An Identification Management System is a very important component for both enterprise and consumer services.
MFA especially is a very hot topic. Everyone has heard of MFA. But do you understand MFA clearly? Just using SMS or biometrics is NOT MFA by itself.
Let me explain the technology trends for Identification Management Systems: MFA, risk-based authentication, context-aware access control (CAAC) and SSO.
As you know, "Auth" has two meanings: Authentication and Authorization. They are very similar words, but the difference is simple.
Authentication is identification. It answers "Who are you?". Authorization is access control. It answers "What are you permitted to do?"
For example, OpenID is a technology for identification and OAuth is a technology for access control.
MFA/2FA is a very hot technology. But it does not simply mean using SMS or biometrics. And please be careful about the difference from two-step verification.
According to NIST Special Publication 800-63-3, Digital Identity Guidelines, there are three factors of authentication.
- Something you know
- Something you have
- Something you are
"Something you know" is knowledge known only to the right user. A password or PIN is a typical example.
"Something you have" is a possession held only by the right user. SMS (phone number), mail address, token generator, hardware key/card, IP address and geo-location are typical examples.
"Something you are" is biometrics. Fingerprint, face and iris are typical examples. Smartphones and AI help this area today.
MFA is a combination of two or more factors. This means a 2nd password is NOT 2FA. It is only two-step verification with a single factor, because the password and the 2nd password are both "Something you know".
A single factor is easy to break, and a second instance of the same factor falls to the same attack. So the combination is important.
In particular, an attacker very often already knows the right ID and password. So we need an additional factor for important operations.
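As an added example (not code from the original post), here is a small Python program that applies the three-factor classification above and verifies a time-based one-time password (TOTP, RFC 6238) as the "something you have" factor next to a password. The authenticator-to-factor mapping follows the lists in this post; the shared secret is the RFC 6238 test secret, not a real credential, and `authenticate()` assumes the password has already been checked elsewhere.

```python
import hmac
import hashlib
import struct
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Authenticator name -> factor category, following the lists in the text above.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "second_password": Factor.KNOW,
    "pin": Factor.KNOW,
    "sms_otp": Factor.HAVE,
    "email_otp": Factor.HAVE,
    "totp_app": Factor.HAVE,
    "hardware_key": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face": Factor.ARE,
}


def classify_login(authenticators):
    """Return 'MFA', 'two-step verification (single factor)' or 'single factor'."""
    categories = {AUTHENTICATOR_FACTOR[a] for a in authenticators}
    if len(categories) >= 2:
        return "MFA"
    if len(authenticators) >= 2:
        # Several steps, but all from one category: e.g. password + 2nd password.
        return "two-step verification (single factor)"
    return "single factor"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) using HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift).

    The comparison is constant-time so the verifier does not leak matching prefixes.
    """
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def authenticate(password_ok: bool, totp_secret: bytes, submitted_code: str, now: float):
    """Combine a knowledge factor (password, checked elsewhere) with a possession factor."""
    used = ["password"]
    if not password_ok:
        return False, "single factor", used
    if verify_totp(totp_secret, submitted_code, now):
        used.append("totp_app")
        return True, classify_login(used), used
    return False, "single factor", used


if __name__ == "__main__":
    # RFC 6238 test secret: constructed demo input, not a real credential.
    demo_secret = b"12345678901234567890"
    print(classify_login(["password", "second_password"]))  # two-step verification (single factor)
    print(classify_login(["password", "totp_app"]))         # MFA
    print(totp(demo_secret, 59, digits=8))                  # RFC 6238 vector: 94287082
    print(authenticate(True, demo_secret, totp(demo_secret, 59), now=59))
```

The point to notice is that `classify_login(["password", "second_password"])` never reaches "MFA": two secrets from the same category are still one factor, while the TOTP code, which only a device holding the secret can produce, adds a second category.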
Monitoring and fraud detection are a very important part of Identification Management, because the attacker may already know the right ID and password. So we need to detect fraud.
Internet Protocol Address (IPA) location, geo-location and time are important information for this.
For example, if someone logs in from the USA five minutes after logging in from Japan, it is probably an illegal access. Such an access should be rejected.
Risk-based authentication is an improvement over plain fraud detection. Sometimes we use a new PC, or we move to another location.
If only fraud detection is provided, we cannot log in in such a situation. That is NOT user-friendly.
So risk-based authentication treats such irregular access patterns as risk, and it requires additional authentication like SMS, e-mail and so on. This is a very useful function.
In general, the smartphone industry calls this behavior two-step verification with SMS authentication.
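The fraud-detection check (Japan, then the USA five minutes later) and the risk-based decision on top of it can be written as one small engine. The following Python is an added example, not code from the original post: it computes the travel speed implied by two consecutive logins with the haversine formula, adds risk for an unknown device and a changed country, and maps the score to allow, step-up (ask for SMS/e-mail) or deny. The weights, the 1000 km/h threshold and the login events are constructed assumptions for the demo.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumption for the demo: no legitimate user moves faster than this between two logins.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: float   # unix seconds
    lat: float         # geo-location resolved from the client IP address
    lon: float
    country: str
    device_id: str     # e.g. a device cookie or fingerprint


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to move between the two logins."""
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.timestamp - prev.timestamp) / 3600.0
    if distance == 0.0:
        return 0.0
    if hours <= 0.0:
        return float("inf")  # same instant, different place
    return distance / hours


def assess_login(cur: LoginEvent, prev: Optional[LoginEvent],
                 known_devices: set) -> Tuple[str, int, List[str]]:
    """Score `cur` against the user's previous login and known devices.

    Returns (decision, score, reasons) where decision is 'allow',
    'step_up' (require an extra factor) or 'deny'.
    """
    score, reasons = 0, []
    if cur.device_id not in known_devices:
        score += 40
        reasons.append("unknown device")
    if prev is not None:
        if prev.country != cur.country:
            score += 20
            reasons.append(f"country changed {prev.country}->{cur.country}")
        speed = travel_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += 100
            reasons.append(f"impossible travel ({speed:.0f} km/h)")
    if score >= 100:
        return "deny", score, reasons
    if score >= 30:
        return "step_up", score, reasons
    return "allow", score, reasons


if __name__ == "__main__":
    # Constructed sample events: Tokyo, then New York five minutes later.
    t0 = 1_700_000_000
    tokyo = LoginEvent("alice", t0, 35.6762, 139.6503, "JP", "laptop-1")
    new_york = LoginEvent("alice", t0 + 300, 40.7128, -74.0060, "US", "laptop-1")
    print(assess_login(new_york, tokyo, {"laptop-1"}))  # deny: impossible travel
    new_phone = LoginEvent("alice", t0 + 300, 35.6900, 139.7000, "JP", "phone-9")
    print(assess_login(new_phone, tokyo, {"laptop-1"}))  # step_up: unknown device
```

Plain fraud detection is the "deny" branch alone; the "step_up" branch is what makes it risk-based, so a new PC or a trip to another office asks for one more factor instead of locking the user out.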
Context-aware access control is mainly for enterprise systems. It is an extension of role-based access control (RBAC).
It dynamically determines access capability according to the following factors.
- Target system
- Target operation
For example, we can control the access level by whether the user is in the office or at home. And it is able to require an additional authentication factor like a hardware key when the user is at home.
Azure AD Conditional Access and Google Cloud IAP provide this feature. It is a key component of Zero Trust Security. It is the only way to get security control for SaaS, because in the Cloud Age every access is remote access. VPN is NOT enough now.
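To make the office/home example concrete, here is an added Python policy evaluator (not code from the post, and not how Azure AD Conditional Access or Google Cloud IAP are implemented). Each rule is keyed by target system and target operation, as in the list above, and then checks role, location and which factors the session has already satisfied. The location is assumed to come from the network context (office network vs. anywhere else), and the HR policy is constructed for the demo.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    system: str              # target system
    operation: str           # target operation
    location: str            # "office" or "home"; assumed to be derived from the network context
    factors: FrozenSet[str]  # authenticators already satisfied in this session


@dataclass(frozen=True)
class Rule:
    system: str
    operation: str
    allowed_roles: FrozenSet[str]
    allowed_locations: FrozenSet[str]
    extra_factor_from_home: Optional[str] = None  # e.g. "hardware_key"


def evaluate(request: AccessRequest, rules: Sequence[Rule]) -> Tuple[str, str]:
    """First rule matching (system, operation) decides; no rule means deny (default deny).

    Returns (decision, detail) with decision 'allow', 'deny' or 'step_up'; for
    'step_up' the detail names the factor the user still has to present.
    """
    for rule in rules:
        if (rule.system, rule.operation) != (request.system, request.operation):
            continue
        if not (rule.allowed_roles & request.roles):
            return "deny", "role not permitted for this operation"
        if request.location not in rule.allowed_locations:
            return "deny", f"operation not permitted from {request.location}"
        if (request.location == "home" and rule.extra_factor_from_home
                and rule.extra_factor_from_home not in request.factors):
            return "step_up", rule.extra_factor_from_home
        return "allow", "policy satisfied"
    return "deny", "no matching rule"


# Constructed policy for the demo: HR staff may read records from the office or from
# home, but from home only with a hardware key; exporting records is office-only.
DEMO_RULES = [
    Rule("hr", "read", frozenset({"hr"}), frozenset({"office", "home"}), "hardware_key"),
    Rule("hr", "export", frozenset({"hr"}), frozenset({"office"})),
]


def hr_request(location: str, operation: str, factors: FrozenSet[str],
               roles: FrozenSet[str] = frozenset({"hr"})) -> AccessRequest:
    """Helper for building demo requests against the HR system."""
    return AccessRequest("bob", roles, "hr", operation, location, factors)


if __name__ == "__main__":
    pw = frozenset({"password"})
    print(evaluate(hr_request("office", "read", pw), DEMO_RULES))                      # allow
    print(evaluate(hr_request("home", "read", pw), DEMO_RULES))                        # step_up
    print(evaluate(hr_request("home", "read", pw | {"hardware_key"}), DEMO_RULES))     # allow
    print(evaluate(hr_request("home", "export", pw | {"hardware_key"}), DEMO_RULES))   # deny
```

Plain RBAC would stop after the role check; the extra conditions on location and satisfied factors are what "context-aware" adds, and the default-deny fallthrough is what keeps an unlisted operation from being reachable from anywhere.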
SSO is not a new technology for enterprises. LDAP, Active Directory and each cloud vendor's IAM provide this function. It is the natural way for enterprise systems.
Maybe someone thinks that SSO is for employee usability. But that is NOT correct.
SSO is for security. As you already know, Identification Management is a very complex system. It requires a lot of features like MFA, fraud detection and monitoring, and context-aware access.
If we don't use SSO, each individual system has its own account, and the user needs to manage their own password for each. It looks secure.
But it is difficult to build the best auth features into every individual system, and it is not a realistic scenario for every user to manage many passwords properly. Maybe they use the same password for every system to help their memory. That is not secure.
So we use SSO with trusted ID systems for security. This is the best practice!
This diagram is a summary of the Identification Management System.
Most importantly, an Identification Management System is very complex. We should not build it by ourselves.
If you build a system for consumers, you should use social service IDs like Google, GitHub, Twitter and Facebook with OpenID Connect.
And if you build a system for business, you should use an IDaaS like Azure AD with SAML 2.0 or OpenID Connect.
It is the best practice and the only way to avoid identity issues, I believe.
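Delegating login to a trusted ID system with OpenID Connect still leaves one job on the application side: validating the ID token the provider returns. The following Python is an added example, not code from the post or from any provider's SDK, showing the checks that must not be skipped: signature, issuer, audience, expiry and nonce. It assumes an HS256 token signed with the client secret so it runs offline with the standard library only; most providers sign with RS256, in which case the signature step uses the provider's published public key instead, and the rest is unchanged. The issuer, client ID, nonce and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class IDTokenError(Exception):
    """Raised when an ID token fails any validation step."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: bytes) -> str:
    """Mint an HS256-signed ID token; stands in for the identity provider in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(client_secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_id_token(token: str, client_secret: bytes, expected_issuer: str,
                      client_id: str, expected_nonce: str,
                      now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience, expiry and nonce; return the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm we expect instead of trusting the one the token announces
    # (this also rejects alg "none").
    if header.get("alg") != "HS256":
        raise IDTokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(signature_b64)):
        raise IDTokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise IDTokenError("wrong issuer")
    audience = claims.get("aud")
    audience = audience if isinstance(audience, list) else [audience]
    if client_id not in audience:
        raise IDTokenError("token not issued for this client")  # token for another app
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IDTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (possible replay)")
    return claims


if __name__ == "__main__":
    # Constructed demo values, not real issuer, client or secret.
    secret = b"demo-client-secret"
    claims = {"iss": "https://idp.example", "sub": "user-42", "aud": "my-client",
              "iat": 1000, "exp": 2000, "nonce": "n-1"}
    token = sign_id_token(claims, secret)
    print(validate_id_token(token, secret, "https://idp.example", "my-client", "n-1", now=1500))
    try:
        validate_id_token(token, secret, "https://idp.example", "other-client", "n-1", now=1500)
    except IDTokenError as err:
        print("rejected:", err)
```

The audience check is the one most often forgotten: a token the same provider issued for a different application is correctly signed and not expired, and only the `aud` claim tells your system it was never meant for it.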
Happy Hacking !