EBT Mobile Identity: Oh, the Places You’ll Go
John Bejjani
Product Manager, Authentication and Mobile
Copyright Entrust Datacard
We will discuss …
• EBT Security Today
• EBT Mobile Identity
• Mobile ID: Secure Credential
• Mobile ID: Technology Overview
• Protecting Personal and FIS Data
• Challenges
• The Places You’ll Go
Current state of authentication in EBT
• Point of Sale
• Magstripe cards
• PINs
• Browser and app
• Card number or user id
• Password
• Easy to use, easy to administer
• But is there a problem?
Security and Privacy in current EBT POS
• PoS systems are still reasonably secure
• Thief must gain access to card and PIN
• But we all know about ATM card skimming
• EBT cards have a similar threat
• What about EMV style chips on EBT cards?
• Expensive to issue, expensive to replace
• Doesn’t address the online channel at all
Security and Privacy in EBT online today
• Secured by username and password
• Most web services now encourage or require an out-of-band second authentication factor
• Q&A and SMS are most popular
• Q&A is easily hacked
• Most people put Q&A data in their Facebook and Instagram profiles
• SMS is better, but still has issues
• SMS has associated costs
• Attacks have long existed against SMS
Mobile Identity for EBT
What is an “ID” anyway?
• An ID is an issued document that represents a person or a thing
• Your driver’s license identifies you and what you are allowed to do with a motor vehicle
• Your passport identifies you and defines how you are allowed to move around at borders
• Your student ID identifies you and your relation to your campus
An EBT card is not an “ID”
• EBT cards typically have a number and possibly name
• While states can mandate photos there are issues
• Card costs dramatically increase
• Federal law requires that all shoppers, not just EBT recipients, be asked to present ID
• When photos are not on the card
• Recipients cannot be treated differently and asked for photo ID
• No intuitive, non-intrusive way to verify an identity during an EBT transaction
Mobile Identity (ID)
• A digital document created on your mobile device
• Cannot be copied
• Resistant to attacks
• Identifies you to a system, but not necessarily to a person
• Can be used to legally authorize online actions
• Login
• Account transactions
• Purchasing transactions
High Assurance Mobile ID
• Uses public key cryptography
• Public key can be shared with everyone
• Private key never leaves your mobile device
• Private key can be created in a secured part of your device
• Cannot be read or cloned
• Device OS does not have access
• Using PKI, certificates can be issued
• Issued by trusted authority such as state
• PKI certificates associate a human identity with the public key
• Resistant even to quantum computing attacks
• Access to the ID can be controlled with a PIN or a biometric (e.g. facial or fingerprint)
Mobile ID Security: PIN vs. Password
• Mobile ID PIN is different from account password
• Account passwords stored on a server
• Mobile ID PIN never leaves the device
• Hackers can “steal” the user ID and the public key
• Public keys are meant to be public anyway
• Private key is still secure on device
• Public key useless without private key
Mobile ID Creation
• Recipient downloads state EBT app
• Recipient goes through onboarding
• Present 1 or more pieces of official government ID
• May need to answer several online questions
• Mobile ID is created in the app
• App creates a public/private key pair
• Sends public key to server, keeps private key private
[Figure: … + … + … = EBT Identity]
Mobile ID Use: Authentication
Bye-bye passwords
• Recipient enters only user ID on login pages
• Notification sent to registered mobile device
• App receives notification and recipient sees it
• Recipient can decide to allow or deny the login
• Recipient can also flag the request as suspicious
• Password is the “something you know”
• Mobile ID PIN is the “something you know”
• Password kept on server, PIN kept in app
• Why is it different?
• Because …
How it works …
Where did the password go?
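The key pair described under "High Assurance Mobile ID" and "Mobile ID Creation", and the notification-approved login on this slide, as an added example that is not from the deck or from Entrust Datacard: the device generates an Ed25519 key pair during onboarding and keeps the private key; the processor stores only the user ID and public key, pushes a random one-time challenge when the user ID is entered, and verifies the signed response. The type and function names, the sample user ID and PIN are constructed for the example; the deck does not specify a key algorithm or message format, and the in-memory PIN check stands in for the secure-element or biometric gate a real app would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// MobileID is the device side. The private key is created here and never leaves.
// The pin field is a constructed stand-in for the secure-element PIN / biometric gate.
type MobileID struct {
	userID string
	pin    string
	priv   ed25519.PrivateKey
}

// Server is the EBT processor side: it holds only user IDs, public keys and
// the one-time challenge currently outstanding for each user.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll models onboarding: the app generates the key pair and registers only the public half.
func Enroll(s *Server, userID, pin string) (*MobileID, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[userID] = pub
	return &MobileID{userID: userID, pin: pin, priv: priv}, nil
}

// BeginLogin: the recipient typed only a user ID. The server creates a fresh random
// challenge that would be pushed to the registered device as a notification.
func (s *Server) BeginLogin(userID string) ([]byte, error) {
	if _, ok := s.pubKeys[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[userID] = nonce
	return nonce, nil
}

// Approve: the recipient sees the notification and allows or denies it. Only an
// allowed request with the correct PIN produces a signature over the challenge.
func (m *MobileID) Approve(challenge []byte, pin string, allow bool) ([]byte, error) {
	if !allow {
		return nil, errors.New("login denied by recipient")
	}
	if pin != m.pin {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(m.priv, challenge), nil
}

// CompleteLogin verifies the signature with the stored public key and consumes the
// challenge, so the same signed response cannot be replayed.
func (s *Server) CompleteLogin(userID string, sig []byte) bool {
	nonce, ok := s.challenges[userID]
	if !ok {
		return false
	}
	delete(s.challenges, userID) // one use only, whether or not it verifies
	return ed25519.Verify(s.pubKeys[userID], nonce, sig)
}

// PublicKeyOnlyAttempt shows why a leaked user ID plus public key is harmless:
// without the device's private key, a signature under any other key fails to verify.
func PublicKeyOnlyAttempt(s *Server, userID string) bool {
	challenge, err := s.BeginLogin(userID)
	if err != nil {
		return false
	}
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return s.CompleteLogin(userID, ed25519.Sign(otherPriv, challenge))
}

func main() {
	s := NewServer()
	id, _ := Enroll(s, "recipient-0001", "4321") // constructed sample user and PIN
	challenge, _ := s.BeginLogin("recipient-0001")
	sig, _ := id.Approve(challenge, "4321", true)
	fmt.Println("legitimate login:", s.CompleteLogin("recipient-0001", sig))
	fmt.Println("replayed signature:", s.CompleteLogin("recipient-0001", sig))
	fmt.Println("attacker with public key only:", PublicKeyOnlyAttempt(s, "recipient-0001"))
}
```

Two design points worth noticing: nothing the server stores (user ID, public key, the random challenge) is a secret, which is the slide's "hackers can steal the user ID and the public key" argument made concrete; and the challenge is deleted before the signature is checked, so a failed attempt costs the attacker a fresh round trip and gives a defender a clean event to count and alert on.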
Security without the password
• Picture using an EBT-focused mobile app
• Currently you provide it your card ID and password
• Would you give your password to the guy down the block?
• Why would you give it to someone’s app?
Convenience!
Unique Services!
Do I have to give this up?
No!
Mobile ID Authentication: Delegating Authentication
• App presents username / card ID to the EBT processor
• The processor sends you an authentication notification
• Use your mobile ID to allow the request
• The processor sends the app an encrypted token
• The token has a lifetime
• The token encodes the operations the app can perform
• No password had to be provided to the app
• The processor knows which app made the request
• If your PIN changes, this has no impact on the app
• You can revoke the app’s access at any time
• The processor can invalidate the token
How it works …
Why is this better?
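The delegated-access token described on this slide, as an added example that is not from the deck or from Entrust Datacard. The deck says the processor sends the app an encrypted token that has a lifetime and encodes the operations the app may perform; this example uses an HMAC-SHA256 integrity-protected token rather than an encrypted one (an assumption, chosen so that the lifetime, scope and revocation checks stay readable), and the claim names, user and app IDs, secret and operation names are all constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is what the processor puts into the token. Field names are constructed;
// the deck does not specify a token format.
type Claims struct {
	UserID  string   `json:"sub"` // recipient the app acts for
	AppID   string   `json:"app"` // which app made the request
	Ops     []string `json:"ops"` // operations this app may perform
	Expires int64    `json:"exp"` // Unix time after which the token is dead
}

// Processor issues and checks tokens. The recipient's PIN plays no part here, so a
// PIN change cannot invalidate an app's token; only expiry or revocation can.
type Processor struct {
	secret  []byte          // server-side key for the token MAC
	revoked map[string]bool // userID/appID pairs whose access was withdrawn
}

func NewProcessor(secret []byte) *Processor {
	return &Processor{secret: secret, revoked: map[string]bool{}}
}

func (p *Processor) mac(payload string) []byte {
	h := hmac.New(sha256.New, p.secret)
	h.Write([]byte(payload))
	return h.Sum(nil)
}

// Issue is called after the recipient approved the app's request with their mobile ID.
func (p *Processor) Issue(c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + base64.RawURLEncoding.EncodeToString(p.mac(payload)), nil
}

// Revoke is the recipient withdrawing an app's access; every token for that pair dies.
func (p *Processor) Revoke(userID, appID string) {
	p.revoked[userID+"/"+appID] = true
}

// Authorize decides whether the token allows op at time now. Checks run in order:
// integrity, then lifetime, then revocation, then scope.
func (p *Processor) Authorize(token, op string, now time.Time) (Claims, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	got, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(got, p.mac(parts[0])) {
		return Claims{}, errors.New("token integrity check failed")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Claims{}, errors.New("malformed token payload")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, errors.New("malformed token claims")
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return c, errors.New("token expired")
	}
	if p.revoked[c.UserID+"/"+c.AppID] {
		return c, errors.New("app access revoked by recipient")
	}
	for _, allowed := range c.Ops {
		if allowed == op {
			return c, nil
		}
	}
	return c, errors.New("operation not in token scope")
}

func main() {
	p := NewProcessor([]byte("constructed-demo-secret"))
	now := time.Now()
	tok, _ := p.Issue(Claims{UserID: "recipient-0001", AppID: "grocery-app",
		Ops: []string{"balance"}, Expires: now.Add(time.Hour).Unix()})
	_, err := p.Authorize(tok, "balance", now)
	fmt.Println("balance now:", err)
	_, err = p.Authorize(tok, "transfer", now)
	fmt.Println("transfer now:", err)
	_, err = p.Authorize(tok, "balance", now.Add(2*time.Hour))
	fmt.Println("balance after expiry:", err)
	p.Revoke("recipient-0001", "grocery-app")
	_, err = p.Authorize(tok, "balance", now)
	fmt.Println("balance after revocation:", err)
}
```

The order of checks matters: the MAC is verified with `hmac.Equal` before any claim is trusted, so an app cannot widen its own scope or push out its own expiry by editing the payload, and revocation is looked up on every call rather than baked into the token, which is what lets the recipient cut an app off before its lifetime ends.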
Secure! Simple!
Anywhere!
The Challenges & Benefits
Systemic Challenges
Investments
• System-wide architecture review
• Introduction of PKI at State level
• Coordination between stakeholders
• Existing apps must change authentication models
Adoption
• FICAM / SICAM rules may apply
• Requires access to mobile devices
• Reluctance to trust newer technologies
• Transition phase will be long
Systemic Benefits of Mobile ID
• Nearly ubiquitous Wi-Fi coverage
• Low cost for issuance
• Improved user experience
• Security improves constantly
• Large app ecosystem
• Non-repudiation reduces fraud
• US Fed has long experience with Mobile ID
• Built for technologies like blockchain
The Places You’ll Go …
Blockchain
• Blockchain is at the heart of digital currencies like Bitcoin
• Blockchain security is based on public key cryptography
• Mobile ID is based on public key cryptography
• Ok, so what?
• Blockchain is a ledger for transactions
• Tamper-proof for the foreseeable future
• Easy to make distributed and resilient
• Can be leveraged to perform real-time transaction risk analysis
• Gateway to investigating impact of digital currencies …
Mobile Payments
• People spend more time on mobile
• Many EBT retailers now offer online shopping
• Mobile ID identifies individuals not payment methods
• Can be linked to existing mobile payments solutions
Thank you