Step-up - PowerPoint PPT Presentation
Slides: 15

Transcript and Presenter's Notes
1
Step-up authentication: a key enabler of mobile
on-line trust. Progress report of ITU-T and OASIS
Trust Elevation work
ITU Workshop on ICT Security Standardization for
Developing Countries (Geneva, Switzerland,
15-16 September 2014)
  • Abbie Barbir Ph.D.,
  • Chair OASIS Trust Elevation TC
  • abarbir_at_live.ca

2
Mobile Authentication
  • Talk/slides represent findings from OASIS and
    ITU work
  • Mobile going mainstream
    • Adoption of mobile devices for business is on
      the rise
    • Organizations are rushing to mobilize their
      applications
    • Mobile devices are used for providing
      authentication to applications
  • Threats to mobile
    • Data exposure from lost, stolen, or returned
      devices
    • Mobile malware / zero-day attacks
    • Security risks from 3rd-party applications
    • OS vulnerabilities
    • Network exposure (Wi-Fi, NFC, etc.)
    • App store issues
    • Immature tools and debugging software
  • Mobile authentication
    • Context-based authentication is emerging
    • Adoption of cloud-based services continues to
      grow
    • Biometric authentication is on the rise
    • Using the device as a token

3
Trends of Mobile Authentication
  • Emerging needs and capabilities
    • Support of context-based access
    • Fine(r) access control
    • Map user (including device) identity and
      (possibly per-app) authentication credentials
      to SLA
    • Need to understand and compare user behavior
      across many devices
    • Ability to categorize user access to different
      devices
    • Be able to set access control based on degrees
      of validated device identity
    • Fine-grained endpoint IdM
    • Ability to identify, terminate and restrict
      access per application/device and other
      factors

4
Challenges of Mobile Authentication
  • Mobile app considerations
    • Application architecture
    • Offline vs. online access
    • Storage of information on device
    • Various mobile OSs
    • Device ownership: BYOD or corporate-liable
  • Challenges to SSO on mobile
    • No standardized SSO
    • Native mobile apps vs. web
      • Better user experience
      • Leverage local device capabilities
      • SaaS vendor-provided apps authenticate to
        SaaS backend systems
    • Web apps
      • Browsers lack access to native device
        capabilities, e.g. the camera
      • Browsers tend to be an underpowered UI for
        small-form-factor devices
  • Mobile app security challenges
    • Broader coverage beyond VPN needed
    • Check for malicious behavior and threats at
      the app layer
    • Continuous data monitoring and authentication

5
OASIS Trust Elevation TC
  • Defining a set of standardized protocols to
    elevate trust in an electronic identity
  • Trust elevation
    • Increasing the trust a relying party has that
      the online entity accessing its resources is
      the person or device it claims to be
    • Reducing the risk, borne by the relying party,
      that the online entity accessing its resources
      is not the person or device it claims to be
  • TC deliverables
    • Deliverable One: Collect current and imminent
      trust elevation methods
    • Deliverable Two: Analysis of collected methods
    • Deliverable Three: General principles and
      techniques to elevate trust in a transaction
    • Deliverable Four: Trust Elevation Protocol and
      Markup Language

6
Authentication Categories
  • It is a big mistake to assume that strong
    authentication always results from combining
    multiple authentication attributes/factors.
  • Only by combining attributes of different kinds
    (that is, different factors) with different
    (non-overlapping) sets of vulnerabilities is
    there a significant increase in resistance to
    attack and, thus, in authentication strength.
  • Trust elevation (step-up authentication)
    • Increasing the strength of trust (authentication)
      by adding factors from the same or different
      categories of trust elevation methods that don't
      share the same vulnerabilities
  • There are five categories of trust elevation
    methods:
    • who you are (biometrics, behavioral attributes),
    • what you know (shared secrets, public and
      relationship knowledge),
    • what you have (devices, tokens - hard, soft,
      OTP),
    • what you typically do (described by ITU-T
      X.1254: behavioral habits that are independent
      of physical biometric attributes), and
    • the context (location, time, party, prior
      relationship, social relationship and source).
  • Elevation can be within the classic four ITU-T
    X.1254 levels of assurance (LoA 1-4)

7
Mobile Application Threat Model
  • Spoofing users to the mobile app
    • Borrowed/stolen device
    • Other malicious application
  • Spoofing web services to the mobile app
    • Borrowed device
    • Other malicious app
  • Tampering with the mobile app
    • Borrowed/stolen device
    • Other malicious application
  • Disclosure of device data stores or residual data
    • Borrowed/stolen device
    • Malicious app functionality
    • Attacks from mobile web services
  • Disclosure from mobile app to web service
    • Attacks from local network
    • Other malicious app
  • Denial of service against the mobile app
  • Elevation of privilege in the mobile app or WS

8
Tackling mobile security risks
Balancing act between risk and convenience
9
Trust Elevation Core Model
10
4th Deliverable TE Protocol and Markup Language
  • What we considered so far?
  • OAuth, OpenID Connect, UMA, OATH, SAML
  • What we found
  • OAuth, OpenID and UMA are services that manage
    authorization. These services may utilize Trust
    Elevation before or after executing their
    service.
  • SAML can Support Step UP also
  • OATH is an open framework for strong
    authentication primarily focused on device
    credential and authentication interfaces. It does
    not have a standard format for trust elevation
    (or am I missing something?)
  • What we proposed
  • Would support existing authentication and
    authorization specification but will remain
    independent of them.
  • Would ensure existing identity assertion
    frameworks are supported
  • Would be in XML and JSON formats
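
The slide's finding is that OpenID Connect may call on trust elevation before or after its own service. The following is an added example, not from the slides or from OASIS/ITU-T, of how a relying party does that with the protocol's own step-up hooks: the acr_values and max_age request parameters, and the acr and auth_time ID-token claims. The ACR URIs and their ranking, the endpoint, client and sample claims are all constructed for the example; ID-token signature, issuer and nonce validation are assumed to have been done already.

```python
"""Added example: step-up with OpenID Connect's acr_values / max_age request
parameters and the acr / auth_time ID-token claims. Not OASIS/ITU-T code.
The ACR URIs, their ranking and the sample claims are constructed."""
import time
from urllib.parse import urlencode

# Constructed ACR identifiers, weakest to strongest. A real RP agrees these
# with its IdP (the IdP advertises them in acr_values_supported).
ACR_RANK = {
    "urn:example:acr:password": 1,
    "urn:example:acr:otp": 2,
    "urn:example:acr:hardware-key": 3,
}


def acr_satisfies(acr_claim, required_acr):
    """True if the IdP-reported acr is at least as strong as required.
    Unknown ACR strings rank 0, so they never satisfy anything."""
    return ACR_RANK.get(acr_claim, 0) >= ACR_RANK[required_acr]


def build_step_up_request(authz_endpoint, client_id, redirect_uri,
                          required_acr, state, nonce, max_age=None):
    """Build the OIDC authentication request that asks the IdP to elevate.
    acr_values lists every acceptable ACR in order of preference, so the
    IdP may satisfy the request with any of them; prompt=login stops it
    from silently reusing the existing, weaker session."""
    acceptable = sorted(
        (a for a, r in ACR_RANK.items() if r >= ACR_RANK[required_acr]),
        key=ACR_RANK.get, reverse=True)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acceptable),
        "prompt": "login",
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    return authz_endpoint + "?" + urlencode(params)


def access_decision(id_token_claims, required_acr, max_age, now=None):
    """Decide whether an (already signature-checked) ID token is enough for
    the resource. Returns ("allow", None) or ("step-up", reason).
    acr is OPTIONAL in OIDC Core, so a missing claim must fail closed, and
    auth_time is checked too: a strong acr may describe an old session."""
    now = time.time() if now is None else now
    acr = id_token_claims.get("acr")
    if acr is None:
        return ("step-up", "no acr claim")
    if not acr_satisfies(acr, required_acr):
        return ("step-up", f"acr {acr} below {required_acr}")
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None or now - auth_time > max_age:
        return ("step-up", "authentication too old or auth_time missing")
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample: a password-only session trying to reach an
    # OTP-protected resource is sent back for step-up.
    session = {"sub": "alice", "acr": "urn:example:acr:password", "auth_time": 1000}
    verdict = access_decision(session, "urn:example:acr:otp", 300, now=1100)
    print(verdict)
    if verdict[0] == "step-up":
        print(build_step_up_request("https://idp.example/authorize", "rp",
                                    "https://rp.example/cb",
                                    "urn:example:acr:otp", "s1", "n1", max_age=300))
```

Listing every acceptable ACR rather than only the minimum lets the IdP choose the elevation method, which is the division of labour the slide describes; checking auth_time as well as acr matters because the IdP will happily report a strong acr for a session that was established hours ago.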

11
Trust Elevation Sequence
12
OASIS Trust Elevation Story
  1. End-User accesses an online resource using a
     device with an asserted identity and/or
     attributes.
  2. Device sends the End-User's identity and/or
     attribute data to the Relying Party (RP).
  3. RP requests an Identity Provider (IdP) to assess
     the asserted identity.
  4. RP validates each and every asserted attribute,
     if available, using an Attribute Provider (AP).
     The AP could be independent, part of the RP or
     part of a third party. The RP may involve
     multiple APs in a single transaction to validate
     various attributes.
  5. RP engages a LoA Assessor (LA) to assess the LoA
     of the verified identity and/or the strength of
     the attributes.
  6. RP determines whether the asserted identity and
     attributes offer sufficient trustworthiness. If
     sufficient, present the resource (steps 13, 14).
     If insufficient, follow the Trust Elevation steps
     7-12. If there is no opportunity to elevate
     trust, reject the request (steps 13, 14).
  7. RP engages a Trust-Elevation Method Determiner
     (MD) to determine the best possible type of
     method to be used for Trust Elevation. The MD is
     a repository of predetermined Trust Elevation
     methods for transactions involving various
     combinations of types of devices, RPs, IdPs, APs
     and LAs. The MD could be independent, part of the
     RP or part of a third party.
  8. RP, based on feedback from the MD, requests valid
     authentication factors through the device. The
     device could provide factors with or without
     End-User intervention.

13
Trust Elevation Sequence - Story
  1. RP requests an Identity Provider (IdP) to assess
     the asserted identity.
  2. RP validates each and every asserted attribute,
     if available, using an Attribute Provider (AP).
     The AP could be independent, part of the RP or
     part of a third party. The RP may involve
     multiple APs in a single transaction to validate
     various attributes.
  3. RP engages a LoA Assessor (LA) to assess the LoA
     of the verified identity and/or the strength of
     the attributes.
  4. RP determines whether the asserted identity and
     attributes offer sufficient trustworthiness. If
     sufficient, present the resource. If
     insufficient, follow the Trust Elevation steps.
     If there is no opportunity to elevate trust,
     reject the request.
  5. RP presents information to the device.
  6. Device presents information to the End-User.
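
Added example, not OASIS or ITU-T code, tying slide 6 to the story above: a relying party runs steps 3-8 (IdP assessment, attribute validation with an AP, LoA assessment by the LA, method determination by the MD, factor request through the device), looping until trust is sufficient or nothing is left to add, and the MD only counts a new factor if it does not share its vulnerabilities with what the device has already presented. The LoA rule, the factor catalogue with its defeated_by sets, and the sample transactions are constructed for the example; only the role names follow the slides.

```python
"""Added example: the RP side of the trust-elevation story with the slide-6
independence rule built into method determination. Not OASIS/ITU-T code;
catalogue, failure modes and LoA rule are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    category: str            # one of the five slide-6 categories
    defeated_by: frozenset   # constructed failure modes that defeat the factor


# Constructed catalogue of trust-elevation methods the MD can draw on.
CATALOGUE = {
    "password": Factor("password", "what you know",
                       frozenset({"phishing", "device malware", "credential stuffing"})),
    "sms-otp": Factor("sms-otp", "what you have",
                      frozenset({"phishing", "device malware", "sim swap"})),
    "hardware-key": Factor("hardware-key", "what you have",
                           frozenset({"stolen token"})),
    "fingerprint": Factor("fingerprint", "who you are",
                          frozenset({"stolen device", "device malware"})),
    "geo-context": Factor("geo-context", "the context",
                          frozenset({"location spoofing", "device malware"})),
}


def shared_weaknesses(factors):
    """Failure modes that defeat every presented factor at once. Slide 6:
    factors only add strength when this intersection is empty."""
    if not factors:
        return frozenset()
    return frozenset(factors[0].defeated_by).intersection(
        *[f.defeated_by for f in factors[1:]])


def assess_loa(factors):
    """LoA Assessor (LA). Constructed rule on the X.1254 1..4 scale: a set
    with a shared weakness is worth a single factor (LoA 1); otherwise each
    independent factor adds a level, capped at 4."""
    if not factors:
        return 0
    if shared_weaknesses(factors):
        return 1
    return min(4, len(factors))


def determine_method(presented, catalogue):
    """Trust-Elevation Method Determiner (MD): pick the unused method that
    leaves the fewest shared weaknesses; None when no method would help."""
    current = shared_weaknesses(presented)
    best, best_left = None, None
    for cand in catalogue.values():
        if cand in presented:
            continue
        left = current & cand.defeated_by   # weaknesses surviving the addition
        if best is None or len(left) < len(best_left):
            best, best_left = cand, left
    if best is not None and current and best_left == current:
        return None   # every candidate shares all current weaknesses
    return best


def validate_attributes(asserted, attribute_provider):
    """Step 4: each asserted attribute is checked with the AP; anything the
    AP does not confirm fails closed."""
    return all(attribute_provider.get(k) == v for k, v in asserted.items())


def run_trust_elevation(identity_ok, asserted_attributes, attribute_provider,
                        presented_names, device_can_provide, required_loa,
                        catalogue=CATALOGUE):
    """Steps 3-8 of the story. device_can_provide is the set of factor names
    the device can supply (step 8). Returns (decision, factor names, log)."""
    log = []
    if not identity_ok:                                              # step 3
        return "reject", list(presented_names), ["IdP could not assess identity"]
    if not validate_attributes(asserted_attributes, attribute_provider):  # step 4
        return "reject", list(presented_names), ["AP did not confirm attributes"]
    presented = [catalogue[n] for n in presented_names]
    available = {n: f for n, f in catalogue.items() if n in device_can_provide}
    while True:
        loa = assess_loa(presented)                                  # step 5
        log.append(f"LoA {loa} with {[f.name for f in presented]}")
        if loa >= required_loa:                                      # step 6
            return "present", [f.name for f in presented], log
        method = determine_method(presented, available)              # step 7
        if method is None:
            log.append("no elevation method available")
            return "reject", [f.name for f in presented], log
        log.append(f"requesting {method.name} ({method.category})")  # step 8
        presented.append(method)


if __name__ == "__main__":
    ap = {"email": "alice@example.org", "role": "staff"}   # constructed AP data
    for can_provide in ({"sms-otp", "hardware-key"}, {"sms-otp"}):
        print(run_trust_elevation(True, {"email": "alice@example.org"}, ap,
                                  ["password"], can_provide, 2))
```

The two sample runs make the slide-6 point concrete: a device that can offer a hardware key reaches LoA 2, while a device that can only add an SMS OTP to a password never leaves LoA 1, because phishing or malware on that device defeats both factors together, and the RP rejects rather than pretend it elevated.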

14
Conclusions and Recommendations
  • Step-up authentication will play a critical role
    in the mobile space
  • OASIS and ITU are working to create a
    generalizable framework for implementing
    non-credential-based, online authentication best
    practices based on current and near-future
    implementations
    • Expands and extends options for multi-factor
      authentication implementations
  • Mobility
    • It is all about app security
    • Application-level fine-grained AuthN/AuthZ for
      one or more apps
    • Move from static to continuous authentication
    • Fine-grained policy enforcement
  • Cloud, cloud, cloud
    • Challenging but in progress
    • More opportunities for simplification and
      innovation