1
00:00:00,460 --> 00:00:02,350
Authentication Models.

2
00:00:02,350 --> 00:00:04,698
In addition to the standard authentication process

3
00:00:04,698 --> 00:00:07,240
and concept of multi-factor authentication,

4
00:00:07,240 --> 00:00:09,100
there are other models of authentication

5
00:00:09,100 --> 00:00:11,348
that can be utilized by an organization.

6
00:00:11,348 --> 00:00:13,998
These include context-aware authentication,

7
00:00:13,998 --> 00:00:15,828
Single Sign-On authentication,

8
00:00:15,828 --> 00:00:18,362
and Federated Identity Management.

9
00:00:18,362 --> 00:00:21,100
Context-aware authentication is a process that checks the

10
00:00:21,100 --> 00:00:23,699
user or system attributes or their characteristics

11
00:00:23,699 --> 00:00:25,723
prior to allowing them to connect.

12
00:00:25,723 --> 00:00:28,445
The most common form of context-aware authentication

13
00:00:28,445 --> 00:00:31,153
occurs by limiting the time or the day that the user

14
00:00:31,153 --> 00:00:34,385
is able to log on to a particular client or server.

15
00:00:34,385 --> 00:00:36,029
Another common use of this is to limit

16
00:00:36,029 --> 00:00:39,179
the geographic location that the user can log in from.

17
00:00:39,179 --> 00:00:41,945
For example, if you're a small company in the United States,

18
00:00:41,945 --> 00:00:43,903
and you don't have any international employees,

19
00:00:43,903 --> 00:00:46,257
then you might be able to prevent any users from outside

20
00:00:46,257 --> 00:00:48,965
the United States from logging into your systems.

21
00:00:48,965 --> 00:00:51,042
This can be checked either by the location source

22
00:00:51,042 --> 00:00:54,049
of the IP address, or the GPS coordinates of the device

23
00:00:54,049 --> 00:00:56,090
that they're trying to log in from.

24
00:00:56,090 --> 00:00:59,900
Another authentication model is Single Sign-On or SSO.

25
00:00:59,900 --> 00:01:02,255
Due to the large number of resources and websites

26
00:01:02,255 --> 00:01:05,248
that the average person accesses on a daily basis,

27
00:01:05,248 --> 00:01:07,229
many organizations are beginning

28
00:01:07,229 --> 00:01:08,999
to adopt an SSO environment.

29
00:01:08,999 --> 00:01:11,255
When adopted, the organization establishes

30
00:01:11,255 --> 00:01:13,691
a default user profile for each user,

31
00:01:13,691 --> 00:01:16,197
and then they link that profile to all of the different

32
00:01:16,197 --> 00:01:19,129
resources that that user is going to have to access.

33
00:01:19,129 --> 00:01:21,559
Now, under this type of system, the user is able to have a

34
00:01:21,559 --> 00:01:24,746
single long, strong password that they can memorize.

35
00:01:24,746 --> 00:01:27,597
This replaces the 30 or 40 different login credentials

36
00:01:27,597 --> 00:01:29,135
that the average user has.

37
00:01:29,135 --> 00:01:31,721
And since they only have to memorize one, they can make it more

38
00:01:31,721 --> 00:01:34,091
complex and easier to learn.

39
00:01:34,091 --> 00:01:36,761
Additionally, if you're using multi-factor authentication,

40
00:01:36,761 --> 00:01:38,495
like we talked about in the last lesson,

41
00:01:38,495 --> 00:01:41,359
you now have a single strong dual-factor

42
00:01:41,359 --> 00:01:43,745
or multi-factor authentication to use.

43
00:01:43,745 --> 00:01:46,257
This makes accessing new resources much quicker

44
00:01:46,257 --> 00:01:48,761
and much easier, and it simplifies user

45
00:01:48,761 --> 00:01:50,291
and password management.

46
00:01:50,291 --> 00:01:52,947
Now, the one major drawback to using a Single Sign-On

47
00:01:52,947 --> 00:01:54,835
environment is that if the user's credentials have been

48
00:01:54,835 --> 00:01:58,420
compromised, that attacker now has access to every resource

49
00:01:58,420 --> 00:02:00,602
that the user had access to.

50
00:02:00,602 --> 00:02:02,604
I like to think about it like a master key.

51
00:02:02,604 --> 00:02:05,162
Let's assume you had a single key that opens your office,

52
00:02:05,162 --> 00:02:06,880
your car, and your house.

53
00:02:06,880 --> 00:02:09,700
But as you went to the mall, you dropped it and lost it.

54
00:02:09,700 --> 00:02:11,956
And if I found it, now I'm going to have access

55
00:02:11,956 --> 00:02:13,066
to all three things.

56
00:02:13,066 --> 00:02:15,340
Your car, your house, and your office.

57
00:02:15,340 --> 00:02:18,115
This is the big drawback to a Single Sign-On environment,

58
00:02:18,115 --> 00:02:20,612
but again, if you use multi-factor authentication,

59
00:02:20,612 --> 00:02:22,630
that's going to help secure it even more.

60
00:02:22,630 --> 00:02:25,472
The final model is called Federated Identity Management

61
00:02:25,472 --> 00:02:26,305
or FIDM.

62
00:02:27,234 --> 00:02:29,806
Many organizations are now grouping together

63
00:02:29,806 --> 00:02:31,711
to create these Federations.

64
00:02:31,711 --> 00:02:33,856
Each organization that joins this Federation

65
00:02:33,856 --> 00:02:36,175
has agreed to a common set of standards and policies

66
00:02:36,175 --> 00:02:38,146
for the use of identification.

67
00:02:38,146 --> 00:02:39,730
This allows a Federated Identity

68
00:02:39,730 --> 00:02:41,484
to be created for that user.

69
00:02:41,484 --> 00:02:44,124
This identity can then be used across all of those different

70
00:02:44,124 --> 00:02:45,850
businesses that are part of the Federation,

71
00:02:45,850 --> 00:02:47,980
as well as all their systems.

72
00:02:47,980 --> 00:02:50,791
These Federations support the provisioning and management

73
00:02:50,791 --> 00:02:54,196
of identification, authentication, and authorization.

74
00:02:54,196 --> 00:02:56,176
This can be done through two basic models,

75
00:02:56,176 --> 00:02:59,364
either Cross-Certification or Trusted Third-Party.

76
00:02:59,364 --> 00:03:01,854
The Cross-Certification model is going to utilize

77
00:03:01,854 --> 00:03:04,412
a web of trust between these organizations.

78
00:03:04,412 --> 00:03:06,856
Each organization is going to certify every other

79
00:03:06,856 --> 00:03:09,062
organization inside the Federation.

80
00:03:09,062 --> 00:03:11,086
This works well when there's just a small number

81
00:03:11,086 --> 00:03:12,676
of organizations inside the Federation.

82
00:03:12,676 --> 00:03:15,616
But once that number gets large, anything above 5 or 10

83
00:03:15,616 --> 00:03:18,713
organizations, it becomes pretty difficult to manage.

84
00:03:18,713 --> 00:03:20,359
Thinking back to your early network studies,

85
00:03:20,359 --> 00:03:22,412
you can relate the Cross-Certification model

86
00:03:22,412 --> 00:03:24,760
to a full mesh network model.

87
00:03:24,760 --> 00:03:26,686
Anything higher than about five organizations

88
00:03:26,686 --> 00:03:29,012
and this model is going to break down really,

89
00:03:29,012 --> 00:03:30,564
really quickly.

90
00:03:30,564 --> 00:03:32,410
Now, that brings us to the second type,

91
00:03:32,410 --> 00:03:34,531
which is called a Trusted Third-Party Model.

92
00:03:34,531 --> 00:03:36,384
This is also known as a bridge model.

93
00:03:36,384 --> 00:03:38,530
This allows organizations to place their trust

94
00:03:38,530 --> 00:03:40,374
in a single third party.

95
00:03:40,374 --> 00:03:42,490
This third party, then, manages the verification

96
00:03:42,490 --> 00:03:44,725
and certification for all of the organizations

97
00:03:44,725 --> 00:03:46,104
within the Federation.

98
00:03:46,104 --> 00:03:47,671
This is more similar to the way a traditional

99
00:03:47,671 --> 00:03:50,350
certificate authority on the Internet is going to work.

100
00:03:50,350 --> 00:03:53,552
This model is quite efficient even with a large number

101
00:03:53,552 --> 00:03:55,390
of organizations within the Federation,

102
00:03:55,390 --> 00:03:57,924
because everybody goes to that one trusted party

103
00:03:57,924 --> 00:04:00,160
to get their verification done.

104
00:04:00,160 --> 00:04:02,462
Security Assertion Markup Language, or SAML,

105
00:04:02,462 --> 00:04:05,920
is an attestation model that's built on top of XML,

106
00:04:05,920 --> 00:04:08,926
and it supports this federated identity management.

107
00:04:08,926 --> 00:04:11,574
SAML is used for the authentication and authorization

108
00:04:11,574 --> 00:04:13,140
between different systems,

109
00:04:13,140 --> 00:04:16,463
especially over the Internet using a Single Sign-On method.

110
00:04:16,463 --> 00:04:17,686
To perform this function,

111
00:04:17,686 --> 00:04:19,944
SAML is going to use an attestation ticket

112
00:04:19,944 --> 00:04:22,330
that's provided to the user being authenticated.

113
00:04:22,330 --> 00:04:24,601
This ticket is then provided to the web server

114
00:04:24,601 --> 00:04:26,590
that the user is going to want to access.

115
00:04:26,590 --> 00:04:28,956
SAML is designed as a standardization of the

116
00:04:28,956 --> 00:04:31,694
Single Sign-On process, and it's used across the web

117
00:04:31,694 --> 00:04:34,205
in a large number of organizations.

118
00:04:34,205 --> 00:04:37,287
Another possible solution that you might find is OpenID,

119
00:04:37,287 --> 00:04:39,906
which is an open-standard, decentralized protocol

120
00:04:39,906 --> 00:04:41,548
to authenticate users.

121
00:04:41,548 --> 00:04:44,728
OpenID allows the user to log into an identity provider,

122
00:04:44,728 --> 00:04:46,926
and they can then utilize that same account across all

123
00:04:46,926 --> 00:04:48,740
of the cooperating websites.

124
00:04:48,740 --> 00:04:51,434
These cooperating websites are known as

125
00:04:51,434 --> 00:04:53,616
RPs or Relying Parties.

126
00:04:53,616 --> 00:04:56,150
One of the largest and most well-known OpenID

127
00:04:56,150 --> 00:04:57,928
identity providers is actually Google.

128
00:04:57,928 --> 00:05:00,404
Anytime you've gone to a website outside of Google,

129
00:05:00,404 --> 00:05:02,480
and you click that Google login button,

130
00:05:02,480 --> 00:05:06,074
you're using an OpenID system to have Google authenticate

131
00:05:06,074 --> 00:05:07,940
you to that third-party website.

132
00:05:07,940 --> 00:05:11,255
OpenID is also much less difficult to implement than SAML.

133
00:05:11,255 --> 00:05:14,166
But SAML does perform these functions a lot more

134
00:05:14,166 --> 00:05:15,800
efficiently than OpenID.

135
00:05:15,800 --> 00:05:20,345
Which one you're using is really going to be up to you.
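The context-aware checks described at the start of the lecture (restricting logons by time or day, and by the country the source IP address resolves to) can be expressed as a small policy evaluator. The following is an added example, not code from the lecture or from any product it mentions. It assumes a hypothetical, constructed IP-prefix-to-country table in place of a real geolocation database, an `AccessPolicy` per user, and a fixed clock passed in for the decision; the GPS-based variant the lecture also mentions is not covered. It fails closed when the source address cannot be geolocated and returns the reason for a denial so it can be logged and alerted on.

```python
"""Context-aware login policy check: country allowlist plus weekday and
time-of-day window. Added example; the geolocation table is constructed
sample data standing in for a real GeoIP lookup."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed sample data (hypothetical): documentation ranges labelled with
# arbitrary country codes purely for this example.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),   # TEST-NET-3, labelled US here
    (ip_network("198.51.100.0/24"), "DE"),  # TEST-NET-2, labelled DE here
]


def country_for_ip(addr: str) -> Optional[str]:
    """Return the country code for an address, or None when unknown."""
    ip = ip_address(addr)
    for net, country in GEO_TABLE:
        if ip in net:
            return country
    return None


@dataclass(frozen=True)
class AccessPolicy:
    """Per-user context constraints: permitted countries, permitted
    weekdays (0 = Monday), and the daily logon window."""
    allowed_countries: FrozenSet[str]
    allowed_weekdays: FrozenSet[int] = frozenset(range(0, 5))  # Mon-Fri
    window_start: time = time(7, 0)
    window_end: time = time(19, 0)


def evaluate_context(policy: AccessPolicy, src_ip: str,
                     when: datetime) -> Tuple[bool, str]:
    """Decide whether a login attempt's context satisfies the policy.

    Returns (allowed, reason). The reason names the first failed check so
    the denial can be logged; unknown geolocation is treated as a denial
    rather than a pass (fail closed)."""
    country = country_for_ip(src_ip)
    if country is None:
        return False, f"geolocation unknown for {src_ip}"
    if country not in policy.allowed_countries:
        return False, f"country {country} not permitted"
    if when.weekday() not in policy.allowed_weekdays:
        return False, f"logon not permitted on weekday {when.weekday()}"
    if not (policy.window_start <= when.time() <= policy.window_end):
        return False, (f"logon outside window "
                       f"{policy.window_start}-{policy.window_end}")
    return True, "context ok"


if __name__ == "__main__":
    # US-only staff, default Mon-Fri 07:00-19:00 window.
    policy = AccessPolicy(allowed_countries=frozenset({"US"}))
    attempts = [
        ("203.0.113.10", datetime(2024, 3, 12, 9, 30)),   # Tuesday, in window
        ("198.51.100.7", datetime(2024, 3, 12, 9, 30)),   # wrong country
        ("203.0.113.10", datetime(2024, 3, 16, 9, 30)),   # Saturday
        ("203.0.113.10", datetime(2024, 3, 12, 22, 0)),   # after hours
        ("192.0.2.1", datetime(2024, 3, 12, 9, 30)),      # not in geo table
    ]
    for ip, when in attempts:
        allowed, reason = evaluate_context(policy, ip, when)
        print(f"{ip} at {when.isoformat()} -> {'ALLOW' if allowed else 'DENY'}: {reason}")
```

The decision is deliberately independent of the password or second-factor check: context evaluation gates whether the normal authentication even proceeds, and every denial carries a reason string, which is what a detection team wants to see in the authentication log when a valid credential is presented from an unexpected country or outside working hours.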