Scalable 2-factor authentication work item TERENA TF-MNM 16 February 2011 Joost van Dijk, SURFnet Wednesday, February 16, 2011


Page 1: Scalable 2-factor authentication work item - TERENA · Scalable 2-factor authentication work item TERENA TF-MNM 16 February 2011 Joost van Dijk, SURFnet Wednesday, February 16, 2011

Scalable 2-factor authentication work item

TERENA TF-MNM

16 February 2011

Joost van Dijk, SURFnet

Wednesday, February 16, 2011

Page 2

Aim


- Explore 2-factor authentication solutions and assess their applicability, flexibility and scalability for identity federation size deployments.

- Specifically including the use of mobile phone handsets as a second factor in innovative ways, distinct from SMS authentication services.


Page 3

Proposal for Activities


- Collect use cases

- Collect solutions used (hardware tokens, software tokens, integration kits, frameworks, ...)

- Deliverables: wiki?

- Send your ideas to [email protected]


Page 4

Use cases / PoCs

- NREN community

  - Feide/UNINETT:

    - PoC for login with second factor, either PIN sent by SMS or Mobile App (http://www.encap.no/)

  - SURFnet:

    - X.509 certificate on PKI token (Aladdin eToken) for access to TCS portals

    - OTP sent by SMS for login to self-service applications (e.g. DNS portal)

    - VASCO OTP tokens for e.g. SSH access (for SURFnet employees)

    - pilots/PoCs: mobile PKI, VASCO DIGIPASS Nano


Page 5

2-factor authentication using a mobile phone application

TERENA TF-MNM

15 February 2011

Joost van Dijk, Roland van Rijswijk, SURFnet


Page 6

Comparison


Method              Usability  Cost  Security  Software Independ.  Hardware Independ.  Signing
Username/Password   +/-        ++    --        ++                  ++                  no
OTP/SMS             +          +/-   +         -                   ++ +                no
OTP/Token           +          -     ++        -                   -                   no
PKI Token           +          -     ++        --                  -                   yes
Mobile PKI          ++         ?     ++        ++                  +                   yes
Mobile App          ++         +     +         +                   +                   no

X


Page 7

codename: Moby Dick

- Use your mobile phone as a challenge/response token

- Secure:

- two factor (user-defined PIN)

- OATH Challenge-Response Algorithms (OCRA): response = HMAC_SHA1(secret, challenge)

- store secrets encrypted with PIN-derived key

- more likely to be missed when lost or stolen

- User-friendly:

- no codes to transcribe (use your phone’s camera and IP connectivity)

- no extra dongles to carry (just your phone)
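The challenge/response flow this slide sketches, as an added Python example that is not part of the deck or of the prototype it describes: the phone keeps its secret only encrypted under a PIN-derived key, answers a server challenge with HMAC-SHA1 as the slide states, and the server recomputes and compares. PBKDF2 for the PIN-derived key, the HMAC-based stream cipher, the 8-byte challenge length and the function names are assumptions made for a stdlib-only demo, not the prototype's own choices.

```python
import hashlib, hmac, os, secrets

PBKDF2_ITERS = 100_000  # assumed parameter, not taken from the slides

def pin_key(pin: str, salt: bytes) -> bytes:
    """Derive the secret-protection key from the user PIN; the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERS, dklen=32)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode); a real app would use AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def enroll(secret: bytes, pin: str) -> dict:
    """Phone side: store the OCRA secret only encrypted under the PIN-derived key. No local
    authentication tag, so a stolen phone gives no way to test PIN guesses offline."""
    salt, nonce = os.urandom(16), os.urandom(16)
    ks = keystream(pin_key(pin, salt), nonce, len(secret))
    return {"salt": salt, "nonce": nonce, "blob": bytes(a ^ b for a, b in zip(secret, ks))}

def unlock(rec: dict, pin: str) -> bytes:
    """Decrypt with the entered PIN; a wrong PIN yields a wrong secret, not a local error."""
    ks = keystream(pin_key(pin, rec["salt"]), rec["nonce"], len(rec["blob"]))
    return bytes(a ^ b for a, b in zip(rec["blob"], ks))

def new_challenge() -> bytes:
    """Server side: a fresh random challenge, shown to the phone e.g. as a QR code."""
    return secrets.token_bytes(8)

def phone_response(rec: dict, pin: str, challenge: bytes) -> bytes:
    """The slide's rule: response = HMAC_SHA1(secret, challenge), returned over IP."""
    return hmac.new(unlock(rec, pin), challenge, hashlib.sha1).digest()

def server_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Recompute with the enrolled secret and compare in constant time; a wrong PIN
    surfaces only here, so failed attempts should be counted and rate-limited."""
    expected = hmac.new(secret, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, response)

def run_demo() -> tuple:
    """Constructed walk-through: correct PIN is accepted, wrong PIN is rejected."""
    secret, pin = os.urandom(20), "4711"
    rec = enroll(secret, pin)
    challenge = new_challenge()
    good = server_verify(secret, challenge, phone_response(rec, pin, challenge))
    bad = server_verify(secret, challenge, phone_response(rec, "0000", challenge))
    return good, bad
```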


Page 8

Use cases

- Multiple use cases:

- Login on public computers (single factor)

- Two-factor (using PIN) authentication

- Step-up authentication in Id. Federation

- Authorization with Transaction Authentication Number (TAN)

- Open Source:

- Build-your-own (rebranded) authenticator

- Server-side library, simpleSAMLphp authsource and authproc modules

- Currently iPhone and Android prototypes

- More info at TNC2011 and NDN2011
