Difference between revisions of "Proof of Presence"
Revision as of 14:49, 3 April 2021
Full Title
Proof of Presence of user and app: This is a proposed work item pending funding.
Context
- Decentralized ID presents a problem with assurance of the trustworthiness of the wallet apps.
Goal: to convert a verifiable credential into a verifiable presentation that includes online proof of presence of the subject of the Verifiable Presentation.
Orie Steele (Transmute) 5:46 AM @Tom Jones I did some work on biometric verifiable presentations a while ago. I used BioID Face Recognition & Liveness Detection Software. BioID provides software-based biometric authentication with presentation attack detection using face recognition and liveness detection. Most likely you would make a presentation that included a short-lived liveness credential and the credential of primary concern to the Verifiable Presentation, for example: {DriversLicense, BiometricLivenessCheck}.
Tom Jones 7:42 AM @Orie Steele (Transmute) thanks - I guess you are saying that some other element in the phone must be trusted to create creds.
Stephen Curran (Cloud Compass) 7:55 AM I think that's a great use case and it would be good to make that possible. But you've nailed it that for such a credential to work, there has to be an element on the phone that is a "trusted" issuer -- something that the verifier can trust. In theory an open source, signed wallet might be able to do that, I suspect it will need to be at the phone OS level.
Solution
There are two ways to get a trusted signer on the phone or other user computing device.
- Register an app that is trusted. If that is the method, the easiest way is to register the actual instance of the wallet itself to the user.
- Depend on the trusted element in the phone to boot up an assurance element. The TPM code in the TEE could do that, but it depends on a trusted server in the cloud. All of these depend on a web of trust that is not based on any human intervention. It is not clear what the rWOT group thinks about that. (NB: this could also be accomplished with a WebAuthn token such as the one from Yubikey.)
Android
Apple
Windows
When the user sets up Windows Hello on his or her machine, it generates a new public–private key pair on the device. The trusted platform module (TPM) generates and protects this private key. If the device does not have a TPM chip, the private key is encrypted and protected by software. In addition, TPM-enabled devices generate a block of data that can be used to attest that the key is bound to the TPM. A relying party can use this attestation information to decide, for example, whether the user is granted a different authorization level than a user whose key is only software-protected.
To enable Windows Hello on a device, the user must have either their Azure Active Directory account or Microsoft Account connected in Windows settings.
- Why a PIN is better than a password Windows 2017-10-23
- Using Windows Hello for authentication Ping ID 2020-12-07
Government
The IATA Traveler Identification process is compliant with ICAO standards. The process that a passenger takes to securely identify themselves in the IATA Travel Pass uses a government-issued ePassport to create a digital travel credential, following the standards developed through ICAO. The process has six steps:
- Download the free IATA Travel Pass to their smartphone and log in.
- Take a selfie with the smartphone.
- Complete a liveness test as instructed by the phone, i.e., move their head or close their eyes in front of the camera as instructed.
- Scan the data on the two lines at the bottom of the passport photo page (the machine-readable zone) with their smartphone, and scan the data chip in the passport as prompted by the phone.
- The IATA Travel Pass then matches the selfie with the passport data (which contains a digital biometric photo of the passport holder) to verify that:
- the passport belongs to the person in front of the phone, and
- the passport is genuine and has not been tampered with.
- The verified digital travel credential is then stored on the passenger's phone and can be used as their 'digital passport / ID'.
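The scan of the two machine-readable lines in step 4 is the part of this process a verifier can reason about offline, because each field of the MRZ carries an ICAO 9303 check digit. As an added example (not from the wiki, IATA or ICAO software), the following Python verifies every check digit on line 2 of a passport MRZ (TD3 layout); the sample line is the ICAO Doc 9303 specimen for a fictional holder, and the tampered variant is constructed.

```python
# Added example (not from the wiki): check-digit verification for line 2 of a
# passport MRZ (ICAO 9303 TD3), the data the IATA Travel Pass scans in step 4.
WEIGHTS = (7, 3, 1)


def char_value(c: str) -> int:
    """ICAO 9303 mapping: digits as is, letters A-Z -> 10-35, filler '<' -> 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum of the field with repeating weights 7,3,1, modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def verify_td3_line2(line: str) -> dict:
    """Parse line 2 of a TD3 MRZ and verify every check digit.  One altered
    character in any checked field flips the returned 'intact' flag to False."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    checks = {
        "document_number": check_digit(line[0:9]) == char_value(line[9]),
        "birth_date": check_digit(line[13:19]) == char_value(line[19]),
        "expiry_date": check_digit(line[21:27]) == char_value(line[27]),
        "optional_data": check_digit(line[28:42]) == char_value(line[42]),
        # The composite digit covers positions 1-10, 14-20 and 22-43, i.e. the
        # fields above together with their own check digits, so a forged
        # individual check digit is caught here as well.
        "composite": check_digit(line[0:10] + line[13:20] + line[21:43])
        == char_value(line[43]),
    }
    return {
        "document_number": line[0:9].rstrip("<"),
        "nationality": line[10:13],
        "birth_date": line[13:19],   # YYMMDD
        "sex": line[20],
        "expiry_date": line[21:27],  # YYMMDD
        "checks": checks,
        "intact": all(checks.values()),
    }


# ICAO Doc 9303 specimen line (fictional holder from "Utopia"), not a real passport.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed tamper: birth year changed from 74 to 75, so check digits no longer match.
TAMPERED_LINE2 = SPECIMEN_LINE2[:14] + "5" + SPECIMEN_LINE2[15:]
```

Passing check digits only show that the printed zone is internally consistent and was read correctly; the "genuine and not tampered with" conclusion in step 5 rests on the signed data read from the chip, which this example does not cover.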
References
- This wiki page is part of the larger problem of Apps on User Devices.
- A related problem is described in the Over 21 with Proof of Presence Use Case.