Transcript slides
Next Steps toward More Trustworthy Interfaces,
continued
Burt Kaliski, RSA Security
2nd TIPPI Workshop
June 19, 2006
Also includes presentations from
FSTC and W3C
Agenda
•
•
•
Recent industry activities around user authentication
How to get more trustworthy user interfaces
Next steps
Recent Industry Activities
•
•
•
•
•
•
•
A growing chorus (and calendar) …
June 2005: 1st TIPPI Workshop
October 2005 – May 2006: FSTC Better Mutual Authentication
project
October 2005: FFIEC guidance on user authentication
March 2006: W3C workshop on Web authentication
June 2006: 2nd TIPPI Workshop
July 2006: Proposed IETF session on Web Authentication
Resistant to Phishing (WARP)
FSTC Better Mutual Authentication Project
•
•
The Financial Services Technology Consortium (FSTC) ran a
project on Better Mutual Authentication (BMA) from October
2005 – May 2006
Dan Schutzer, executive director of FSTC, has summarized the
findings in a presentation he prepared for this workshop:
BMA Roadmap: A Summary of the BMA Findings
•
FSTC is considering a second phase of the project
W3C Workshop on Web Authentication
•
•
The World Wide Web Consortium (W3C) organized a workshop
on Web authentication in March 2006
The team has summarized its work in another presentation
prepared for this workshop:
W3C Engagement in Web Security
•
Follow-on work is also being considered in this organization
IETF Web Authentication Initiative
•
•
Sam Hartman, co-Security Area director in the IETF, is
proposing a new project on Web Authentication Resistant to
Phishing (WARP)
From his Internet-Draft at http://www.ietf.org/internetdrafts/draft-hartman-webauth-phishing-00.txt:
“This memo proposes requirements for protocols between web
identity providers and users … Websites must never receive
information such as passwords that can be used to
impersonate the user to third parties. Browsers should perform
mutual authentication and flag situations when the target
website is not authorized to accept the identity being offered …”
•
Session proposed for July 2006 IETF meeting
FFIEC Guidance
•
•
The Federal Financial Institutions Examination Council (FFIEC)
in October 2005 issued general guidance that banks should
employ more than “single-factor authentication” for high-risk
transactions
Quoting from the guidance at
http://www.ffiec.gov/pdf/authentication_guidance.pdf:
“… Where risk assessments indicate that the use of single-factor
authentication is inadequate, financial institutions should
implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.”
•
Guidance is not technology-specific; organizations are expected
to comply by end of 2006
How to Get More Trustworthy Interfaces
•
An authentication agent observes what the application and user
are doing and protects the user
— e.g., PwdHash
•
•
An authentication service also responds to (authorized)
requests by an application
Proposal: Establish a trustworthy user authentication service as
the primary interface between the user and applications w.r.t.
user authentication
— Trustworthy = User has assurance that
(a) this service is interacting with user
(b) on behalf of an authorized resource
• minimum: authentication data are protected from misuse
How to Get There
•
Architecture:
— Where should it go?
— What should it do?
•
Standards:
— How do you use it?
• service interfaces, e.g., “Run authentication mechanism”
• authentication mechanism types: “username/password,” “OTP
token,” “PKI token”, etc.
•
•
Requirements and use cases
Analogy: Media players
User Authentication Architecture Today
PC or
mobile
phone
browser
VPN
other apps.
generic operating
system services
user
interface
device
interfaces
credential
store
User Authentication Architecture Today
PC or
mobile
phone
browser
VPN
other apps.
PKCS #11, CAPI
user
interface
device
interfaces
credential
store
A Better Architecture for User Authentication
PC or
mobile
phone
browser
VPN
other apps.
trustworthy user authentication service
user
interface
device
interfaces
credential
store
In Conclusion
•
•
•
•
Industry should standardize on a single authentication
mechanism
Industry should support multiple authentication mechanisms,
but standardize on the user interface
Industry should support multiple authentication mechanisms
and user interfaces, and standardize on the service interface
Result: A platform for innovation in trustworthy interfaces for
user authentication, and better security
Next Steps for TIPPI Proponents
1. Continue to advance trustworthy interface concepts within the
various industry initiatives
2. Collaborate on architecture and standards proposals
3. Contribute to the 3rd TIPPI Workshop next June!
Contact Information
•
Burt Kaliski
Vice President of Research, RSA Security
Chief Scientist, RSA Laboratories
[email protected]
http://www.rsasecurity.com/rsalabs
Additional Presentations
•
•
BMA Roadmap: A Summary of the BMA Findings
W3C Engagement in Web Security
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
BMA Roadmap: A Summary
of the BMA Findings
Daniel Schutzer, Executive Director FSTC
Copyright © 2006 Financial Services Technology Consortium—All rights reserved
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
Summary: Key Themes
Mutual authentication is vital
• A necessary first step to improving online safety
• The best way to improve customer confidence in the online channel
Mutual authentication is strategic
• Not just a technology or operational play
• Understand you own posture with regard to risk, operational outsourcing,
cooperation with other FIs
The consumer/customer is the main story
•
•
•
•
Consumer fears drive regulatory pressure
Consumer confidence essential for success of online channel
Consumer convenience drives or inhibits adoption of new solutions
Customer support costs are significant now and in the future
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
Talking to consumers about authentication
“You need better security for online financial services”
• “Why? I’m not liable!”
• “You mean this online stuff isn’t safe enough already?”
• “Fine, as long as it doesn’t cost me anything and is just as convenient”
“We’re changing our approach to online security”
• “Are you really my FI? Your message sounds like a phishing scam to me”
• “What was wrong with the old way?”
• “I just want to get to my account—why are you making me jump through all
these hoops?”
• “Is this because of the latest merger? You’ve already messed up my old
services and made me change things”
“Here’s your new secure authentication device.”
•
•
•
•
•
•
•
“What am I supposed to do with it?”
“What does this do for me?”
“What if I don’t want to use it?”
“No way—have you seen what I already have to carry around?”
“I already have a handful of these things—can’t I just use one I’ve already got?”
“But I need one for my computer at the office”
“This is more of a hassle than it used to be—can I go back to the old way?”
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
Four Directions to Approach Authentication
Alternative
Channels
N
Electronic
W
Credentials
E
S
Contextual
Analysis
Shared
Secrets
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
Authentication challenges associated with
delegation of authority
Informal delegation of authority by retail customers (e.g., sharing
passwords or auth devices) leads to a variety of exposures
• FIs cannot distinguish the principal customer from a delegate
• All-or-nothing access for delegates—i.e., customer can’t restrict what their
delegate can do via online services
• Rescinding authority granted to a delegate is difficult
• In the real world, fraud by “friends and family” is a significant problem
Delegation of authority to third party services presents other challenges
• Introducing new authentication measures can “break” legitimate access by third
party financial services
• Some existing access by third party services may represent compliance
challenges with current regulatory guidance
Sharing of authentication mechanisms across multiple FIs can significantly
increase exposures when customers delegate authority to others
FINANCIAL SERVICES TECHNOLOGY CONSORTIUM
Near-term steps for the vendor community
Incorporate mutual authentication into products and services
• Wherever possible, provide options to support two-way authentication
• Where not possible, integrate products or services into solutions that facilitate mutual
authentication
Improve interoperability of products and services
• Authentication techniques and devices that interoperate with standard services
• Services that support various authentication techniques and devices
• Adopt standards that facilitate interoperability
Introduce services that integrate multiple authentication techniques into
comprehensive solutions
Address customer support for the consumer population at large
For vendors of OSs, browsers, and other Internet applications
• Overhaul and substantially improve usability of security measures at all levels
• Simplify security configuration management for end users
• Substantially improve security of computing platforms used by consumers
W3C Engagement in Web Security
●
Public Workshop March 15/16, NYC, on
Usability and Transparency of Web
Authentication
–
●
http://www.w3.org/2005/Security/usabilityws/report
41 position papers, 70+ attendees
–
All major browser vendors
–
Security vendors
–
Large content providers (financial services and
others)
–
Researchers (including some speaking at TIPPI)
Workshop Goal & Lessons
●
Practical security: What can help users make
the right decisions?
–
●
... when you can't avoid letting them decide ...
Lessons
–
Web authentication is broken today.
–
The problem isn't solved by any player alone.
–
There are both short-term and long-term
contributions.
Suggested Approaches
●
●
●
Tame the browser: Restrict content's ability to
manipulate the user interface.
Authenticate the interface to the user.
–
Trusted paths and login ceremonies
–
Customized user interfaces
Richer metadata
–
Logotypes
–
Trust seals with browser support
–
Content labeling
Suggested Approaches (2)
●
Let software, not users, manage credentials.
–
User-centric Identity management.
–
Or maybe just better password managers?
●
Zero-knowledge password proofs.
●
Use context known to software to assist users.
–
Distinguish known and unknown sites
–
Petnames
Requirements
●
The Web runs on more than just Personal
Computers
–
●
Device independence – how to do security
indicators on constrained devices?
Mash-ups and RESTful web services
–
Today, they just ask for passwords they shouldn't
know.
–
Delegate authorization decisions.
Please join the conversation
●
Workshop follow-up list:
http://lists.w3.org/Archives/Public/public-usable-authentication/
●
W3C is pursuing discussions in several
directions:
–
Taming the browser -- “secure chrome”
–
Richer security context information
–
Enabling client-side password management
●
You should expect to hear more from us soon.
●
For more information, contact:
–
Karen Myers, Development Officer, [email protected]