WSO2 Guest Webinar: Securing SaaS Apps with Multi-factor Authentication with MePIN and WSO2 Identity...
Securing SaaS Apps with Multi-Factor Auth with MePIN and WSO2 Identity Server
MePIN - a strong authentication company
- MePIN / Meontrust Inc; founded 4/2010
- Venture funded from Finland, US & HK
- R&D locations: Helsinki & Oulu, Finland
- MasterCard Start Path company
- Customers and partners globally
Why mobile Multi-Factor Authentication?
- Passwords are not enough anymore
- The world is going mobile but requires an omnichannel experience
- Legacy is slow, clumsy & expensive
[Diagram: the MePIN server and its PKI sit behind an Auth API that plugs into Identity and Access Management; users authenticate and authorize with a digital signature, on any channel, with access from anywhere. Taglines: Fast. Mobile. Secure. Strong security with user convenience; strong authentication on any channel.]
Flexible solution, for multiple use cases ...
- Multi-factor authentication and/or secure passwordless login
- Dynamic, Service Provider set auth policy - tap, PIN, fingerprint or face
- Patented linking to a service or passwordless login with an Access Code
- Secure online transaction authorization
- Subscriptions, orders, invoices, expenses, anything ...
- Provides digital signatures and non-repudiation of transactions
Multi-factor authentication with MePIN
- Works on any channel and device
- Login on PC, tablet, mobile, TV, etc.
- 3 optional modes / authentication methods:
  - 2FA mode: username + password + authorization
  - Reactive mode: username + PIN/FP authorization
  - Active mode: username + active authorization
MePIN authentication: 2FA mode
- Login with username + password
- Usernames and passwords managed by Identity Server
- Authorize with a MePIN enabled app
- Authorization can be a simple tap, PIN, fingerprint or face recognition
MePIN authentication: Reactive mode
- Login with username only
- Authorize a login request with a PIN, fingerprint or face recognition on a MePIN enabled app
MePIN authentication: Active mode
- Login with username only
- The service shows an Access Code, valid for 60 seconds
- Authorize the login by scanning the code with the MePIN enabled app or entering it manually
Digitally signing transactions
- Request users to authorize transactions
- Authorization policy can be set per transaction (a tap, PIN, fingerprint or face recognition)
- Every authorized transaction is digitally signed by the user's private key
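The Active-mode login slide and the transaction-signing slide above describe the same challenge-response pattern: the service issues an Access Code valid for 60 seconds, the user's device signs the request with a private key that never leaves the device, and the server verifies the signature under the key enrolled for that user. The following is an added example, not MePIN's or WSO2's code and not MePIN's wire protocol, that implements that pattern end to end in Go for both a login and a transaction. The Ed25519 key type, the signed message format, the single-use rule and every name (Server, IssueAccessCode, Authorize, Verify, the Err* values) are assumptions of this example; only the 60-second validity comes from the slides.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const accessCodeTTL = 60 * time.Second // Active-mode slide: an Access Code is valid for 60 seconds
// Distinct errors so the relying party can log and rate-limit each failure mode.
var (
	ErrUnknownUser  = errors.New("no enrolled device for user")
	ErrUnknownCode  = errors.New("unknown access code")
	ErrExpired      = errors.New("access code expired")
	ErrReplayed     = errors.New("access code already used")
	ErrBadSignature = errors.New("signature does not verify under enrolled key")
)

type challenge struct {
	subject string    // user the code was issued to
	issued  time.Time // when the service displayed it
	used    bool      // single use: one accepted signature consumes it
}

// Server is hypothetical relying-party state; the slides show no real server design.
type Server struct {
	enrolled   map[string]ed25519.PublicKey // user -> public key enrolled from the device
	challenges map[string]*challenge        // access code -> pending challenge
	now        func() time.Time             // injectable clock, so expiry is testable
}

func NewServer(now func() time.Time) *Server {
	return &Server{enrolled: map[string]ed25519.PublicKey{}, challenges: map[string]*challenge{}, now: now}
}

// Enroll records the device's public key; the private key never leaves the device.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.enrolled[user] = pub }

// IssueAccessCode mints a random, short-lived code the service shows on screen.
func (s *Server) IssueAccessCode(user string) (string, error) {
	if _, ok := s.enrolled[user]; !ok {
		return "", ErrUnknownUser
	}
	var b [6]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b[:])
	s.challenges[code] = &challenge{subject: user, issued: s.now()}
	return code, nil
}

// MessageToSign binds the signature to user, code and action ("login" or transaction text such as
// "pay 120 EUR to ACME") so a login approval cannot be replayed as a transaction approval.
func MessageToSign(user, code, action string) []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%s", user, code, action))
}

// Authorize is the device side: after the tap / PIN / biometric unlock, sign with the device key.
func Authorize(priv ed25519.PrivateKey, user, code, action string) []byte {
	return ed25519.Sign(priv, MessageToSign(user, code, action))
}

// Verify is the server side: code known and issued to this user, inside its 60 s window, unused,
// and signature valid under the enrolled key; the signed message is the non-repudiation record.
func (s *Server) Verify(user, code, action string, sig []byte) error {
	pub, ok := s.enrolled[user]
	if !ok {
		return ErrUnknownUser
	}
	ch, ok := s.challenges[code]
	if !ok || ch.subject != user { // a code issued to someone else is treated as unknown
		return ErrUnknownCode
	}
	if ch.used {
		return ErrReplayed
	}
	if s.now().Sub(ch.issued) > accessCodeTTL {
		delete(s.challenges, code)
		return ErrExpired
	}
	if !ed25519.Verify(pub, MessageToSign(user, code, action), sig) {
		return ErrBadSignature
	}
	ch.used = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(time.Now)
	srv.Enroll("alice", pub)
	code, _ := srv.IssueAccessCode("alice")
	sig := Authorize(priv, "alice", code, "login")
	fmt.Println("login:", srv.Verify("alice", code, "login", sig), "replay:", srv.Verify("alice", code, "login", sig))
}
```

Two design points worth noting. The action text is part of the signed message, so a signature over "pay 120 EUR to ACME" fails verification for "pay 1200 EUR to ACME" and cannot be presented as a login approval; that is what turns a tap into a non-repudiable authorization of a specific transaction. The "|" separator is enough for a demonstration, but a production format should length-prefix or otherwise unambiguously encode the fields, since a user name or transaction text containing "|" would otherwise let two different messages serialize identically.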
Device lifecycle and other major features
- Remote revoke, lock or unlock the app (self service or from management)
- Re-enrollment after lost or changed device (self service or from management)
- Optional multi-device support: user can confirm with any one of her devices
- Trusted messaging inbox for user messaging
- Authenticated interactions (in-app browser)
Extendable biometrics support
- Pick and choose your biometrics: fingerprints, face recognition, eye verification, anything the future holds ...
- Biometric info stored only locally in users' devices
Flexible deployment and integration options
[Diagram: on the client, either the MePIN library embedded in the customer's own mobile app, or a customer branded ID app built on the MePIN SDK; on the server, on-premise, mixed (hosted PKI) or fully hosted deployment.]
Complete future proof authentication platform
- Mobile PKI + biometrics
- FIDO U2F/UAF
- Mobile & HW TOTP
- SMS OTP
- Paper OTP
High security + high usability
Legacy users + fallback options
- Security audited solution and source code
... because passwords are evil.
WSO2 Identity Server
Prabath Siriwardena, Director of Security Architecture
WSO2 Platform
- 5th Generation Product
- Current version 5.2.0 (Sept 2016)
- Why did we build it?
  - Federated identity and entitlement is a key part of any distributed architecture
  - Internal security threats, partnerships
  - Mergers, de-mergers
  - APIs, cloud systems
- SSO is important, but you need to federate and bridge across SSOs
- Open Standards for Identity are changing the industry landscape
- Based on the WSO2 Carbon platform, which provides support for multi-tenancy, logging, clustering, and other common services
- Support for Heterogeneous User Stores
- Identity Federation Between Multiple Heterogeneous Systems
- Identity Broker (SAML 2.0, OIDC, WS-Fed, CAS, OpenID)
- Multi-step (multi-factor) Authentication
- Multi-option Authentication
- Just-in-time Provisioning (rule based + outbound provisioning)
- Automated Provisioning of Accounts Among Heterogeneous Systems
- Rule-based Provisioning
- Approval Workflows
- Self Service
- Role Engineering
- Pluggable Authentication Policies
- Authorization Policies & Fine-grained Access Control (XACML)
- Securing APIs (OAuth 2.0 authorization server)
- Securing SOAP Services (WS-Security/WS-Trust)
- Analytics
- Fraud Detection
- Identity Admin Functionality - Automation
Extensibility
- Authenticators: FIDO, IWA, Facebook, LinkedIn, MePIN, SMS OTP, Yammer, Foursquare, Tiqr
- Provisioning Connectors: Google Apps, Salesforce, SCIM, SPML, Inwebo
- User Store Managers: LDAP, AD, JDBC
- Policy Enforcers
- Policy Information Points
Thank you!