Date posted: 24-Dec-2015
Security today
• Endpoints: unrealistic
• Users care about convenience
• Data: straightforward
• AuthN/Z: hard and important

Identity remains badly broken; nobody has solved it
• Inconvenient: 100’s of usernames/passwords
• Insecure: Today’s security paradigms are fundamentally flawed, leading to never ending breaches and forced password changes
• Will get worse as EMV rolls out
• Unsustainable: # of pwd, # of breaches
My 300+ usernames and passwords
Two largest causes of never ending security breaches
1. Use of shared secrets (for >50 years):
• Passwords
• Credit card numbers, CVV
• OTP including RSA SecurID
• Voltage Identity Based Encryption (IBE)
• KBA
• Misc: “Safety images”/Passmark, biometrics
2. Centralized storage of shared secrets creates centralized risk

Number of consumer websites allowing login w/o a shared secret: 0
We are still nowhere 30 years after the invention of public key crypto!
User authentication today: shared secrets
Diagram: Steve is linked by a shared secret to each of:
• Enterprise Apps
• External Websites
• Desktop, Mobile Apps
• Offline (QR or NFC ID)
Steve: “I have >300 different usernames and passwords! This is unsustainable”
Digital identity done right: no shared secrets
Diagram: “Convince your device” (URU); Steve’s device then connects to:
• Websites
• Enterprise Apps
• Desktop, Mobile Apps
• Offline (QR or NFC ID)
Your device digitally asserts your ID to everyone else using PK (with your express approval)
DEMO

OneID Login Signature Flow
Diagram, steps 1 to 6: three signatures (Signature A, Signature B, Signature C) are produced and check-marked in turn; at the final step the website verifies the signatures.
After verification, user is logged in
Pairing technology
End to end secure transfer of crypto secrets between devices

End-to-end secure credit card transactions w/o PCI risk
Diagram actors: User, OneID payment gateway, Issuer (OneID compatible)
• “INVOICE: Pay JC Penney $32.42” (the invoice as presented to the user)
• “INVOICE: Pay JC Penney $32.42” using “Steve’s Personal VISA card” -- a438ef3103439afe20… (the invoice the user signs)
• Gateway: send signed invoice to participating Issuer as credit or debit; else verify signature, look up card and send the “old fashioned way” as credit card
• Verifies signature against public keys of user
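The login signature flow and the signed-invoice flow above rest on the same idea: the website and the payment gateway keep only public keys on file and verify signatures that the user’s device produced, so a copy of their database gives an attacker nothing to log in or pay with. The Go program below is an added illustration of that idea, not OneID’s code, protocol or message format. It assumes Ed25519 keys, a constructed message layout (`login|origin|user|challenge` for logins, the invoice text itself for payments), a single co-signing “repository” key standing in for the deck’s second signature, and single-use challenges bound to the site origin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Illustration only (not OneID's protocol): a relying party that stores
// nothing but public keys, issues single-use origin-bound challenges, and
// accepts a login only when two independent signatures verify.

type RelyingParty struct {
	origin     string
	deviceKeys map[string]ed25519.PublicKey // user -> enrolled device public key
	repoKey    ed25519.PublicKey            // co-signer (the deck's repository)
	challenges map[string]bool              // outstanding single-use challenges
}

func NewRelyingParty(origin string, repoKey ed25519.PublicKey) *RelyingParty {
	return &RelyingParty{
		origin:     origin,
		deviceKeys: map[string]ed25519.PublicKey{},
		repoKey:    repoKey,
		challenges: map[string]bool{},
	}
}

// Enroll records a user's device public key. Leaking this table gives an
// attacker nothing to log in with, unlike a table of password hashes.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) {
	rp.deviceKeys[user] = pub
}

// NewChallenge returns a fresh random nonce that is valid for one login only.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// loginMessage binds the signature to the origin the device believes it is
// talking to, so a signature captured by a look-alike site does not verify here.
func loginMessage(origin, user, challenge string) []byte {
	return []byte("login|" + origin + "|" + user + "|" + challenge)
}

// SignLogin is the device (or co-signer) side: sign the origin-bound challenge.
func SignLogin(priv ed25519.PrivateKey, origin, user, challenge string) []byte {
	return ed25519.Sign(priv, loginMessage(origin, user, challenge))
}

// VerifyLogin requires the device signature AND the repository co-signature
// over the same message, then consumes the challenge so it cannot be replayed.
func (rp *RelyingParty) VerifyLogin(user, challenge string, devSig, repoSig []byte) error {
	if !rp.challenges[challenge] {
		return errors.New("unknown or already used challenge")
	}
	pub, ok := rp.deviceKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	msg := loginMessage(rp.origin, user, challenge)
	if !ed25519.Verify(pub, msg, devSig) {
		return errors.New("device signature does not verify")
	}
	if !ed25519.Verify(rp.repoKey, msg, repoSig) {
		return errors.New("repository signature does not verify")
	}
	delete(rp.challenges, challenge)
	return nil
}

// invoiceMessage is exactly the text the user was shown, so what you see is
// what you sign: changing merchant or amount afterwards breaks the signature.
func invoiceMessage(merchant, amount string) []byte {
	return []byte("INVOICE: Pay " + merchant + " " + amount)
}

// SignInvoice runs on the user's device after the user approves the invoice.
func SignInvoice(priv ed25519.PrivateKey, merchant, amount string) []byte {
	return ed25519.Sign(priv, invoiceMessage(merchant, amount))
}

// VerifyInvoice is the gateway/issuer check against the user's public key.
func VerifyInvoice(pub ed25519.PublicKey, merchant, amount string, sig []byte) bool {
	return ed25519.Verify(pub, invoiceMessage(merchant, amount), sig)
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(nil)   // Steve's phone
	repoPub, repoPriv, _ := ed25519.GenerateKey(nil) // co-signing repository
	rp := NewRelyingParty("shop.example", repoPub)
	rp.Enroll("steve", devPub)

	c := rp.NewChallenge()
	err := rp.VerifyLogin("steve", c,
		SignLogin(devPriv, "shop.example", "steve", c),
		SignLogin(repoPriv, "shop.example", "steve", c))
	fmt.Println("login:", err) // nil: both signatures verify

	sig := SignInvoice(devPriv, "JC Penney", "$32.42")
	fmt.Println("invoice ok:", VerifyInvoice(devPub, "JC Penney", "$32.42", sig))
	fmt.Println("tampered ok:", VerifyInvoice(devPub, "JC Penney", "$320.42", sig))
}
```

Two design points carry the deck’s claims: the challenge is bound to the origin and consumed on first use, so a signature obtained through a look-alike site or captured in transit cannot be replayed against the real site; and the invoice signature covers the exact text the user approved, so the gateway detects any change to merchant or amount after approval.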
Benefits

Consumers
• Reduce user frustration: eliminate need for uname/password; no more lost pwd; eliminate manual form fill, CAPTCHA
• Increase security: can even use public terminals w/o risk; attacks (phish, malware, MITM, …) and identity theft difficult; credit card number isn’t given out
• Increase privacy: RP can’t see repo and vice-versa; no PII on user device
• Put user in control: identity can’t be asserted w/o user participation

Merchants
• Higher sales: since easy to login and register w/o typing
• Better security: public keys on file aren’t a security risk; AuthN/Z no longer relies on shared secrets
• Lower costs: reduce lost password support costs
• Reduced PCI liability: no need to handle credit cards
• Reduced chargebacks: burden is on the consumer
Integrated touch points
OneID allows a unified customer experience across multiple touch points: on-line, in-store, mobile, over the phone

Mobile app authN/Z
Log into OneID app => all other apps logged in
OneID in-store
Tap to Identify; Confirm on Phone (screen: “Pay Starbucks $9.45?”)

Over the phone authN/Z
1. Punch in 3 digit number on phone
2. Confirm on mobile (screens: “Confirm your identity”, OR)

In-person AuthN
Tap static NFC tag at hotel check-in desk; Confirm on mobile (screens: “OK to release contact info?”, “Confirm your identity”)

Mobile pay
“Identify” to merchant, e.g., tap phone to static NFC tag at register; Confirm on phone (screen: “OK to pay? $15.24”)
OneID capabilities
• Authentication
• Filling out forms
• Secure credit card transactions
• Authorization
• Information sharing including updates
• Proving digital claims (age>x, student, …)
• Repository of non-forgeable “digital proof” (software RTU, music licenses, physical good receipts, proof of purchase)
Across: on-line, in-person, over the phone

Key features
• Easy to use
• Convenient
• Secure against most all attacks: physical, phishing, malware
• Private
• User-centric/User in control
• No shared secrets with cloud repository
• Portable
• “Have it your way” security vs. convenience: Device, Site, Transaction (+type). Max{user,RP}
Two-Factor Auth: More secure & convenient than SecurID
SecurID
• Insecure: in-band (vulnerable to MITM); vulnerable shared secret; can’t see what you are approving
• Inconvenient: another device to carry; hard to use; wastes time; everyone hates them; terrible GUI/UX
vs
OneID mobile phone app: shows what is being approved (Outgoing Wire Transfer; Recipient: Sasha Orloff; Amount: $5,000 USD; Bank: CitiBank) rather than a “Blank check”
OneID is unique
Username: OPTIONAL; Password: OPTIONAL
Even if I do not define a password, you cannot break into my account
It has to be that way, since we know passwords are too easily divulged through social engineering, phishing, key logging, and guessing
Very difficult to attack
Table columns: AD, CD, Dev1, Dev2, Pwd, PIN, Total. The original table marks (x) which of these each attack class obtains; the totals per row are:
• Phish: 2
• Malware: 3
• Physical (one device): 2
• Physical (all devices): 4
Need 6 secrets to win

$1M if you can log in as me!
I’ll even give you my username, password, and PIN to make it easier
About OneID
• Founded: May 2011
• 18 employees
• CEO: Alex Doll, former COO PGP
• San Jose, CA and Austin, TX
• $7M in funding

“I believe OneID will be one of the most significant platforms to be built in the next 10 years”
Jonathan Heiliger, former VP Operations, Facebook

Simple & Secure Digital Identity