Archive for the ‘Work’ Category
Searching for the second factor (The Identity OS)
That should be a catchy title for this post!
I have been thinking lately about multi-factor authentication. Two-factor authentication (a requirement for many critical systems) is frequently described as ‘something you know’ plus ‘something you have’. On the Internet most applications apply single-factor authentication in the form of a username and password.
There are some examples of two-factor authentication out there though. Banks have issued their customers with hardware tokens, while mobile network operators use SIMs to authenticate subscribers to the network (in the SIM case the physical SIM is ‘something you have’ while the PIN serves as ‘something you know’).
All those second factors have one thing in common: it’s hardware dedicated to a limited set of applications on a ‘closed’ and proprietary platform. Wouldn’t it be great to have a single reusable platform for second factors?
This is where Microsoft Cardspace and Intel’s Identity Capable Platform come into the picture. I think both can be considered platforms for second factors, and both take different approaches. A second factor has to be ‘something you have’, which can be interpreted as ‘something that can’t be copied or stolen to some other place’. This basically implies that our customizable second factor platform is an environment where credentials (the second factors) can be inserted and removed in a secure way.
- Cardspace qualifies as such an environment as it is able to add ‘Information Cards’ (the second factor) and store and execute them securely. Cardspace also allows local user authentication through username/password (first factor) and in the future biometrics (a third factor!). Microsoft were in an (obviously) unique position to do this the right way because they own the OS. A ‘normal’ application would be vulnerable to a large range of virus and malware threats, whereas an OS-native application has more protections in place. Still, Cardspace is only as secure as the operating system it is built into, and time will tell whether this is good enough to provide a second factor. It will definitely take some time to convince critical applications like online banking that Cardspace is trustworthy for multi-factor authentication.
- Intel’s ICP (and also ARM TrustZone) is a hardware environment with a limited operating system that allows the inserting, executing and removing of credentials. These hardware platforms are able to do the same things as Cardspace but are implemented in silicon (and are therefore potentially more secure than Cardspace). They rely on the security of hardware running limited software functionality, instead of on a general-purpose operating system such as Windows.
In both cases the security of the whole credential life-cycle (protocols!) determines the level of trust people will have in the second factors provided by their platforms. Microsoft allows users to manually import their Information Card into the Cardspace Client, while the ICP is based on Liberty Alliance Advanced Client protocols.
This has led me to believe that there should actually be an Identity OS: a small set of functions that provides just the identity-related services that are needed (more on this in later posts). By keeping the functionality small, the attack surface, and with it the risk of a vulnerability, is reduced. This Identity OS could then be implemented either in silicon, on a USB dongle, on an SD card or in the OS.
The Identity OS could solve interoperability issues with two-factor authentication and provide a uniform and extensible (mooooore factors) platform for identity management. Let me know what you think.
Remote provisioning of a soft credential
It’s about time for me to follow up on my previous post (by the way, thanks Paul and Robin for welcoming me to this corner of the Internet). While many people are currently preparing for their May bank holiday weekend I thought I’d take the opportunity to mention a couple of things regarding ‘Software SIMs’ and the Advanced Client specification of Liberty Alliance.
The whole idea of a software SIM comes from the following two points:
- First of all, SIM cards are an extremely convenient way to do authentication as they require minimal user interaction during the authentication process; entering a PIN suffices in most cases. We only use SIM cards to authenticate ourselves to a network provider though.
- A SIM is basically an authentication application that is implemented in silicon during manufacturing. Because of this, the SIM’s functionality is under the control of the manufacturers and the mobile operators. These parties have traditionally been very protective of their technology.
You’d say it makes a lot of sense to leverage its user friendliness for other purposes (e.g. online payment). In order to do that however we have to find ways of opening up or bypassing the manufacturing process. The big question is: how can we do that?
The answer is actually quite simple: delay the implementation of a SIM application in silicon until it is under the customer’s control.
To make this work we need a silicon-based (or similar) security environment that is customizable at any time. At the RSA conference Liberty Alliance workshop in February Intel, HP and two of my managers at BT demonstrated a proof-of-concept where a software credential was provisioned over the Internet to a user’s device. More importantly, the user device made use of a technology from Intel called Identity Capable Platform (ICP) that enabled the software credential to be protected by a silicon environment.
The provisioned software credential was ultimately used to access BT’s Wi-Fi network. The provisioning protocols are implemented by Intel and HP and are based on Liberty Alliance’s Advanced Client specifications. A technology like Intel’s ICP, coupled with secure provisioning protocols, enables the open SIM solution described above while still meeting the strict security requirements involved.
More information on this and the demo can be found at:
- You can find BT’s (and Intel’s ICP) RSA conference slideset at the bottom of this Liberty Alliance page.
- Conor Cahill (Intel) frequently blogs about this.
- Telco2.0 with an interesting article.
- MWD Advisors with a post on Advanced Client.
- Network World coverage of Liberty Alliance’s Advanced Client and the RSA demo.
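As an added illustration (not code from these posts, nor from Intel, HP, Microsoft or Liberty Alliance), the model below captures the two properties discussed in this post and in the Identity OS post above: a credential provisioned over the network is wrapped to a device-unique key, so a copied blob cannot be installed on another device (‘something you have’), and every use requires a PIN with a retry counter (‘something you know’), with the credential key never leaving the secure element. The enrolment secret shared with the server and the SHAKE-based wrap are simplifying assumptions, not the real ICP or Advanced Client mechanisms.

```python
import hashlib
import hmac
import secrets
MAX_PIN_TRIES = 3

def _wrap_xor(wrap_key, nonce, data):
    # Toy symmetric wrap using a SHAKE keystream; real platforms use AES key-wrap.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(wrap_key + nonce).digest(len(data))))

class SecureElement:
    """Stand-in for the silicon credential environment (ICP / TrustZone-like)."""
    def __init__(self):
        self._wrap_key = secrets.token_bytes(32)  # device-unique, never exported
        self._slots = {}                          # cred_id -> [key, pin, tries_left]

    def enrolment_secret(self):
        # Assumption: shared with the server at enrolment (a real platform would attest a public key).
        return self._wrap_key

    def install(self, cred_id, blob):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._wrap_key, nonce + body, "sha256").digest()):
            raise ValueError("credential is not bound to this device")
        plain = _wrap_xor(self._wrap_key, nonce, body)
        self._slots[cred_id] = [plain[:32], plain[32:].decode(), MAX_PIN_TRIES]

    def remove(self, cred_id):
        self._slots.pop(cred_id, None)

    def respond(self, cred_id, pin, challenge):
        slot = self._slots[cred_id]          # KeyError if the credential is not present
        if slot[2] == 0:
            raise PermissionError("credential locked after too many wrong PINs")
        if not hmac.compare_digest(pin.encode(), slot[1].encode()):
            slot[2] -= 1
            raise PermissionError("wrong PIN")
        slot[2] = MAX_PIN_TRIES
        return hmac.new(slot[0], challenge, "sha256").digest()  # key stays inside

class ProvisioningServer:
    def __init__(self):
        self._keys = {}  # cred_id -> key, kept server-side to verify responses
    def provision(self, cred_id, pin, enrolment_secret):
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self._keys[cred_id] = key
        body = _wrap_xor(enrolment_secret, nonce, key + pin.encode())
        return nonce + body + hmac.new(enrolment_secret, nonce + body, "sha256").digest()

    def verify(self, cred_id, challenge, response):
        return hmac.compare_digest(response, hmac.new(self._keys[cred_id], challenge, "sha256").digest())
```

The challenge/response step mirrors how a SIM answers a network challenge: the verifier holds a copy of the key, the device proves possession without revealing it.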
Identity sauna in Brussels
I am currently blogging from my hotel room at the Crowne Plaza in Brussels where I have been staying for 6 days to attend both a Liberty Alliance plenary session (I also attended the previous one in Redwood City, CA in January) and an Identity Open Space event.
Loads of interesting discussion going on over the past couple of days and I’ve met a whole load of nice people. The good thing (for me!) is that I am finally starting to find my way around the various issues and standards in the identity management area. A lot of the people I’ve been working with in Liberty Alliance, and people attending the Open Space, are renowned bloggers who post regularly about all kinds of technical issues and about their work in IdM. It more or less inspired me to try and do the same thing.
Therefore from this post onward the occasional work-related item will show up in the midst of my travel pictures. Let’s see how that goes.
Oh yeah, regarding the subject of this post: it’s WARM here and air-conditioning is difficult.