Video list

This video demonstrates the failure recovery offered by the Authentication Management module (AuthMM), which offers to the users various ways to authenticate such as FIDO UAF, Mobile Connect, and behavioral authentication. ReCRED offers the appropriate failure recovery mechanisms that are required to solve the problems that emerge when moving the authentication to the mobile device. The first problem is the single point of failure problem and the second is that in the case the device is stolen the thief has physical access to the device that stores the cryptographic keys. The second problem is addressed via FIDO on devices, which is the human-to-device biometric factor. The first problem is harder to address, yet ReCRED resolves it by leveraging the multiple authentication factors it incorporates. The IDC federates multiple independent authentication factors offered by Mobile Connect (MC) and BAA to offer a secure and efficient failure recovery mechanism. These independent factors can easily be used in conjunction with a single secure backup password or physical identity verification to reliably authenticate the user during recovery. The user has to first login to the IDC using her secure backup password, which is used only in case of failure recovery. By doing so, the user is granted only temporary and tentative access (AAL1), which provides limited functionality. In particular, the user cannot view, restore or manage credentials and identity attributes. Subsequently, the IDC requires from the user to authenticate with a higher AAL in order to regain full access to her IDC account. In this case the IDC acts as an SP authenticating the user through a Telco IdP via MC. Since the user cannot use FIDO to authenticate, the IDC allows the user to authenticate via SMS using her newly issued by the Mobile Network Operator (MNO) SIM card. In case of device theft or loss and to ensure that the authentication attempt is performed by the legitimate user, the IDC needs to confirm with the MC IdP that the given device was reported as lost and a new SIM card was issued. Additionally, in case the user is not registered with MC then she can use any other OIDC/FIDO-compliant IdP. For increased assurance and to further verify the identity of the user, the IDC requires from the user to verify her behavior by using one of her trusted BAAs before regaining full access to her IDC account. The user can choose to authenticate to her BAA using a backup password that is specific to the BAA selected by the user during registration with the BAA. Importantly, the user does not have to memorize this BAA backup password since she is able to backup all her BAA backup passwords to the IDC. In addition, BAAs can have insecure and easy to memorize backup passwords as their authentication modality is behavioral and the backup password is used only to prevent denial of service attacks. After the user has authenticated with the BAA (using the BAA backup password), she is still in tentative access and she is not allowed to manage her behavioral profile. With the user having tentative access, the device sends behavioral records to the BAA, while all the records after the device has been reported as stolen or lost are not considered for the authentication. The IDC acts as an SP while the BAA acts as an IdP authenticating the user based on her behavior. The IDC keeps the user under tentative access until she successfully proves to the BAA that he/she behaves as she always does. Once the BAA has collected sufficient records to give a verdict on whether the user behaves as usual (that is, similar to how the device was behaving before it was reported lost or was behaviorally detected as stolen) the result is returned to the IDC via OIDC. If the verdict is negative the BAA locks that device out of its IdP. If the verdict is positive, then the user is granted with full access (AAL3 ) to the IDC and the BAA issues new FIDO credentials for his/ her account to the new device. Both MC and BAA authentication is needed because BAA does not increase formally the user’s NIST authenticator assurance level but it is just an extra assurance. If the user does not desire to use any backup password, then she is able to recover from failure with physical identity verification. In this case the user is requested to scan her eID or ePassport using her mobile device. Taking advantage of the NFC capabilities of the device we are able to acquire the verified identity of the user. If the acquired identity matches the one that she had proven to the IDC prior to the failure then she is granted with full access to the IDC.

The webinar about the first ReCRED pilot - the WiFi pilot - took place on Thursday 15/3/2018 and it was presented by Antonis Papasavva from CUT.