Pam Dingle, Ping Identity
Walk-through of simple changes in approach—away from the traditional stateless authentication model—that can have radical effect on what a user might be asked to do, and how they are asked to do it, with demonstration of recommended methods.
22. Our Lexicon must grow to Encompass Hints
• What is a hint?
– Statement based on probability but lacking authority
– Multiple evolutions evolving into the concept of a Hint
• Passive Factors / Real-time analytics
• Cached previous data
• Account Chooser
24. Security Posture should never be OSFA (one size fits all) again
• It isn’t 1995 anymore
• The device to user ratio has inverted
• In the 1st world at least, 5-year-olds have iPads
• You can’t abandon the 1995 flow, but you can choose who to offer it to
29. Session bound with Context allows us to help “friendlies”
But what tooling allows contextual collaboration across domains?
30. Two Flow Elements
• Continuation Flow
– Is there some context that can forecast an identifier and/or IdP?
• Bootstrap Flow
– No continuation exists
– Is there a way to introduce the user & IdP to the flow?
31. Hint Spectrum
• Login Hint
• Refresh Token
• Previously Issued ID Token
• Shared Signal
• Expired Token & context assertion embedded in signed AuthnRequest
32. Login Hint
• Exactly the information the user would have to type themselves anyway
– User Identifier
– IdP
• Equivalent to “Remember me” (but crossing domains)
33. How can an RP derive a Login Hint?
• Continuation Flow
– Check the expired session cookie
– Dig up the previous id_token
• Bootstrapping Flow
– Ask for it (NASCAR, OpenID) (i.e. stranger flow)
– Query a common authority
• CDC, Account Chooser
Photo: Dave Carter, https://www.flickr.com/photos/david_s_carter/3041065755
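Slides 32 and 33 describe a Login Hint as the identifier and IdP the user would otherwise type, and two ways an RP can derive it: a continuation flow (expired session cookie, previous id_token) or a bootstrap flow when no continuation exists. The following is an added example, not code from the deck or from Ping Identity, showing one way an RP could implement that decision and carry the result into an OpenID Connect authorization request. The issuer table, cookie layout, sample token and endpoint URLs are all constructed assumptions; the point a practitioner should take from it is that the hint is read from data the RP does not re-verify (a hint "lacks authority"), so it only shapes the next request and is checked against a fixed list of known issuers before being used to pick an IdP.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed assumption: the IdPs this RP is configured to trust, keyed by
# issuer. A hint naming any other issuer is ignored so that stale or tampered
# client-side data cannot steer the user toward an unknown authorization endpoint.
KNOWN_IDPS = {
    "https://idp.example.com": "https://idp.example.com/authorize",
    "https://login.example.org": "https://login.example.org/oauth2/authorize",
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Read a JWT payload without verifying it.

    A hint is a statement based on probability but lacking authority, so an
    expired token is acceptable input: nothing derived here grants access,
    it only pre-fills the identifier and IdP for the next authentication.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def derive_login_hint(previous_id_token=None, session_cookie=None):
    """Continuation flow: return (login_hint, issuer), or None.

    Preference order: previous id_token (carries identifier and issuer),
    then the expired session cookie (constructed layout with 'iss' and
    'login_hint' keys). None means no continuation exists and the RP must
    bootstrap (ask the user, or query an account chooser).
    """
    if previous_id_token:
        try:
            claims = id_token_claims(previous_id_token)
        except (ValueError, json.JSONDecodeError):
            claims = {}
        iss = claims.get("iss")
        ident = claims.get("email") or claims.get("sub")
        if iss in KNOWN_IDPS and ident:
            return ident, iss
    if session_cookie:
        iss = session_cookie.get("iss")
        ident = session_cookie.get("login_hint")
        if iss in KNOWN_IDPS and ident:
            return ident, iss
    return None


def build_authn_request(hint, client_id, redirect_uri, state, nonce):
    """Build the OIDC authorization request URL carrying login_hint, or
    return None so the caller falls back to the bootstrap flow."""
    if hint is None:
        return None
    login_hint, iss = hint
    params = {
        "response_type": "code",
        "scope": "openid email",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "login_hint": login_hint,
    }
    return KNOWN_IDPS[iss] + "?" + urlencode(params)


# Constructed sample: an id_token that expired an hour ago. The signature
# segment is a placeholder because only the payload is read for hint purposes.
SAMPLE_EXPIRED_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://idp.example.com",
        "sub": "24400320",
        "email": "alice@example.com",
        "aud": "rp-client",
        "exp": int(time.time()) - 3600,
    }).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    hint = derive_login_hint(previous_id_token=SAMPLE_EXPIRED_ID_TOKEN)
    print("hint:", hint)
    print(build_authn_request(hint, "rp-client", "https://rp.example.net/cb", "s1", "n1"))
    print("no continuation:", derive_login_hint())
```

The issuer allow-list is the one check that matters: the identifier in the hint is just a convenience, but the issuer decides where the browser is sent next, so it is matched against configuration rather than taken from the cookie or token as-is.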