
Author of Record Digital Identity Management Sub-Workgroup


Presentation Transcript


  1. Author of Record Digital Identity Management Sub-Workgroup

    October 24, 2012
  2. Meeting Etiquette
     - Please announce your name each time prior to making comments or suggestions during the call
     - Remember: If you are not speaking keep your phone on mute
     - Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call
     - Hold = Elevator Music = very frustrated speakers and participants
     - This meeting, like all of our meetings, is being recorded
       Another reason to keep your phone on mute when not speaking!
     - Feel free to use the “Chat” or “Q&A” feature for questions or comments
       From S&I Framework to Participants: Hi everyone: remember to keep your phone on mute
     - NOTE: This meeting is being recorded and will be posted on the esMD Wiki page after the meeting
  3. Agenda
  4. Authentication Credentials LOA3/LOA4

    Oct 24, 2012
  5. Authentication
     - Authentication is the process of establishing confidence that an individual who uses a credential that is known to the system (e.g., login name, digital certificate) is indeed the person to whom the credential was issued
     - Three types of authenticators:
       - Something you know (e.g., password)
       - Something you have (e.g., smartcard, hard token, mobile phone)
       - Something you are (e.g., fingerprint)
     - Multi-factor authentication requires more than one type
     - Authentication is performed when a user logs into a system and may be required again within a given session
     - Credential – binds the identity to the token
  6. 800-63-1 Matrix
  7. Memorized Secret Tokens
     - Shared secret between user and credential provider
     - Something you know
     - Examples: Active Directory passwords, WiFi passphrases, PIN
  8. Pre-registered Knowledge Tokens
     - Challenge/response
     - Pre-registered responses or images
     - Set of shared secrets
     - Something you know
     - Examples: “I forgot my password” setup; transaction information – “what was the amount of your last payment to your phone company”
  9. Look-up Secret Tokens
     - Electronic or physical set of shared secrets, often printed on paper or plastic; the user is asked to provide a subset of the characters printed on the card
     - Something you have
     - Examples: Entrust Grid Cards, DualShield GridID
  10. Out of Band Tokens
     - Physical token that can receive a secret for one-time use
     - Something you have
     - Examples: SMS message on a registered cell phone
  11. Single Factor One-Time Password (OTP) Device
     - Hardware device
     - Something you have
     - Examples: RSA key fob token, credit card password generator
  12. Single Factor Cryptographic Device
     - Hardware device that performs a crypto operation on input provided to the device
     - Does not require a second factor
     - Generally a signed message
     - Something you have
     - Examples: PKI certificate
  13. Multi-Factor Cryptographic Device
     - Key is stored on a disk or soft media and requires activation
     - Does not require a second factor
     - Generally a signed message
     - Something you have and something you know
     - Examples: PKI certificate + PIN
  14. Multi-Factor OTP
     - OTP hardware device that requires activation via PIN or biometric
     - Something you have and something you know, or something you are
     - Examples: Verizon or Symantec OTP offering, DAON IdentityX
  15. Multi-Factor Cryptographic Device
     - Hardware device that contains a protected key that requires activation through a second factor
     - Possession of device and control of key
     - Something you have and something you know or something you are
     - Examples: PIV, PIV-I, ATM cards
  16. DEA Interim Rule
     - Requires the practitioner to authenticate to the application using an authentication protocol that uses two of the following three factors:
       - Something only the practitioner knows, such as a password or response to a challenge question.
       - Something the practitioner is, biometric data such as a fingerprint or iris scan.
       - Something the practitioner has, a device (hard token) separate from the computer to which the practitioner is gaining access.
  17. DEA Interim Rule
     - Biometrics: consulted extensively with NIST for recommendation
     - DEA did not specify type, so as to allow for greatest flexibility and adaptation to new technologies in the future
     - Hard token must meet FIPS 140-2
     - New hard token, or provide credential for an existing token
     - Must be separate from the machine used to access the application
     - Delivered through 2 channels (mail, telephone, email)
     - Would consider an alternative that does not diminish safety and security of the system
     - Not to be confused with certificates needed to dispense controlled substances, although that DEA number/certificate information needs to be associated with the signing