Post on 18-May-2015
description
transcript
Scaling Authen.ca.on
Policy
Persistent Authen.ca.on
Mobile AuthN Pla7orm
Mance Harmon Head of Labs
Josh Alexander CEO
Karl Mar.n CEO
CONTINUOUS AUTHENTICATION DON’T EVEN THINK ABOUT IT!
Copyright © 2013 Ping Identity Corp. All rights reserved. 2
Mance Harmon Head of Labs
The Smartphone: An Authentication Platform
Copyright © 2014 Ping Identity Corp. All rights reserved. 3
What You Know
What You Know
What You Have
Biometrics
What You Have
Biometrics
TREND
The Smartphone: An Authentication Platform
Copyright © 2014 Ping Identity Corp. All rights reserved. 4
What You Know
What You Have
Biometrics Addi.onal Iden.fying Data Items • Geoloca.on • IP address • Opera.ng System • User Agent Model / Version • Session Cookie • User Data:
• Contacts List • Music Library
• Usage PaSerns: • Time of Day • Frequency of Access
• 100s more ….
Copyright © 2014 Ping Identity Corp. All rights reserved. 5
The Smartphone: An Authentication Platform
PASSIVE
An Authentication Taxonomy AC
TIVE
Passwords
KBA OTP
Physical Keys
USB Token
Fingerprint
PIN
CONTINUOUS CONTEXT
DIRECT INDIRECT
Copyright © 2014 Ping Identity Corp. All rights reserved. 6
EKG Monitoring
Keystroke Dynamics
Voice Print Walking Gait GeolocaJon
User-‐Agent Version
IP Address
UID
Session Cookie
-‐ Time of Day -‐ Frequency
Behavioral Stats Face Scan
User Authentication: Reducing Risk
Copyright © 2014 Ping Identity Corp. All rights reserved. 7
Time
Risk
IniJal Login
Cookie Expiry: 3 hours
Resource Threshold
Re-‐AuthN
8am
0
100
40
11am 2pm 5pm
Continuous Authentication
Copyright © 2014 Ping Identity Corp. All rights reserved. 8
Time
Risk
IniJal Login
Resource Threshold
Repeated sampling of Passive factors (Context and ConJnuous)
0
100
40
GOAL: Improve Security AND Convenience
AuthN Policy: The Traditional Approach
Copyright © 2014 Ping Identity Corp. All rights reserved. 9
AuthN Methods Resources Gmail
Box
Concur
SalesForce
Splunk
Basecamp
VPN
Finance DB
Password Hard Token
Fingerprint
Geoloca.on IP address
Session Cookie
UID
User Agent Version
Time of Day
Login Frequency
OS Version
AuthN Policy: Risk-Based Authentication
Copyright © 2014 Ping Identity Corp. All rights reserved. 10
AuthN Methods Resources Gmail
Box
Concur
SalesForce
Splunk
Basecamp
VPN
Finance DB
Password Hard Token
Fingerprint
Geoloca.on IP address
Session Cookie
UID
User Agent Version
Time of Day
Login Frequency
OS Version
Risk Score
AuthN Policy: Threat-Based Authentication
Copyright © 2014 Ping Identity Corp. All rights reserved. 11
AuthN Methods Resources Gmail
Box
Concur
SalesForce
Splunk
Basecamp
VPN
Finance DB
Password Hard Token
Fingerprint
Geoloca.on IP address
Session Cookie
UID
User Agent Version
Time of Day
Login Frequency
OS Version
Threat Cat -‐ A
Threat Cat -‐ B
Threat Cat -‐ C
Threat Cat -‐ D
Threat Cat -‐ E
Vulnerability Mi.ga.on
AuthN Policy: Threat-Based Authentication
Copyright © 2014 Ping Identity Corp. All rights reserved. 12
AuthN Methods Resources Gmail
Box
Concur
SalesForce
Splunk
Basecamp
VPN
Finance DB
Password Hard Token
Fingerprint
Geoloca.on IP address
Session Cookie
UID
User Agent Version
Time of Day
Login Frequency
OS Version
Threat Cat -‐ A
Threat Cat -‐ B
Threat Cat -‐ C
Threat Cat -‐ D
Threat Cat -‐ E
Vulnerability Mi.ga.on
Risk-Based Authentication • “Risk Score”
– Assumes a broad, general THREAT – the world is generally antagonistic
– The “Risk Score” is the same for all ASSETS
– For a given ASSET, there is coarse-grain expression of VULNERABILITY to the general threat (“Risk” Threshold)
Copyright © 2014 Ping Identity Corp. All rights reserved. 13
Calculating Risk
Threat-Based Authentication • Risk is calculated based on
– A specific ASSET – A specific THREAT – How VULNERABLE the ASSET is
to a specific THREAT
– To what degree the AuthN methods reduce probability of success for the specific THREAT
Risk = AuthN Results + Asset + Threat + Vulnerability “Risk” = AuthN Results
Threat-Based Authentication: Benefits
Copyright © 2014 Ping Identity Corp. All rights reserved. 14
• SCALE – easy to add new Resources and Authentication Methods
• SECURITY – directly addresses known Threats, chooses authN methods appropriately
• CONVENIENCE – minimizes Active authentication