Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2015 Session 8: Quality of Authentication and Identification

Convener: Peter Pichler

Abstract: IDPs of last resort: user-centric identity - unique challenges.
What are IDPs of last resort, and what different models are available? What can ORCID deliver and what not, and is ORCID an IDP?

Bullet points:

  • introduction to the Austrian authentication and security requirements
  • low and higher LoA; the 3 Austrian security classes are already 10 years old, modernization is under way
  • single-factor authentication, and two-factor authentication for the higher level
  • in addition, network-level security or workplace security (some resources can be accessed only from the intranet)
  • eIDAS has 3 LoA levels for citizen authentication (the presenter's use case concerns Austrian civil servants)
  • the 3 eIDAS LoA levels are based on an ISO standard (ISO/IEC 29115)
  • low: passwords
  • substantial: two-factor authentication with a soft token
  • high: two-factor authentication with a hard token
  • https://www.igtf.net/ap/loa/
  • "The IGTF Authentication Profiles de-facto describe a technology-agnostic assurance level that represent the IGTF consensus on achievable trustworthy authentication seen from both the relying party point of view as well as being a feasible level for identity service providers to achieve for a variety of scenarios."
  • most of those present have not implemented LoA
  • IGTF has defined levels of assurance
  • Kantara IAF (Identity Assurance Framework)


Main issues discussed

Introduction to discussion:

Austrian eGov federation: a project covering many services, with authorization and security requirements at high assurance.

Security classes 1 to 3: this system is 10 years old and is being further developed. A class is determined by three dimensions:

  1. the type of network
  2. the quality of authentication - how the user is authenticated (low: just a password; higher: with an additional factor, for example a phone call or an extra code)
  3. the resources, combined with the above


This qualification is called in Austria "security classes".

To be discussed: classes and problems (government to government services)

For governmental use cases and also business cases.

Comment from the audience:

The eIDAS 2015/1502 Implementing regulation - seasonal authentication http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2015.235.01.0007.01.ENG

Implementing acts

  • 1st layer: password
  • 2nd layer: tokens delivered to the user
  • 3rd layer (highest): tokens or other authentication means delivered to the user face to face


Question to the group: Are there examples on any form of a classification? Or plans to do something like this?

Audience: IGTF has defined levels of assurance

(Example: for scientific calculations for research work)

Some federations base this on the protocol's "authentication context".

- Possibilities to describe this in detail exist (e.g. what happens when the user forgets the password), but in a larger federation it is difficult; a higher-level (1, 2, 3) classification is a better solution.

Service providers have different security standards/policies; a classified level of assurance should simplify this.
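The following is an added example, not from the session or from the Austrian framework, showing how a relying party could collapse the many "authentication context" values a federation carries into an ordinal security class and enforce a per-resource minimum together with the network-type dimension. The eIDAS LoA URIs and the SAML 2.0 authentication context class URIs are real identifiers, but the class numbers assigned to them, the `resource` dictionary and the function names are illustrative assumptions; the sample assertions are constructed inline and assertion validation (signature, issuer, audience, validity window) is assumed to have happened beforehand.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping of authentication context URIs to security classes 1..3.
# The URIs are real (SAML 2.0 ac:classes and eIDAS LoA identifiers); the
# class numbers are an illustration, not an official Austrian or eIDAS table.
CLASS_OF_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
    "http://eidas.europa.eu/LoA/low": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
    "http://eidas.europa.eu/LoA/substantial": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 3,
    "http://eidas.europa.eu/LoA/high": 3,
}

# Fail closed: a context the RP has never classified ranks below every class,
# so a new or misspelled URI can never satisfy a resource requirement.
UNKNOWN_CLASS = 0


def security_class(context_uri):
    """Map one authentication context URI to its security class."""
    return CLASS_OF_CONTEXT.get(context_uri, UNKNOWN_CLASS)


def authn_context_of(assertion_xml):
    """Return the AuthnContextClassRef of a SAML assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    if ref is None or not (ref.text or "").strip():
        return None
    return ref.text.strip()


def authorize(assertion_xml, resource, from_intranet):
    """Evaluate authentication quality and network type for one resource.

    resource: {"min_class": int, "intranet_only": bool} (assumed shape).
    Assumes the assertion's signature, issuer, audience and validity window
    were already verified; only the security-class policy is evaluated here.
    Returns (allowed, reason).
    """
    ctx = authn_context_of(assertion_xml)
    if ctx is None:
        return False, "no AuthnContextClassRef in assertion"
    cls = security_class(ctx)
    if cls < resource["min_class"]:
        return False, "class %d below required %d (%s)" % (cls, resource["min_class"], ctx)
    if resource["intranet_only"] and not from_intranet:
        return False, "resource restricted to the intranet"
    return True, "class %d satisfies required %d" % (cls, resource["min_class"])


def make_assertion(context_uri):
    """Constructed minimal assertion for the example (real ones also carry
    Issuer, Subject, Conditions and a Signature)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_a1" Version="2.0" IssueInstant="2015-02-10T09:45:00Z">'
        '<saml:AuthnStatement AuthnInstant="2015-02-10T09:44:50Z">'
        '<saml:AuthnContext><saml:AuthnContextClassRef>' + context_uri +
        '</saml:AuthnContextClassRef></saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion>'
    )


if __name__ == "__main__":
    # Hypothetical resources: a public portal (class 1) and an internal
    # register that needs class 2 and may only be reached from the intranet.
    portal = {"min_class": 1, "intranet_only": False}
    register = {"min_class": 2, "intranet_only": True}
    for uri in ("urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
                "http://eidas.europa.eu/LoA/substantial",
                "urn:example:not-classified"):
        a = make_assertion(uri)
        print(uri, "->", authorize(a, portal, False), authorize(a, register, True))
```

The point of the ordinal class is visible in `authorize`: the service provider states one number per resource and never has to know which IdP used which token technology, while the IdP-side diversity lives in a single table. Two details matter in practice: unmapped contexts must rank below every class rather than defaulting to "password-equivalent", and the network dimension is checked separately because a high authentication class does not make an intranet-only resource reachable from outside.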

Kantara IAF SAC (Identity Assurance Framework, Service Assessment Criteria) is also such a framework, with 4 layers called assurance levels (organization maturity).

(this was discussed in another session - K2 09:45 Wednesday - Tom Barton "Trust and assurance" & Identity Assurance Framework - building critical trust)

Conclusion

Classifying (levels) could/should simplify the handling of different authentication qualities in an identity federation.

(Peter Pichler is working on improving the Austrian framework.)