Future Directions in User Authentication - PowerPoint PPT Presentation

1
Future Directions in User Authentication
  • Burt Kaliski, RSA Laboratories
  • Presented at Beijing University, April 10, 2006

2
Introduction
  • User authentication is a cornerstone of IT
    security, one that is changing rapidly
  • Many areas of technology development will have a
    significant impact on user authentication over
    the next decade
  • Here, I'll offer a researcher's perspective on
    five of those areas, with examples among RSA
    Security's products
  • We'll also envision a day in the life of a future
    user, Sally Surfer
  • Based on presentation given at IT-Defense 2005

3
1. Trusted Computing
Users will authenticate through trusted computing
platforms, which will in turn represent the user
to the network
  • PDAs, WLAN cards, and DRM devices are good
    examples today of user authentication built upon
    device authentication
  • Trusted computing offers the promise that the
    device can authenticate the user on behalf of
    the network
  • Will trusted computing platforms be sufficiently
    trusted to authenticate future users directly, or
    will some network verification still be involved?
  • How will the many associations between users and
    devices be managed?

4
1. Trusted Computing
Users will authenticate through trusted computing
platforms, which will in turn represent the user
to the network
  • PDAs, WLAN cards, and DRM devices are good
    examples today of user authentication built upon
    device authentication
  • Trusted computing offers the promise that the
    device can authenticate the user on behalf of
    the network
  • RSA Sign-On Manager and RSA SecurID for Microsoft
    Windows are initial steps toward the trusted
    desktop concept

5
2. RFID and Other Wireless Authenticators
Users will authenticate via RFID and other
wireless devices, as logical and physical
authentication technologies converge
  • e-Passports incorporate RFID chips; NIST's
    Personal Identity Verification card combines a
    smart card with an ISO 14443 proximity card
  • RFID for supply chain tracking is already
    leading to wireless user authenticators, e.g.,
    VeriChip™
  • Users will authenticate to buildings via
    wireless; will they also authenticate directly
    via wireless to the desktop?
  • Will mobile phones be the wireless authenticators
    of the future, or will they just be another
    device to unlock? Or both?

6
2. RFID and Other Wireless Authenticators
Users will authenticate via RFID and other
wireless devices, as logical and physical
authentication technologies converge
  • e-Passports incorporate RFID chips; NIST's
    Personal Identity Verification card combines a
    smart card with an ISO 14443 proximity card
  • RFID for supply chain tracking is already
    leading to wireless user authenticators, e.g.,
    VeriChip™
  • RSA SecurID 5100 smart card supports proximity
    authentication
  • RSA Professional Services has launched an RFID
    security and privacy consulting service

7
Belly-Button Ring Identifiers
  • If your mobile phone is your future
    authenticator, how do you authenticate to your
    mobile phone?
  • One possibility is based on MIT's beeper-based
    signature concept (R. Rivest, A. Lysyanskaya)
  • A beeper that you wear (maybe a belly-button
    ring?) sends a low-power signal to your phone
  • A fresh signal is required for the phone to generate
    digital signatures; otherwise the phone won't sign
  • The beeper can authenticate you to your phone, and/or
    you and your phone to the network

8
Privacy Considerations
  • If a beeper authenticates you to your phone, how
    do you keep it from identifying you to someone
    else?
  • Problem is quite similar to that for RFID tags,
    and solutions developed there may apply here as
    well
  • Basic privacy design principles:
  • Simple devices like belly-button rings should
    only identify themselves to one's local, personal
    devices, e.g., a mobile phone
  • More powerful devices like phones can then make
    informed decisions about whether to identify the
    user elsewhere
  • Practical privacy and authentication solutions
    for these settings remain a research challenge

9
Application: Proximity Cards
  • Electronic belly-button rings aren't here yet,
    but wireless proximity devices are becoming
    widespread
  • Without appropriate protections, a proximity card
    will identify itself to any reader that
    interfaces with it
  • Significant privacy and security risks, depending
    on what the identity contains
  • Even with a random identifier, tracking and
    cloning are still a concern
  • ISO 14443 and basic RFID tag specifications offer
    little protection, but privacy-enhancing
    technologies are available
  • Examples: foil pouches, blocker tags, minimalist
    cryptography
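The three preceding slides (beeper-gated signing, the privacy principle that a simple device should identify itself only to one's own phone, and the tracking and cloning problems of proximity cards) can be tied together in one small model. The Python below is an added example, not code from the talk, from MIT's scheme or from any RSA product: a static-serial tag beside a keyed challenge-response tag, and a phone that resolves which of its own tags answered and produces a network authenticator only while that tag has answered a fresh challenge. Class names, key sizes, the 8-byte truncation and the use of an HMAC in place of the phone's digital signature are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the talk: a proximity tag or wearable beeper
# that answers only its owner's phone with a keyed challenge-response, shown
# beside the static-serial tag it replaces, and a phone that signs for the
# network only while the tag has answered a fresh challenge. Class names,
# key sizes and the 8-byte truncation are assumptions for the demo.

MAC_LEN = 8  # bytes kept on the air interface (assumption)


def tag_mac(key: bytes, challenge: bytes) -> bytes:
    """Truncated HMAC-SHA256 of the reader's challenge under the tag key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:MAC_LEN]


class StaticTag:
    """Basic ISO 14443-style behaviour: the same serial to every reader."""

    def __init__(self, serial: bytes):
        self.serial = serial

    def respond(self, challenge: bytes) -> bytes:
        return self.serial  # ignores the challenge: trackable and trivially cloned


class KeyedTag:
    """Proves possession of its key to whoever sent the challenge, while
    leaving nothing stable for a rogue reader to track."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return tag_mac(self.key, challenge)


class Phone:
    """The owner's personal device: holds the keys of its few tags, works out
    which tag answered, and signs for the network only while a tag is fresh."""

    def __init__(self, tag_keys: dict, network_key: bytes):
        self.tag_keys = tag_keys        # tag name -> key shared with that tag
        self.network_key = network_key  # stands in for the phone's signing key
        self.last_seen = {}             # tag name -> time of last fresh answer

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def resolve(self, challenge: bytes, response: bytes, now: float):
        """Trial-MAC against each known tag; cheap for a handful of personal tags."""
        for name, key in self.tag_keys.items():
            if hmac.compare_digest(tag_mac(key, challenge), response):
                self.last_seen[name] = now
                return name
        return None

    def sign(self, tag: str, message: bytes, now: float, window: float = 30.0):
        """Authenticator for the network, or None unless `tag` answered a
        challenge within the last `window` seconds (an HMAC stands in for
        the digital signature the phone would really produce)."""
        seen = self.last_seen.get(tag)
        if seen is None or now - seen > window:
            return None
        return hmac.new(self.network_key, message, hashlib.sha256).digest()


def linkable(tag) -> bool:
    """Does a rogue reader get the same bytes from this tag in two sessions?"""
    return tag.respond(secrets.token_bytes(16)) == tag.respond(secrets.token_bytes(16))


def replay_accepted(tag, phone: Phone, tag_name: str) -> bool:
    """An eavesdropper records one (challenge, response) pair and replays the
    response against the phone's next, different challenge."""
    recorded = tag.respond(phone.challenge())
    return phone.resolve(phone.challenge(), recorded, now=0.0) == tag_name


def demo() -> dict:
    ring_key = secrets.token_bytes(16)
    phone = Phone({"ring": ring_key}, network_key=secrets.token_bytes(32))
    ring = KeyedTag(ring_key)
    badge = StaticTag(b"\x04\xa1\x2b\x3c")  # constructed serial

    c = phone.challenge()
    who = phone.resolve(c, ring.respond(c), now=100.0)
    return {
        "resolved": who,
        "signs_while_fresh": phone.sign("ring", b"pay toll 2.50", now=110.0) is not None,
        "signs_after_window": phone.sign("ring", b"pay toll 2.50", now=200.0) is not None,
        "static_tag_linkable": linkable(badge),
        "keyed_tag_linkable": linkable(ring),
        "keyed_tag_replay_accepted": replay_accepted(ring, phone, "ring"),
    }
```

Running `demo()` shows the static badge answering identically to every reader while the keyed ring gives a rogue reader nothing linkable and a recorded answer is useless against a fresh challenge; the phone signs at t=110 but refuses at t=200 once the 30-second freshness window has lapsed. Two caveats a practitioner should keep in mind: the trial-MAC resolution only scales to the handful of tags one phone owns (which is exactly the slide-8 principle), and challenge-response alone does not stop a real-time relay attack, so a deployment also needs a distance bound or a tight timing budget on the air interface.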

10
3. Knowledge-Based Authentication
Users will authenticate based on what they know
and what they're able to do in new and
sophisticated ways
  • Life questions are quite common already for
    password reset, as well as account enrollment
  • Human-computer interfaces offer new possibilities
    for authentication, e.g., Passface™
  • How will the security of knowledge be measured
    and who will be the keepers of the knowledge?
  • What other HCI can be relied on, as knowledge and
    biometrics converge?

11
3. Knowledge-Based Authentication
Users will authenticate based on what they know
and what they're able to do in new and
sophisticated ways
  • Life questions are quite common already for
    password reset, as well as account enrollment
  • Human-computer interfaces offer new possibilities
    for authentication, e.g., Passface™
  • IntelliAccess™ technology in RSA Sign-On Manager
    embodies several early results of our research on
    life questions

12
Life Questions: from Art to Science
  • Few metrics have been established on the security
    of answers to specific life questions, which
    depends on factors such as:
  • User demographics
  • Attacker's resources
  • Attacker's relationship to the user
  • Further research on the security of life
    questions and other forms of KBA is needed to
    put them on a solid foundation
  • Also to be considered: how to verify the answers
    while minimizing their exposure at the verifier
  • Ideally, without seeing or storing them
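Both halves of this slide (measuring how guessable an answer is, and verifying it without the verifier seeing or storing it) can be made concrete. The Python below is an added example, not code from the talk or from IntelliAccess: the user's device normalizes the answer and sends only a slow, salted hash of it, the verifier stores and compares that hash in constant time, and a small guessing metric shows how the popularity of answers bounds the security of a question. The popularity tables are constructed for illustration, and the iteration count and normalization rule are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Added example, not code from the talk or from RSA's products: enrolling and
# checking a life-question answer so that the verifier never sees or stores
# the answer itself, plus a guessing metric over answer popularity. The
# popularity tables are constructed for illustration; the iteration count
# and normalization rule are assumptions.

ITERATIONS = 100_000  # PBKDF2 work factor (assumption)


def normalize(answer: str) -> str:
    """Fold spelling variants so 'Fluffy!' and ' fluffy ' are the same answer."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def client_token(answer: str, salt: bytes) -> bytes:
    """Runs on the user's device: a slow, salted hash of the normalized answer.
    Only this token, never the answer, is sent to the verifier."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


class Verifier:
    """Holds one salt and one token per (user, question); never a plaintext."""

    def __init__(self):
        self.records = {}  # (user, question) -> (salt, token)

    def new_salt(self, user: str, question: str) -> bytes:
        salt = secrets.token_bytes(16)
        self.records[(user, question)] = (salt, None)
        return salt

    def enroll(self, user: str, question: str, token: bytes) -> None:
        salt, _ = self.records[(user, question)]
        self.records[(user, question)] = (salt, token)

    def salt_for(self, user: str, question: str) -> bytes:
        return self.records[(user, question)][0]

    def check(self, user: str, question: str, token: bytes) -> bool:
        stored = self.records[(user, question)][1]
        return stored is not None and hmac.compare_digest(stored, token)


# Constructed popularity tables: share of users giving each answer. Only the
# most common answers are listed; the omitted tail does not change the top-k
# guess rates computed below.
FAVORITE_COLOR = {"blue": 0.35, "green": 0.15, "red": 0.12, "purple": 0.10,
                  "black": 0.08, "yellow": 0.06, "orange": 0.05, "pink": 0.05,
                  "white": 0.04}
FIRST_PET = {"max": 0.03, "buddy": 0.025, "bella": 0.02, "charlie": 0.02,
             "lucy": 0.015, "molly": 0.015, "daisy": 0.01}


def success_rate(popularity: dict, guesses: int) -> float:
    """Share of a population compromised by an attacker who knows the table and
    gets `guesses` tries per account (the beta-success-rate for beta = guesses)."""
    return sum(sorted(popularity.values(), reverse=True)[:guesses])


def min_entropy_bits(popularity: dict) -> float:
    """Worst-case single-guess security: -log2 of the most popular answer."""
    return -math.log2(max(popularity.values()))


def demo() -> dict:
    v = Verifier()
    salt = v.new_salt("sally", "first_pet")
    v.enroll("sally", "first_pet", client_token("Fluffy!", salt))
    later_salt = v.salt_for("sally", "first_pet")  # fetched again at reset time
    stored_token = v.records[("sally", "first_pet")][1]
    return {
        "variant_spelling_accepted": v.check("sally", "first_pet", client_token(" fluffy ", later_salt)),
        "wrong_answer_rejected": not v.check("sally", "first_pet", client_token("Rex", later_salt)),
        "plaintext_not_stored": b"fluffy" not in stored_token,
        "color_3_guesses": round(success_rate(FAVORITE_COLOR, 3), 3),
        "pet_3_guesses": round(success_rate(FIRST_PET, 3), 3),
        "color_min_entropy_bits": min_entropy_bits(FAVORITE_COLOR),
    }
```

With the constructed tables, three online guesses compromise 62% of accounts protected by "favorite color" but only 7.5% of those protected by "first pet's name", and the colour question offers about 1.5 bits of min-entropy; the same computation run on real per-demographic data is what a metric for a life question would look like. The tables model an attacker with population-level knowledge only; an attacker who knows the user personally collapses the distribution to a few candidates, which is why the slide lists the attacker's relationship to the user as a separate factor. Client-side hashing keeps the plaintext off the verifier, but because answers are low-entropy the stored token still needs the slow hash and the per-record salt, and a rate limit on failed checks.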

13
4. Anonymity
Users will authenticate anonymously in many
cases, as to their privileges, not necessarily
their identities
  • Trusted Computing Group's Direct Anonymous
    Attestation (Brickell et al.) is an important
    step in this direction: a device proves group
    membership without revealing its identity
  • Chaumian constructs still hold much promise!
  • Identity federation provides simple anonymity
    via pseudonyms will more sophisticated solutions
    be needed?
  • Will anonymous authentication be the norm
    (perhaps revocable in case of dispute), or will
    it be the exception?

14
4. Anonymity
Users will authenticate anonymously in many
cases, as to their privileges, not necessarily
their identities
  • Trusted Computing Group's Direct Anonymous
    Attestation (Brickell et al.) is an important
    step in this direction: a device proves group
    membership without revealing its identity
  • Chaumian constructs still hold much promise!
  • Identity federation in RSA ClearTrust provides
    simple anonymity via pseudonyms, following SAML

15
5. Password Protection
Users will authenticate with passwords sometimes,
but the passwords will be better protected, and
the authentication will be mutual
  • Though better password protocols are available
    (EKE, SPEKE, SNAPI, etc.), passwords are still
    typically sent in the clear to applications that
    request them, whether trustworthy or not
  • Hashing is also an option (Stanford PwdHash
    plug-in)
  • Will password authentication be standardized, so
    that better protocols can be applied by default?
    How will such protocols be integrated with server
    certificates and SSL?
  • Will desktop password managers obviate the need
    for direct user knowledge of passwords?

16
5. Password Protection
Users will authenticate with passwords sometimes,
but the passwords will be better protected, and
the authentication will be mutual
  • Though better password protocols are available
    (EKE, SPEKE, SNAPI, etc.), passwords are still
    typically sent in the clear to applications that
    request them, whether trustworthy or not
  • Hashing is also an option (Stanford PwdHash
    plug-in)
  • Phishing countermeasures have been a major focus
    of research in the CTO's office
  • RSA Sign-On Manager offers a platform for this
    better kind of password protection

17
5. Password Protection
Users will authenticate with passwords sometimes,
but the passwords will be better protected, and
the authentication will be mutual
  • Though better password protocols are available
    (EKE, SPEKE, SNAPI, etc.), passwords are still
    typically sent in the clear to applications that
    request them, whether trustworthy or not
  • Hashing is also an option (Stanford PwdHash
    plug-in)
  • RSA/Cyota risk-based authentication and the eFraud
    Network™ enhance password authentication via
    profiling, challenge questions, call-back, etc.
  • eStamp™ offers simple mutual authentication
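The "hashing" option mentioned on the three password slides is worth seeing in working form, because it is the one countermeasure here that needs no change on the server side. The Python below is an added example, not the Stanford PwdHash plug-in's own code: the user remembers one master password, and each site receives only a hash bound to that site's domain, so a look-alike phishing domain collects a value that is useless at the real site. The domain reduction, the key stretching, the HMAC algorithm and the output encoding are simplified assumptions for the demonstration and are not PwdHash's exact rules.

```python
import base64
import hashlib
import hmac

# Added example, not the PwdHash plug-in's own code: a PwdHash-style
# per-site password. The site sees only a value bound to its domain, never
# the master password. Domain reduction, stretching, HMAC choice and output
# encoding are simplified assumptions for this demo.


def site_key(host: str) -> str:
    """Registrable domain the hash is bound to. Assumption: the last two
    labels; a real deployment needs a public-suffix list (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def stretch(master: str) -> bytes:
    """Slow the master password down so that a site password captured by a
    phishing page cannot be cheaply brute-forced back to the master.
    (Assumption added here; a fast hash alone would not give this.)"""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), b"pwdhash-demo", 100_000)


def site_password(master: str, host: str, length: int = 16) -> str:
    """Password to type into `host`: HMAC of the site key under the stretched
    master, rendered printable and cut to the site's length limit."""
    key = stretch(master)
    digest = hmac.new(key, site_key(host).encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def demo() -> dict:
    master = "correct horse battery staple"  # constructed master password
    real = site_password(master, "www.bank.example")
    real_login = site_password(master, "login.bank.example")
    phish = site_password(master, "www.bank-example.com")  # look-alike domain
    other = site_password(master, "mail.example.org")
    return {
        "same_site_same_password": real == real_login,   # stable across subdomains
        "phish_gets_different_value": real != phish,     # captured value is useless
        "sites_get_unrelated_values": real != other,     # one breach stays one breach
        "master_never_sent": master not in (real, phish, other),
        "length": len(real),
    }
```

What the phishing site learns is only `site_password(master, "bank-example.com")`, which does not log in anywhere else; what it does learn is a 16-character value that an offline guessing attack on a weak master could still invert, which is why the stretching step is there and why a hashed scheme does not remove the need for a strong master. Two practical limits apply to any scheme of this shape: the per-site output has to satisfy each site's own composition rules (length, required character classes), and changing the master changes every site password at once, so there must be a migration path.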

18
Summary of the Five Areas
  • Future users will authenticate:
  • through trusted computing platforms, which will
    in turn represent the user to the network
  • via RFID and other wireless devices, as logical
    and physical authentication technologies converge
  • based on what they know and what they're able
    to do in new and sophisticated ways
  • anonymously in many cases, as to their
    privileges, not necessarily their identities
  • with passwords sometimes, but the passwords will
    be better protected, and the authentication will
    be mutual

19
Many Other Areas
  • I've highlighted some of the technologies that
    will affect user authentication. There are many
    others that one could cover:
  • Identity federation
  • One-time passwords and PKI authentication
  • Biometrics
  • Age-group recognition (e.g., i-Mature)
  • CAPTCHA™s (Completely Automated Public Turing
    tests to tell Computers and Humans Apart)
  • Additional options will emerge for user
    authentication as information technology matures.
    What will tomorrow's users experience?

20
Aside: Business Futures
  • Four complementary trends will also affect the
    landscape as the diverse set of authentication
    technologies matures:
  • Hardware manufacturers will compete with an array
    of different containers as particular
    technologies become commoditized
  • Identity providers will add a menu of related
    services, from fulfillment to help desk support
  • Application providers will establish all kinds of
    markets on the foundation of strongly
    authenticated identities
  • Business models will become the focus as
    authentication transforms from a technology into
    a standardized service

21
A Day in the Life of Sally Surfer
22
At Home in the Morning
  • Sally signs into her home computer
  • She authenticates with her RFID beeper
  • She checks her personal e-mail
  • The computer authenticates Sally to her Internet
    service provider, and downloads her mail
  • Sally pays a bill at BanksRUs.com
  • Sally's ISP federates her authentication to the
    bank
  • Her computer signs her off automatically when
    she leaves

23
On the Road
  • Sally drives to work, pays tolls by the km
  • She authenticates to her car via her beeper
  • Her car authenticates her and pays the toll
    (anonymously?) via a wireless protocol
  • She parks in the underground parking lot
  • Her car again authenticates her to the parking
    lot
  • She enters the office building and takes the
    elevator to her office
  • She authenticates to security checkpoints with
    her employee badge via RFID

24
At the Office
  • Sally signs into her office computer
  • She authenticates with her employee badge, which
    unlocks her passwords and credentials
  • It's a typical day's work: sending e-mail,
    running applications, accessing corporate
    resources
  • Her computer authenticates her seamlessly via
    passwords, credentials, identity federation
  • Her badge is checked occasionally for extra
    assurance
  • She prints her itinerary for tomorrow's trip
  • The airline site isn't yet linked to her
    corporate identity, so she authenticates with
    her knowledge: dates, cities, frequent flyer number

25
The End of Another Day
  • Sally drops by Alta Beach Club to visit with
    friends
  • She authenticates to the VIP area with an RFID
    tag
  • At home, she checks her old account at Retro Bank
  • She authenticates with a better protected password
  • Sally requests investment advice
    from NoBubble.com
  • She authenticates anonymously, proving her
    prepaid subscription
  • Sally sleeps peacefully, confident that her
    electronic identity is protected by strong,
    convenient user authentication

26
Conclusions
  • As strong user authentication becomes more
    important, technologies to achieve it will become
    more convenient
  • Much research is still needed on these
    technologies, and how they'll be put into
    practice
  • Managing the various approaches in a way that is
    seamless, reliable and measurable will be a key
    to successful future user authentication
  • With that success, we'll all experience the ease
    of Sally Surfer, making the most of the
    information technologies available for us to do
    our work

27
Contact Information
  • Burt Kaliski, Vice President of Research, RSA
    Security; Chief Scientist, RSA Laboratories
  • bkaliski@rsasecurity.com
  • www.rsasecurity.com/rsalabs
