tiqr: OSS 2-factor AuthN for everyone
APAN 33, Chiang Mai, Thailand
Feb 16, 2012


Roland van Rijswijk [email protected]

About SURFnet

- National Research and Educational Network
- 11000+ km ultra-high bandwidth fibre-optic network
- ‘Shared ICT innovation centre’
- ≥ 160 connected institutions
- ±1 million end users

2

SURFnet. We make innovation work

Recognize this?

3

United Federation of Passwords

4

Well-known drawbacks

- The woes of username/password are well known...
- Does anybody remember these guys?

5


Endless patches and ‘solutions’

6


2-factor AuthN in one slide

7

[Figure: two picture equations, each of the form "+ = ☑", illustrating the two factors]

The 2-factor AuthN landscape

[Figure: examples of 2-factor solutions, including an SMS reading "SMS from SURFnet: your login code is 32vj6k" with an "ok" button]

8


Drawbacks of ‘traditional’ 2-factor AuthN solutions

- Often involve additional physical tokens that users need to carry around
- May require driver software on end-user workstations
- Are proprietary in nature and incompatible with each other
- Are usually single purpose (e.g. you cannot use bank A’s token for bank B as well)

9


Something we all have (right?)

- (Almost) everybody owns a mobile phone
  - A 2007 study in The Netherlands showed 19 million subscribers in a country with 16.5 million people
- Most people always carry their mobile phone with them
  - A recent study by SecurEnvoy shows that one in three people notice their phone is missing in under an hour
- There are already several options:
  - Mobile PKI (which we tried, http://bit.ly/mobile-pki)
  - SMS authentication
  - A host of ‘Apps’
  - SIM add-ons like Vasco DigiPass Nano

10


One Friday afternoon...

- As these things go, we started brainstorming...
- What we most dislike about almost all solutions: having to re-type complicated codes
- So one Friday afternoon in September we started thinking...

[Figure: picture equation of the form "+ ... + ... =" sketching the idea]

11

Seeing is believing ;-)

DEMONSTRATION

12


How does it work?

[Figure: diagram of the tiqr login flow in six numbered steps, ➀ to ➅]

13

Design and implementation

- Fully based on Open Standards (OATH, OCRA, HOTP, QR codes, ...)
- AES 256-bit encryption
- Uses the ZXing QR-code library by Google http://code.google.com/p/zxing/
- Designed to do one thing and do it well (Keep It Simple Stupid)
- Spent serious time working on the user experience with skilled UX designers

14
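The login flow of slide 13 and the OCRA/HOTP standards of slide 14 come together in one challenge-response exchange. The following is an added example, not tiqr's own code: it implements the OCRA DataInput layout and HMAC truncation from RFC 6287 and then walks one login, with the server minting a challenge and session key (the data a QR code would carry), the phone answering with its enrolled secret, and the server verifying. The suite string, the dictionary field names, the demo secret and the message shape are assumptions for illustration; only the OCRA computation itself follows the RFC.

```python
"""OCRA (RFC 6287) challenge-response login as used by QR-based 2-factor apps.

Added example, not tiqr's code. Supports suites with an optional counter (C),
a numeric or hex challenge (QNxx / QHxx), optional session information (S)
and an optional timestamp (T). PIN/password (P) mode is not implemented.
"""
import hashlib
import hmac
import re
import secrets

_DIGEST = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def _parse_suite(suite):
    """Split 'OCRA-1:HOTP-SHA1-6:QN08' into (hash function, digits, DataInput parts)."""
    algorithm, crypto, data_input = suite.split(":")
    match = re.fullmatch(r"HOTP-(SHA1|SHA256|SHA512)-(\d+)", crypto)
    if algorithm != "OCRA-1" or not match or not 4 <= int(match.group(2)) <= 10:
        raise ValueError("unsupported OCRA suite: " + suite)
    return _DIGEST[match.group(1)], int(match.group(2)), data_input.split("-")


def _encode_question(part, question):
    """Q field: the challenge as 128 bytes, right-padded with zero bytes (RFC 6287 5.1)."""
    fmt, max_len = part[1], int(part[2:])
    if len(question) > max_len:
        raise ValueError("challenge longer than the suite allows")
    if fmt == "N":       # decimal challenge: hex digits of its numeric value
        hex_str = format(int(question, 10), "x")
    elif fmt == "H":     # hexadecimal challenge: used as-is
        hex_str = question
    else:
        raise ValueError("unsupported challenge format Q" + fmt)
    return bytes.fromhex(hex_str.ljust(256, "0"))


def ocra(suite, key, question, counter=None, session_hex=None, time_seconds=None):
    """OCRA response: truncated HMAC(key, suite || 0x00 || [C] || Q || [S] || [T])."""
    hash_fn, digits, parts = _parse_suite(suite)
    msg = bytearray(suite.encode("ascii")) + b"\x00"
    for part in parts:
        if part == "C":                      # 8-byte big-endian counter
            msg += counter.to_bytes(8, "big")
        elif part[0] == "Q":
            msg += _encode_question(part, question)
        elif part[0] == "S":                 # session info, left-padded to S length (default 64 bytes)
            length = int(part[1:]) if len(part) > 1 else 64
            msg += bytes.fromhex(session_hex.rjust(length * 2, "0"))
        elif part[0] == "T":                 # 8-byte count of time steps, e.g. T1M = 1 minute
            step = int(part[1:-1]) * {"S": 1, "M": 60, "H": 3600}[part[-1]]
            msg += (int(time_seconds) // step).to_bytes(8, "big")
        else:
            raise ValueError("unsupported DataInput element: " + part)
    mac = hmac.new(key, bytes(msg), hash_fn).digest()
    offset = mac[-1] & 0x0F                  # HOTP dynamic truncation (RFC 4226 5.3)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Assumed suite for the walk-through: 10 hex-char challenge plus session info.
SUITE = "OCRA-1:HOTP-SHA1-6:QH10-S"
# Constructed demo secret (the RFC 6287 20-byte test key), shared at enrollment.
ENROLLED_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def server_new_login():
    """Server, step 1: mint a fresh challenge and session key; this is what the QR code carries."""
    return {"suite": SUITE, "challenge": secrets.token_hex(5), "session": secrets.token_hex(32)}


def phone_respond(qr_payload, secret):
    """Phone: after scanning the QR code, answer the challenge with the enrolled secret."""
    return ocra(qr_payload["suite"], secret, qr_payload["challenge"], session_hex=qr_payload["session"])


def server_verify(pending, response, secret):
    """Server: recompute the expected response for the pending login and compare in constant time."""
    expected = ocra(pending["suite"], secret, pending["challenge"], session_hex=pending["session"])
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    pending = server_new_login()
    answer = phone_respond(pending, ENROLLED_SECRET)
    print("challenge", pending["challenge"], "-> response", answer,
          "verified:", server_verify(pending, answer, ENROLLED_SECRET))
```

Because the session key is folded into the OCRA input, a response only verifies against the login attempt that produced the QR code; the server should treat each pending challenge as single-use and drop it after one verification attempt. RFC 6287 Appendix C lists test vectors (for the 20-byte key above and suite OCRA-1:HOTP-SHA1-6:QN08) that the ocra() function can be checked against.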


Comparison of AuthN tech.

Method              Hardware Indep.  Software Indep.  Cost  Open Standards  Security  Ease-of-use
Username/Password   ++               ++               --    ++              =         +/-
OTP token           -                -                ++    --              -/=       +
C/R token           -                -                ++    --              -/=       +
PKI Token           --               --               ++    --              =         +
Mobile PKI          +                +                ++    ?               +         ++
SMS OTP             +                =                      -               --        -
OTP Apps            +                +/=              +     +/=             +/=       =
(unlabelled row)    +                +/=              +     +               ++        ++

15


Roadmap

16

- Available on Apple’s App Store
- Available on Android Market
- Release as Open Source
- Security & code audit
- Support more languages: you?
- Other mobile platforms: not yet...
- Pilot with “real users”: Q1 2012


Ready to deploy (mostly)

- Ready to grab off our shelf:
  - Apps for Android & iOS
  - Server-side reference implementation in PHP
  - Soon: SimpleSAMLphp + LDAP integration
- Required to deploy yourself:
  - Enrollment strategy
  - Integration into stand-alone web application

17


Ready to deploy (mostly)

- Define your user base
  - Do they all have compatible mobile handsets?
  - Is tiqr going to replace an authentication method (like username/password) or augment it?
- Define your enrollment strategy
- Choose a means of integration
  - Direct integration into a web application requires some development
  - Integration in an identity federation is possible using SimpleSAMLphp (full module to be released Q1 2012, example already available)
- Consider working with one of our partners

18


Partners

- Egeniq - http://www.egeniq.com/
- RCDevs - Have integrated tiqr into their OpenOTP solution (server-side framework for enterprise authentication), available for free for small deployments - http://www.rcdevs.com
- Galois - Have designed a similar solution and are going to collaborate with us to standardise the tiqr protocol, are planning to provide commercial support - http://corp.galois.com

19

Looking for partners

- To help with translations into non-European languages
- For integration into the Shibboleth IdP
- For feedback from the field and success stories

20


Questions? Comments? Please contact me or visit https://tiqr.org/


[email protected] nl.linkedin.com/in/rolandvanrijswijk @reseauxsansfil