User authentication two-factor authentication




Whole of Victorian Government Standard

Identity and Access Management

User authentication - two-factor authentication

Standard

Sets the minimum conditions for using two-factor authentication, and directs users to government-preferred supply points for second factor devices/systems. The standard assumes that the decision to use two-factor authentication has already been made.

Keywords: IDAM, user authentication; two-factor authentication; SMS; OTP.

Identifier: IDAM/STD/04
Version no.: 2.1
Status: Final
Issue date: 1 November 2009
Date of effect (this version): 1 December 2010
Next review date: 1 December 2012
Owner: Government Services Division, Department of Treasury and Finance, Victorian Government
Issuing authority: Government Services Division, Department of Treasury and Finance, Victorian Government


© The State of Victoria 2011

Copyright in this publication is reserved to the Crown in right of the State of Victoria. Other than for the purposes of and subject to the conditions prescribed under the Copyright Act, no part of it may in any form or by any means (electronic, mechanical, microcopying, photocopying, recording or otherwise) be reproduced, stored in a retrieval system, or transmitted without prior written permission. Inquiries should be addressed to:

Government Services Division
Department of Treasury and Finance
Government of Victoria
Melbourne


WoVG Standard IDAM - User Authentication: Two-Factor Authentication, IDAM/STD/04, V 2.1, www.dtf.vic.gov.au/cio


Standard

Each agency will use one of the required second-factor authentication methods (in addition to one-factor authentication) in situations where two-factor authentication is required.

Required two-factor authentication methods

The credentials used for online access are to comprise two factors of authentication.

First authentication factor

Refer to IDAM/STD/03 - IDAM: User authentication - one-factor authentication.

Second authentication factor

One of the following authentication mechanisms (the mechanisms below are ordered by increasing security effectiveness):

1. A one-time password system providing an out-of-band authentication credential (e.g. mobile phone based SMS);
2. A software token that requires per-session local activation with a password or biometric (e.g. a mobile phone based OTP Java applet); or
3. A hardware token that requires per-session local activation with a password or biometric (e.g. RSA token, Smartcard).

Where pragmatic, the source of these mechanisms is to be CenITex.

Overview

Information, and to some extent identity information, is increasingly being shared within and across the Victorian Government. This necessary practice may expose the Victorian Government to the risk of inappropriate information release or access.

The government-wide adoption of common policy, standards and processes for identity and access management (IDAM) will enable the Victorian Government to reduce this risk.

This standard is fourth in a group of four IDAM standards for the authentication of users [1].

[1] Refer ‘Scope’ section for further explanation / definition of a ‘user’.

Context

The standard supports the WoVG IDAM policy: IDAM/POL/01 - Identity and Access Management.

The standard assumes that decisions have already been made regarding:

- information classification, see security standard:




  o SEC/STD/02 - Information security - data classification and management
- what evidence of identity documentation is applicable, see IDAM standard:
  o IDAM/STD/01 - IDAM: user authentication - evidence of identity;
- what authentication mechanism strength is required, see IDAM standard:
  o IDAM/STD/02 - IDAM: user authentication - authentication mechanism strength.

The diagram shows the requirements of this standard (dark blue boxes) within this broader framework.

[Diagram: boxes labelled Information Classification (SEC/STD/02), Evidence of Identity (IDAM/STD/01), Authentication Mechanism Strength (IDAM/STD/02), Two Factor Authentication (IDAM/STD/04), One Factor Authentication (IDAM/STD/03) and Network Login-ID Naming (IDAM/STD/15).]

It can be seen from the above diagram that the standards that may have some relevance next in this sequence are:

- IDAM/STD/03 - IDAM: User authentication - one-factor authentication standard; and
- IDAM/STD/15 - IDAM: User authentication - network login-id naming standard.



Rationale

There are three kinds of authentication factor: something you know (e.g. a password); something you have (e.g. an RSA token, credit card or mobile phone); and something you are (e.g. a biometric, such as fingerprints or retina scans).

The more factors employed, the greater the security. However, even within the factors themselves, there are more and less secure options. For example, when using:

- single factor authentication - something you know - e.g. a login-id password: the more characters employed in the password, and the more meaningless the jumble of letters and characters is, the less likely someone else is to guess the password, and therefore the more secure that password is.
- two-factor authentication - e.g. something you know combined with something you have: a hardware token is more secure than a software token, which may be easier to gain access to and/or replicate.

The rationale for sourcing this factor from CenITex is to increase usage of existing, common Victorian Government infrastructure, resulting in lower overall capital and operational costs across government.

Scope

This standard applies to all departments, the four inner budget agencies (Environment Protection Authority, State Revenue Office, VicRoads and Victoria Police) and CenITex.

This standard applies where two factor authentication is required, as described by WoVG Standards - IDAM - user authentication - authentication mechanism strength (IDAM/STD/02).

Applicability

This standard applies to:

- new applications; or
- major changes to existing systems.

Only credentials which comply with this standard can be considered for SSO capability in accessing information at similar information security classification levels (PSM) elsewhere within or across departments and agencies in the Victorian Government.

At the discretion of the Department or Agency, this standard may be applied retrospectively (i.e. to existing information systems).

Compliance date and reporting requirement

Compliance is required six months from the ‘date of effect’ (see front page). All departments and agencies will notify DTF (GSD) of their intended level of compliance and the associated timeframes. Less than full compliance requires an accompanying rationale.

Please note that this is a refreshed standard. The previous version of this standard (version 1.1, covering internal users) applies until the compliance date of this new standard is reached. Agencies may move to compliance earlier than the compliance date.




Annual reporting (due 30 June, commencing 2012) on ‘Actual Vs Plan’ against the previously proposed compliance level and timeframe is required.

Guideline, toolkits and references

This standard supports the WoVG IDAM policy (IDAM/POL/01). This standard aligns with:

- IDAM/STD/01 - IDAM: User authentication - evidence of identity standard;
- IDAM/STD/02 - IDAM: User authentication - authentication mechanism strength standard;
- IDAM/STD/03 - IDAM: User authentication - one-factor authentication standard; and
- IDAM/STD/15 - IDAM: User authentication - network login-id naming standard.

IDAM is closely related to the broader subject of information security. As such, it is also related to and supports the approved WoVG Information Security Management policy (SEC/POL/01) and standards.

This standard aligns with the following Australian Commonwealth Government initiatives:

- National Identity Security Strategy, April 2007
  o Attorney General’s Office
  o http://www.ag.gov.au/www/agd/agd.nsf/Page/Publications_ReporttotheCouncilofAustralianGovernmentsontheelementsoftheNationalIdentitySecurityStrategy-April2007
- National e-Authentication Framework (NeAF), January 2009
  o Australian Government Information Management Office
  o http://www.finance.gov.au/e-government/security-and-authentication/authentication-framework.html
- Gatekeeper PKI Framework, Evidence of Identity Policy, December 2007
  o Australian Government Information Management Office
  o http://www.finance.gov.au/e-government/security-and-authentication/gatekeeper/index.html

Further information

For further information regarding this standard, please contact the Government Services Division, Department of Treasury and Finance on info.cio@dtf.vic.gov.au

Glossary of terms and abbreviations

Access management
The capability and processes that permit or deny access to systems, thus



controlling the ability to read, modify or remove information.

Authentication
The process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access (Authorisation) to resources in an information system, and often via a credential.

There are three kinds of authentication factor: something you know (e.g. a login-id and/or password); something you have (e.g. an RSA token; credit card or mobile phone); and something you are (e.g. a biometric, such as fingerprints or retina scans). The more factors employed, the greater the security...

Entity
A real-world thing.

Categories include objects, animals, artefacts, natural persons, and legal persons (such as corporations, trusts, superannuation funds, and incorporated associations).

For example, John Smith is a real person. He is also the treasurer of his local football club; the father to three daughters and the CEO of a software company. The actual person, John Smith, is an entity.

VicGov Connect
A mobile phone-based credentialing service. This service was developed under the project name - External Party Credentials.

Evidence of identity
A predetermined process whereby an entity establishes the right to use an identity, by presenting appropriate documentation supporting that right.

Identity
A particular presentation of an entity. An identity may correspond to a role played by the entity.

An identity may be used by the entity in its dealings with one other entity, or with many other entities. An organisation may maintain an account within its records that corresponds to an identity.

For example, John Smith is a real person. He is also the treasurer of his local football club; the father to three daughters and the CEO of a software company. John Smith, (the entity), has three identities.

Identity management
The policies, rules, processes and systems involved in ensuring that only known, authorised users gain access to systems and information.

Identity management is an integrated system of business processes, policies and technologies that enable organisations to facilitate and control their users' access to critical online applications and resources while protecting confidential personal and business information from unauthorised users.

It represents a category of interrelated solutions that are employed to administer user authentication, access rights, access restrictions, account



profiles, passwords, and other attributes supportive of users' roles/profiles on one or more applications or systems. [2]

IDAM
Identity and access management.

Identity and access management
The combination of access management and identity management.

Out-of-band
On an alternative communications channel. For example the phone system is an alternative to the online channel.

SSO (Single (or Simplified) Sign On)
SSO is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems (that they are authorised to access), without being prompted to log in again at each of them.

Victorian Government LAN / WAN
A Victorian Government LAN/WAN is defined as any Victorian Government owned ICT network infrastructure (excluding mobile access and wireless technologies).

WoVG
Whole of Victorian Government - for purposes of this standard, that portion of government specified in the scope of this standard.

[2] As per WoVG standard SEC/STD/01 - Information Security Management Framework.

Version history

Version 1.0 - 28 July 2009 - GSD TRIM ref D09/36624 - First promulgated
Version 1.1 - 2 June 2010 - GSD TRIM ref D09/39523 - Specification of reporting dates and template
Version 2.0 - 28 October 2010 - GSD TRIM ref D10/427530 - New version for all user authentication - for endorsement by CIO Council
Version 2.1 - 24 March 2011 - GSD TRIM ref D11/41429 - Aligning reporting to 30 June