Slide 1

The Beginners Guide to Alternative Authentication
Chris Cornutt : @enygma - ConFoo 2015

Slide 2

Authentication
Authorization

Slide 3

Authentication
Authorization

Slide 4

Identity Management

Slide 5

Usual Suspects
- Access Control? What’s that?
- Permissions
- Access Control Lists
- Role-Based Access Controls

Slide 6

(no text)

Slide 7

Attribute-Based
- Flexible… …to a fault.
- XACML

Slide 8

Attribute-Based
- Resource
- Subject
- Environment
- Action

Slide 9

Attribute-Based
- Resource
- Subject
- Environment
- Action
- Decider/Enforcer
- Policy

Slide 10

SampleServer  login  09:00:00  17:00:00

Slide 11

          Resource       Subject    Environment  Action
Policy    /user/view/1   username1  production   GET
          /user/view/1   username1  production   GET

Slide 12

          Resource       Subject    Environment  Action
Policy    /user/view/1   username1  production   GET
          /user/view/1   username1  production   GET

Slide 13

          Resource       Subject    Environment  Action
Policy    /user/view/1   username1  production   GET
          /user/view/42  username1  dev          GET

Slide 14

          Resource       Subject    Environment  Action
Policy    /user/view/1   username1  production   GET
          /user/view/42  username1  dev          GET
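The policy-versus-request matching that slides 8 through 14 sketch, as an added example that is not part of the original deck: a minimal attribute-based "decider" in Python. The attribute values come from slides 10 and 11; the glob-style matching, the time-of-day window and the default-deny rule are assumptions made for illustration.

```python
# Added example (not from the deck): tiny ABAC decider over Resource/Subject/Environment/Action.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Request:
    resource: str
    subject: str
    environment: str
    action: str
    clock: str = "12:00:00"  # time of day as zero-padded HH:MM:SS (constructed default)


@dataclass
class Policy:
    resource: str      # attribute values are glob patterns; "*" means "any"
    subject: str
    environment: str
    action: str
    window: Optional[Tuple[str, str]] = None  # optional (start, end) time-of-day window
    effect: str = "permit"


def matches(policy: Policy, req: Request) -> bool:
    """True when every attribute of the request satisfies the policy."""
    attrs_ok = all(
        fnmatchcase(getattr(req, name), getattr(policy, name))
        for name in ("resource", "subject", "environment", "action")
    )
    # Zero-padded HH:MM:SS strings compare correctly as plain strings.
    in_window = policy.window is None or policy.window[0] <= req.clock <= policy.window[1]
    return attrs_ok and in_window


def decide(policies: List[Policy], req: Request) -> str:
    """Decider: first matching policy wins; no match is a deny (default deny)."""
    for policy in policies:
        if matches(policy, req):
            return policy.effect
    return "deny"


# Constructed policies mirroring the deck's examples (slides 10 and 11).
POLICIES = [
    # SampleServer login permitted only between 09:00:00 and 17:00:00
    Policy("SampleServer", "*", "*", "login", window=("09:00:00", "17:00:00")),
    # username1 may GET /user/view/1, but only in production
    Policy("/user/view/1", "username1", "production", "GET"),
]


def enforce(req: Request) -> str:
    """Enforcer: applies the decider's answer for the deck's policy set."""
    return decide(POLICIES, req)
```

Slide 11's request (same resource, subject, environment and action as the policy) is permitted; slide 13's request for /user/view/42 in dev matches no policy and falls through to deny.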

Slide 15

Multifactor
- Something you have
- Something you know
- Something you are
- Someplace

Slide 16

Multifactor

Slide 17

Multifactor
- Stolen shared secret
- Steal the thing
- Copy the thing
- Intercept/masquerade
- Hijack after use

Slide 18

Federated Identity
- Portable, standards-based
- Do you need to host?
- Removes the burden

Slide 19

Federated Identity

Slide 20

Federated Identity
- IDP

Slide 21

Federated Identity
- IDP
- Unification

Slide 22

Federated Identity
- User-to-user
- User-to-application
- Application-to-application
- Levels of trust

Slide 23

Federated Identity
- But isn’t that just Single-Sign On?
- One word…context.

Slide 24

Federated Identity
- Credentials
- User attributes
- Access levels
- Provisioning
- Auditing
- Domain

Slide 25

Single Sign On
- Credentials
- Multiple services, one login
- Interface requirements
- Not always username & password

Slide 26

Single Sign On
- Primary Domain

Slide 27

Single Sign On
- Subset of Federation
- Intranets
- Remove authentication burden
- Makes users happy…as long as it works.

Slide 28

SAML: Security Assertion Markup Language
- Cross-service
- Passes needed info
- Version 2
- XML based

Slide 29

SAML: Security Assertion Markup Language

Slide 30

SAML: Security Assertion Markup Language
- Assertions: Statements used in IdP decisions
- Protocols: How elements are packaged
- Bindings: Mapping of protocol to standard format
- Profiles: Combines assertions, protocols and bindings

Slide 31

SAML: Security Assertion Markup Language

Slide 32

SAML: Security Assertion Markup Language
- Authentication Context Schemas: Intranet, MobileTwoFactor, PublicKey, SSL/TLS Certificate, etc.
- Identification information
- How “secret” is defined

Slide 33

So, which to use?
- Level of protection needed
- Current systems and integration
- Defense in depth
- Risk (Frequency, Probability, Cost)
- Don’t have to pick just one…

Slide 34

Thanks! Questions?
@enygma
http://securingphp.com - @securingphp
http://websec.io