OASIS Trust Elevation

Uploaded by collarlimabeans, Security, 23 Feb. 2014

Slide 1: OASIS Trust Elevation

Elevate Trust in Electronic Identities

www.oasis-open.org

Abbie Barbir, Ph.D
Co-Chair, OASIS Trust Elevation TC


Slide 2: Goal of the OASIS Trust Elevation TC

The goal is to define a set of methods or standardized protocols that service providers may use to elevate the trust in an electronic identity presented to them for authentication purposes.



Slide 3: Why are we doing this work?

- Few consumers have high-LOA credentials.
- User name and password is not good enough.
- More organizations look to implement systems that require authentication at higher Levels of Assurance.
- When dealing with consumers and citizens, there is a clear need for dynamic authentication:
  - a customer should only be asked to do multi-factor authentication when they want to do "a high value transaction", not as a prerequisite to visiting a website.
- There is an increased interest in transaction-based assurance: "authentication" based on the necessary current conditions of specified, validated attributes and agreements.
- Use of a step-up approach to multi-factor authentication.
- Recommendations by the Federal Financial Institutions Examination Council (FFIEC) and the highly publicized breaches in 2011 have made trust elevation a more urgent topic.
- Responding to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC).


Slide 4: Approach

1. Phase I: Catalog of Trust Elevation Methods
   - Create a comprehensive list of methods being used currently to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved.
   - Status: phase is completed; Committee Note pending publication.

2. Phase II: Analysis of Trust Elevation Methods
   - Analysis of identified methods to determine their ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved.
   - Status: phase ending, final stages of delivering work.

3. Phase III: Establish Trust Elevation Protocol
   - Propose a protocol for Trust Elevation.
   - Status: phase starting.




Slide 5: Definition of Trust Elevation

Trust elevation: increasing the strength of trust by adding factors from the same or different categories of trust elevation methods that don't have the same vulnerabilities.

There are five categories of trust elevation methods:
- who you are,
- what you know,
- what you have,
- what you typically do, and
- the context.

What you typically do consists of behavioral habits that are independent of physical biometric attributes.

Context includes, "but is not limited" to, location, time, party, prior relationship, social relationship and source.

Elevation can be within the classic four ITU-T X.1254 LoAs (ISO 29115, NIST 800-63).
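The definition above (factors only add trust when they do not share vulnerabilities) and the step-up rule from slide 3 (ask for extra factors only when the transaction needs them) can be turned into a small policy evaluator. The following is an added illustration, not code from the OASIS TC; the factor catalogue, the vulnerability labels attached to each factor, the "one level per independent factor" LoA rule and the transaction-value thresholds are all assumptions made for the example.

```python
"""Trust-elevation (step-up) policy evaluator.

Illustrative code added alongside the deck; it is not the TC's code.
It models the deck's definition: trust strength rises when factors are
added from the same or different categories that do not share the same
vulnerabilities, and multi-factor authentication is requested only when
a transaction needs a higher Level of Assurance than the session holds.
The factor catalogue, vulnerability labels, LoA rule and value thresholds
below are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Factor:
    name: str
    category: str      # one of the deck's five categories
    vulns: frozenset   # assumed attack classes the factor is exposed to


# Assumed catalogue: category names follow the deck, vulnerability labels do not.
CATALOGUE = [
    Factor("password", "what_you_know", frozenset({"phishing", "credential_reuse"})),
    Factor("static_kba", "what_you_know", frozenset({"phishing", "public_records"})),
    Factor("sms_otp", "what_you_have", frozenset({"phishing", "sim_swap"})),
    Factor("hardware_otp", "what_you_have", frozenset({"device_theft"})),
    Factor("fingerprint", "who_you_are", frozenset({"sample_replay"})),
    Factor("registered_device", "context", frozenset({"device_theft"})),
]
BY_NAME = {f.name: f for f in CATALOGUE}

# Assumed mapping from transaction value to the required LoA (four levels,
# as in the ITU-T X.1254 model the deck cites). Values at or above the
# last limit require LoA 4.
REQUIRED_LOA = [(100, 1), (1_000, 2), (10_000, 3)]


def required_loa(value: float) -> int:
    for limit, loa in REQUIRED_LOA:
        if value < limit:
            return loa
    return 4


def independent_factors(names):
    """Greedy selection: a factor adds trust only if it shares no
    vulnerability with the factors already counted (the deck's rule)."""
    counted, covered = [], set()
    for name in names:
        f = BY_NAME[name]
        if f.vulns.isdisjoint(covered):
            counted.append(f)
            covered |= f.vulns
    return counted


def loa_of(names) -> int:
    # Assumed rule: one LoA per independent factor, capped at four levels.
    return min(4, len(independent_factors(names)))


def decide(names, value: float) -> dict:
    """Return the current and required LoA, whether to elevate, and which
    catalogue factors would actually raise trust for this session."""
    have, need = loa_of(names), required_loa(value)
    covered = set().union(*(f.vulns for f in independent_factors(names)))
    if have >= need:
        options = []
    else:
        options = [f.name for f in CATALOGUE
                   if f.name not in names and f.vulns.isdisjoint(covered)]
    return {"current_loa": have, "required_loa": need,
            "elevate": have < need, "acceptable_factors": options}


if __name__ == "__main__":
    # Constructed sessions: a low-value visit and a high-value transaction.
    print(decide(["password"], 50))
    print(decide(["password"], 5_000))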

Slide 6: Categories of Trust Elevation Methods

- Who you are
  - biometrics, behavioral attributes
- What you know
  - shared secrets, public and relationship knowledge
- What you have
  - devices, tokens (hard, soft, OTP)
- What you typically do
  - described by ITU-T X.1254
  - behavioral habits that are independent of physical biometric attributes
- Context
  - e.g. location, time, party, prior relationship, social relationship and source

Slide 7: Levels of Assurance

[Figure: Trust Elevation Paths between Levels of Assurance]

Slide 8: Trust Elevation Method List

Methods sorted by trust elevation method category.

What you are

- Biometric: use of distinctive measurements about your physical body and/or your behavior that are unique
  - Physical Biometric: considered immutable and unique
    - Facial recognition
    - Iris scan
    - Retinal scan
    - Fingerprint, palm scan
    - Voice
    - Liveness biometric factors include: pulse, CAPTCHA, temperature
  - Behavioral Biometric: a person's physical behavioral activity patterns
    - Keyboard signature
    - Voice

Slide 9: Trust Elevation Method List

What you know

- User Name and Password (UN/PW)
- Knowledge Based Authentication (KBA)
  - User is asked one or more (sometimes 3 to 5) challenge questions
  - User data procured at enrollment time
  - Static KBA: questions and answers that do not change
  - Dynamic KBA: questions that are user-specific and/or change over time, and/or the answers to the questions change over time (e.g., asking the value of the customer's last VISA transaction)


Slide 10: Trust Elevation Method List

What you have

- End Point Identity
  - Landline number;
  - Mobile phone number and/or SIM and/or OS;
  - IP address, router, provider;
  - Cookie, OS, browser, chip.
- Token
  - Hardware tokens
    - Proprietary tokens
    - USB tokens
    - Smart cards
    - Mobile phone and/or SIM
  - Software tokens
    - Digital certificates
    - Cookies

Slide 11: Trust Elevation Method List

What you have

- Out of Band
  - User calls service provider from a registered phone;
  - Response to a phone call from the service provider;
  - Response to an email from the service provider;
  - Response to an SMS message from the service provider;
  - Response to a mobile application transaction initiated by the service provider;
  - Response to a post card;
  - Response to a letter, registered or otherwise.
- One Time Password (OTP)
  - Email;
  - Mobile phone voice message;
  - Mobile phone SMS message;
  - Mobile phone application;
  - Landline voice message;
  - Mail (postcard, letter, registered mail, etc.);
  - Proprietary hardware token with password generation capability.



Slide 12: Trust Elevation Method List

What You Typically Do: an individual's repeated behaviors or behavioral habits

- Browsing patterns (order in which pages are accessed, duration of access, links accessed, etc.);
- Time of access;
- Type of access, etc.

Slide 13: Trust Elevation Method List

Context: attributes relevant to the user or situation

- Location;
- Time of access;
- Frequency of access;
- Party;
- Prior relationship;
- Social relationship;
- Source and endpoint identity attributes such as
  - Date of last virus scan
  - IP address
  - Subscriber identity module (SIM)
  - Device basic input/output system (BIOS)
  - Virus scan software version
  - CallerID
  - Cookie (presence and/or contents);
- Multi-channel combination;
- Credential lifecycle attributes;
- Certificate binding and/or other chain of trust attributes;
- Secure device with user specific disk allocation.

Slide 14: Method Examples (Use Cases)

- Reuse of Primary Authenticator Method Example
- Customer Retention Method Example
- Cloud Access Method Example
- Static KBA Method Example
- Session Elevation to Level of Identity Proofing Method Example
- Hub Provider of Pseudonymous Identity Method Example
- Step-Up Authorization Method Example
- Multi-channel by Phone Method Example
- Generic KBA Method Example
- Address Verification Service Method Example
- Split Large (Risky) Transactions into Multiple Smaller Transactions Method Example
- Use of Tokenized Device/Network Attributes Method Example
- Trust Elevation by Hard Token (OTP Generator) Method Example
- Multi-Attribute-Based Trust Elevation Service Method Example (AKA Fraud Detection)
- Emergency Access to Patient Healthcare Information, a European Method Example

Slide 15: Resources

- OASIS Trust-El Technical Committee Homepage: https://www.oasis-open.org/committees/trust-el

Contact: abarbir@live.ca