CIS13: Bringing the User Back into User-Centric Identity
1 like1,068 views
Intel Labs is exploring a new user-centric identity model through its Client-Based Authentication Technology (CBAT), which aims to enhance security and usability by trusting a client-side authentication agent. The technology includes features like strong multi-factor authentication, presence monitoring, and secure attestation, significantly reducing issues like session timeouts for active users. Ongoing research includes device collaboration, provisioning, and improving authentication sensors.
CIS13: Bringing the User Back into User-Centric Identity
- 1. Intel Labs Bringing the User Back into User Centric Identity Conor P Cahill Principal Engineer Intel Labs
- 2. Intel Labs Legal Disclaimer INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm CBAT and other code names featured are used internally within Intel to identify projects and/or products that are in development and not yet publicly announced for release. Customers, licensees and other third parties are not authorized by Intel to use code names in advertising, promotion or marketing of any product or services and any such use of Intel's internal code names is at the sole risk of the user Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright ©2013 Intel Corporation.
- 4. Intel Labs Research Question How does the existing authentication model change if we can trust an authentication agent on the client?
- 5. Intel Labs Vision Hi Jane! Knows that it is talking to Jane and she is still there Auto-login
- 6. Intel Labs Protected Client Based Authentication Technology (CBAT) App/Web Server Service Provider TIM Single Sign On (SSO) Protect Much More Secure, Much More Usable User’s Identity Server (not 3rd Party) Trusted Execution Environment (TEE) Direct User Auth Malware Resistant Maintains Authn while user present Lock computer if user leaves Assertion of User ID from Trusted Client Eliminates Phishing Used Together, SP knows user is involved in transaction
- 7. Intel Labs • Local, strong, multi-factor authentication of the user • Presence Monitoring & Session protection – Extends User Authentication Session – Protect user’s auth session even if they walk away • Secure attestation of user identity – Local and remote service providers • Service Provider knows who/what they are interacting with – CBAT is a trusted endpoint • Gets rid of Conor’s Pet Peeve… – No more “timeouts for my protection” when I’ve been sitting at the computer the entire time. CBAT Richness
- 8. Intel Labs Prototype • Desktop, Laptop & Tablet • Core Engine functionality – Authentication, Presence, SAML SSO Provider, seamless login to demo web sites • Auth Factors: – Facial Recognition, Voice Recognition, Finger Vein, Palm Vein, Password • Presence Factors – Accelerometer, Facial recognition, proximity, Voice recognition
- 9. Intel Labs CBAT and Standards • Base Steady-State SSO fits into existing models – OpenID Connect, SAML, etc. – Client is IdP • Use of Presence not anticipated – Seems to require some level of extension • Attestation of CBAT client – Typically during provisioning – Closely related to TEE technologies – Standardization would be good
- 10. Intel Labs Ongoing Research • Device Constellation – How do devices work together? • Provisioning – CBAT to SP Pairing (initial and multiple device) • Authentication & Presence aggregation – Multiple factor fusion • Trusted Path to Authentication & Presence Sensors – Data injection resistance on sensor input • Authentication & Presence factors – Better sensors/capabilities
- 11. Intel Labs Q&A