Difference between revisions of "OWASP Knowledge Based Authentication Performance Metrics Project"

From OWASP
(KBAPM Project Supports the NSTIC Guiding Principles)
(AGENDA)
 
(115 intermediate revisions by 3 users not shown)
Line 7: Line 7:
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
 +
== News and Events ==
 +
Our first KBAPMP draft is finished. It is temporary hosted at github: [https://github.com/luisenriquez/kbapmp  KBAPMP_DRAFT]. We are building a dynamic KBA sandbox for testing purposes. We need contributors.
 +
 +
KBAPMP Archive: Please see the [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#News News] and [https://www.owasp.org/index.php/OWASP_Knowledge_Based_Authentication_Performance_Metrics_Project#Talks Talks] tabs
  
 +
==What is KBA-PMP ==
  
==The KBAPM Project==
+
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication, following a transnational perspective.
  
There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBAPMP's goal is to establish standard performance metrics for knowledge based authentication.
 
  
=='''The KBA Paradigms and Challenges'''==
 
  
=='''KBA Best Practices'''==
+
=='''KBA-PMP Best Practices'''==
  
 
<!-- ==What is Knowledge Based Authentication? ==-->
 
<!-- ==What is Knowledge Based Authentication? ==-->
Line 23: Line 26:
 
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."-->
 
<!--From Wikipedia— "Knowledge-based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a website. As the name suggests, KBA requires the knowledge of personal information of the individual to grant access to the protected material. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information."-->
  
====KBAPM Project Supports the NSTIC Guiding Principles ====
+
<!-- In this project, we are focused on Dynamic KBA. However the methodology described here can also be suitable for static KBA. Data is such a broad category. We live in the Big Data era, and information is gold. Today, KBA service providers can get data sources from public records, social networks, and many others. Tose sources can be used for remote identity proofing.
KBAPM Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBAPM Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.
+
 
 +
However, legal restrictions such as personal data protection and the right of privacy, are legal restrictions in the fields of data transfers to third countries, data retention, data processing, and so on. The methodology established on this standard tries to solve these privacy issues.
 +
 
 +
====KBA-PMP Project Supports the NSTIC Guiding Principles ====
 +
KBA-PMP Project is dedicated to developing KBA Standards in alignment the the NSTIC Guiding Principle. To that end KBA-PMP Project has answered the IDESG Standards Committee Solicitation to develop Knowledge Based Authentication Performance Metrics Standards.
  
 
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:
 
The IDESG, its components, and its members shall at all times operate in accordance with four Guiding Principles set forth in the NSTIC. They are:
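Review bot: the HTML comment opened at `<!-- In this project, we are focused on Dynamic KBA` is never closed in the added lines, so the new `====KBA-PMP Project Supports the NSTIC Guiding Principles ====` heading and its paragraph fall inside the comment; the latest revision further down the page shows no such heading under "KBA-PMP Best Practices". Close the comment with `-->` after "tries to solve these privacy issues." so the section renders. The added text also carries "Tose sources" and "in alignment the the NSTIC Guiding Principle", which should read "Those sources" and "in alignment with the NSTIC Guiding Principles".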
Line 43: Line 50:
  
 
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.-->
 
<!--The Identity Ecosystem will promote identity solutions that enable individuals to use a smaller number of identity credentials across a wide array of service providers. These identity solutions must be cost-effective for users, identity and attribute providers, and relying parties. Furthermore, identity solutions should be simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training.-->
 +
 +
== Related Projects ==
 +
<!-- OWASP Security Labeling System Project
 +
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project] -->
 +
 +
[[ASVS]]
 +
 +
[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]
 +
 +
OWASP NNI (NIST NSTIC IDESG) Initiative: https://www.owasp.org/index.php/OWASP_NNI_Initiative
  
 
==Licensing==
 
==Licensing==
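Review bot: the cheat sheet link in the added Related Projects section mixes internal and external link syntax (`[[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet] Choosing and Using Security Questions Cheat Sheet]`), and the latest revision renders it literally as "[[1] Choosing and Using Security Questions Cheat Sheet]". Use single brackets with the label inside them, `[https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet Choosing and Using Security Questions Cheat Sheet]`, or an internal link in the same form as `[[ASVS]]`.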
Line 53: Line 70:
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
  
<!-- == What is OWASP KBAPM Project? == -->
+
<!-- == What is OWASP KBA-PMP Project? == -->
  
 
== Project Leaders ==
 
== Project Leaders ==
  
 
* [mailto:luis.enriquez@owasp.org Luis Enriquez]
 
* [mailto:luis.enriquez@owasp.org Luis Enriquez]
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]
+
* [mailto:bev.corwin@owasp.org Bev Corwin]
  
== Project Manager ==
 
* [mailto:ann.racuya.robbins@owasp.org Ann Racuya-Robbins]
 
  
 
===  Join our Mailing List ===
 
===  Join our Mailing List ===
Line 67: Line 82:
 
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br>
 
[https://lists.owasp.org/mailman/listinfo/owasp_kbapm_project Mailing List]<br>
  
=== Follow us on Twitter ===
 
  
[https://twitter.com/owasp_kbapmp @OWASP_KBAPMP]<br>
 
  
== Our Next Meeting ==
+
=== Standard DRAFT ===
 +
 
  
<!-- ==== WHEN ==== -->
+
[https://github.com/luisenriquez/kbapmp KBAPMP] <br>
  
==== Monday March 23, 2015 at 11:00 AM - 12:30 PM US Eastern Time ====
 
Our Meetings are Open and All are Welcome to Attend
 
  
<!--//'''Previous Meeting Minutes''' <!--[[https://www.owasp.org/index.php/KBAPM_Meeting_Notes#KBAPM_Meeting_Notes_20150112]]-->
 
*[https://www.dropbox.com/s/a8mm4msrkg9s6z5/2015-02-23%2011.20%20OWASP%20KBAPMP.mp3?dl=0 '''RECORDING of CONVERSATION with CRYPTOGRAPHER BILL BURR''']
 
  
 
==== AGENDA ====
 
==== AGENDA ====
  
Welcome
+
We will be presenting the KBAPMP standard at the OWASP APP SEC USA 2016 in Washington between October 11th and October 14th. For more information about the OWASP APP Sec USA 2016, please visit this link: [https://2016.appsecusa.org/ USA_APPSEC_2016]
 
 
*'''Discussions:'''
 
** Building a KBA Evaluation Structure and Testing Methodology
 
** KBA Questions
 
** Outreach to KBA Providers and other Stakeholders Continues
 
  
*'''Ongoing:'''
 
*International Participants
 
*Discuss and Document Tools/Ways Update
 
*Information Management Update
 
*Blog Article Update
 
*Application to Conference in Amsterdam Update
 
**https://2015.appsec.eu/call-for-papers/
 
**https://2015.appsec.eu/call-for-research/
 
  
*Take aways: Tasks
+
All Meetings are Open and All are Welcome
*Schedule next meeting
 
*Adjourn
 
  
==== WHERE  ====
+
== KBA-PMP Project Metrics ==
 +
<!-- [https://github.com/luisenriquez/kbapmp]
 +
We are working on a ruby based performance metrics demo for the KBA-PMP standard-->
  
GoToMeeting
 
'''https://www3.gotomeeting.com/join/642177878'''
 
'''Access Code: 642-177-878'''
 
 
2. Use your microphone and speakers (VoIP) - a headset is recommended. Or, call in using your telephone.
 
Dial +1 (571) 317-3112
 
Audio PIN: Shown after joining the meeting
 
Meeting ID: 642-177-878
 
GoToMeeting®
 
Online Meetings Made Easy®
 
Not at your computer? Click the link to join this meeting from your iPhone®, iPad® or Android® device via the GoToMeeting app
 
<br>
 
 
 
 
<!-- == Previous Meeting(s)==
 
 
Fill in information on past meeting(s), links to slides, pictures, etc.-->
 
 
<!-- == Presentation == -->
 
 
<!-- == Project Leaders == -->
 
 
<!-- * [mailto:luis.enriquez@owasp.org Luis Enriquez]
 
* [mailto:ann.racuya-robbins@owasp.org Ann Racuya-Robbins] -->
 
 
== Related Projects ==
 
OWASP Security Labeling System Project
 
 
[https://www.owasp.org/index.php/Projects/OWASP_Security_Labeling_System_Project]
 
 
OWASP NIST NSTIC Initiative
 
 
== KBAPM Project Metrics ==
 
https://www.openhub.net/accounts/KBAOpenHub
 
A performance metrics tool for the KBAPM Project
 
 
== Quick Download ==
 
 
 
 
== News and Events ==
 
 
 
 
== In Print ==
 
 
 
==Classifications==
 
  
 +
<!--== Quick Download ==
 +
== [https://github.com/luisenriquez/kbapmp] == -->
  
 +
== Classification ==
  
 
   {| width="200" cellpadding="2"
 
   {| width="200" cellpadding="2"
Line 168: Line 119:
 
|}
 
|}
  
=FAQs=
+
= News =
 
 
 
 
 
 
  
==How can I participate in your project?==
+
== September 23, 2016 ==
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.
 
  
==If I am not a programmer can I participate in your project?==
+
== Knowledge Based Authentication Performance Metrics Project (KBA-PMP) will be at AppSecUSA in Washington DC USA, October 11-14, 2016 for the OWASP Project Summit, for details see https://2016.appsecusa.org ==
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.  
 
 
 
= Acknowledgements =
 
  
==Contributors==
+
== April 20, 2016 ==
  
 +
First draft is released on github. We are closing our Second Phase. Now is time to Debug and test.
  
 +
== Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/. ==
  
 +
= Talks =
 +
== May 21, 2015 ==
 +
== Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project's current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/ ==
  
= Road Map and Time Line =
+
= Road Map - Time Line =
  
OWASP KBAPMP - Knowledge Based Authentication Performance Metrics Project
+
OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project
  
 
Goals - To meet the requirements of the IDESG KBA Solicitation:
 
Goals - To meet the requirements of the IDESG KBA Solicitation:
Line 209: Line 158:
 
'''SECOND PHASE: DEVELOPMENT'''
 
'''SECOND PHASE: DEVELOPMENT'''
 
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be
 
Once the advantages and drawbacks of the KBA market have been clearly identified, it would be
necessary to have our own plattform for testing purposes. This will give us the right perspective about
+
necessary to have our own platform for testing purposes. This will give us the right perspective about
 
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest
 
developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest
 
building an open wiki, to get community feedback.
 
building an open wiki, to get community feedback.
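Review bot: the News and Talks entries put whole announcement sentences, URLs included, inside level-2 heading markup (for example `== Knowledge Based Authentication Performance Metrics Project (KBA-PMP) will be at AppSecUSA ... ==`), which makes them table-of-contents entries and section anchors rather than body text. Keep only the date in the heading and move the sentence below it as a normal paragraph. The Amsterdam Project Summit item links to 2015.appsec.eu but has no date heading of its own and sits directly under `== April 20, 2016 ==`; give it its own date heading.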
Line 232: Line 181:
 
# Research Licensing models //
 
# Research Licensing models //
  
 +
 +
= Research Papers =
 +
 +
'''1. Knowledge Based Authentication: Paradigms and Challenges '''
 +
https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing"
 +
 +
 +
= Acknowledgements =
 +
 +
== Current Contributors==
 +
 +
Luis Enriquez <br>
 +
Robert Faron <br>
 +
Bev Corwin <br>
 +
Noreen Whysel <br>
 +
 +
= FAQs =
 +
 +
==How can I participate in your project?==
 +
All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.
 +
 +
==If I am not a programmer can I participate in your project?==
 +
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.
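Review bot: the Google Drive link added under Research Papers ends with a stray double quote (`...view?usp=sharing"`), which becomes part of the URL as written; drop the trailing `"`. The FAQ text is moved here unchanged and still has "Project Leader's", "the Leader's" and "meet it's goals", which should be "Project Leaders", "the Leaders" and "its goals", and "different times during its development" reads as if "at different times" was intended.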
  
  

Latest revision as of 23:00, 26 September 2016


News and Events

Our first KBAPMP draft is finished. It is temporarily hosted on GitHub: KBAPMP_DRAFT. We are building a dynamic KBA sandbox for testing purposes. We need contributors.

KBAPMP Archive: Please see the News and Talks tabs

What is KBA-PMP

There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication, following a transnational perspective.


KBA-PMP Best Practices

2. Identity solutions will be secure and resilient.


3. Identity solutions will be interoperable.


4. Identity solutions will be cost-effective and easy to use.


Related Projects

ASVS

Choosing and Using Security Questions Cheat Sheet

OWASP NNI (NIST NSTIC IDESG) Initiative: https://www.owasp.org/index.php/OWASP_NNI_Initiative

Licensing

Creative Commons Attribution ShareAlike 3.0 License



Project Leaders


Join our Mailing List

Mailing List


Standard DRAFT

KBAPMP


AGENDA

We will be presenting the KBAPMP standard at the OWASP APP SEC USA 2016 in Washington between October 11th and October 14th. For more information about the OWASP APP Sec USA 2016, please visit this link: USA_APPSEC_2016


All Meetings are Open and All are Welcome

KBA-PMP Project Metrics

Classification
