Conor Cahill, Principal Engineer, Intel
New platform security and sensing capabilities are enabling a paradigm shift in how users are authenticated and how their identities are asserted to local and remote services, while improving both usability and security. In this session, we will show how these advanced technologies can be used to create seamless—and secure—user experiences as they access all of their local applications and remote services.
6. Intel Labs
Diagram: Client Based Authentication Technology (CBAT). Boxes and arrow labels: Protected, App/Web Server, Service Provider, TIM, Single Sign On (SSO), Protect. Callouts:
• Much More Secure, Much More Usable
• User’s Identity Server (not 3rd Party)
• Trusted Execution Environment (TEE)
• Direct User Auth
• Malware Resistant
• Maintains Authn while user present
• Lock computer if user leaves
• Assertion of User ID from Trusted Client
• Eliminates Phishing
• Used Together, SP knows user is involved in transaction
7. Intel Labs
CBAT Richness
• Local, strong, multi-factor authentication of the user
• Presence Monitoring & Session protection
– Extends User Authentication Session
– Protect user’s auth session even if they walk away
• Secure attestation of user identity
– Local and remote service providers
• Service Provider knows who/what they are interacting with
– CBAT is a trusted endpoint
• Gets rid of Conor’s Pet Peeve…
– No more “timeouts for my protection” when I’ve been sitting at the computer the entire time.
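Added illustration (not Intel's code and not part of this deck): a Python sketch of the presence-extended session the slide describes. The local client authenticates the user once, keeps the session alive only while presence signals keep arriving, locks itself when presence lapses, and issues a signed identity assertion that carries the presence freshness so the service provider can tell the user is actually present for the transaction. `CbatClient`, `PresenceSession`, `PRESENCE_TIMEOUT_S` and the 30-second grace period are assumptions; an HMAC over a shared key stands in for the attested signing key a TEE would hold, so the whole thing runs offline.

```python
"""Presence-extended authentication session: a constructed model of the CBAT idea."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

PRESENCE_TIMEOUT_S = 30  # assumed grace period after the last presence signal


@dataclass
class PresenceSession:
    user: str
    authenticated_at: float
    last_presence: float
    locked: bool = False


class CbatClient:
    """Hypothetical local client acting as the user's own identity server (IdP)."""

    def __init__(self, signing_key: bytes, timeout_s: int = PRESENCE_TIMEOUT_S):
        self._key = signing_key  # on real hardware this would live inside the TEE
        self.timeout_s = timeout_s
        self.session: Optional[PresenceSession] = None

    def authenticate(self, user: str, now: float, factors_ok: bool) -> bool:
        # Local multi-factor authentication; `factors_ok` stands in for sensor results.
        if not factors_ok:
            self.session = None
            return False
        self.session = PresenceSession(user, now, now)
        return True

    def presence_signal(self, now: float) -> None:
        # Presence only extends a live session; a locked session needs fresh auth.
        if self.session and not self.session.locked:
            self.session.last_presence = now

    def check(self, now: float) -> bool:
        # Periodic check: lock once the user has been absent beyond the grace period.
        s = self.session
        if s and not s.locked and now - s.last_presence > self.timeout_s:
            s.locked = True
        return s is not None and not s.locked

    def assert_identity(self, sp_audience: str, now: float) -> Optional[str]:
        # Assertion of user ID from the trusted client; nothing is issued when locked.
        if not self.check(now):
            return None
        payload = {
            "sub": self.session.user,
            "aud": sp_audience,
            "iat": int(now),
            "presence_age_s": int(now - self.session.last_presence),
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


def verify_assertion(token: str, key: bytes, expected_audience: str,
                     max_presence_age_s: int = PRESENCE_TIMEOUT_S) -> Optional[str]:
    """Service-provider side: check signature, audience and presence freshness."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("aud") != expected_audience:
        return None
    if payload.get("presence_age_s", max_presence_age_s + 1) > max_presence_age_s:
        return None
    return payload["sub"]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    client = CbatClient(key)
    client.authenticate("alice", now=0.0, factors_ok=True)
    for t in (10.0, 20.0):          # user keeps sitting at the computer
        client.presence_signal(t)
    tok = client.assert_identity("sp.example", now=25.0)
    print("SP sees:", verify_assertion(tok, key, "sp.example"))   # alice
    print("still live at t=60?", client.check(60.0))                # False: locked
    print("assertion at t=60:", client.assert_identity("sp.example", 60.0))  # None
```

The design point is that the timeout is driven by observed absence rather than by elapsed time, which is exactly the "timeouts for my protection" complaint on the slide, while a lapsed session still locks and refuses to assert the identity until the user authenticates again.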
9. Intel Labs
CBAT and Standards
• Base Steady-State SSO fits into existing models
– OpenID Connect, SAML, etc.
– Client is IdP
• Use of Presence not anticipated
– Seems to require some level of extension
• Attestation of CBAT client
– Typically during provisioning
– Closely related to TEE technologies
– Standardization would be good
10. Intel Labs
Ongoing Research
• Device Constellation
– How do devices work together?
• Provisioning
– CBAT to SP Pairing (initial and multiple device)
• Authentication & Presence aggregation
– Multiple factor fusion
• Trusted Path to Authentication & Presence Sensors
– Data injection resistance on sensor input
• Authentication & Presence factors
– Better sensors/capabilities