IoT? The ‘I’ needs to be ‘Identity’
Paul Madsen CTO Office, Ping @paulmadsen
We’re still only at the diaper stage in the IoT
The IoT still has its training wheels on
The IoT is nothing but hot air
The IoT is sure to go through labor pains
THE INTERNET OF THINGS IS COMING
What are we going to do about it?! (In this room!)
Only identity can provide the necessary organizing principle by which we can enable, manage and control all these relationships
Definitions
[Diagram: Sensors and Actuators sit between the Physical environment and the Network; Data, Operations and Apps sit on the network side]
Humans are merely a part of the physical environment (yes Steve, an important part)
[Diagram: a Thing, made of a Sensor and an Actuator, interacts with its Environment and with the User]
Examples of things:
• Lawn sprinklers • Jet turbines • Toasters
• Water meter • Thermometer • GPS
• Alarm clock • Phone vibrator
• Heart implants • Muse headband
Phone as sensor platform
Copyright © 2014 Ping Identity Corp. All rights reserved. 17
Laptops are things too!!
[Same Sensor / Thing / Environment / Actuator / User diagram, now including laptop sensors and actuators]
• Lawn sprinklers • Jet turbines
• Water meter • Thermometer • GPS
• Alarm clock • Phone vibrator • Screen
• Heart implants • Muse headband • Keyboard • Touch screens • Fingerprint sensor • Camera
The nature of our interactions with devices is changing
• Direct -> Indirect (e.g. manage a Nest thermostat via a native application)
• Active invocation -> passive (e.g. rules-based, as per IFTTT)
• Static -> dynamic (e.g. washing machine downloads OS updates & new features)
Interaction model   | UX / Application                                   | Authentication
--------------------+----------------------------------------------------+--------------------------------------------------------------------
Active / explicit   | Browsers, keyboards, screen swipes                 | Keyboards, TouchID, facial recognition
Passive / implicit  | Step counters, heart rate sensors, blood pressure  | Geolocation, device proximity, facial recognition, stride analysis
Human Device Interaction
Identity for Things
Things for Identity
[Diagram: Device (Client) <-> Cloud Application (Server); an Identity Cloud provides Authn & ID to the Device (Client) and to the Application (Server)]
OpenID Connect 1.0
• OpenID Connect normalizes an identity layer on top of OAuth 2.0
• Newly standardized by the OpenID Foundation
• Adds identity semantics to the base OAuth flow to enable
  – a web SSO model (like SAML)
  – user attribute sharing
• Arguably matches the functionality of SAML, though with a more modern architecture
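The "identity semantics" that OpenID Connect adds to OAuth are carried in the ID token, a signed JWT the relying party must check before trusting it. The following is an added example (not code from the talk or from Ping Identity) of both ends of that exchange: a minimal OpenID Provider that mints an HS256 ID token, and a relying party that validates signature, issuer, audience, expiry and nonce. The secret, issuer URL, client id and claim values are constructed for illustration; HS256 with a shared secret is used only to keep the block dependency-free (most deployments use RS256, which changes only the signature check), and "aud" is modelled as a single string although the spec also allows an array.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is the subset of ID-token claims a relying party must check,
// plus one shared user attribute ("email") as an example of attribute sharing.
type IDTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"` // single string for brevity; the spec also allows an array
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Nonce string `json:"nonce"`
	Email string `json:"email,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintIDToken plays the OpenID Provider: it serialises the claims as a JWT
// signed with HS256 under a secret shared with exactly one client.
func MintIDToken(c IDTokenClaims, secret []byte) string {
	header := b64url([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64url(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// ValidateIDToken plays the relying party. Each check is one OpenID Connect
// Core requires before the token is trusted: the signature, the issuer, that
// this client is the audience, that the token is unexpired, and that the nonce
// is the one this client sent in its request (which defeats replay).
func ValidateIDToken(token string, secret []byte, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm rather than trusting the header: honouring "none" or an
	// attacker-chosen algorithm family is a classic JWT verification bug.
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, errors.New("signature does not verify")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the expected OP", c.Iss)
	case c.Aud != clientID:
		return nil, errors.New("token was issued to a different client")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch (possible replay)")
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // assumption: shared between OP and client
	now := time.Now()
	tok := MintIDToken(IDTokenClaims{Iss: "https://op.example", Sub: "alice", Aud: "client-123",
		Exp: now.Add(5 * time.Minute).Unix(), Iat: now.Unix(), Nonce: "n-1", Email: "alice@example.org"}, secret)
	claims, err := ValidateIDToken(tok, secret, "https://op.example", "client-123", "n-1", now)
	fmt.Println(claims, err)
}
```

The audience check is the one most often skipped in practice: a token minted for one client of the same OP verifies cryptographically at every other client, so without it any relying party that obtains a token can replay it to yours.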
[Diagram: Device (Client) <-> Cloud Application (Server); the Identity Cloud provides Authn & ID to the Application (Server), and a second Authn & ID leg runs between the Device (Client) and the Identity Cloud]
FIDO
• Fast IDentity Online is a 2-year-old standardization effort
• Spearheaded by PayPal, Google, Nok Nok Labs, Microsoft and many others
• Standardizes the interaction between client authenticators and authentication servers by which the client demonstrates possession of a crypto key
• The user authenticates with a local authentication method to unlock the key so it can be used for authentication to the server
• For biometrics, doesn’t require biometric information to be stored on servers – it stays local
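The three FIDO properties listed above (proof of key possession, a local unlock step that gates the key, and nothing biometric stored server-side) are easy to see in a short challenge-response exchange. The following is an added example, not FIDO reference code and not from the talk: an authenticator holding a P-256 private key and a local PIN (standing in for a biometric), and a relying-party server that stores only the public key and a single-use challenge. The rpID "login.example", the user names and the PIN are constructed for illustration; binding the signature to the rpID is the FIDO idea that makes a signature obtained by a phishing site useless at the real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the client side. The private key and the local unlock
// secret never leave the device; the server only ever sees the public key.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	localPIN string // stands in for a biometric template or PIN held on-device
}

func NewAuthenticator(localPIN string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, localPIN: localPIN}, nil
}

// PublicKey is all the authenticator discloses at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedDigest binds the challenge to the relying-party identifier, so a
// signature produced for "evil.example" does not verify at "login.example".
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so rpID/challenge boundaries are unambiguous
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign releases a signature only after local user verification succeeds;
// a wrong PIN leaves the key locked and nothing is sent to the server.
func (a *Authenticator) Sign(pin, rpID string, challenge []byte) ([]byte, error) {
	if pin != a.localPIN {
		return nil, errors.New("local user verification failed; key stays locked")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rpID, challenge))
}

// Server is the relying party: per user it keeps a public key and at most one
// outstanding challenge, which is consumed on first use.
type Server struct {
	rpID    string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge issues 32 fresh random bytes; any earlier challenge is replaced.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge (a captured signature cannot be
// replayed) and checks it against the registered public key.
func (s *Server) Verify(user string, sig []byte) error {
	challenge, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	if !ecdsa.VerifyASN1(s.keys[user], signedDigest(s.rpID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("1234")
	srv := NewServer("login.example")
	srv.Register("alice", auth.PublicKey())
	ch, _ := srv.Challenge("alice")
	sig, _ := auth.Sign("1234", "login.example", ch)
	fmt.Println("login:", srv.Verify("alice", sig))
}
```

Note what the server never holds: no password, no PIN, no biometric. A breach of its user table yields public keys only, which is the "Something I (Should) Have" the talk alludes to.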
Made for each other
FIDO? Mature federation protocol seeks youthful authentication standard for integrations AND MORE. I enjoy long redirects on the browser, but detest form fill. I’m tired of insecure password posers – and am looking for something real. If you think you are ‘Something I (Should) Have’, let’s Connect!
Explicit giving way to implicit
Apple ‘Selfie for authn’ patent
“Smart Lock for Android keeps your phone or tablet unlocked when it’s safe – no PIN, pattern or password needed. And when your device senses it may not be safe, it’ll need to be manually unlocked. Android can do this by recognizing signals like its proximity to that fly smartwatch on your wrist, your safe home location, even your voice.”
1. A variety of devices interact with users, both actively & passively, to collect context and communicate signals to the authentication server
2. Signals aggregated & analyzed
3. Relevant identity attributes encapsulated in tokens
4. Token communicated to the application
5. Rinse & repeat
THANKS