OWASP Knowledge Based Authentication Performance Metrics

Main

Our first KBAPMP draft is finished. It is temporarily hosted on GitHub: KBAPMP_DRAFT. We are building a dynamic KBA sandbox for testing purposes. We need contributors.

KBAPMP Archive: Please see the News and Talks tabs

What is KBA-PMP

There is a lack of standard performance metrics regarding the use of knowledge based authentication (KBA) for remote identity proofing. KBA-PMP's goal is to establish standard performance metrics for knowledge based authentication, following a transnational perspective.

KBA-PMP Best Practices

2. Identity solutions will be secure and resilient.

3. Identity solutions will be interoperable.

4. Identity solutions will be cost-effective and easy to use.

ASVS

[1 Choosing and Using Security Questions Cheat Sheet]

OWASP NNI (NIST NSTIC IDESG) Initiative: https://www.owasp.org/index.php/OWASP_NNI_Initiative

Licensing

Creative Commons Attribution ShareAlike 3.0 License

KBA-PMP Project Metrics

Project Leaders

Join our Mailing List

Mailing List

Standard DRAFT

KBAPMP

AGENDA

We will be presenting the KBAPMP standard at the OWASP APP SEC USA 2016 in Washington between October 11th and October 14th. For more information about the OWASP APP Sec USA 2016, please visit this link: USA_APPSEC_2016

All Meetings are Open and All are Welcome

News

September 23, 2016

Knowledge Based Authentication Performance Metrics Project (KBA-PMP) will be at AppSecUSA in Washington DC USA, October 11-14, 2016 for the OWASP Project Summit, for details see https://2016.appsecusa.org

April 20, 2016

The first draft is released on GitHub. We are closing our Second Phase. Now is the time to debug and test.

Knowledge Based Authentication Performance Metrics (KBA-PMP) holds its first Project Summit in Amsterdam, Netherlands see https://2015.appsec.eu/conference-program/ KBA-PMP and https://2015.appsec.eu/project-summit/.

Talks

May 21, 2015

Co-Project Leaders Luis Enriquez and Ann Racuya-Robbins co-create a Lightning talk on the project’s current essential features at the OWASP AppSec EU 2015 in Amsterdam, Netherlands. https://2015.appsec.eu/conference-program/

Road Map - Time Line

OWASP KBA-PMP - Knowledge Based Authentication Performance Metrics Project

Goals - To meet the requirements of the IDESG KBA Solicitation:

KBA PROJECT PHASES (PROPOSAL)

Dear KBA colleagues, we propose an action plan divided into the following phases:

FIRST PHASE: SCANNING THE MARKET

The goal of this first phase is to understand how KBA is working today (static and dynamic), and how KBA methodologies have been implemented by KBA providers. I think this is a good departure point.

  • 1. Footprinting the KBA market providers.
  • 2. Identifying the KBA product providers used by the main market players.
  • 3. Identifying the advantages and drawbacks of KBA provider’s methodology.
  • 4. Draw the document’s structure.
    • Complete document structure v1
  • 5. Initial Timeline
  • 5. Launch Participant Outreach

SECOND PHASE: DEVELOPMENT

Once the advantages and drawbacks of the KBA market have been clearly identified, it would be necessary to have our own platform for testing purposes. This will give us the right perspective about developing a transnational, neutral, secure, and market wise KBA standard. I would also suggest building an open wiki, to get community feedback.

  • 1. Setting an Application for KBA testing purposes.
  • 2. Build an open wiki for community feedback.
  • 3. Test the KBA proposals in our test application.
  • 4. Analyzing the framework in crucial legal areas (such as Dynamic KBA and privacy).

THIRD PHASE: EDITION

This phase is very important, as it concerns the text edition. Once all proposals have been tested in our lab, we should translate them into a clear document.

  • 1. Edit the contents of the sources (sources such as the wiki).
  • 2. Release the version 1.0. and license it under the terms of a suitable license.

Initial Overview

  1. Survey and research the Global OWASP Community and other networks to identify and recruit appropriate participation.
  2. Develop Opinion polls, foundations’ research, interviews, perspectives on project, input from communities outside of the networks.
  3. Survey and research other standards groups and their interests.
  4. Phase I footprinting
  5. Phase II Development
  6. Phase III Implementation, Lessons Learned, Continuous refinement, Ongoing participation model, etc.
  7. Research Licensing models

Research Papers

1. Knowledge Based Authentication: Paradigms and Challenges https://drive.google.com/file/d/0B3AkniUi7NFeRXduS3pPQTJ6Mm8/view?usp=sharing

Acknowledgements

Current Contributors

  • Luis Enriquez
  • Robert Faron
  • Bev Corwin
  • Noreen Whysel

FAQs

How can I participate in your project?

All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise at different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.
