Multifactor Authentication in CAS and Shib (Apereo 2013)

Transcript

1. June 04, 2013 Factoring the Authentication Equation: Integrating Multi-factor Authentication

   into CAS/Shibboleth 1 Tuesday, June 4, 13

2. Factoring the Authentication Equation: Integrating Multi-factor Authentication into CAS/ Shibboleth

   04 June 2013 Mike Grady Andrew Petro Tuesday, June 4, 13

3. Agenda 1. Introduction 2. Multi-factor Authentication (MFA): What, Why &

   How 3. MFA integration with Shibboleth IdP today 4. Assurance & MFA Enhancements for Shibboleth 5. Multi-factor authentication in CAS today 6. Future CAS MFA support 7. Discussion and Questions Tuesday, June 4, 13

4. Introduction • Mike Grady: Senior IAM Consultant, ~1 year at

   Unicon • IAM, Shibboleth, CAS, Internet2 Scalable Privacy • Technical Lead, Cooperative Support for Shib program • 36 years at University of Illinois prior to Unicon • Andrew Petro: Software Developer, 7 years at Unicon • IAM, CAS, Shib, CAS Cooperative Support • Technical Lead, Cooperative Support for CAS program • Jasig CAS committer, CAS work since before CAS 3 Tuesday, June 4, 13

5. Introduction to Unicon • Focused on making organizations/institutions successful through

   the use of open source technologies • In business since 1993, helped hundreds of schools adopt open source solutions from Apereo • Implementation and development services • Unique maintenance program called "Open Source Support" that significantly contributes to the core community projects. This program is available for Sakai, uPortal, uMobile, CAS, Shibboleth, Grouper, and SSP. • Customized hosting and managed services for all of the above Tuesday, June 4, 13

6. This session is being recorded • All sessions live-streamed as

   a Google+ Hangout- On-Air that will be available on the Apereo YouTube channel (youtube.com/apereo) both live and recorded. • Will post slides to Lanyard page for session Tuesday, June 4, 13

7. Multi-factor Authentication (MFA): What, Why & How Tuesday, June 4,

   13

8. MFA: The “What” Something you know **password** Something you have

   Something you are Tuesday, June 4, 13

9. MFA: The “What” • Security tokens (hardware, USB, software) •

   Smart cards • Biometrics • “Second channel authn” - Phone-based https://spaces.internet2.edu/x/2gAwAg • See: Information Security Guide: Effective Practices and Solutions for Higher Education Tuesday, June 4, 13

10. MFA: The “Why” • Passwords are increasingly problematical • Phishing

    • Cracking technologies • Password reuse and “weakest link” • Password policies are (too small) a bandage • Use cases for Higher Levels of Assurance Tuesday, June 4, 13

11. MFA: The “Why” • Passwords are increasingly problematical • Phishing

    • Cracking technologies • Password reuse and “weakest link” • Password policies are (too small) a bandage • Use cases for Higher Levels of Assurance Growing understanding that passwords alone can't be fixed. No matter what strength, lifetime, use, protocol, etc. policies we put in place, and security & safeguards we implement. They are broken, and beyond effective repair. Tuesday, June 4, 13

12. MFA: The “Why” Achieving InCommon Silver Assurance Tuesday, June 4,

    13

13. MFA: The “Why” • InCommon Silver doesn’t require MFA •

    But retrofitting current IdM & credentials to satisfy can be a lot of work • Start over (at least with credentials) and use MFA • Perhaps more affordable if only need for select people/roles today, and/or if we decide MFA is our general future anyways • Provides a potential start on “Gold” Tuesday, June 4, 13

14. MFA: The “Why” Effectiveness of password credentials Time Today? Effectiveness

    of MFA Tuesday, June 4, 13

15. MFA: The “How” • Is that graph true? What are

    the costs and advantages of using MFA? What are our use cases, plans, deployment strategies, support needs, etc.? • Internet2 Scalable Privacy MFA activities • MFA Pilot institutions • MFA Cohortium: https://spaces.internet2.edu/ display/mfacohortium Tuesday, June 4, 13

16. MFA: The “How” • Few select individuals/roles with elevated privileges

    • Any access to this service • Opt-in for anyone • Integration into SSO framework would provide “big bank for the buck” Some possible deployment strategies: Tuesday, June 4, 13

17. MFA integration with Shibboleth IdP today Tuesday, June 4, 13

18. MFA & Shibboleth • Flexible MFA support would allow leveraging

    MFA for any federated service, local or external • Limited support for MFA in Shibboleth today • Duo Security (phone-based plus) • For all authentications • On Demand • Yubico’s Yubikey recipe for Shib Tuesday, June 4, 13

19. MFA & Shibboleth DEMO: Duo Security with Shibboleth On-Demand Tuesday,

    June 4, 13

20. MFA & Shibboleth Tuesday, June 4, 13

21. MFA & Shibboleth Tuesday, June 4, 13

22. MFA & Shibboleth Tuesday, June 4, 13

23. Assurance & MFA Enhancements for Shibboleth Tuesday, June 4, 13

24. Assurance & MFA with Shib • Request for Proposal -

    Assurance and MFA Enhancements to Shibboleth Identity Provider • Shibboleth Identity Provider plugin to address the technical requirements outlined in Assurance Enhancements for the Shibboleth Identity Provider • Responses due May 31, 2013 • Code by end of August 2013, acceptance by December 1, 2013 Tuesday, June 4, 13

25. Assurance & MFA with Shib • IdP is configured to

    support one or more Authentication Contexts • IdM maintains Authn Contexts user eligible for • IdP tracks user’s eligible Authn Contexts that have been authenticated and which have not • SP is specifying the Authn Context it will accept Use cases that should be supported Assumptions: Tuesday, June 4, 13

26. Assurance & MFA with Shib 1. User First Login; No

    Active Session 1.1. Option: Username/password first, then options which satisfy context and for which user is eligible 1.2. Option: Any supported authn method that satisfies 2. Active IdP session; Further authentication required 3. Active IdP session; SP sends a list of acceptable Authentication Contexts Use cases that should be supported Tuesday, June 4, 13

27. Assurance & MFA with Shib Tuesday, June 4, 13

28. Multi-factor authentication in CAS today Tuesday, June 4, 13

29. UC Berkeley • Don’t need to enhance CAS server much

    if you simply deploy and configure multiple :) Tuesday, June 4, 13

30. Tuesday, June 4, 13

31. Tuesday, June 4, 13

32. “Second-level CAS” • Two separate CAS servers • a normal

    CAS server, • a higher-LOA CAS server • Only some users can log in to the higher LOA CAS server • Entails first logging in via normal CAS (first factor) • and a second credential (second factor) Tuesday, June 4, 13

33. No relying party customizations • Plain old CAS protocol •

    Applications choose LOA requirement simply by configuring which CAS server to use Tuesday, June 4, 13

34. Ryerson • 2fa using Google Authenticator • Decisions by web

    services out of Ryerson’s custom SIS Tuesday, June 4, 13

35. Tuesday, June 4, 13

36. Tuesday, June 4, 13

37. Available code for CAS • Authentication handlers for OTP credentials

    Tuesday, June 4, 13

38. Yubikey Authentication Handler • https://github.com/Unicon/cas-addons/tree/ master/src/main/java/net/unicon/cas/addons/ authentication/strong/yubikey Tuesday, June 4,

    13

39. OATH TOPT Tuesday, June 4, 13

40. Theme • Mapping of Yubikey or OATH token to user

    is an exercise left to the reader. Tuesday, June 4, 13

41. Future CAS MFA support Tuesday, June 4, 13

42. CAS4 Tuesday, June 4, 13

43. Evergreen cas-mfa project • Developing multifactor support extensions for CAS

    3.5, out loud and in public, per successful response to Evergreen State RFP • Will cherry pick in backports of CAS 4 code as appropriate, of course • https://github.com/unicon/cas-mfa Tuesday, June 4, 13

44. What needs developing? • How strong required for this authentication?

    • How to remember how strongly authenticated? • Concrete Web flow components, flows to implement UI Tuesday, June 4, 13

45. https://wiki.jasig.org/display/CAS/Second+Level+Of+Assurance+Specification Tuesday, June 4, 13

46. Strategy • Do something • Do it out loud and

    in public, producing free software, adoptable with CAS 3.5 • Lather, rinse, repeat Tuesday, June 4, 13

47. NSTIC • Scalable privacy project will probably result in CAS

    LOA-aligned features along the lines of those intended in Shibboleth • Dovetail right into Evergreen effort? • Gotta love that GitHub. GitHub + open source license = radical openness. Tuesday, June 4, 13

48. Tuesday, June 4, 13

49. Discussion & Questions Tuesday, June 4, 13

50. Possible topics 1. MFA & Assurance: What about Shib layered

    over CAS? • How would MFA/assurance information (authn context & more?) be communicated from CAS to Shib? 2. Other? Tuesday, June 4, 13

51. (License) This work is licensed under the Creative Commons Attribution-NonCommercial

    3.0 United States License. To view a copy of this license, visit: http://creativecommons.org/ licenses/by-nc/3.0/us/. Tuesday, June 4, 13

52. Photo credits • Personal photos of Mike and Andrew: all

    rights reserved. • Microphone: http://www.flickr.com/photos/deanhp/3711222265/ cc-by • Composition books: http://www.flickr.com/photos/ 83251575@N04/7639841596 cc-by • Soap: http://www.flickr.com/photos/ 21222992@N00/353215962 cc-by-nc-sa • Benevocats (c) GitHub, all rights reserved, used only in reference to and to evoke the awesomeness of GitHub. Tuesday, June 4, 13