Securing SaaS Apps with Multi-Factor Auth with MePIN and WSO2 Identity Server

info@meontrust.com

- a strong authentication company

n  MePIN / Meontrust Inc; founded 4/2010 n  Venture funded from Finland, US & HK n  R&D locations; Helsinki & Oulu, Finland n  MasterCard Start Path company n  Customers and partners globally

Passwords are not enough anymore

World is going mobile but require omnichannel experience

Legacy is slow, clumsy & expensive

Why mobile Multi-Factor Authentication?

authentication and authorization

Fast.Mobile.

Secure.

Strong security with user convenience

Strong authentication on any channel

Auth API Identity and Access

Management

Authenticate and authorize with a digital signature

MePIN server

PKI

Access anywhere

Flexible solution, for multiple use cases ...

n  Multi-factor authentication and/or secure passwordless login n  Dynamic, Service Provider set auth policy - tap, PIN, fingerprint or

face n  Patented linking to a service or passwordless login with an Access

Code

n  Secure online transaction authorization n  Subscriptions, orders, invoices, expenses, anything … n  Provides digital signatures and non-repudiation of transactions

Multi-factor authentication with

n  Works on any channel and device n  Login on PC, tablet, mobile, TV, etc, etc

n  3 optional modes / authentication methods:

n  2FA mode; username + password + authorization n  Reactive mode; username + PIN/FP authorization n  Active mode; username + active authorization

authentication: 2FA mode

n  Login with username + password n  Usernames and passwords managed

by Identity Server n  Authorize with a MePIN enabled

app n  Authorization can be a simple tap,

PIN, fingerprint or face recognition

+

authentication: Reactive mode

n  Login with username only n  Authorize a login request with a

PIN, fingerprint or face recognition on a MePIN enabled app

+ or

authentication: Active mode

n  Login with username only n  The service shows an Access Code,

valid for 60 seconds n  Authorize the login by scanning

the code with the MePIN enabled app or entering it manually

+ or

Digitally signing transactions

n  Request users to authorize transactions n  Authorization policy can be set per

transaction (a tap, PIN, fingerprint or face recognition)

n  Every authorized transaction is digitally signed by the user's private key

n  Remote revoke, lock or unlock the app n  Self service or from management

n  Re-enrollment after lost or changed device n  Self service or from management

n  Optional multi-device support n  User can confirm with any one of her devices

n  Trusted messaging inbox for user messaging n  Authenticated interactions (in-app browser)

Device lifecycle and other major features

Extendable biometrics support

n  Pick and choose your biometrics n  Fingerprints n  Face recognition n  Eye verification n  Anything the future holds …

n  Biometric info stored only locally in users´ devices

Flexible deployment and integration options

MePIN library

Customer's mobile app

Customer branded ID app

MePIN SDK

or

Client

Server

On-premise Mixed (hosted PKI)

Fully hosted

or or

or

Complete future proof authentication platform

Mobile PKI +

biometrics

FIDO U2F/UAF

Mobile & HW TOTP

SMS OTP

Paper OTP

High security + high usability

Legacy users + fallback options

Security audited solution and source code

… because passwords are evil.

WSO2 Identity Server

PrabathSiriwardena,DirectorofSecurityArchitecture

WSO2 Platform

o  5th Generation Product o  Current version 5.2.0 (Sept 2016)

o  Why did we build it? o  Federated identity and entitlement is a key part of any distributed architecture

o  Internal security threats, Partnerships o  Mergers, De-mergers o  APIs, Cloud systems

o  SSO is important but need to federate and bridge across SSOs o  Open Standards for Identity are changing the industry landscape

o  Based on WSO2 Carbon platform, which provides support for multi-tenancy, logging, clustering, and other common services

SupportforHeterogeneousUserStores.

Iden2tyFedera2onBetweenMul2pleHeterogeneousSystems

Iden2tyBroker(SAML2.0,OIDC,WS-Fed,CAS,OpenID)

Mul2-step(mul2-factor)Authen2ca2on

Mul2-op2onAuthen2ca2on

Just-in-2meProvisioning(rulebased+outboundprovisioning)

AutomatedProvisioningofAccountsAmongHeterogeneousSystems.

Rule-basedProvisioning

ApprovalWorkflows

?

SelfService

RoleEngineering

PluggableAuthen2ca2onPolicies

Authoriza2onPolicies&Fine-grainedAccessControl(XACML)

SecuringAPIs(OAuth2.0authoriza2onserver)

SecuringSOAPServices(WS-Security/WS-Trust)

Analy2cs

Analy2cs

Analy2cs

Analy2cs

Analy2cs

FraudDetec2on

Iden2tyAdminFunc2onality-Automa2on

Extensibility

●  Authen'cators○  FIDO,IWA,Facebook,LinkedIn,MePIN,SMSOTP,Yammer,Foursquare,Tiqr

●  ProvisioningConnectors○  GoogleApps,Salesforce,SCIM,SPML,Inwebo

●  UserStoreManagers○  LDAP,AD,JDBC

●  PolicyEnforcers●  PolicyInforma'onPoints

Extensibility

●  Authen'cators○  FIDO,IWA,Facebook,LinkedIn,MePIN,SMSOTP,Yammer,Foursquare,Tiqr

●  ProvisioningConnectors○  GoogleApps,Salesforce,SCIM,SPML,Inwebo

●  UserStoreManagers○  LDAP,AD,JDBC

●  PolicyEnforcers●  PolicyInforma'onPoints

Thank you!