Last night, I had the opportunity to present at an OWASP event @Hartford, CT. James McGovern, a long-time buddy of mine organized this event at one of the Hartford skyscrappers – What a great view ! I had contributed code artifacts to OWASP projects before, but it was the first time I had a chance to attend an OWASP event. Amazing to see..it was an enthusiastic crowd with a lot of focus on the emerging trends in IT security. I took a small piece of the IT puzzle.. to present a topic on “Multi-factor Authentication” and then a demo showing OpenSSO w. PKI/Biometric authentication. It was a well-organized event and I saw a lot of interests around OpenSSO.
As promised, here is my slides for your reading pleasure. Enjoy.
Not a shameless promotion – I came to know from multiple feedback and praises from the people who took the Sun Certified Enterprise Architect exam. Core Security patterns is overwhelmingly suggested as a reference text for ”Section 8 – Security” of Sun Certified Enterprise Architect for Java EE5 exam.
Section 8: Security
Absolutely…. “Core Security Patterns” provides INDEPTH coverage on the above topics with detailed examples. You can certainly rely on that for “Section 8 – Security” of SCEA.
Congratulations to those who become SCEA and Goodluck for those aspiring to become SCEA. Thanks for all the feedback…Please do keep us posted.
I had been involved with multiple Biometric ISV providers and its integration with Sun technologies particularly OpenSSO, IdM, Sun Rays and Solaris. I also had the opportunity to deploy Biometric solutions to few govt organizations that starts with “D” and “N”. Believe it or not…we have few of them in production.
Now, getting down to the specifics – Putting it all together, in simpler terms you will see the solution would look like this…..
Ofcourse the Desktop can be your PC or Sun Ray or anything that capable of running a browser and allows plugin a Biometric Fingerprint Scanner (USB device). If you look into the ingredients of this solution, you would need the following:
For those curious to know ….and concerned about security of using Biometrics as a network credential…here is my answer to those known security issues.
OpenSSO provides JAAS based authentication framework for plugging in JAAS LoginModules (from authentication providers) and also allows enabling multi-factor authentication through OpenSSO authentication chaining and session upgrade features. Refer to OpenSSO Administrator guide for the finer details.
Few weeks ago, I posted another entry on Match-to-Smartcard PKI and Biometric authentication which is a different solution that makes use of Biometric information (CBEFF) stored on a PIV card. I am still working on the documentation….will keep you posted very soon.
Last few months, I was passionately busy working on an interesting project opportunity …to implement a biometric authentication module for a security sensitive J2EE application (Sorry…don’t ask who is the customer ). Ofcourse, the target is a die-hard Sun customer who believed on us -not- that armed contractor. They suggested me to use CrossMatch Verifier-E Fingerprint scanner and BioBex middleware for supporting biometric enrollment and authentication. I also lucky to work together with a good friend of mine from Finland “Tuomo Lampinen”…I should credit him here – he taught me the ABCs of Biometrics. I lost hopes initially..as there is no easy way to initiate/receive the JAAS callbacks to/from biometric device and then convert it to web-based text callbacks to perform actual authentication with the biometric middleware. The complexities goes even a bit more harder, when you want to make a browser plugin to handle the device callbacks. After trial-and-errors with several callback mechanisms (believe me,…at some point I lost all my hopes) – Finally, It worked without any hacks. Way cool, I even performed multi-factor authentication by combining with another JAAS LoginModule we built for using PKI/digital certificates.
If you are curious to know the secrets – Couple of days ago, Reid Williams and I did deliver a session at JavaONE entitled ” Biometric Authentication for J2EE Applications” and we also demonstrated it. You may also interested to read my follow-on article “Building Biometric Authentication for J2EE, Web and Enterprise Applications“.