https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=AnnElizabeth+Racuya-RobbinsOWASP - User contributions [en]2026-05-03T19:31:56ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=204590OWASP Knowledge Based Authentication Performance Metrics Project2015-12-04T16:48:29Z<p>AnnElizabeth Racuya-Robbins: /* Main */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 31, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** In a Mobile Context, Public Safety<br />
** What role does Uncertainty play? The GUM?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=204589OWASP Knowledge Based Authentication Performance Metrics Project2015-12-04T16:46:02Z<p>AnnElizabeth Racuya-Robbins: /* Contributors */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 31, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** In a Mobile Context, Public Safety<br />
** What role does Uncertainty play? The GUM?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=204587OWASP Knowledge Based Authentication Performance Metrics Project2015-12-04T16:44:38Z<p>AnnElizabeth Racuya-Robbins: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 31, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** In a Mobile Context, Public Safety<br />
** What role does Uncertainty play? The GUM?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=204586OWASP Knowledge Based Authentication Performance Metrics Project2015-12-04T16:43:06Z<p>AnnElizabeth Racuya-Robbins: /* Project Leaders */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 31, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** In a Mobile Context, Public Safety<br />
** What role does Uncertainty play? The GUM?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=199723OWASP Knowledge Based Authentication Performance Metrics Project2015-08-31T15:01:39Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 31, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** In a Mobile Context, Public Safety<br />
** What role does Uncertainty play? The GUM?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=199722OWASP Knowledge Based Authentication Performance Metrics Project2015-08-31T14:59:17Z<p>AnnElizabeth Racuya-Robbins: /* Monday August 3, 2015 at 11:00 AM - 12:30 PM US Eastern Time */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 31, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=198305OWASP Knowledge Based Authentication Performance Metrics Project2015-08-02T23:17:47Z<p>AnnElizabeth Racuya-Robbins: /* AGENDA */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 3, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** KBA Performance Metrics v7 Luis <br />
** Followup on Remote First Use KBA. Is this wanted and needed?<br />
** Follow on Questions for Healthcare Providers who use KBA<br />
** How do we make individuals or entities take risks? Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197948OWASP Knowledge Based Authentication Performance Metrics Project2015-07-27T17:48:32Z<p>AnnElizabeth Racuya-Robbins: /* Main */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday August 3, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Questions and Processes Healthcare Providers who use KBA)<br />
** Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197867OWASP Knowledge Based Authentication Performance Metrics Project2015-07-24T15:14:27Z<p>AnnElizabeth Racuya-Robbins: /* Main */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday July 27, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Questions and Processes Healthcare Providers who use KBA)<br />
** Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197595OWASP Knowledge Based Authentication Performance Metrics Project2015-07-19T20:45:55Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday July 20, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Questions and Processes Healthcare Providers who use KBA)<br />
** Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197154OWASP Knowledge Based Authentication Performance Metrics Project2015-07-07T21:16:45Z<p>AnnElizabeth Racuya-Robbins: /* AGENDA */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday July 13, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Questions and Processes Healthcare Providers who use KBA)<br />
** Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197153OWASP Knowledge Based Authentication Performance Metrics Project2015-07-07T21:15:30Z<p>AnnElizabeth Racuya-Robbins: /* Main */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday July 13, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Questions for Conversation with Healthcare Providers who use KBA)<br />
** Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197020OWASP Knowledge Based Authentication Performance Metrics Project2015-07-05T21:24:26Z<p>AnnElizabeth Racuya-Robbins: /* AGENDA */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday July 6 29, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Questions for Conversation with Healthcare Providers who use KBA)<br />
** Ways Forward for KBA-PMP<br />
** Its time to ask for resources to support our project. Lets discuss.<br />
** KBA-PMP Data Collection if ready.<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=197019OWASP Knowledge Based Authentication Performance Metrics Project2015-07-05T19:43:06Z<p>AnnElizabeth Racuya-Robbins: /* Main */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday July 6 29, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=196479OWASP Knowledge Based Authentication Performance Metrics Project2015-06-22T17:09:56Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 29, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195900OWASP Knowledge Based Authentication Performance Metrics Project2015-06-08T15:00:16Z<p>AnnElizabeth Racuya-Robbins: /* http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
<!-- =='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''== --><br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 15, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195854OWASP Knowledge Based Authentication Performance Metrics Project2015-06-07T14:29:03Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 15, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195652OWASP Knowledge Based Authentication Performance Metrics Project2015-06-02T15:28:34Z<p>AnnElizabeth Racuya-Robbins: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195651OWASP Knowledge Based Authentication Performance Metrics Project2015-06-02T15:27:32Z<p>AnnElizabeth Racuya-Robbins: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet]]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195650OWASP Knowledge Based Authentication Performance Metrics Project2015-06-02T15:25:37Z<p>AnnElizabeth Racuya-Robbins: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
[[ASVS]]<br />
<br />
<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195649OWASP Knowledge Based Authentication Performance Metrics Project2015-06-02T15:23:34Z<p>AnnElizabeth Racuya-Robbins: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
ASVS<br />
<br />
<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195648OWASP Knowledge Based Authentication Performance Metrics Project2015-06-02T15:22:32Z<p>AnnElizabeth Racuya-Robbins: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
== Related Projects ==<br />
<!-- OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] --><br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195647OWASP Knowledge Based Authentication Performance Metrics Project2015-06-02T15:19:28Z<p>AnnElizabeth Racuya-Robbins: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195474OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:43:15Z<p>AnnElizabeth Racuya-Robbins: /* http://www.kba-pmp.org/dir /Visit Our Website kba-pmp.org */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir Visit Our Website KBA-PMP.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195473OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:41:45Z<p>AnnElizabeth Racuya-Robbins: /* Visit Our Website */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''[[http://www.kba-pmp.org/dir /Visit Our Website kba-pmp.org]]'''==<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195472OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:37:49Z<p>AnnElizabeth Racuya-Robbins: /* Visit Our Website */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Visit Our Website'''==<br />
[http://kba-pmp.org/dir]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195471OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:37:12Z<p>AnnElizabeth Racuya-Robbins: /* Our Website */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Visit Our Website'''==<br />
[http://kba-pmp.org]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195470OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:35:04Z<p>AnnElizabeth Racuya-Robbins: /* Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195469OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:33:25Z<p>AnnElizabeth Racuya-Robbins: /* Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195468OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:27:40Z<p>AnnElizabeth Racuya-Robbins: /* Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, the Netherlands. */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195467OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:22:15Z<p>AnnElizabeth Racuya-Robbins: /* News */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19-20, 2015 ==<br />
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, the Netherlands. ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195466OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:18:16Z<p>AnnElizabeth Racuya-Robbins: /* May 21, 2015 */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
<br />
<br />
== May 19-20, 2015 Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 == <br />
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, the Netherlands. ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195465OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:14:50Z<p>AnnElizabeth Racuya-Robbins: /* Talks */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
<br />
<br />
== May 19-20, 2015 Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
== May 21, 2015 Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features to KBA Performance Metrics. ==<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195464OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:14:13Z<p>AnnElizabeth Racuya-Robbins: /* News */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
<br />
<br />
== May 19-20, 2015 Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
<br />
<br />
<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195461OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T19:08:01Z<p>AnnElizabeth Racuya-Robbins: /* News */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
== May 19- 20, 2015 Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, The Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==<br />
<br />
= Talks =<br />
<br />
<br />
<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195460OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:56:35Z<p>AnnElizabeth Racuya-Robbins: /* News */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit at https://2015.appsec.eu/conference-program/ KBA-PMP<br />
<br />
= Talks =<br />
<br />
<br />
<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195459OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:49:16Z<p>AnnElizabeth Racuya-Robbins: </p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
<!--== Quick Download ==<br />
== In Print == --><br />
<br />
== Classification ==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195458OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:43:19Z<p>AnnElizabeth Racuya-Robbins: /* AGENDA */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome and Introductions <br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** KBA-PMP Standard Structure #3 - All<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
<br />
*'''Ongoing:'''<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195457OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:40:23Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
<br />
<br />
** ''If time allows''<br />
*** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195456OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:35:46Z<p>AnnElizabeth Racuya-Robbins: /* News and Events */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195455OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:33:18Z<p>AnnElizabeth Racuya-Robbins: /* News and Events */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== News and Events ==<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195454OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:31:19Z<p>AnnElizabeth Racuya-Robbins: /* News and Events */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195453OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:27:43Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday June 1, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=195452OWASP Knowledge Based Authentication Performance Metrics Project2015-05-28T18:26:32Z<p>AnnElizabeth Racuya-Robbins: KBA-PMP News</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday May 25, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
= News =<br />
<br />
= Talks =<br />
<br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= FAQs =<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=194436OWASP Knowledge Based Authentication Performance Metrics Project2015-05-04T20:19:21Z<p>AnnElizabeth Racuya-Robbins: /* Our Next Meeting */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday May 25, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=194336OWASP Knowledge Based Authentication Performance Metrics Project2015-05-02T18:03:00Z<p>AnnElizabeth Racuya-Robbins: /* Main */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday May 4, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** OWASP KBA Structure - Pilots KBA request All<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=194206OWASP Knowledge Based Authentication Performance Metrics Project2015-04-29T20:19:14Z<p>AnnElizabeth Racuya-Robbins: /* P */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday April 27, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** Harmonizing the name of our work KBA-PMP or KBA-PM and Infrastructure Update<br />
*** Framework and Structure ALL<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
*** Perspectives and Filters ALL<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
Performance Metrics<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=194205OWASP Knowledge Based Authentication Performance Metrics Project2015-04-29T20:18:26Z<p>AnnElizabeth Racuya-Robbins: /* S */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday April 27, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** Harmonizing the name of our work KBA-PMP or KBA-PM and Infrastructure Update<br />
*** Framework and Structure ALL<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
*** Perspectives and Filters ALL<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
Scalability<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=194204OWASP Knowledge Based Authentication Performance Metrics Project2015-04-29T20:12:08Z<p>AnnElizabeth Racuya-Robbins: /* KBA-PMP Best Practices */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA-PMP Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday April 27, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** Harmonizing the name of our work KBA-PMP or KBA-PM and Infrastructure Update<br />
*** Framework and Structure ALL<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
*** Perspectives and Filters ALL<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbinshttps://wiki.owasp.org/index.php?title=OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project&diff=194202OWASP Knowledge Based Authentication Performance Metrics Project2015-04-29T19:40:03Z<p>AnnElizabeth Racuya-Robbins: /* KBA-PMP Project Metrics */</p>
<hr />
<div>=Main=<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<br />
<br />
==What is KBA-PMP ==<br />
<br />
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication.<br />
<br />
=='''Collaborate'''==<br />
[[http://kba-pmp.org/dir/ Collaborate]]<br />
<br />
=='''KBA Best Practices'''==<br />
<br />
<!-- ==What is Knowledge Based Authentication? ==--><br />
<br />
<!-- Knowledge Based Authentication (KBA) is much more complex than the following description from Wikipedia might lead one to expect. In order to establish reliable and standard performance metrics these complexities will need to be identified and addressed.--><br />
<br />
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."--><br />
<br />
====KBA-PMP Project Supports the NSTIC Guiding Principles ====<br />
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.<br />
<br />
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:<br />
<br />
'''1. Identity solutions will be privacy-enhancing and voluntary.'''<br />
<br />
<!--The Identity Ecosystem will be grounded in a holistic, integrated implementation of the Fair Information Practice Principles to promote the creation and adoption of policies and standards that are privacy-enhancing, including the preservation of the capacity to engage in anonymous and pseudonymous activities online. Ideally, identity solutions within the Identity Ecosystem should preserve the positive privacy benefits associated with offline identity-related transactions while mitigating some of the negative privacy aspects. Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them. Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party. Individuals’ participation in the Identity Ecosystem will be a day-to-day—or even a transaction-to-transaction—choice.--><br />
<br />
'''2. Identity solutions will be secure and resilient.'''<br />
<br />
<!--Identity solutions within the Identity Ecosystem will provide secure and reliable methods of electronic authentication by being grounded in technology and security standards that are open and collaboratively developed with auditable security processes. Credentials within the Identity Ecosystem are: issued based on sound criteria for verifying the identity of individuals and devices, when appropriate; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements. Identity solutions must detect when trust has been broken, be capable of timely restoration after any disruption, be able to quickly revoke and recover compromised digital identities, and be capable of adapting to the dynamic nature of technology.--><br />
<br />
'''3. Identity solutions will be interoperable.'''<br />
<br />
<!--Interoperability encourages and enables service providers to accept a wide variety of credentials and enables users to take advantage of different credentials to assert their identity online. Two types of interoperability are recognized in the Identity Ecosystem: technical interoperability is the ability for different technologies to communicate and exchange data based upon well-defined and testable interface standards; policy-level interoperability is the ability for organizations to adopt common business policies and processes.--><br />
<br />
'''4. Identity solutions will be cost-effective and easy to use.'''<br />
<br />
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.--><br />
<br />
==Licensing==<br />
<br />
Creative Commons Attribution ShareAlike 3.0 License<br />
<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
<!-- == What is OWASP KBA-PMP Project? == --><br />
<br />
== Project Leaders ==<br />
<br />
* [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
== Project Manager Scrum Leader ==<br />
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]<br />
<br />
=== Join our Mailing List ===<br />
<br />
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br><br />
<br />
=== Follow us on Twitter ===<br />
<br />
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br><br />
<br />
== Our Next Meeting ==<br />
<br />
<!-- ==== WHEN ==== --><br />
<br />
==== Monday April 27, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====<br />
<br />
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]--><br />
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']<br />
<br />
==== AGENDA ====<br />
All Meetings are Open and All are Welcome<br />
<br />
* Welcome <br />
** Introductions<br />
** Discussion on: (We can decide/confirm the order of discussion at the top of meeting)<br />
*** Harmonizing the name of our work KBA-PMP or KBA-PM and Infrastructure Update<br />
*** Framework and Structure ALL<br />
**** Integrating where appropriate OWASP ASVS and SAMM and engaging the larger OWASP community<br />
*** NIST SP 800-63-2<br />
*** Perspectives and Filters ALL<br />
<br />
** ''If time allows''<br />
**** Identity Proofing Contextual Article/NIST SP 800-63-2 Eauthentication<br />
**** New approaches to KBA metrics <br />
**** Feedback from US National Science Foundation's (NSF) Bahvani (from NIST Big Data Public Working Group - NBDPWG) on challenges to Multi-Factor Authentication (MFA)<br />
****Update on Project Infrastructure<br />
<br />
*'''Ongoing:'''<br />
* International Participants<br />
* Outreach to KBA Providers and other Stakeholders Continues<br />
* Application to Conference in Amsterdam Update<br />
** https://2015.appsec.eu/call-for-papers/<br />
** https://2015.appsec.eu/call-for-research/<br />
** Distributing Recorded Meetings?<br />
<br />
*Next Steps: Tasks<br />
*Adjourn<br />
<br />
==== WHERE ====<br />
<br />
GoToMeeting<br />
'''https://www3.gotomeeting.com/join/642177878'''<br />
'''Access Code: 642-177-878'''<br />
<br />
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.<br />
Dial +1 (571) 317-3112<br />
Audio PIN: Shown after joining the meeting<br />
Meeting ID: 642-177-878<br />
GoToMeeting® <br />
Online Meetings Made Easy®<br />
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app<br />
<br><br />
<br />
<br />
<br />
<!-- == Previous Meeting(s)==<br />
<br />
Fill in information on past meeting(s), links to slides, pictures, etc.--><br />
<br />
<!-- == Presentation == --><br />
<br />
<!-- == Project Leaders == --><br />
<br />
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]<br />
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] --><br />
<br />
== Related Projects ==<br />
OWASP Security Labeling System Project<br />
<br />
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]<br />
<br />
OWASP NIST NSTIC Initiative<br />
<br />
== KBA-PMP Project Metrics ==<br />
<!-- https://www.openhub.net/accounts/KBAOpenHub <br />
A performance metrics tool for the KBA-PMP--><br />
https://github.com/KBA-PMP-ADMIN<br />
<br />
== Quick Download ==<br />
<br />
<br />
<br />
== News and Events ==<br />
<br />
<br />
<br />
== In Print ==<br />
<br />
<br />
==Classifications==<br />
<br />
<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="2"| [[File:New projects.png|100px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]<br />
|-<br />
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]] <br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_DOC.jpg|link=]] <br />
|}<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
<br />
<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. <br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator. <br />
<br />
= Acknowledgements =<br />
<br />
==Contributors==<br />
<br />
Ann Racuya-Robbins Project Co-Leader<br />
<br />
Luis Enriquez Project Co-Leader<br />
<br />
= Road Map - Time Line =<br />
<br />
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project<br />
<br />
Goals - To meet the requirements of the IDESG KBA Solicitation:<br />
<br />
'''KBA PROJECT PHASES''' (PROPOSAL)<br />
Dear KBA collegues, we propose an action plan divided in the following phases:<br />
<br />
'''FIRST PHASE: SCANNING THE MARKET'''<br />
The goal of this first phase, is to understand how KBA is working today (static and dynamic), and<br />
how KBA methodologies have been implemented by KBA providers. I think this a good departure<br />
point.<br />
*1. Footprinting the KBA market providers.<br />
*2. Identifying the KBA product providers used by the main market players.<br />
*3. Identifying the advantages and drawbacks of KBA provider's methodology.<br />
*4. Draw the document's structure.<br />
**Complete document structure v1<br />
*5. Initial Timeline <br />
*5. Launch Participant Outreach<br />
<br />
'''SECOND PHASE: DEVELOPMENT'''<br />
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be<br />
necessary to have our own platform for testing purposes. This will give us the right perspective about<br />
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest<br />
building an open wiki, to get community feedback.<br />
*1. Setting an Application for KBA testing purposes.<br />
*2. Build an open wiki for community feedback.<br />
*3. Test the KBA proposals in our test application.<br />
*4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).<br />
<br />
'''THIRD PHASE: EDITION'''<br />
This phase is very important, as it concerns the text edition. Once all proposals have being tested in our<br />
lab, we should translate them into a clear document.<br />
*1. Edit the contents of the sources (sources such as the wiki).<br />
*2. Release the version 1.0. and license it under the terms of a suitable license.<br />
<br />
Initial Overview<br />
# Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.<br />
# Develop Opinion polls, foundations' research, interviews, perspectives on project, input from communities outside of the networks.<br />
# Survey and research other standards groups and their interests.<br />
# Phase I footprinting<br />
# Phase II Development<br />
# Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.<br />
# Research Licensing models //<br />
<br />
<br />
= Research Papers =<br />
<br />
'''1. Knowledge Based Authentication: Paradigms and Challenges '''<br />
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"<br />
<br />
= Glossary =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
= KBA Concepts =<br />
<br />
{{taggedDocument<br />
| type=partialOld <br />
| mode=silent <br />
}} <br />
{{compactTOC}}<br />
<br />
{{SecureSoftware}}<br />
<br />
==0–9==<br />
<br />
==A==<br />
<br />
==B==<br />
<br />
==C==<br />
<br />
==D==<br />
<br />
==E==<br />
<br />
==F==<br />
<br />
==G==<br />
<br />
==H==<br />
<br />
==I==<br />
<br />
==J==<br />
<br />
==K==<br />
<br />
==L==<br />
<br />
==M==<br />
<br />
==N==<br />
<br />
==O==<br />
<br />
==P==<br />
<br />
==Q==<br />
<br />
==R==<br />
<br />
==S==<br />
<br />
==T==<br />
<br />
==U==<br />
<br />
==V==<br />
<br />
==W==<br />
<br />
==X==<br />
<br />
==Y==<br />
<br />
==Z==<br />
<br />
<br />
<!-- DO NOT ALTER OR REMOVE THE TEXT ON NEXT LINE --><br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]</div>AnnElizabeth Racuya-Robbins