Difference between revisions of "Progressive Authentication"

From MgmtWiki
Revision as of 14:15, 15 June 2018

Full Definition or Meme

When the exact nature of the user's request is unknown, it is best to attempt Authentication in the least obtrusive manner, which is typically not at the highest level the user might need later in the interchange.

Context

The general use case[1] is where trust elevation must occur during the

An anti-use case was discovered when the NSA funded the Blacker

When mobile devices became common it was soon realized that the Blacker solution was not feasible, and progressive authentication was proposed[2] for mobile devices and later specifically for Android devices.[3]

An alternative definition of progressive authentication is a suite of authentication tests, any selection of which can be run at a single time to produce a Trust Vector that the authorization service can then test.
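The following Python model is an added illustration of the two definitions above and is not part of the wiki page: a session's Trust Vector is the set of authentication tests it has passed, a per-action policy names the minimum set required, and the authorization service asks only for the tests still missing rather than demanding the highest level up front. The factor names, the actions and the policy table are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Authentication tests that can be run independently; each one passed adds an
# entry to the session's Trust Vector. Names are constructed for this example.
FACTORS = ("password", "device_bound", "otp", "biometric")

# Hypothetical per-action policy: the minimum set of passed tests the
# authorization service requires before it releases the action.
POLICY: Dict[str, FrozenSet[str]] = {
    "read_mail":    frozenset({"password"}),
    "view_balance": frozenset({"password", "device_bound"}),
    "send_payment": frozenset({"password", "device_bound", "otp"}),
}


@dataclass
class Session:
    passed: set = field(default_factory=set)  # the Trust Vector built so far

    def record(self, factor: str) -> None:
        """Record a successfully completed authentication test."""
        if factor not in FACTORS:
            raise ValueError(f"unknown authentication test: {factor}")
        self.passed.add(factor)


def authorize(session: Session, action: str) -> Tuple[str, set]:
    """Test the Trust Vector against the policy for one action.

    Returns ("allow", set()) when the vector already satisfies the policy,
    ("step_up", missing) naming only the tests still needed, or ("deny", set())
    for an action with no policy (fail closed)."""
    required = POLICY.get(action)
    if required is None:
        return ("deny", set())
    missing = set(required) - session.passed
    return ("allow", set()) if not missing else ("step_up", missing)


def interaction() -> list:
    """Walk one session through escalating requests; returns the decision log
    as (action, decision, tests demanded, decision after step-up)."""
    s, log = Session(), []
    s.record("password")                     # least obtrusive test first
    for action in ("read_mail", "view_balance", "send_payment"):
        decision, missing = authorize(s, action)
        for f in missing:                    # user completes only the named tests
            s.record(f)
        log.append((action, decision, tuple(sorted(missing)), authorize(s, action)[0]))
    return log
```

Note that the "biometric" test is never demanded in this run: the policy never requires it, so the user is never asked for it.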

Problems

NIST is now on the third update to their Digital Identity Guidelines,[4] where they still insist, against all evidence to the contrary, that "digital identity is the unique representation of a subject engaged in an online transaction." It is a fact, acknowledged in that publication, that users will have different personas for email versus banking. The imposition of privacy obligations makes it clear that users must not be expected to offer detailed attributes of their life which are not needed for the transaction at hand, so there can be no expectation that any online representation of a user is anything other than what they are willing to release. While any Relying Party may insist on a high level of assurance as to the validity of the attributes provided by the user, in most cases those parties are willing to accept whatever assurances the user may offer, or the user will just go elsewhere.

Solutions

References

  1. Tom Jones, "Trust Elevation Use Case", https://wiki.idesg.org/wiki/index.php?title=Trust_Elevation_Use_Case
  2. Oriana Riva et al., "Progressive authentication: deciding when to authenticate on mobile phones", in Proceedings of the 21st USENIX Security Symposium (Security'12), Bellevue, WA, August 8-10, 2012, pages 15-15, http://feihu.eng.ua.edu/NSF_CPS/year1/SP_paper1.pdf
  3. Jeffrey Warren et al., "Progressive Authentication on Android", https://css.csail.mit.edu/6.858/2013/projects/jtwarren-vkgdaddy-vedha-vvelaga.pdf
  4. NIST, "Digital Identity Guidelines", https://doi.org/10.6028/NIST.SP.800-63-3