Protecting apps and APIs using Nordic eIDs

•Als PPTX, PDF herunterladen•

1 gefällt mir•844 views

Erik Wahlström

Technologie

Erik Wahlström
Technology Strategist
9/19/2013
2
Protecting your Applications and
APIs with Nordic e-IDs

Erik Wahlström
Technology Strategist
9/19/2013
3
Todays topics
 eIDs is in the news.
 What is an eID?
 What are the Nordic eID?
 Three ways to use your eIDs to protect apps and APIs.

Erik Wahlström
Technology Strategist
9/19/2013
4
What is a eID?
 Digital passport to authenticate and sign.
 Issued or trusted by governments.
 Legally binding.

Erik Wahlström
Technology Strategist
9/19/2013
5

Erik Wahlström
Technology Strategist
9/19/2013
6
Smartcards or eIDs on file

Erik Wahlström
Technology Strategist
9/19/2013
7
Software based OTPs.

Erik Wahlström
Technology Strategist
9/19/2013
8
Tupas.

Erik Wahlström
Technology Strategist
9/19/2013
9
API based.

Erik Wahlström
Technology Strategist
9/19/2013
10
What’s up next?
 New platform for Swedish BankID.
 SAML based identity federations like eID2.
 New projects in Norway and Finland.

Erik Wahlström
Technology Strategist
9/19/2013
11
How to protect an API using eID?
 Web based APIs.
 Protocol handlers.
 Use browsers and OAuth2.
 A token can be anything.
 Alternatives to call an API:
 Swedish Mobile BankID.
 OAuth2 to authenticate using any other type of eID.
 Bind two devices together to use smartcards on
smartphones.

Erik Wahlström
Technology Strategist
9/19/2013
12
Alternative one – Swedish Mobile BankID

Erik Wahlström
Technology Strategist
9/19/2013
13

Erik Wahlström
Technology Strategist
9/19/2013
14
bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz

Erik Wahlström
Technology Strategist
9/19/2013
15

Erik Wahlström
Technology Strategist
9/19/2013
16
nexus://state=xyz

Erik Wahlström
Technology Strategist
9/19/2013
17

Erik Wahlström
Technology Strategist
9/19/2013
18
Swedish Mobile BankID
Deep dive

Erik Wahlström
Technology Strategist
9/19/2013
19
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
20
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
21
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
22
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
23
bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
24
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
25
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
26
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
27
nexus://state=xyz
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
28
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
29
Personal number
Authentication
Collect
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
30
Alternative two – Others eIDs

Erik Wahlström
Technology Strategist
9/19/2013
31
Use your browser to authenticate
using any eID
 OAuth2 industry standard to protect APIs.
 Define a way to get a authorization to use an API.
 A token or two is good.
 Use the token to access the API.
 Use OAuth2 and a browser dance to authenticate.
 Enables any method and eIDaaS.

Erik Wahlström
Technology Strategist
9/19/2013
32

Erik Wahlström
Technology Strategist
9/19/2013
33
https://example.com/oauth2?
response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F%
2Fauthorization&scope=api&state=xyz

Erik Wahlström
Technology Strategist
9/19/2013
34

Erik Wahlström
Technology Strategist
9/19/2013
35
nexus://authorization?code=oauth2grant&stat
e=xyz

Erik Wahlström
Technology Strategist
9/19/2013
36
Other eIDs
Deep dive

Erik Wahlström
Technology Strategist
9/19/2013
37
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
38
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
39
Token
Question

Erik Wahlström
Technology Strategist
9/19/2013
40
Alternative three – eID on other device

Erik Wahlström
Technology Strategist
9/19/2013
41
Use an eID on another device
 Put the rather sad user to work.
 Connect two devices.
 Refresh tokens makes it usable.

Erik Wahlström
Technology Strategist
9/19/2013
42

Erik Wahlström
Technology Strategist
9/19/2013
43

Erik Wahlström
Technology Strategist
9/19/2013
44

Erik Wahlström
Technology Strategist
9/19/2013
45
Final words

Erik Wahlström
Technology Strategist
9/19/2013
46
Final words
 BYOD and consumerization.
 eIDaaS and OAuth2 for best coverage.
 Refresh tokens is not always ok.
 WebCrypto is cool.

Erik Wahlström
Technology Strategist
9/19/2013
47
Thanks!
 @erik_wahlstrom
 erik.wahlstrom@nexusgroup.com

Weitere ähnliche Inhalte

Ähnlich wie Protecting apps and APIs using Nordic eIDs

According to #TechSci Research Report- Vietnam Cyber Security market was valued at USD0.142 billion in 2020 and is projected to grow around USD0.350 billion by 2026 owing to the proliferation of technologies such as cloud-based systems, rising big data demand and increasing usage of internet of things and social media Report URL : https://www.techsciresearch.com/report/vietnam-cybersecurity-market/7793.html #marketresearch #consultingfirms #marketintelligence

Vietnam cyber security market size, shre & market forecast 2016 2026

TechSci Research

Paranoia or risk management 2013

Henrik Kramshøj

Fuelling Digital Innovation - Webinar Deck

The Digital Insurer

The state of cybersecurity in Switzerland - FinTechDay 2017

Tiago Henriques

UK Government identity initiatives since the late 1990s - IDnext 2015

Jerry Fishenden

Smart maintenance of security has emerged as a cardinal concern for any personnel systems, especially for an individuals dwelling place. Over the last decade, the rapid rise of burglary and theft all over the world is threatening due to the vulnerability of traditional home security systems. According to Knoema.com, a company which deals with data. Netherland is the top most country with highest rate of burglary. Looking at the statistics, It is very important to create a safe and secured home environment to avoid theft and burglary. The only thing that is with us all time in today’s world is our smartphone. We can carry out Remote monitoring and security of house using a mobile application. It will help us to check security and monitor our homes from any corner of the world just using an internet connection.

Secured home with 3 factor authentication using android application

Iliyas Khan

Military Enlists Digital Twin Technology to Secure Chips

TJR Global

Cyber security is a prime concern for every business nowadays. Currently, most of the government and private company are using digital platform such as desktop, mobile and application for information transferring. Important information such as financial transaction, healthcare data, and personal information recorded online. To protect user data transmission SSL certificate provider as a secure data transfer device to avoid data loss through hackers and malware.

Top SSL Certificate Providers for Your Business

ClickSSL

CIO Roundtable IOT

Jim Sutter

CIO RoundtableIot IOT

James Sutter

IoT World Forum Press Conference - 10.14.2014

Bessie Wang

Accelerating the creation and deployment of e-Government services by ensuring...

Secure Identity Alliance

Blockchain Devices.pdf

RonnyMartine

Trends in IRM: Internet of Things

ForgeRock

20161201 witdom bdva summit

Elsa Prieto

Smart lock market

ameliasimon0

The potential trillion dollar Internet of Things (IoT) business opportunity rests precariously on one critical factor – security. 71% of executives in our survey agreed that security concerns will influence customers’ purchase decision for IoT products. However, despite increasing cyber attacks and ample warning from security experts, most organizations do not provide adequate security and privacy safeguards for their IoT products. In fact, only 33% of IoT executives in our survey believe that the IoT products in their industry are highly resilient to cyber security attacks. Further, despite rising consumer concerns regarding data privacy, 47% of organizations do not provide any privacy related information regarding their IoT products. So, why are organizations lagging behind in securing their IoT products and systems? Key reasons for this include an expanded attack surface, inefficiencies in the IoT product development process, and the lack of specialized security skill-sets. For instance, our survey showed that only 48% of companies focus on securing their IoT products from the beginning of the product development phase. Building a secure IoT system begins with the recognition that security needs to be as much of a priority as the features and functionality of an IoT product. The report highlights the key measures that organizations must take in order to put security at the core of their IoT value proposition.

Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...

Capgemini

Securing the internet of things opportunity putting cybersecurity at the hear...

Rick Bouter

SecureMAG Volume 6 - 2014

Chin Wan Lim

Security In an IoT World

syrinxtech

Ähnlich wie Protecting apps and APIs using Nordic eIDs (20)

Vietnam cyber security market size, shre & market forecast 2016 2026

Paranoia or risk management 2013

Fuelling Digital Innovation - Webinar Deck

The state of cybersecurity in Switzerland - FinTechDay 2017

UK Government identity initiatives since the late 1990s - IDnext 2015

Secured home with 3 factor authentication using android application

Military Enlists Digital Twin Technology to Secure Chips

Top SSL Certificate Providers for Your Business

CIO Roundtable IOT

CIO RoundtableIot IOT

IoT World Forum Press Conference - 10.14.2014

Accelerating the creation and deployment of e-Government services by ensuring...

Blockchain Devices.pdf

Trends in IRM: Internet of Things

20161201 witdom bdva summit

Smart lock market

Securing the Internet of Things Opportunity: Putting Cybersecurity at the Hea...

Securing the internet of things opportunity putting cybersecurity at the hear...

SecureMAG Volume 6 - 2014

Security In an IoT World

Kürzlich hochgeladen

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx

FIDO Alliance

Using IESVE for Room Loads Analysis - UK & Ireland

IES VE

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx

MasterG

Syngulon’s technology expands the capacity for selection of microorganisms. The ability to select individual microbes with a behavior of interest is essential, whether for simple cloning at the bench, or for industry-scale production. Synthetic biology uses the concept of “bioengineering” to improve or modify existing genetic systems to create microbes with desired behaviors, and Syngulon uses this approach to develop its selection technologies. This selection technology is based on bacteriocins, ribosomally-produced peptides naturally made by most bacteria to kill competitive microbial species. These bacteriocins can have a limited or wide target range against other microbial species. This technology offers advantageous over antibiotic selection for several reasons: it avoids the use of antibiotics in the first place, helping to reduce the spread of antibiotic resistant microbes. The technology also increases product yield; as bacteriocins are generally smaller peptides, they do not impose a heavy metabolic burden on the producing cell. They can have a wide target specificity, helping to avoid genetic drift. Finally, our system is 100% plasmid-based (e.g. without chromosomal mutations), making it applicable for use in any E. coli strains.

Syngulon - Selection technology May 2024.pdf

Syngulon

Generative AI refers to a class of machine learning algorithms that are designed to generate new data samples that are similar to those in the training data. Unlike traditional AI models that are trained to recognize patterns and make predictions, generative AI models have the ability to create entirely new data based on the patterns they have learned. This is achieved through techniques such as generative adversarial networks (GANs), variational autoencoders (VAEs), and transformer architectures, among others.

Generative AI Use Cases and Applications.pdf

alexjohnson7307

Revolutionizing SAP® Processes with Automation and Artificial Intelligence

Precisely

In today's digital world, trust is key to customer relationships, but keeping it is a huge challenge. Customers are well-informed and empowered, quick to change brands if their trust is broken, even if it costs them more. This puts a lot of pressure on organizations to handle trust and safety issues with great care and transparency. The challenge, however, is real. Fragmented solutions have left privacy, legal, and security teams in a perpetual cycle of catch-up, struggling to update privacy notices, manage customer data rights, and answer lengthy security questionnaires—all while trying to prove ROI to the business. It's a thankless job, filled with repetition, tedious tasks, and constant interdepartmental coordination. Combine this with fast regulatory changes and the quick evolution of AI, and it becomes overwhelming. Join this webinar to learn more about TrustArc's new innovative solution Trust Center, the only unified, no-code online hub for trust and safety information built for privacy, security, compliance, and legal teams. Trust Center streamlines your path to compliance, shortens the pre-sales cycle, and reduces both legal and regulatory risks, saving time, effort, and cost. This webinar will review: - Why companies are building unified Trust Centers for a robust privacy program. - How unified Trust Centers streamline sales cycles, ensure regulatory compliance, and reduce operational bottlenecks. - How compliance, legal, security, GRC, and privacy teams benefit from a unified Trust Center in terms of needs, pains, and outcomes. - How TrustArc Trust Center saves time and work while reducing legal, reputational, and compliance risk by effectively managing policies, notices, terms, and disclosures, and providing real-time updates on subprocessors.

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...

TrustArc

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?

Paolo Missier

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

2024 May Patch Tuesday

Ivanti

Overview of Hyperledger Foundation

Hyperleger Tokyo Meetup

Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...

ScyllaDB

Working together SRE & Platform Engineering

Marcus Vechiato

Ruby has a lot of standard libraries from Ruby 1.8. I promote them democratically with GitHub today via default and bundled gems. So, I'm working to extract them for Ruby 3.4 continuously and future versions. It's long journey for me. After that, some versions may suddenly happen LoadError at require when running bundle exec or bin/rails, for example matrix or net-smtp. We need to learn what's difference default/bundled gems with standard libraries. In this presentation, I will introduce what's the difficult to extract bundled gems from default gems and the details of the functionality that Ruby's require and bundle exec with default/bundled gems. You can learn how handle your issue about standard libraries.

Long journey of Ruby Standard library at RubyKaigi 2024

Hiroshi SHIBATA

WebRTC and SIP not just audio and video @ OpenSIPS 2024

Lorenzo Miniero

WebAssembly is Key to Better LLM Performance

Samy Fodil

Intro to Passkeys and the State of Passwordless.pptx

FIDO Alliance

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Leah Henrickson

Because observability is such a broad topic – and often something we learn on the job – it can feel like there’s too much to learn at once. But you don’t have to tackle everything and can start with the basics and build from there! Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. No matter what tooling is in place, there are still observability fundamentals that developers should know. That’s why I’ve put together a primer on the different telemetry types, when to use them, how to understand the data journey, and what to look for in time series graphs.

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)

Paige Cruz

Portal Kombat : extension du réseau de propagande russe

中央社

The Metaverse: Are We There Yet?

Mark Billinghurst

Kürzlich hochgeladen (20)

Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx

Using IESVE for Room Loads Analysis - UK & Ireland

Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx

Syngulon - Selection technology May 2024.pdf

Generative AI Use Cases and Applications.pdf

Revolutionizing SAP® Processes with Automation and Artificial Intelligence

TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...

(Explainable) Data-Centric AI: what are you explaininhg, and to whom?

2024 May Patch Tuesday

Overview of Hyperledger Foundation

Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...

Working together SRE & Platform Engineering

Long journey of Ruby Standard library at RubyKaigi 2024

WebRTC and SIP not just audio and video @ OpenSIPS 2024

WebAssembly is Key to Better LLM Performance

Intro to Passkeys and the State of Passwordless.pptx

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Observability Concepts EVERY Developer Should Know (DevOpsDays Seattle)

Portal Kombat : extension du réseau de propagande russe

The Metaverse: Are We There Yet?

Protecting apps and APIs using Nordic eIDs

1. Erik Wahlström Technology Strategist 9/19/2013 1

2. Erik Wahlström Technology Strategist 9/19/2013 2 Protecting your Applications and APIs with Nordic e-IDs

3. Erik Wahlström Technology Strategist 9/19/2013 3 Todays topics  eIDs is in the news.  What is an eID?  What are the Nordic eID?  Three ways to use your eIDs to protect apps and APIs.

4. Erik Wahlström Technology Strategist 9/19/2013 4 What is a eID?  Digital passport to authenticate and sign.  Issued or trusted by governments.  Legally binding.

5. Erik Wahlström Technology Strategist 9/19/2013 5

6. Erik Wahlström Technology Strategist 9/19/2013 6 Smartcards or eIDs on file

7. Erik Wahlström Technology Strategist 9/19/2013 7 Software based OTPs.

8. Erik Wahlström Technology Strategist 9/19/2013 8 Tupas.

9. Erik Wahlström Technology Strategist 9/19/2013 9 API based.

10. Erik Wahlström Technology Strategist 9/19/2013 10 What’s up next?  New platform for Swedish BankID.  SAML based identity federations like eID2.  New projects in Norway and Finland.

11. Erik Wahlström Technology Strategist 9/19/2013 11 How to protect an API using eID?  Web based APIs.  Protocol handlers.  Use browsers and OAuth2.  A token can be anything.  Alternatives to call an API:  Swedish Mobile BankID.  OAuth2 to authenticate using any other type of eID.  Bind two devices together to use smartcards on smartphones.

12. Erik Wahlström Technology Strategist 9/19/2013 12 Alternative one – Swedish Mobile BankID

13. Erik Wahlström Technology Strategist 9/19/2013 13

14. Erik Wahlström Technology Strategist 9/19/2013 14 bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz

15. Erik Wahlström Technology Strategist 9/19/2013 15

16. Erik Wahlström Technology Strategist 9/19/2013 16 nexus://state=xyz

17. Erik Wahlström Technology Strategist 9/19/2013 17

18. Erik Wahlström Technology Strategist 9/19/2013 18 Swedish Mobile BankID Deep dive

19. Erik Wahlström Technology Strategist 9/19/2013 19 Personal number Authentication Collect Token Question

20. Erik Wahlström Technology Strategist 9/19/2013 20 Personal number Authentication Collect Token Question

21. Erik Wahlström Technology Strategist 9/19/2013 21 Personal number Authentication Collect Token Question

22. Erik Wahlström Technology Strategist 9/19/2013 22 Personal number Authentication Collect Token Question

23. Erik Wahlström Technology Strategist 9/19/2013 23 bankid://redirect=nexus%3A%2F%2Fstate%3Dxyz Personal number Authentication Collect Token Question

24. Erik Wahlström Technology Strategist 9/19/2013 24 Personal number Authentication Collect Token Question

25. Erik Wahlström Technology Strategist 9/19/2013 25 Personal number Authentication Collect Token Question

26. Erik Wahlström Technology Strategist 9/19/2013 26 Personal number Authentication Collect Token Question

27. Erik Wahlström Technology Strategist 9/19/2013 27 nexus://state=xyz Personal number Authentication Collect Token Question

28. Erik Wahlström Technology Strategist 9/19/2013 28 Personal number Authentication Collect Token Question

29. Erik Wahlström Technology Strategist 9/19/2013 29 Personal number Authentication Collect Token Question

30. Erik Wahlström Technology Strategist 9/19/2013 30 Alternative two – Others eIDs

31. Erik Wahlström Technology Strategist 9/19/2013 31 Use your browser to authenticate using any eID  OAuth2 industry standard to protect APIs.  Define a way to get a authorization to use an API.  A token or two is good.  Use the token to access the API.  Use OAuth2 and a browser dance to authenticate.  Enables any method and eIDaaS.

32. Erik Wahlström Technology Strategist 9/19/2013 32

33. Erik Wahlström Technology Strategist 9/19/2013 33 https://example.com/oauth2? response_type=code&client_id=nexus&redirect_uri=nexus%3A%2F% 2Fauthorization&scope=api&state=xyz

34. Erik Wahlström Technology Strategist 9/19/2013 34

35. Erik Wahlström Technology Strategist 9/19/2013 35 nexus://authorization?code=oauth2grant&stat e=xyz

36. Erik Wahlström Technology Strategist 9/19/2013 36 Other eIDs Deep dive

37. Erik Wahlström Technology Strategist 9/19/2013 37 Token Question

38. Erik Wahlström Technology Strategist 9/19/2013 38 Token Question

39. Erik Wahlström Technology Strategist 9/19/2013 39 Token Question

40. Erik Wahlström Technology Strategist 9/19/2013 40 Alternative three – eID on other device

41. Erik Wahlström Technology Strategist 9/19/2013 41 Use an eID on another device  Put the rather sad user to work.  Connect two devices.  Refresh tokens makes it usable.

42. Erik Wahlström Technology Strategist 9/19/2013 42

43. Erik Wahlström Technology Strategist 9/19/2013 43

44. Erik Wahlström Technology Strategist 9/19/2013 44

45. Erik Wahlström Technology Strategist 9/19/2013 45 Final words

46. Erik Wahlström Technology Strategist 9/19/2013 46 Final words  BYOD and consumerization.  eIDaaS and OAuth2 for best coverage.  Refresh tokens is not always ok.  WebCrypto is cool.

47. Erik Wahlström Technology Strategist 9/19/2013 47 Thanks!  @erik_wahlstrom  erik.wahlstrom@nexusgroup.com

Protecting apps and APIs using Nordic eIDs

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Protecting apps and APIs using Nordic eIDs

Ähnlich wie Protecting apps and APIs using Nordic eIDs (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Protecting apps and APIs using Nordic eIDs