This first speech of the day is by Gemalto’s Asad Ali, about adaptive authentication, which I would define as authentication that adapts to the current situation. For instance, if something unusual happens, such as a login from very far away from home, it asks you for more evidence, such as authentication with a second factor.
Basically, you step up authentication when something happens, and that something can be related to device forensics (like the example above) or to your activity (reading your bank balance requires a password, but transferring money requires stronger authentication).
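As an added illustration (not Gemalto’s code and not something shown in the talk), here is a small step-up policy in Python that combines the two triggers just described: each action has a baseline assurance level, and context signals (an unknown device, a login far from the user’s usual location) raise that level. The level names, the 500 km threshold, the fail-closed default for unknown actions and the coordinates used as sample input are all assumptions made for this example.

```python
import math
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Assurance levels, ordered from weakest to strongest (hypothetical scale)."""
    NONE = 0
    PASSWORD = 1
    SECOND_FACTOR = 2


# Hypothetical policy table: the baseline level each action needs before any
# context is taken into account. Unknown actions fall back to the strongest
# level (fail closed) rather than to no authentication at all.
ACTION_BASE_LEVEL = {
    "read_balance": Level.PASSWORD,
    "transfer_money": Level.SECOND_FACTOR,
}

FAR_FROM_HOME_KM = 500.0  # assumed threshold for "very far from home"


@dataclass(frozen=True)
class Context:
    """Signals available at request time (assumed inputs, not Gemalto's model)."""
    device_known: bool      # device fingerprint already seen for this user
    lat: float              # current location of the request
    lon: float
    home_lat: float         # location the user usually authenticates from
    home_lon: float
    current_level: Level    # strongest level this session has already proven


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def required_level(action, ctx):
    """Baseline level for the action, raised one step per anomalous signal."""
    base = ACTION_BASE_LEVEL.get(action, Level.SECOND_FACTOR)  # fail closed
    anomalies = 0
    if not ctx.device_known:
        anomalies += 1
    if haversine_km(ctx.lat, ctx.lon, ctx.home_lat, ctx.home_lon) > FAR_FROM_HOME_KM:
        anomalies += 1
    # Never exceed the strongest level the scale defines.
    return Level(min(base + anomalies, max(Level)))


def decide(action, ctx):
    """Return ("allow", level) if the session already meets the requirement,
    otherwise ("step_up", level) telling the caller which level to demand."""
    need = required_level(action, ctx)
    if ctx.current_level >= need:
        return ("allow", need)
    return ("step_up", need)


if __name__ == "__main__":
    # Constructed sample: a user whose home is Paris, currently in New York.
    paris = (48.8566, 2.3522)
    new_york = (40.7128, -74.0060)
    at_home = Context(True, *paris, *paris, Level.PASSWORD)
    abroad = Context(True, *new_york, *paris, Level.PASSWORD)
    print(decide("read_balance", at_home))    # ("allow", Level.PASSWORD)
    print(decide("read_balance", abroad))     # ("step_up", Level.SECOND_FACTOR)
    print(decide("transfer_money", at_home))  # ("step_up", Level.SECOND_FACTOR)
```

The point of the `step_up` return value is that the service provider does not just deny the request: it tells the session which level it now has to reach, and the request is retried once that factor has been presented.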
Asad uses a model in which a service provider delegates authentication to an identity provider, who relies on some information about the user’s identity and attributes. This is easy to do when there is a single service provider talking to a single identity provider, leveraging a single database. Of course, when we get into an n-n-n relationship, things get much more complex, if not intractable. Of course, Gemalto suggests getting into an n-1-n relationship, with a single identity provider as middleman. Naturally, that makes things simpler, because this unique identity provider is the one place where identity data and authentication decisions are consolidated.
Of course, this raises several questions:
- How to get more tokens in there? How to use biometrics? How to use Facebook Connect? The demo only showed tokens coming from one company.
- Should the service provider be left entirely with the responsibility of selecting the authentication level required? How can the identity provider help in taking these decisions?
Of course, with my new Oracle identity, I am tempted to believe that the best actor to provide this identity service is the company that provides the backend, but I don’t expect this view to be adopted by all security vendors.