The Hydra of Modern Identity

Transcript

1. The Hydra of Modern Identity Who am I?

2. What is an Identity? Modern? Create accounts, authenticate users. Strong

   auth, MFA, 2FA, etc… Identity Challenges Life of an Identity The concept of identifier, identity and account are closely related but subtly different.

3. Who am I? Randson! I’m a software engineer, blogger and

   editor. Interested in cartoon drawing. - Back-end with Elixir; - Always learning. Trying to make the world a better place to live, through technology.

4. Identity Challenges The application is ready. Now we need to

   create accounts, authenticate users, provide multi-factor authentication, and make all this work smoothly across multiple devices.

5. We usually think only about our flows ❖ A blogging

   platform may have administrators, editors, authors and contributors.

6. We usually think only about our flows ❖ A company

   may have many services which users can login with the same account.

7. It’s very simple (in theory) ❖ It requires carefully planning,

   designing and development to work well.

8. It’s very simple (in theory) ❖ All of them while

   balancing the business requirements.

9. It’s very simple (in theory) ❖ Not to mention the

   user experience.

10. The social login ❖ A person can login to your

    website using Facebook, Google or any other third-party service and be recognised as the same person.

11. The social login ❖ On the other hand, employees want

    to use a single account to login on all the company services.

12. Strong Authentication ❖ An application with sensitive content might require

    more forms of strong authentication than a simple password.

13. Strong Authentication ❖ Strong forms of authentication can vary from

    one-time password through mobile push, sms or hardware security tokens with private cryptography keys.

14. Single Sign On ❖ If you have multiple applications it’s

    good to offer one place to login and be authenticated in every service.

15. Single Sign On ❖ Be aware that SSOs need to

    be highly available.

16. Single Sign On ❖ If doesn’t have high availability, it

    will suddenly become an obstacle rather than a gateway.

17. May need to accommodate various constraints ❖ On the web,

    a user may expect a browser redirect to a sign in page to authenticate.

18. May need to accommodate various constraints ❖ Desktop may prefer

    login flows embedded within the application or leverage a session provided by the OS.

19. May need to accommodate various constraints ❖ Different mobile devices

    can use different approaches.

20. We need to answer all these questions while taking into

    account the sensitivity of our apps and satisfy all the business requirements.

21. Sometimes we need to deal with everything at once.

22. And this is the Hydra! ❖ A mythical beast from

    Greek mythology with nine heads; ❖ If you cut a head, two more grew. Solving one identity challenge can lead to more if you don’t have a good plan.

23. Properly designed, it simplifies your overall architecture ❖ Allows your

    application to delegate responsibility to other components; ❖ Provides a single view of the user.

24. ❖ Unify access control to simplify access issues; ❖ Provide

    auditing capabilities, and more… Properly designed, it simplifies your overall architecture

25. To bear in mind… • Who are my users? •

    How will users login? • How sensitive is the data we handle?

26. To bear in mind… • Is there more than one

    application?(SSO) • How long should a session last? • What should happen when a user logs out?

27. Modern users expect a frictionless experience. Identity management should help

    them access what they want quickly. Not be in their way.

28. Life of an Identity The concept of Identifier, Identity and

    Account are closely related, but subtly different.

29. Identifier, Identity, Account! Identifier Attribute basically used to identify Identity

    Collection of identifiers that defines an identity Account Is associated with an identity based on the context

30. The “identifier” term ❖ Is used to refer to a

    single attribute whose purpose is to uniquely identify a person. They are essential to Identity Management.

31. The “identifier” term ❖ Human entities can use email, passports,

    ID cards and more. They are essential to Identity Management.

32. The “identifier” term ❖ Non human entities such as agent

    bot, devices, etc… May be identified with a alphanumeric character. They are essential to Identity Management.

33. The “identity” term ❖ Defined as a collection of attributes

    associated with a specific person or entity. It can be used to start an authentication or authorization process.

34. The “identity” term ❖ It may contains one or more

    identifiers associated. It can be used to start an authentication or authorization process.

35. The “identity” term ❖ Human entities includes email, first &

    last name, age, address and more. It can be used to start an authentication or authorization process.

36. The “identity” term ❖ Non human entities may include owner,

    IP address, model, version and many more. It can be used to start an authentication or authorization process.

37. The “account” term ❖ Is used when referring an account

    as a construct within an app or service that has an identity associated with it. Could have many attributes associated with it, which enable them to perform actions.

38. The “account” term ❖ Non human accounts can also have

    an identity associated with it.

39. An Identity Management Service(IDM) is a set of services that

    support creating, modification, and removal of identities associated with accounts. It’s also used to authorise resources. As you might guess…

40. Life of an Identity! Provisioning Authorization Single Sign On Stronger

    Authentication Authentication Log out Access Policy Enforcement Account Management Sessions Deprovisioning

41. Provision ❖ The act of creating an account is often

    seen as provision. Alice wants to open a bank account by filling a registration form.

42. Authorisation ❖ When an account is created, is often necessary

    to specify what the account can do, in terms of privilege. After Alice created her account, she now can see her checking account, do transfers and many more.

43. Authentication ❖ To access content that is not public available,

    an user provides identifiers to signify they wish to use and enter login credentials for the account. To view her balance, Alice first need to sign in on the app.

44. Access Policy Enforcement ❖ Even user logged in, every time

    we have a new request we need to check the privileges of the account. Alice accesses the trade section and it’s denied because she is not authorised.

45. Sessions ❖ Once a user is authenticated, they can perform

    many actions for an amount of time (timeout). ❖ We can put as many attributes in the session as we want. Alice can only access the app for 5 minutes. Then it asks her to log in again.

46. Single Sign On ❖ The account can be reused across

    many services within the context. Alice logs in with her account for a newsletter that the bank provides.

47. Strong Authentication ❖ Two-Factor Auth (2Fa) and Multi-Factor Auth (MFA)

    both involve authenticating a user with stronger forms of authentication.

48. Strong Authentication Sometimes it can include at least two of

    the following aspects: ❖ Something the user knows - such as a password; ❖ Something the user owns - such as keyfob; ❖ Something the user is - such as a biometric input.

49. Strong Authentication Alice might initially log in with a username

    and password to see her account balance.

50. Log out ❖ After the user has finished using the

    application they can log out, which terminates their session. Alice has finished using the web app. When she logs out, it logs out just on the web app.

51. Account Management ❖ At any point in time, the user

    should be able to change their information. Alice wants to update her password to a more secure one.

52. Deprovisioning ❖ There may come a time when it’s necessary

    to close an account. An user doesn’t want to have access, an employee was deactivated, etc… If Alice at any point in time wants to close her relationship with the bank, she would request her account to be closed.

53. Next steps? Talks about types of identity servers, SSO, user

    repositories, etc… Evolution of Identity Identity Provisioning It’s just a registration form? Nah, it is literally another beast to deal with 🐉

54. Thanks! You can find me on these places: ❖ https://rands0n.com

    ❖ [email protected] ❖ twitter.com/rands0n Check out my videos ♥ Trying to make the world a better place to live, through technology.