyone wanting to buy a pint or glass
    of wine?
5
Where would we be if?
  • a driver's license cost $100 per year and could
    not be used outside of the state in which it was
    issued?

6
Well... we'd be right where we are today on the
Internet
  • We take for granted a ubiquitous system like
    driver's licenses in our real-world lives
      • No deployment cost
      • Cheap for everyone to obtain and use
  • But what about on the Internet?
  • Corresponding two-factor authentication tokens
    are
      • 5-10x more expensive than a driver's license
      • Systems needed to validate them range from
        $50,000-$1MM
  • Strong authentication is stuck in cement and
    needs a large-scale change in the approach in
    which it is offered

7
Mission - OATH
  • Remove barriers to adoption by enabling open
    authentication solutions
  • Industry collaboration to provide interoperable
    credentials that leverage existing standards
  • Create an open reference architecture based on
    standards for both standalone (tokens,
    smartcards) and embedded credentials (cell
    phones, PDAs, Laptops)
  • Increase market adoption by enabling a
    ubiquitous solution
  • Deliver best-of-breed choices to customers for
    authentication solutions
  • Easy to deploy and manage
  • Lower TCO than what is available today

8
Concepts
  • Standardize and Improve Provisioning
      • Smart-card based passwords SIM, PKI or OTP
      • Standardized OTP algorithm
      • Integrate provisioning tightly with directory to
        eliminate additional components and cost
  • Aggregation
      • Multiple authentication methods on a single
        flexible device
      • Multiple credentials on a single device
  • Interoperability
      • Across leading application and infrastructure
        platforms
      • Built-in integration

9
OATH Partners
10
Proposed Milestones
11
Proposed Milestones
12
EAP Credential Objectives
  • Objective 2: Develop common standards to
    evaluate and approve Credential Providers (CP).
      • Establish roles and responsibilities
      • Processes for CP application and assessment
      • Requirements for specific levels of assurance
        using criteria for specific authentication
        methods (PIN, password, PKI, etc.)
      • Guidance for assessors, to ensure consistency,
        policy compliance and conformance to standards
      • Roadmap for CPs applying for assessment
  • Objective 1: Establish assurance levels that
    correspond to risks, potential harm or impact,
    and likelihood of occurrence for each
    transaction.
      • Define scope and applicability (who what)
      • Specify assurance levels, risks and impacts
      • Assessment of CPs against assurance levels
      • Elements of authentication process
      • Privacy considerations

13
EAP and OATH
  • OATH will focus on the strong authentication
    credential levels
      • PKI, Token, OTP
      • Will not address username/password
  • OATH will complement EAP by focusing on
    deployment of strong authentication solutions
      • Will help EAP gain adoption, especially in newer
        consumer applications previously unserved by
        strong auth
  • OATH will promote strong authentication as basis
    for higher-value federation deployments

14
Conclusion
  • OATH is complementary to the EAP goals
  • Focus on reducing deployment cost and complexity
    and creating standards similar to PKI
  • Strives to open new markets for strong
    authentication, e.g., mass market/consumer
    markets
  • Promotes strong authentication for federated
    environments where deemed necessary according to
    corresponding assurance level