cis14: knowing vs. asking: innovation in user recognition
DESCRIPTION
Pam Dingle, Ping Identity. Walk-through of simple changes in approach, away from the traditional stateless authentication model, that can have a radical effect on what a user might be asked to do, and how they are asked to do it, with a demonstration of recommended methods.
TRANSCRIPT
KNOWING VS ASKING INNOVATION IN USER RECOGNITION
Pamela Dingle @pamelarosiedee Office of the CTO, Ping Identity
day one
day two
day five-hundred eighty five
State of the Industry
Compartmentalization
Photo credits: bensonkua https://www.flickr.com/photos/bensonkua/2754312951; The US Army https://flic.kr/p/bExfoR; Leo Reynolds https://flic.kr/p/nfxqQG; Ginny https://flic.kr/p/5V9Viy
IDP
Today: Stranger Flow
RP
We need one more representation
Our Lexicon must grow to Encompass Hints
• What is a hint?
  – A statement based on probability but lacking authority
  – Several existing mechanisms are evolving into the concept of a hint:
• Passive factors / real-time analytics
• Cached previous data
• Account Chooser
Security posture should never be OSFA (one size fits all) again
• It isn't 1995 anymore
• The device-to-user ratio has inverted
• In the first world at least, 5-year-olds have iPads
• You can't abandon the 1995 flow, but you can choose who to offer it to
IDP
Tomorrow: Friendly Flow
RP
That must be dangerous!
Because, Security
Photo credit: Xavi Talleda https://flic.kr/p/997LWwv
A session bound with context allows us to help "friendlies"
But what tooling allows contextual collaboration across domains?
Two Flow Elements
• Continuation flow
  – Is there some context that can forecast an identifier and/or IDP?
• Bootstrap flow
  – No continuation exists
  – Is there a way to introduce the user and IDP to the flow?
Hint Spectrum
• Login hint
• Refresh token
• Previously issued ID token
• Shared signal
• Expired token and context assertion embedded in a signed AuthnRequest
Login Hint
• Exactly the information the user would have to type themselves anyway
  – User identifier
  – IDP
• Equivalent to "Remember me" (but crossing domains)
How can an RP derive a Login Hint?
• Continuation flow
  – Check the expired session cookie
  – Dig up the previous id_token
• Bootstrapping flow
  – Ask for it (NASCAR, OpenID), i.e. the stranger flow
  – Query a common authority: CDC, Account Chooser
Photo credit: Dave Carter https://www.flickr.com/photos/david_s_carter/3041065755
Bootstrapping == Discovery?
Choosers FTW
Bootstrapping
HTTP/1.1 302 Found
Location: https://server.example.com/authorize
  ?response_type=code
  &scope=openid%20profile%20email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclnt.example.org%2Fcb
  &login_hint=patty%40integralcurve.com
Continuation
{
  "iss": "s6BhdRkqt3",
  "aud": "https://server.example.com",
  "response_type": "code id_token",
  "client_id": "s6BhdRkqt3",
  "redirect_uri": "https://client.example.org/cb",
  "scope": "openid",
  "state": "af0ifjsldkj",
  "nonce": "n-0S6_WzA2Mj",
  "max_age": 86400,
  "id_token_hint": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc...K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
An attacker who emulates the login hint only gets this far: the hint carries no authority, so at most it pre-fills an identifier, and it authenticates nothing.
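The two sides of the hint flows above (the RP deriving a hint from an expired session or from a chooser, and the IDP treating that hint as probability rather than authority), as an added worked example that is not part of the talk or of any Ping Identity product. The issuer, client_id and redirect_uri are taken from the slides' authorization request; the HMAC signing key, the session-cookie shape and the function names are assumptions for the demo, and the id_token_hint is passed as a plain parameter rather than inside the signed request object shown on the Continuation slide.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Identifiers from the slides' authorization request. The signing key is an
# assumption for this demo; a real IDP would sign ID tokens with an asymmetric key.
IDP_ISSUER = "https://server.example.com"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.org/cb"
IDP_SIGNING_KEY = b"idp-demo-hmac-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """IDP side: issue a compact JWS (HS256) carrying the ID token claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hint_token(token: str, key: bytes = IDP_SIGNING_KEY) -> Optional[str]:
    """IDP side: validate an id_token_hint as a hint, not as a credential.

    Signature, issuer and audience must check out; the algorithm is pinned
    rather than read from the header. exp is deliberately not enforced, because
    the continuation flow exists precisely for sessions that have expired.
    Returns the subject the hint names, or None if the hint is not ours.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    return claims.get("sub")


def derive_hint(expired_session: Optional[dict], chooser_answer: Optional[str]) -> dict:
    """RP side: continuation first (dig the previous id_token out of the expired
    session cookie), then bootstrap (what the user typed or an account chooser
    returned), else nothing, which is the stranger flow."""
    if expired_session and expired_session.get("id_token"):
        return {"id_token_hint": expired_session["id_token"]}
    if chooser_answer:
        return {"login_hint": chooser_answer}
    return {}


def build_authorize_url(hint: dict, state: str = "af0ifjsldkj") -> str:
    """RP side: the redirect from the Bootstrapping slide, with the hint appended."""
    params = {
        "response_type": "code",
        "scope": "openid profile email",
        "client_id": CLIENT_ID,
        "state": state,
        "redirect_uri": REDIRECT_URI,
    }
    params.update(hint)
    return f"{IDP_ISSUER}/authorize?{urlencode(params)}"


def handle_authorize(params: dict) -> dict:
    """IDP side: pick the flow. A usable hint pre-fills the identifier and skips
    the 'who are you?' prompt; a forged or foreign one falls back to the
    stranger flow. Neither case yields an authenticated session."""
    prefill = None
    if "id_token_hint" in params:
        prefill = verify_hint_token(params["id_token_hint"])
    elif "login_hint" in params:
        prefill = params["login_hint"]
    return {
        "flow": "friendly" if prefill else "stranger",
        "prefill": prefill,
        "authenticated": False,  # the user still has to present a credential
    }


if __name__ == "__main__":
    # Constructed sample: an ID token issued a day ago, now expired.
    old = mint_id_token({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": "patty",
                         "exp": int(time.time()) - 86400})
    print(handle_authorize({"id_token_hint": old}))
    forged = mint_id_token({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": "admin"}, b"attacker")
    print(handle_authorize({"id_token_hint": forged}))
```

The point the slide makes sits in `handle_authorize`: the only thing a hint ever changes is which prompt the user sees, so an attacker who replays or forges one either gets a pre-filled login box for someone else's identifier or gets the ordinary stranger flow. Pinning the algorithm instead of trusting the JWT header is the one check worth copying into any real id_token_hint handler.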
Thanks!
@pamelarosiedee http://pingidentity.com
http://eternallyoptimistic.com