Overview

End user authentication in the context of electronic communication is the process by which a remote end user presents some form of credential to an on-line service to inform the service who they are.  If the credential presented by the remote end user is successfully submitted and validated, services are provided to the remote end user.  The credential submitted by the end user typically takes the form of an Identifier that uniquely maps to the individual, often termed the user’s login-id, and an Authenticator, which is often a secret (or set of secrets) called the user’s password.  The identifier is typically public information.  The authenticator must be kept confidential, known only to the end user, but with mechanisms in place to enable the server to validate the authenticator without itself holding the secret in recoverable form.

The CIFER Authentication Workstream focuses on the whole scope of authentication ranging from how identifiers are initially bound to end users and how passwords are issued, through more specialized requirements for single-sign-on and authentication based on federation and social networks, to multi-factor authentication where a higher level of confidence of the remote user’s identity can be asserted.

This document provides a general description of the components and functions of the authentication component of an institutional-scale Identity and Access Management (IAM) suite.  It also suggests touch points with other subsystems in such a suite.  Requirements for authentication functionality and operation can be written based on the terms and concepts presented in this model.

Terms and Definitions
  1. Identifier
  2. Authenticator (secret)
  3. Credential
  4. Level of Assurance
  5. Keypair / Private Key / PKI
  6. Federation
  7. Social Identity
  8. Kerberos
  9. Active Directory
  10. One Time Password (OTP) 2FA
  11. Many more to be added
Components of Authentication Solutions
  1. Identity Proofing
    The processes, standards, and documentation associated with binding an identifier to an individual.  The identity proofing process includes some mechanism for the issuance of a full credential (identifier and authenticator) with a specified level of confidence about the quality and integrity of the binding of the issued credential to the end user.  The amount of confidence in the binding is called the Level of Assurance of the credential.
    1. Proofing event process
      1. Retention of proofing event documentation (typically bar-code data, proofer, etc.)
      2. Accepted credentials
    2. Credential issuance
    3. In-person vs. remote proofing
    4. Threat models
    5. CIFER integration points
  2. Password-based Authentication
    1. Password issuance and binding to identifier/end-user
    2. Password entropy
    3. Password storage location(s)
    4. Password validation
    5. Password maintenance (password issuance, synchronization, and reset by LoA)
    6. Threat models
    7. CIFER integration points
  3. Certificate-based Authentication
    1. Digital certificate issuance and binding to end-user
    2. Certificate verification
    3. Private key storage
    4. Threat models
    5. CIFER integration points
  4. Multi-factor Authentication
    1. Definition
    2. Relationship to multiple single-factor authentication
    3. Some specific technologies: (each needs issuance, threat model, and CIFER integration point subsections)
      1. Text-message based solutions
      2. One Time Password devices / applications
      3. Digital certificates with private key stored on end user devices
      4. Digital certificates with private key stored in special purpose hardware
  5. Level of Assurance (LoA)
    Levels of Assurance form a set of vertical requirements that span the different CIFER-supported authentication technologies.  Each LoA has a specific set of requirements and integration touch points.  CIFER LoAs are drawn from InCommon and NIST 800-63.  Each LoA has requirements for items such as:
    1. Identity Proofing Requirements (local and remote) including storage/retention of the documentation of the proofing event.
    2. Strength of authentication
    3. Credential maintenance
    4. Potential for LoA degradation on password reset
  6. Centralized Authentication
    1. LDAP
    2. NIS
    3. RADIUS
  7. Single-Sign-On
    1. Web SSO
    2. Kerberos / AD
  8. Federated Authentication
    1. Federation: technology, policy, LoA
    2. InCommon
    3. eduroam
  9. Leveraging Social Identity
    1. LoA
    2. Social-to-SAML
    3. Threat Models
    4. CIFER integration points
  10. Remaining Functionality
    1. Account Linking
    2. OATH
    3. SAML-ECP
    4. Mobile Authentication and InCert
    5. Guest identity
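The password-based authentication and Level of Assurance items above (issuance and binding to an identifier, entropy, storage, validation, and LoA degradation on reset) can be made concrete with a small credential store.  This is an added illustration, not CIFER code: the integer LoA scale, the `LOA_REMOTE_RESET` cap and the entropy threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import os

# Assumed LoA scale for this example (CIFER draws its LoAs from InCommon
# and NIST 800-63; these integer levels are a constructed placeholder).
LOA_REMOTE_RESET = 1      # highest LoA a remote, password-only reset may keep
PBKDF2_ROUNDS = 200_000   # work factor for the stored verifier


def password_entropy_bits(password: str) -> float:
    """Rough entropy estimate: length * log2(size of character classes used)."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(not c.isalnum() for c in password): alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


class CredentialStore:
    """Binds an identifier to a salted verifier; the secret itself is never stored."""
    def __init__(self, min_entropy_bits: float = 40.0):
        self.min_entropy_bits = min_entropy_bits
        self.records = {}  # identifier -> (salt, verifier, loa)

    def issue(self, identifier: str, password: str, loa: int) -> None:
        """Credential issuance: enforce the entropy policy, then store a verifier."""
        if password_entropy_bits(password) < self.min_entropy_bits:
            raise ValueError("password entropy below policy minimum")
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.records[identifier] = (salt, verifier, loa)

    def validate(self, identifier: str, password: str) -> bool:
        """Validation: recompute the verifier and compare in constant time."""
        rec = self.records.get(identifier)
        if rec is None:  # spend the same work for unknown ids so timing stays uniform
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, verifier, _ = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, verifier)

    def reset_remotely(self, identifier: str, new_password: str) -> int:
        """Remote reset without re-proofing degrades the LoA to the cap; returns new LoA."""
        _, _, loa = self.records[identifier]
        self.issue(identifier, new_password, min(loa, LOA_REMOTE_RESET))
        return self.records[identifier][2]

    def loa(self, identifier: str) -> int:
        return self.records[identifier][2]
```

Restoring the original LoA after such a reset would require a new proofing event, which is the touch point between the password and identity-proofing components.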
Implementation and Deployment Scenarios

Logical groupings of functionality that build an appropriate campus authentication infrastructure based on campus business requirements.

TBD (to be drafted)

References