Video list

Tuesday 2, October 2018

The Age Verification Pilot is based on the new Age Gate solution, an online age verification service whose purpose is to grant or deny access to age-restricted resources without revealing or disclosing any other personal and/or sensitive data of the user. An age-restricted online resource could be any of the following: an age-restricted website (e.g. porn or violence related), specific age-restricted content (e.g. an NC-17 movie), age-restricted online services (e.g. gambling) or purchases (e.g. alcohol or tobacco). The providers of those resources do not need to know any personal information about their visitors. They only need to be able to guarantee that the visitors are above a certain age, which can be defined as a policy. The age verification pilot includes three flows: end-user registration, website registration and age verification.

End-user Registration: A new user visits your website and is presented with an option to access it using the Age Gate solution, along with a link to download the Age Gate mobile app from the respective store. After downloading and opening the mobile app for the first time, the user chooses an authentic source (government, bank, mobile operator, etc.) and permits Age Gate to obtain her date of birth from the selected source. After that, the user's date of birth is safely stored in Age Gate and associated with the unique ID of her mobile device. At the same time, the user can choose a fast and easy way to authenticate to the device (fingerprint, pattern, face recognition, etc.).

Website Registration: A website owner needs to register with Age Gate by filling in a simple web form before being able to register his websites. Then, the website owner can register one or more websites, and for each website he needs to define the website's title, a short description, the URL and the age policy (e.g. over 18). An Age Gate operator reviews each website registration request, and after approval a notification is sent to the website owner with details on how to embed Age Gate in the website. After that, new visitors are able to use the Age Gate solution in order to access the website.

Age Verification: Each time an Age Gate user wants to visit a supported website from her mobile device, the Age Gate mobile app opens and the user needs to authenticate using the selected method (e.g. fingerprint). If the visit is from a desktop browser, the user also needs to scan a QR code with the mobile device. In both cases, Age Gate verifies that the user is the legitimate owner of the mobile device, evaluates her age against the age policy that you have set (e.g. age over 18) and lets the website know whether she is above or below the required age.
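A minimal model of the three flows just described, written in Python as an added example (it is not UPCOM's or ReCRED's code): the class and method names, the use of a random session id as the QR payload for the desktop flow, and the age arithmetic are assumptions. It shows the property the text relies on: the date of birth stays bound to the device record inside the service, and the website only ever receives an above/below verdict against its own policy.

```python
from dataclasses import dataclass, field
from datetime import date
import secrets

def age_on(dob: date, today: date) -> int:
    """Completed years; a 29 Feb birthday is reached on 1 Mar in non-leap years."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years

@dataclass
class Website:
    title: str
    url: str
    min_age: int              # the age policy, e.g. 18 for "over 18"
    approved: bool = False    # set by an Age Gate operator after review

@dataclass
class AgeGate:
    websites: dict = field(default_factory=dict)   # site_id -> Website
    devices: dict = field(default_factory=dict)    # device_id -> date of birth
    sessions: dict = field(default_factory=dict)   # session_id -> [site_id, verdict]

    def register_device(self, device_id: str, dob: date) -> None:
        # DOB obtained from the chosen authentic source, bound to the device's unique ID
        self.devices[device_id] = dob

    def start_verification(self, site_id: str) -> str:
        """Website side: open a session. The random session id is the payload
        a desktop visitor scans as a QR code with the mobile app (assumed)."""
        if not self.websites[site_id].approved:
            raise PermissionError("website not yet approved by an Age Gate operator")
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = [site_id, None]
        return session_id

    def complete_verification(self, session_id: str, device_id: str,
                              device_unlocked: bool, today: date) -> bool:
        """Mobile side: the app submits the session only after the user has
        authenticated locally (fingerprint, pattern, face)."""
        site_id = self.sessions[session_id][0]
        ok = device_unlocked and device_id in self.devices and \
            age_on(self.devices[device_id], today) >= self.websites[site_id].min_age
        self.sessions[session_id][1] = ok
        return ok

    def result_for_website(self, session_id: str):
        """All the website ever learns: True/False against its policy, never the DOB."""
        return self.sessions[session_id][1]
```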

Attribute-based Age Verification Online Gateway and Physical Identity Acquisition - Main Image
Tuesday 2, October 2018

ReCRED successfully deployed the Wi-Fi and web services access control pilot at the CUT, CNIT, IMDEA and CSGN premises. The CNIT Wi-Fi pilot demonstration shows the basic function of this pilot: the user first registers a new account with the ReCRED services using the Android-based Wi-Fi Pilot application, and then requests access to the campus Wi-Fi. ReCRED leverages the ubiquity of smartphones to design a device-centric authentication and authorization scheme, where a Campus Access mobile application is used to gain access to the campus network resources. The user launches the mobile application to select the desired university resources and, after being informed about the attributes that will be revealed, starts the authentication process. The ReCRED campus-wide Wi-Fi and web services access pilot aims to move the burden of traditional authentication methods from the user to the device itself, taking full advantage of the smartphones' inherent capabilities. The pilot carries two main advantages: (a) Device Centric Authentication (DCA), which enables the user to authenticate using biometrics (e.g., fingerprint) instead of having to remember a username and a complex password; and (b) enabling users to prove part of their identity in order to access the universities' campus Wi-Fi and web services without the need to reveal their complete profile (Privacy-preserving Attribute-based Authentication). Among the core security technologies employed by the Wi-Fi pilot are protocols such as FIDO UAF and a ReCRED-tailored version of OpenID Connect/OAuth2. The Wi-Fi pilot has a modular structure, with separate authentication, authorization and network access components alongside the ReCRED services, so it can easily be adapted to custom security requirements.

Wi-Fi and web services access control pilot - Main Image
Tuesday 2, October 2018

This video demonstrates the failure recovery offered by the Authentication Management module (AuthMM), which offers users various ways to authenticate, such as FIDO UAF, Mobile Connect and behavioral authentication. ReCRED offers the failure recovery mechanisms required to solve the problems that emerge when authentication is moved to the mobile device. The first problem is that the device becomes a single point of failure; the second is that, if the device is stolen, the thief has physical access to the device that stores the cryptographic keys. The second problem is addressed via FIDO on the device, which provides the human-to-device biometric factor. The first problem is harder to address, yet ReCRED resolves it by leveraging the multiple authentication factors it incorporates. The IDC federates multiple independent authentication factors offered by Mobile Connect (MC) and BAA to offer a secure and efficient failure recovery mechanism. These independent factors can easily be used in conjunction with a single secure backup password or with physical identity verification to reliably authenticate the user during recovery.

The user first logs in to the IDC using her secure backup password, which is used only for failure recovery. By doing so, the user is granted only temporary and tentative access (AAL1), which provides limited functionality: in particular, the user cannot view, restore or manage credentials and identity attributes. Subsequently, the IDC requires the user to authenticate at a higher AAL in order to regain full access to her IDC account. In this case the IDC acts as an SP authenticating the user through a Telco IdP via MC. Since the user cannot use FIDO to authenticate, the IDC allows her to authenticate via SMS using the SIM card newly issued by her Mobile Network Operator (MNO). In case of device theft or loss, and to ensure that the authentication attempt is performed by the legitimate user, the IDC needs to confirm with the MC IdP that the given device was reported as lost and a new SIM card was issued. Additionally, if the user is not registered with MC, she can use any other OIDC/FIDO-compliant IdP.

For increased assurance and to further verify the identity of the user, the IDC requires the user to verify her behavior using one of her trusted BAAs before regaining full access to her IDC account. The user can authenticate to her BAA using a backup password that is specific to that BAA and was selected by the user during registration with it. Importantly, the user does not have to memorize this BAA backup password, since she is able to back up all her BAA backup passwords to the IDC. In addition, BAAs can have insecure and easy-to-memorize backup passwords, as their authentication modality is behavioral and the backup password is used only to prevent denial-of-service attacks. After the user has authenticated with the BAA (using the BAA backup password), she is still in tentative access and is not allowed to manage her behavioral profile. While the user has tentative access, the device sends behavioral records to the BAA, and all records collected after the device was reported stolen or lost are not considered for the authentication. The IDC acts as an SP while the BAA acts as an IdP authenticating the user based on her behavior. The IDC keeps the user under tentative access until she successfully proves to the BAA that she behaves as she always does. Once the BAA has collected sufficient records to give a verdict on whether the user behaves as usual (that is, similarly to how the device was behaving before it was reported lost or was behaviorally detected as stolen), the result is returned to the IDC via OIDC. If the verdict is negative, the BAA locks that device out of its IdP. If the verdict is positive, the user is granted full access (AAL3) to the IDC and the BAA issues new FIDO credentials for her account to the new device. Both MC and BAA authentication are needed because BAA does not formally increase the user's NIST authenticator assurance level; it is just an extra assurance.

If the user does not wish to use any backup password, she is able to recover from failure with physical identity verification. In this case the user is requested to scan her eID or ePassport using her mobile device. Taking advantage of the NFC capabilities of the device, we are able to acquire the verified identity of the user. If the acquired identity matches the one that she had proven to the IDC prior to the failure, she is granted full access to the IDC.
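The recovery sequence above as a small state machine, added here as an example rather than ReCRED's own code: the class and method names, the AAL constants, the numeric behavioral "feature" records and the similarity threshold are assumptions. It captures the ordering the text imposes (backup password gives AAL1 only, Mobile Connect counts only with the MNO's loss/new-SIM confirmation, the BAA ignores records after the loss report and answers only once it has enough, a negative verdict locks the device) and the separate eID/ePassport path.

```python
from dataclasses import dataclass, field

AAL1, AAL3 = 1, 3   # NIST authenticator assurance levels named in the text

@dataclass
class RecoverySession:
    user: str
    lost_reported_at: int        # time the old device was reported lost/stolen
    aal: int = 0                 # 0 = not logged in, AAL1 = tentative, AAL3 = full
    mc_done: bool = False
    locked_devices: set = field(default_factory=set)

    def login_backup_password(self, password_ok: bool) -> int:
        # The backup password alone gives only tentative access (AAL1):
        # no viewing, restoring or managing of credentials and attributes.
        self.aal = AAL1 if password_ok else 0
        return self.aal

    def mobile_connect(self, sms_otp_ok: bool, mno_confirms_lost_and_new_sim: bool) -> bool:
        """IDC acts as SP towards the Telco IdP. The SMS factor counts only if
        the MNO confirms the loss report and the newly issued SIM."""
        if self.aal < AAL1:
            raise PermissionError("backup-password login required first")
        self.mc_done = sms_otp_ok and mno_confirms_lost_and_new_sim
        return self.mc_done

    def baa_verdict(self, new_device: str, profile: list, new_records: list,
                    min_records: int = 5, tolerance: float = 0.15):
        """profile: (timestamp, feature) pairs from the old device; only those before
        the loss report define 'usual' behavior (assumed: compare means within tolerance).
        new_records: features sent by the new device while access is tentative.
        Returns None while the BAA has too few records to decide."""
        if not self.mc_done:
            raise PermissionError("Mobile Connect step required first")
        baseline = [f for t, f in profile if t < self.lost_reported_at]
        if not baseline or len(new_records) < min_records:
            return None
        ref = sum(baseline) / len(baseline)
        observed = sum(new_records) / len(new_records)
        if abs(observed - ref) <= tolerance * abs(ref):
            self.aal = AAL3                   # full access; new FIDO credentials follow
            return True
        self.locked_devices.add(new_device)   # negative verdict: device locked out
        return False

    def physical_identity(self, scanned_id: str, proven_id: str) -> bool:
        # No-backup-password path: eID/ePassport read over NFC must match the
        # identity the user proved to the IDC before the failure.
        if scanned_id != proven_id:
            return False
        self.aal = AAL3
        return True
```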

Authentication Management Module - Failure Recovery Mechanisms - Main Image
Tuesday 17, April 2018

The webinar about the third ReCRED pilot - the age verification pilot - took place on Friday 13/4/2018 and was presented by Vangelis Mpagiatis from UPCOM.

ReCRED age verification webinar - Main Image
Thursday 22, March 2018

The webinar about the first ReCRED pilot - the Wi-Fi pilot - took place on Thursday 15/3/2018 and was presented by Antonis Papasavva from CUT.

ReCRED Wi-Fi Pilot Webinar - Main Image
Sunday 18, March 2018

ReCRED had a strong presence in MWC2018. Fruitful discussions took place with FIDO alliance, Service Providers, developers and investors.

ReCRED at MWC 2018 in Barcelona. Interacting with FIDO alliance - Part 3 - Main Image