Strong Authentication

«Clavid gives its SAML, OAUTH and OpenID customers the possibility to move from weak usernames and passwords to strong authentication»

«Security and flexibility without a compromise in usability!»

NIST Levels

Username / Password

OTP Generators (OTPs)

Certificates (Swiss Post Certificate)

Biometrical Methods (finger print)

There is no global authentication standard accepted by every service provider or web site. Many service providers, especially large firms in the financial or insurance industry, have set up their own PKI (Public Key Infrastructure) to give every user a unique means of access to their IT systems.

There are three kinds of credentials for verifying the link between a physical person and a digital identity:

• Knowledge - Something the user knows (password, pass phrase, PIN code)

• Assets - Something the user has (ID card, cell phone, security token)

• Biometric feature - Something the user is (fingerprint, eyes, DNA)

Clavid allows unified digital identity exchange between application service providers and end users without losing data protection. Depending on the required strength of authentication, Clavid supports the following authentication methods (combinations are possible).

NIST Levels

NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce. Its recommendation provides technical guidance to Federal agencies implementing electronic authentication. It covers remote authentication of users over open networks and defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, authentication protocols and related assertions.

The NIST Electronic Authentication Guideline provides more information about this topic.

Authentication Method    NIST Level   Description
Password                 2            User is verified by a password
OTP 1 Factor             2            User is verified by an OTP (One Time Password) such as SMS Mobile, OATH-HOTP, OATH-TOTP or Google Authenticator
OTP 2 Factor             3            User is verified by a password and an OTP (One Time Password) such as SMS Mobile, OATH-HOTP, OATH-TOTP or Google Authenticator
YubiKey 1 Factor         2            User is verified by a YubiKey
YubiKey 2 Factor         3            User is verified by a password AND a YubiKey
TiQR                     3            User is verified by TiQR
SyferLock                3            User is verified by a MySyferLock OTP
AGSES                    3            User is verified by an AGSES card (biometric fingerprint, previously called AXSionics)
X.509 Soft Certificate   3            User is verified by an X.509 soft certificate (including self-signed certificates)
Swisscom MobileID        4            User is verified by Swisscom Mobile ID
X.509 Hard Certificate   4            User is verified by an X.509 certificate stored on a hardware token
SuisseID                 4            User is verified by an X.509 certificate stored on a hardware token

Username / Password

The 'classic' authentication method based on username/password lets a user freely choose a username/password pair. Such a combination is created when signing up for a password-based clavid.com user account. Although this method is very popular with end users because of its ease of use, it is weak in security. However, it can be a good entry point to OpenID on the clavid.com platform, allowing the security to be raised at a later stage by moving to a more secure authentication method such as OTP, SSL client certificates or even biometric authentication.

One Time Password (OTP)

A One Time Password is a password that can only be used once and is usually used in addition to a username/password pair. An OTP is valid for one single authentication transaction only and cannot be used a second time. Every authentication using an OTP is therefore 'unique'.

The general methods for generating and transferring OTPs are:

• E-Mail

• Cross-off list or TAN list (e.g. transaction number list used for online banking)

• One-time password generators (RSA token, YubiKey, RFC 2289, RFC 4426, OATH HOTP, OATH TOTP, mobile phones, etc.)

• Mobile SMS (Short Message Service to mobile phones)

 

SSL Client Certificates

If you own an SSL client certificate, you can add the certificate to your clavid account and use it for user authentication to the clavid server. Look for the SSL certificate logo.

Using a certificate avoids the need to enter sensitive data such as your password. The certificate is like your username and password: protect it!

Description

Digital certificates confirm the relationship between an electronic key pair and a person, company, institution or system, and so associate a physical entity with a digital identity. By establishing that an electronic key is correct, digital certificates allow the confidentiality, authenticity and integrity of data to be protected towards third parties.

• The structure of digital certificates is defined by standards (e.g. the X.509 standard)

• Secure Sockets Layer (SSL) protects service providers as well as end users

• SSL certificates allow encryption of confidential data in online transactions

• Every SSL certificate contains unique, validated information about the owner of the certificate

• Every SSL certificate is issued by a specific issuer that validates the identity of the certificate owner

Certificates usually contain the following information:

1. The name (or unique identification) of the issuer of the certificate

2. Information on rules and policies under which the certificate has been issued

3. Information on validity duration of the certificate

4. The electronic key of the certificate

5. The name (or unique identification) of the owner of the electronic key

6. Additional information of the owner

7. Information on policy and validity

8. A digital signature of the issuer across all information

 

Accredited providers of qualified certificates according to Swiss signature regulation ZertES/ETSI are the Swiss Post, SwissSign, QuoVadis Trustlink AG as well as the Federal Office for Information Technology, Systems and Telecommunication.

More information about SSL client certificates is available here.

Biometrical Method (Fingerprint)

Biometric fingerprint identification is one of the best-known authentication methods in the field of IT security. Because of their uniqueness and their consistency over time, fingerprints have become indispensable for identifying people in the computer industry.

One of the most innovative producers of biometric security tokens is the company AGSES with its AGSES card.
