Presentation at GIDS 2017. Traditionally identity is thought through as a mere username and password authentication mechanism that results into a user session with just two states (binary) - on and off (active or expired) The idea is to reinforce that in todays connected world, there is a growing need of integration with many Services that differ in risk and sensitivity of data and operations. Hence, just a binary state of authentication is not enough, and that it needs to be seen as a sliding scale (with multiple levels). The talk will reiterate the concept of Authentication Assurance Levels (AAL) and Identity Assurance Levels (IAL) with a fresh lens of: How many are enough? How does one even determine the AAL/IAL level of the user? How do these levels (instead of binary) open possibilities for designing newer interactions for the user? What changes are required in the architecture to handle these levels and where does big data processing and ML fit into the scene? How does multiple levels influence the product behavior to remove friction for the user? I will be presenting some examples both from inside Intuit and the industry to demonstrate each of the above apart from walking the audience through the concept and architecture.

1. More than just being
signed-in or signed-out
Parul Jain, Architect, Intuit
@ParulJainTweety

2. Why do we care?
TRUST &
SECURITY
EASE OF
ACCESS
Can’t eliminate
friction? Delay it
Authentication
Levels to
balance security
and usability
Delightful
product
experience

3. Authentication
Username
Password
Sign In
Signed In
Not Signed In

4. Authentication – Signed In or Not –
Example1
Sell an item
Place Ad
Username
Password
Signed In
Not Signed
In
Sign In
Browse OLX for used products

5. Authentication – Signed In or Not –
Example2
Browse apps on App Store
Install App
New App on Device
Username
Password
Signed In
Not Signed
In
Install App
Sign In

6. Why Authenticate?
Authentication is required to establish trust
Is trust binary - Trust you fully or Not at all
Degrees of trust - Factor of time and
situation
Trust you for this but not for that
Didn’t trust you earlier but trust you now

7. Authentication Levels
Authentication is not binary
Authentication Assurance Levels (AAL)
Adaptive - Change with time and situation

8. Authentication Assurance Levels (AAL)
Less Trust
Submit
Enter OTP
Authentication Level 1
Authentication Level 2 More Trust

9. AAL – Example1
Authentication Level 1
Authentication Level 2
My bank account
Transfer Money
Payment
Authentication Level 0
Usernam
ePasswor
d
Sign In
My bank portal
Sign In

10. AAL – Example2
Authentication Level 1
Authentication Level 2
Transfer Money
New Payment Instrument
Authentication Level 0
Usernam
ePasswor
d
Sign In
Mint application
Sign In
Enter OTP
Submit
Access my personal finances

11. AAL – Example3
Authentication Level 1
Authentication Level 2
Browse products on Amazon
Track Order
Or
Checkout
View/Place Order
Username
Password
Sign In

12. MFA and AAL Relationship
AAL is the outcome.
MFA is the mechanism
MFA provides layered defense
Binary Authentication
Multiple Authentication Assurance Levels

13. LIC: Binary without MFA

14. Google: Binary with MFA

15. Amazon: Multiple Levels with MFA

16. Intuit: Multiple Levels with MFA

17. How to determine the AALs?
REQUIRE
Based on
sensitivity of
the APIs
ADAPT
Based on
trust in the
user with
time
ASSIGN
Based on
factors of
authentication

18. ASSIGN an AAL
ASSIGN REQUIRE
ADAPT
• What I know
• password
• What I have
• OTP
• What I am
• fingerprint
• Other
• Federated
Based on factors of authentication

19. ADAPT to an AAL
ADAPT
Based on trust in user with time
REQUIRE
Change in
• Device
• Geolocation
• IP address
• Velocity of use
• Behavioral Biometrics
• Anomalous behavior
ASSIGN

20. REQUIRE an AAL
REQUIRE
ADAPT
Based on sensitivity of the APIs
• Secret
• OAuth Client Secret
• Highly Sensitive
• Money movement
• Financial data
• Sensitive
• Personal
information
• Other
• Public information
ASSIGN

21. AAL Determination
Good
Step-up
Step-up
Good
Good
Step-up
Good
Good
Good
Trust in user
authentication
Sensitivity
of the APIs
Low High
Low
High

22. Component Interaction
Identity
Service
s
APIs
Client
1. Sign in
2. Session with an
AAL
4. Verify
3. Access
Resource
5. Step-up URL
6. Redirect for Step-
up
7. Step-up
8. Higher AAL
Determine
AAL
Remembe
r the state
Check
expected
AAL

23. Client
Widget
Configuration

24. APIs
Create the verify request
Verify with expected AAL

25. Identity Services
Authn
Service
Risk
Engine
Sign-in
Verify
Device,
IP, geo,
time, …
Get Risk
Score
Feedbac
k
ML Model
Real time Risk
Score

26. UNIVERSAL STRONG
AUTHENTICATION –
FIDO AS A STANDARD

27. Fast Identity Online (FIDO)

28. FIDO Protocols
Public Key cryptography
UAF – Universal Authentication Framework
• Password less UX
• Local device with UAF stack installed
• User presents a local authentication
U2F – Universal Second Factor
• Standalone U2F device - USB/NFC/Bluetooth
• Physical keychain with multiple keys – one for each
origin
• Built-in support in web browsers

29. UAF
Src: https://fidoalliance.org/specifications/overview/

30. UAF - Registration
User Device
FIDO Client
Win, Mac,
iOS,
Android, …
FIDO Authenticators
User
Agent
Browser
, App,
…
Identity Provider
Web
App
FIDO
Server
1. Legacy Auth +
Initiate Registration
2. Registration
request
+ Policy
3. Enroll user
+ New Key Pair
4. Registration
response +
Attestation
+ User’s public key
5.
Validate Response +
Attestation
Store user’s Public Key

31. UAF - Authentication
User Device
FIDO Client
Win, Mac,
iOS,
Android, …
FIDO Authenticators
User
Agent
Browser
, App,
…
Identity Provider
Web
App
FIDO
Server
1. Initiate Authn
2. Authn request
+ Challenge +
Policy
3. Verify User and
unlock private key
4. Authn response
signed by user’s
private key
5.
Validate Response using
user’s Public Key

32. U2F
Src: https://fidoalliance.org/specifications/overview/

33. Summary
As developers we
have thought of
authentication as
a binary switch
We need to start
thinking about
the degree and
levels of trust
Incorporate AAL
into the design
thinking
AAL will help us
in balancing
security vs
usability
Deliver delightful
experience to
customers

34. Thank you