Title: Future Directions in User Authentication
Future Directions in User Authentication
- Burt Kaliski, RSA Laboratories
- Presented at Beijing University, April 10, 2006
Introduction
- User authentication is a cornerstone of IT security, one that is changing rapidly
- Many areas of technology development will have a significant impact on user authentication over the next decade
- Here, I'll offer a researcher's perspective on five of those areas, with examples among RSA Security's products
- We'll also envision a day in the life of a future user, Sally Surfer
- Based on a presentation given at IT-Defense 2005
1 Trusted Computing
Users will authenticate through trusted computing platforms, which will in turn represent the user to the network
- PDAs, WLAN cards, and DRM devices are good examples today of user authentication built upon device authentication
- Trusted computing offers the promise that the device can authenticate the user on behalf of the network
- Will trusted computing platforms be sufficiently trusted to authenticate future users directly, or will some network verification still be involved?
- How will the many associations between users and devices be managed?
- RSA Sign-On Manager and RSA SecurID for Microsoft Windows are initial steps toward the trusted desktop concept
2 RFID and Other Wireless Authenticators
Users will authenticate via RFID and other wireless devices, as logical and physical authentication technologies converge
- e-Passports incorporate RFID chips; NIST's Personal Identity Verification card combines a contact smart card with an ISO 14443 proximity (contactless) card
- RFID for supply-chain tracking is already leading to wireless user authenticators, e.g., VeriChip
- Users will authenticate to buildings via wireless; will they also authenticate directly via wireless to the desktop?
- Will mobile phones be the wireless authenticators of the future, or will they just be another device to unlock? Or both?
- RSA SecurID 5100 smart card supports proximity authentication
- RSA Professional Services has launched an RFID security and privacy consulting service
Belly-Button Ring Identifiers
- If your mobile phone is your future authenticator, how do you authenticate to your mobile phone?
- One possibility is based on MIT's beeper-based signature concept (R. Rivest, A. Lysyanskaya)
- A beeper that you wear (maybe a belly-button ring?) sends a low-power signal to your phone
- A fresh signal is required for the phone to generate digital signatures; otherwise the phone won't sign
- The beeper can authenticate you to your phone, and/or you and your phone to the network
Privacy Considerations
- If a beeper authenticates you to your phone, how do you keep it from identifying you to someone else?
- The problem is quite similar to that for RFID tags, and solutions developed there may apply here as well
- Basic privacy design principles:
  - Simple devices like belly-button rings should only identify themselves to one's local, personal devices, e.g., a mobile phone
  - More powerful devices like phones can then make informed decisions about whether to identify the user elsewhere
- Practical privacy and authentication solutions for these settings remain a research challenge
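The beeper-to-phone channel and the "no fresh signal, no signature" rule of the two slides above, as an added Python illustration; this is not the Rivest/Lysyanskaya construction and not RSA code. The beeper emits beacons that only the paired phone can verify, so a receiver without the pairing key sees two random-looking strings and learns nothing about who is wearing the device (the privacy principle for simple devices), a replayed beacon is rejected, and the phone signs only while a valid beacon is recent. The pairing key, the counter look-ahead window, the freshness period, the injected clock, and the use of an HMAC in place of the phone's digital-signature algorithm are all assumptions of this example.

```python
"""Beeper-gated signing: the phone signs only while a fresh, verifiable beacon from the
worn beeper has been received. Illustrative construction; see the lead-in for assumptions."""
from __future__ import annotations
import hashlib
import hmac
import os
import struct

BEACON_WINDOW = 8        # assumed: counter values the phone looks ahead (tolerates lost beacons)
FRESHNESS_SECONDS = 30   # assumed: phone refuses to sign once the last valid beacon is older than this


def _mac(key: bytes, counter: int, r: bytes) -> bytes:
    return hmac.new(key, struct.pack(">Q", counter) + r, hashlib.sha256).digest()


class Beeper:
    """Worn device. Shares a pairing key only with its owner's phone; keeps a send counter."""

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key
        self.counter = 0

    def beacon(self) -> tuple[bytes, bytes]:
        # Beacon = (random r, MAC over counter||r). No static identifier and no plaintext
        # counter go over the air: a receiver without the pairing key sees two
        # random-looking strings it can neither verify nor link to earlier beacons.
        self.counter += 1
        r = os.urandom(16)
        return r, _mac(self.key, self.counter, r)


class Phone:
    """Owner's phone. Verifies beacons from its paired beeper and gates signing on freshness."""

    def __init__(self, pairing_key: bytes, signing_key: bytes):
        self.key = pairing_key
        self.signing_key = signing_key
        self.last_counter = 0
        self.last_seen: float | None = None  # time of the last accepted beacon

    def receive_beacon(self, r: bytes, tag: bytes, now: float) -> bool:
        # Try the counter values just above the last accepted one. A replayed beacon
        # (counter already consumed) or a beacon from an unpaired beeper never matches.
        for ctr in range(self.last_counter + 1, self.last_counter + 1 + BEACON_WINDOW):
            if hmac.compare_digest(_mac(self.key, ctr, r), tag):
                self.last_counter = ctr
                self.last_seen = now
                return True
        return False

    def sign(self, message: bytes, now: float) -> bytes | None:
        # The rule from the slide: no fresh beacon, no signature. HMAC stands in for the
        # phone's real digital-signature algorithm, which is not the point here.
        if self.last_seen is None or now - self.last_seen > FRESHNESS_SECONDS:
            return None
        return hmac.new(self.signing_key, message, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    """Walk through the cases a practitioner would test; 'now' is an injected clock."""
    pairing_key = os.urandom(32)
    beeper = Beeper(pairing_key)
    phone = Phone(pairing_key, signing_key=os.urandom(32))
    stranger = Phone(os.urandom(32), signing_key=os.urandom(32))  # receiver that is not paired
    results = {}

    r, tag = beeper.beacon()                                                  # counter 1
    results["stranger_accepts"] = stranger.receive_beacon(r, tag, now=0)      # False: cannot verify, learns no identity
    results["phone_accepts"] = phone.receive_beacon(r, tag, now=0)            # True
    results["replay_accepted"] = phone.receive_beacon(r, tag, now=5)          # False: counter 1 already consumed
    results["signs_when_fresh"] = phone.sign(b"pay 10 EUR", now=10) is not None   # True, within 30 s
    results["signs_when_stale"] = phone.sign(b"pay 10 EUR", now=100) is not None  # False: beeper out of range

    for _ in range(2):                                                        # counters 2 and 3 lost in the air
        beeper.beacon()
    r, tag = beeper.beacon()                                                  # counter 4, inside the window
    results["lost_beacons_tolerated"] = phone.receive_beacon(r, tag, now=120)  # True
    for _ in range(BEACON_WINDOW):                                            # counters 5..12 lost
        beeper.beacon()
    r, tag = beeper.beacon()                                                  # counter 13, beyond 4 + 8
    results["beyond_window_rejected"] = phone.receive_beacon(r, tag, now=121)  # False: needs re-sync
    return results
```

The counter look-ahead is the trade-off to watch: it tolerates beacons lost in the air, but it caps how far a desynchronised beeper can drift before it must be re-paired, and it bounds the work an attacker can force on the phone with bogus beacons (one MAC per window slot per beacon).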
Application: Proximity Cards
- Electronic belly-button rings aren't here yet, but wireless proximity devices are becoming widespread
- Without appropriate protections, a proximity card will identify itself to any reader that interfaces with it
- Significant privacy and security risks, depending on what the identity contains
- Even with a random identifier, tracking and cloning are still a concern
- ISO 14443 and basic RFID tag specifications offer little protection, but privacy-enhancing technologies are available
- Examples: foil pouches, blocker tags, minimalist cryptography
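The tracking and cloning point above, worked as an added Python simulation (not a real ISO 14443 stack, and not RSA code): a card with a fixed identifier, random or not, answers every reader the same way, so a hostile reader network links its sightings and a single observed response is a working clone; a card carrying a short list of pseudonyms that it cycles through, in the spirit of the "minimalist cryptography" the slide mentions, shows unrelated values to readers that lack the issuer's table, but is still clonable and becomes linkable again once the list wraps around. Card serials, pseudonym lengths, the route and the issuer's table are constructed for the example.

```python
"""Proximity-card identifiers: fixed ID (trackable, clonable) versus a rotating pseudonym
list (unlinkable to outsiders up to the wrap-around, still clonable). Illustrative only."""
from __future__ import annotations
import os
from collections import defaultdict


class FixedIdTag:
    """A card that answers every reader with the same identifier, random or not."""

    def __init__(self, uid: str | None = None):
        self.uid = uid or os.urandom(8).hex()

    def respond(self) -> str:
        return self.uid


class PseudonymTag:
    """The card carries a short list of pseudonyms and cycles through them, so
    consecutive reads show values that an outsider cannot relate to each other."""

    def __init__(self, pseudonyms: list[str]):
        self.pseudonyms = list(pseudonyms)
        self.i = 0

    def respond(self) -> str:
        p = self.pseudonyms[self.i % len(self.pseudonyms)]
        self.i += 1
        return p


class Issuer:
    """Holds the table that maps every pseudonym back to a card serial; only the
    issuer's own readers (say, the building's door controllers) get this table."""

    def __init__(self):
        self.table: dict[str, str] = {}

    def issue(self, n_pseudonyms: int) -> tuple[PseudonymTag, str]:
        serial = os.urandom(4).hex()
        pseudonyms = [os.urandom(8).hex() for _ in range(n_pseudonyms)]
        for p in pseudonyms:
            self.table[p] = serial
        return PseudonymTag(pseudonyms), serial

    def resolve(self, response: str) -> str | None:
        return self.table.get(response)


def track(sightings: list[tuple[str, str]]) -> dict[str, list[str]]:
    """What a hostile reader network learns: responses seen at more than one place."""
    places: dict[str, list[str]] = defaultdict(list)
    for place, response in sightings:
        places[response].append(place)
    return {r: ps for r, ps in places.items() if len(ps) > 1}


def walk(tag, route: list[str]) -> list[tuple[str, str]]:
    """Constructed route: the card is read once at each place."""
    return [(place, tag.respond()) for place in route]


def demo() -> dict[str, bool]:
    route = ["lobby", "cafe", "garage"]
    results = {}

    fixed = FixedIdTag()
    sightings = walk(fixed, route)
    results["fixed_tracked"] = len(track(sightings)) == 1                          # one uid links all three places
    results["fixed_cloned"] = FixedIdTag(sightings[0][1]).respond() == fixed.uid    # copying one response is a clone

    issuer = Issuer()
    tag, serial = issuer.issue(n_pseudonyms=3)
    sightings = walk(tag, route)
    results["pseudonym_tracked"] = len(track(sightings)) == 0                      # three unrelated values
    results["issuer_resolves"] = {issuer.resolve(r) for _, r in sightings} == {serial}
    results["pseudonym_cloned"] = issuer.resolve(FixedIdTag(sightings[0][1]).respond()) == serial
    # After len(pseudonyms) reads the list wraps, so a patient eavesdropper links the
    # first and fourth sightings of this second walk.
    results["wraparound_tracked"] = len(track(walk(tag, route + ["lobby"]))) == 1
    return results
```

The last two results are the caveat the slide makes: pseudonym rotation addresses tracking by readers that lack the table, not cloning, and only for as many reads as the card has pseudonyms. Stopping cloning needs a challenge-response with a per-card key, which in turn requires the reader to learn which key to use, and that is where the privacy problem reappears.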
3 Knowledge-Based Authentication
Users will authenticate based on what they know and what they're able to do, in new and sophisticated ways
- Life questions are quite common already for password reset, as well as account enrollment
- Human-computer interfaces offer new possibilities for authentication, e.g., Passfaces
- How will the security of knowledge be measured, and who will be the keepers of the knowledge?
- What other HCI can be relied on, as knowledge and biometrics converge?
- IntelliAccess technology in RSA Sign-On Manager embodies several early results of our research on life questions
Life Questions: from Art to Science
- Few metrics have been established on the security of answers to specific life questions, which depends on factors such as:
  - User demographics
  - Attacker's resources
  - Attacker's relationship to the user
- Further research on the security of life questions and other forms of KBA is needed to have a solid foundation
- Also to be considered: how to verify the answers while minimizing their exposure at the verifier, ideally without seeing or storing them
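Two of the points above, verifying answers without storing them and measuring how guessable they are, as an added Python illustration (not RSA's IntelliAccess design): the verifier keeps only a salt and a slow hash of each normalized answer, accepts the user on a k-of-n match, and a small function turns a population's answer frequencies into the probability that an attacker who knows those frequencies (the demographics factor on the slide) succeeds within the online guesses allowed before lockout. The normalization rules, the PBKDF2 work factor and the favorite-color frequency table are constructed for the example, not survey data.

```python
"""Verifying life-question answers without keeping them readable at the verifier, with
k-of-n matching and a first-cut guessability metric. Added illustration, not RSA's
IntelliAccess design; see the lead-in for assumptions."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def normalize(answer: str) -> str:
    """Canonicalize so harmless variation ("St. Mary's" vs "st marys", "Málaga" vs
    "MALAGA") still matches. Every loosening here also shrinks the guess space, so it is
    a security decision, not only a usability one."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    folded = folded.replace("'", "")
    return re.sub(r"[^a-z0-9]+", " ", folded.lower()).strip()


def _digest(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """The verifier keeps only (salt, slow hash) per question; the plaintext answers are
    discarded. A breach of this record yields offline guessing, not the answers themselves."""
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, _digest(answer, salt))
    return record


def verify(record: dict[str, tuple[bytes, bytes]], attempt: dict[str, str], threshold: int) -> bool:
    """k-of-n: at least `threshold` questions must match. Every question is always checked
    and compared in constant time, so the response does not reveal which ones were right."""
    correct = 0
    for question, (salt, digest) in record.items():
        if hmac.compare_digest(_digest(attempt.get(question, ""), salt), digest):
            correct += 1
    return correct >= threshold


def guess_success(answer_frequencies: dict[str, float], guesses_allowed: int) -> float:
    """Probability that an attacker who knows how a population answers a question succeeds
    within the online guesses allowed before lockout: the sum of the most frequent answers'
    shares. Hashing does nothing against this; the lockout limit, the choice of question,
    and k-of-n do."""
    top = sorted(answer_frequencies.values(), reverse=True)[:guesses_allowed]
    return round(sum(top), 4)


# Constructed frequency table for "What is your favorite color?"; not survey data.
FAVORITE_COLOR = {"blue": 0.33, "green": 0.14, "red": 0.11, "purple": 0.10, "black": 0.08,
                  "orange": 0.06, "yellow": 0.05, "pink": 0.05, "white": 0.04, "brown": 0.04}
```

With three guesses before lockout, guess_success(FAVORITE_COLOR, 3) comes to 0.58: a question like that is not a credential on its own, which is the point of asking for metrics before relying on life questions. The slow hash protects the stored record, not the online guessing game; and the attacker's relationship to the user, the third factor on the slide, is not captured by population frequencies at all, since a family member's prior is far sharper.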
4 Anonymity
Users will authenticate anonymously in many cases, as to their privileges, not necessarily their identities
- Trusted Computing Group's Direct Anonymous Attestation (Brickell et al.) is an important step in this direction: a device proves group membership without revealing its identity
- Chaumian constructs still hold much promise!
- Identity federation provides simple anonymity via pseudonyms; will more sophisticated solutions be needed?
- Will anonymous authentication be the norm (perhaps revocable in case of dispute), or will it be the exception?
- Identity federation in RSA ClearTrust provides simple anonymity via pseudonyms, following SAML
5 Password Protection
Users will authenticate with passwords sometimes, but the passwords will be better protected, and it will be mutual
- Though better password protocols are available (EKE, SPEKE, SNAPI, etc.), passwords are still typically sent in the clear to the applications that request them, whether trustworthy or not
- Hashing is also an option (Stanford PwdHash plug-in)
- Will password authentication be standardized, so that better protocols can be applied by default? How will such protocols be integrated with server certificates and SSL?
- Will desktop password managers obviate the need for direct user knowledge of passwords?
- Phishing countermeasures have been a major focus of research in the CTO's office
- RSA Sign-On Manager offers a platform for this better kind of password protection
- RSA/Cyota risk-based authentication and the eFraud Network enhance password authentication via profiling, challenge questions, call-back, etc.
- eStamp offers simple mutual authentication
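The "hashing is also an option" bullet of this section, worked as an added Python illustration in the spirit of the Stanford PwdHash plug-in (this is not the plug-in's code and not RSA code): what the site receives is a hash of the master password and the site's domain, so a look-alike phishing domain obtains a value that is useless at the real site and a breach at one site does not expose the password used at another. PwdHash keyed an HMAC with the password over the domain; SHA-256, the 16-character output, the two-label domain rule and the example URLs are assumptions of this example. The password-authenticated key exchange protocols named on the slide (EKE, SPEKE, SNAPI) are a different approach and are not shown here.

```python
"""Site-specific password hashing, PwdHash style: the site gets hash(master, domain),
never the master password. Added illustration; see the lead-in for assumptions."""
import base64
import hashlib
import hmac


def registrable_domain(url: str) -> str:
    """Reduce a URL to the domain the password is bound to. Simplified on purpose: the
    last two host labels, which is wrong for suffixes like co.uk, so a real deployment
    needs a public-suffix list. Binding to the domain rather than the full host is
    deliberate, so www.bank.example and login.bank.example get the same password."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    host = host.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    return ".".join(host.split(".")[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """HMAC keyed with the master password over the domain (PwdHash's construction,
    with SHA-256 here), encoded to printable characters and truncated."""
    digest = hmac.new(master.encode(), registrable_domain(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def phishing_demo(master: str) -> dict[str, bool]:
    """Constructed URLs: the real bank under two hosts, a phishing host that merely
    starts with the bank's name, and an unrelated shop that gets breached."""
    real_login = "https://www.bank.example/login"
    real_alias = "http://bank.example:8443/"
    phish = "https://bank.example.login-secure.test/login"
    at_real = site_password(master, real_login)
    return {
        # same registrable domain, same derived password: the user sees one site, one login
        "same_site_consistent": at_real == site_password(master, real_alias),
        # the phishing page receives a different value, useless at the real bank
        "phish_gets_different_value": site_password(master, phish) != at_real,
        # the shop's stolen credential database does not contain the bank password
        "breach_at_one_site_reuses": site_password(master, "https://shop.example/") == at_real,
    }
```

Two practical caveats go with this. The master password must never reach the page's own script, or the hashing protects nothing; PwdHash handled this inside the browser rather than in page JavaScript. And the derived value must satisfy each site's password rules (length, required character classes), which a truncated base64 string does not guarantee, so a deployable version needs a policy-aware encoding step. Note also that the scheme leaves authentication one-way: the user still proves knowledge of a per-site secret to the site, and nothing here proves the site to the user, which is the mutual property the section's headline asks for.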
Summary of the Five Areas
- Future users will authenticate:
  - through trusted computing platforms, which will in turn represent the user to the network
  - via RFID and other wireless devices, as logical and physical authentication technologies converge
  - based on what they know and what they're able to do, in new and sophisticated ways
  - anonymously in many cases, as to their privileges, not necessarily their identities
  - with passwords sometimes, but the passwords will be better protected, and the authentication will be mutual
Many Other Areas
- I've highlighted some of the technologies that will affect user authentication. There are many others that one could cover:
  - Identity federation
  - One-time passwords and PKI authentication
  - Biometrics
  - Age-group recognition (e.g., i-Mature)
  - CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart)
- Additional options will emerge for user authentication as information technology matures. What will tomorrow's users experience?
Aside: Business Futures
- Four complementary trends will also affect the landscape as the diverse set of authentication technologies matures:
  - Hardware manufacturers will compete with an array of different containers as particular technologies become commoditized
  - Identity providers will add a menu of related services, from fulfillment to help-desk support
  - Application providers will establish all kinds of markets on the foundation of strongly authenticated identities
  - Business models will become the focus as authentication transforms from a technology into a standardized service
A Day in the Life of Sally Surfer
At Home in the Morning
- Sally signs into her home computer
  - She authenticates with her RFID beeper
- She checks her personal e-mail
  - The computer authenticates Sally to her Internet service provider and downloads her mail
- Sally pays a bill at BanksRUs.com
  - Sally's ISP federates her authentication to the bank
- Her computer signs her off automatically when she leaves
On the Road
- Sally drives to work, paying tolls by the km
  - She authenticates to her car via her beeper
  - Her car authenticates her and pays the toll (anonymously?) via a wireless protocol
- She parks in the underground parking lot
  - Her car again authenticates her, this time to the parking lot
- She enters the office building and takes the elevator to her office
  - She authenticates to security checkpoints with her employee badge via RFID
At the Office
- Sally signs into her office computer
  - She authenticates with her employee badge, which unlocks her passwords and credentials
- It's a typical day's work: sending e-mail, running applications, accessing corporate resources
  - Her computer authenticates her seamlessly via passwords, credentials, and identity federation
  - Her badge is checked occasionally for extra assurance
- She prints her itinerary for tomorrow's trip
  - The airline site isn't yet linked to her corporate identity, so she authenticates with her knowledge: dates, cities, frequent-flyer number
The End of Another Day
- Sally drops by Alta Beach Club to visit with friends
  - She authenticates to the VIP area with an RFID tag
- At home, she checks her old account at Retro Bank
  - She authenticates with a better-protected password
- Sally requests investment advice from NoBubble.com
  - She authenticates anonymously, proving her prepaid subscription
- Sally sleeps peacefully, confident that her electronic identity is protected by strong, convenient user authentication
Conclusions
- As strong user authentication becomes more important, technologies to achieve it will become more convenient
- Much research is still needed on these technologies and on how they'll be put into practice
- Managing the various approaches in a way that is seamless, reliable and measurable will be a key to successful future user authentication
- With that success, we'll all experience the ease of Sally Surfer, making the most of the information technologies available for us to do our work
Contact Information
- Burt Kaliski
- Vice President of Research, RSA Security
- Chief Scientist, RSA Laboratories
- bkaliski_at_rsasecurity.com
- www.rsasecurity.com/rsalabs