Case Study: Bluewin Implements Liberty Alliance Specifications for Single Sign-On

Company

With approximately 2 million customers, Bluewin (www.bluwin.ch) is the largest Internet service provider in Switzerland and a fully owned subsidiary of the telecommunications company SwissCom. Bluewin is among the first Internet service providers to implement a Liberty-enabled solution. The company provides a range of services geared at both consumers and businesses.

Application

B2C

Challenge

Bluewin sought to simplify single sign-on and eliminate the need for users to input multiple pieces of information in order to enter password protected sites. They also wanted to enhance security and improve access to third-party services. In order to meet these goals, the challenges extended to areas including managing user identity in a distributed environment, ensuring user integrity, enabling federation between different legal and organizational entities, as well as making access to online services as user-friendly as possible.

Solution

Bluewin implemented the Liberty Alliance Identity Federation specifications. In this new environment, Bluewin functions as the identity and attribute provider for a Swiss Circle of Trust. This means that once a Bluewin user has been authenticated by a circle of trust identity provider, that individual can easily be recognized by other service providers within the circle.

Bluewin has implemented the identity provider functionality in an internal development project based on the open source framework SourceID. Bluewin is also collaborating with different IT integrators to enable a circle of trust with several participating service providers. This way, Bluewin will be able to offer single sign-on for multiple Swiss sites and will store attributes only once.

The Bluewin identity provider supports Liberty's Identity Federation Framework specifications. Attribute sharing will be enabled in the next phase of development. The first service provider in the circle of trust is the Swisscom Micropayment service. Other service providers, including the famed online chocolate shop Sprüngli (www.spruengli.ch), will soon follow suit.


Pay By Touch Leaves Its Fingerprints on SAML 2.0

Introduction

Supermarkets like Piggly Wiggly, Food Lion and Scotts let customers check out using fingerprints and biometric technology. In Midland, Texas, West Texas National Bank uses biometrics to speed up check cashing. Citibank Singapore now offers biometrics options as part of their platinum credit card product suite. These are just a few of the many organizations that are deploying biometrics solutions developed by Pay By Touch, a technology and payments company headquartered in San Francisco. But by far, the most exciting Pay By Touch application is around federation and how Pay By Touch is enabling individuals to authenticate themselves online and begin federating with SAML-enabled partners. Pay By Touch's federation product is called TrueMe and it is poised to dramatically improve identity security on the Web.

"50 years ago, credit cards were considered taboo. 30 years ago, nobody thought ATMs would catch on. 15 years ago, only researchers used the Internet. Biometrics' time has arrived."
Bill Townsend, executive vice president, Pay By Touch

How TrueMe Works

Biometrics refers to the automatic identification of a person based on his/her physiological or behavioral characteristics. This method of identification offers several advantages over traditional methods involving ID cards or passwords. A key advantage is the fact that with biometrics, the person to be identified is required to physically present their "biometric" identity (e.g., provide a fingerprint ID) at the point-of-identification.

TrueMe is the first on-demand biometric identity provider service. With TrueMe, a consumer can have all their biometrics information securely encrypted in a hardware device where it is never exposed to the consumer's PC. In this framework, this identity information becomes the authentication mechanism into the identity provider. When the consumer wishes to authenticate his/her identity online, the consumer simply swipes his/her finger across a TrueMe-certified biometric finger sensor that is either built into the computer or attached to it via a USB cable. Then, via SAML 2.0, the identity provider is able to federate TrueMe accounts the consumer might need to access on the Internet.

With TrueMe, the need to remember, maintain and type in passwords is eliminated. And, because a finger-based identifier is truly unique, it is more secure than other authenticators such as signatures, PINs, and even photos.

"The ability to separate out authentication and biometrics from the resources that you access on the Internet is very important to people today," said Thomas Hintz, the chief architect at Pay By Touch. "People may have 20 or 30 different passwords and a lot of times, they use the same password and if one password is breached it could be used to access their other accounts. It's a house of cards and the only way to mitigate this is through standards."

Focusing on SAML from day one was also an important element of the project. "We've looked at OpenID. We've looked at Microsoft CardSpace and you know, on our roadmap, we do plan to adopt as many of them as are viable, but we chose SAML as the first one because of the maturity of the products in that space," said Hintz. The use of standards has been key to facilitating this maturity. Liberty Alliance's standards like SAML 2.0, which are based on well-defined marketplace requirements, have strong marketplace momentum, as evidenced by the broad range of vendors who have committed to implementing the standards and the number of deployer RFPs that mandate them.
"The use of standards is a key step in fostering interoperability, facilitating industry growth and limiting proprietary implementations," said Britta Glade, the chair of the Liberty Alliance identity theft special interest group and Liberty's director of marketing. "Using standards is a way of making your bet 'safe.' PayByTouch is smart to recognize there are multiple specs out there, and to have a long-term plan to support them, but starting with what's proven and mature helps insure deployment speed and adoption."

TrueMe ID: How it Works

1. The user navigates to a Web site that accepts TrueMe.
2. The Web site presents an i-frame that sends a signed SAML AuthnRequest to Pay By Touch.
3. A secure tunnel is established between the user's biometric sensor and Pay By Touch.
4. The user's template is extracted and encrypted on the biometric device and securely transmitted to Pay By Touch.
5. Pay By Touch verifies the device key and the user's template, providing minimum two-factor identification.
6. The user's acceptance is redirected to the Web site with a signed SAML AuthnResponse.
7. The Web site verifies the AuthnResponse and logs the user in, never having to reveal the customer's username or password to Pay By Touch or through the browser.

[Figure: "TrueMe ID: How it works". The diagram shows the User's Computer (browser and sensor), the website and PayByTouch, with these labelled steps: 1. The user navigates to a website that accepts TrueMe. 2. The website redirects the user's browser to PayByTouch with a signed SAML AuthnRequest. 3. A secure tunnel is established between the user's sensor and PayByTouch. 4. The user's template is extracted and encrypted on the secure device and transmitted to PayByTouch. 5. PayByTouch verifies the device key and the user's template, providing minimum two-factor identification. 6. The user's browser is redirected to the website with a signed SAML AuthnResponse. 7. The website verifies the AuthnResponse and logs the user in, never having to reveal the username or password to Pay By Touch or through the browser.]

TrueMe Pilot Takes Off

TrueMe was initially piloted by Pay By Touch's sales team to access their Salesforce.com application via biometrics. Instead of logging in with their user names and passwords, they simply swipe their fingers. In addition to the Salesforce.com interface, Pay By Touch has a "live" partnership with Oracle and WebEx. At WebEx, Pay By Touch is building an interface to biometrically log on to WebEx and WebEx-based applications.

"We're also having in-depth discussions with every major PC OEM provider because more and more they are enabling their laptops and desktops to have biometric readers. Obviously, they want to create value for those products which our federated model provides," said Keith Towne, Pay By Touch's vice president of business development. "But where we see the greatest potential for growth is in online access for things such as e-commerce, banking, e-mail, ISP login, and subscription services."

Currently, Pay By Touch is in discussions with four U.S. banks and a major international bank to roll out TrueMe. Beginning with employees and cash management customers, then expanding to customers, the banks hope to counteract what Gartner research uncovered, which is that 57% of consumers who have lowered their online activity, and 43% of Internet banking customers, have done so because of increased security-related concerns (source: Gartner, August 2006).

TrueMe is also part of Oracle's Extended Identity Management Ecosystem and Reference Architecture, a program that makes it easier for organizations to unify siloed security technologies into a comprehensive, standards-based identity management framework. With TrueMe, users can access Oracle database, applications and the suite of Oracle products via biometrics. This interface is up and running today and is an available product.
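The security of the flow above rests on step 7: the Web site must refuse any AuthnResponse that is not a signed, fresh, one-time answer to its own AuthnRequest. The following is an added example of those service-provider checks, written for this page; it is not Pay By Touch's, Bluewin's or SourceID's code. The entity IDs, ACS URL and the sample response are constructed for the example, and XML-Signature verification is deliberately left to an XML-DSig library so that the remaining checks (status, Destination, Issuer, InResponseTo, Audience, validity window, one-time use) are shown on their own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Service-provider configuration: hypothetical values for this example only.
SP_ENTITY_ID = "https://shop.example/sp"
SP_ACS_URL = "https://shop.example/saml/acs"
IDP_ENTITY_ID = "https://idp.example/biometric-idp"   # placeholder identity provider


class SamlValidationError(Exception):
    pass


def _parse_time(value):
    # SAML carries xsd:dateTime in UTC, e.g. 2006-08-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, pending_request_ids, now, clock_skew=timedelta(seconds=60)):
    """Check a SAML 2.0 Response against the SP's expectations before trusting the
    asserted identity. Returns the NameID and removes the answered AuthnRequest ID
    from pending_request_ids so the same response cannot be replayed.
    This does NOT verify the XML-Signature bytes; do that first with an XML-DSig
    library against the IdP's pinned certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")

    # 1. The IdP must report success.
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("status is not Success")

    # 2. Addressed to our ACS endpoint and issued by the IdP we trust.
    if root.get("Destination") != SP_ACS_URL:
        raise SamlValidationError("Destination does not match our ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("unexpected Issuer")

    # 3. Must answer an AuthnRequest we actually sent (rejects unsolicited and replayed responses).
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        raise SamlValidationError("InResponseTo does not match a pending request")

    # 4. A signature must be present on the response or the assertion (verified separately).
    if root.find("ds:Signature", NS) is None and root.find("saml:Assertion/ds:Signature", NS) is None:
        raise SamlValidationError("response and assertion are both unsigned")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no Assertion")

    # 5. The assertion must be meant for us and inside its validity window.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        raise SamlValidationError("Audience does not match our entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    not_before = _parse_time(conditions.get("NotBefore"))
    not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
    if now < not_before - clock_skew or now >= not_on_or_after + clock_skew:
        raise SamlValidationError("assertion is outside its validity window")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise SamlValidationError("no NameID")

    pending_request_ids.discard(in_response_to)   # one-time use
    return name_id


def rejection_reason(xml_text, pending_request_ids, now):
    """Convenience wrapper: the reason a response is rejected, or None if accepted."""
    try:
        validate_response(xml_text, pending_request_ids, now)
        return None
    except SamlValidationError as err:
        return str(err)


def sample_response(in_response_to="_req123", audience=SP_ENTITY_ID, status=SUCCESS):
    # Constructed sample, not a capture from any real IdP; ds:Signature is a stand-in block.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0" IssueInstant="2006-08-01T12:00:00Z"
    Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2006-08-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>user-7f3a</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2006-08-01T11:59:00Z" NotOnOrAfter="2006-08-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    now = datetime(2006, 8, 1, 12, 1, tzinfo=timezone.utc)
    pending = {"_req123"}
    print("accepted as", validate_response(sample_response(), pending, now))
    print("replay:", rejection_reason(sample_response(), pending, now))
```

The pending-request set is the piece most often skipped in real deployments: without it an attacker who captures one valid response can present it again, and the signature check alone will not notice. Keep the set server-side (never in a cookie the browser can edit) and expire entries after the same window you allow for the assertion.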
Benefits to Service Providers

The service provider benefits are considerable. TrueMe is also dealing with government and private organizations that need to verify age online, for purchase of age-restricted items or services. It can help online communities like social networks block criminals and predators from joining.

On the e-commerce side, payments are faster via a secure "one-swipe" checkout feature. Pay By Touch is currently working to match their biometrically accessed electronic wallet, which can contain checking and credit account, health insurance accounts, and loyalty information, used at more than 2,800 retail locations, with the TrueMe service, thereby allowing online retailers to process payments over the lower cost automated clearing house network as opposed to the high interchange rates charged by the credit card associations.

Based on Pay By Touch's retail experience over the past few years, fraud and identity theft are virtually non-existent when biometrics are deployed, because, quite simply, crooks don't want to give their fingerprints during the commission of a crime.

"66 percent of consumers worldwide favored biometrics as the ideal method to combat fraud and identity theft as compared to other methods such as smart cards and tokens."
Unisys Study, April 26, 2006

"Technology also can substantially improve the authentication process by, for example, the use of biometrics to authenticate the consumer's identity, making it less likely that a criminal can gain access to another's account."
President's ID Theft Task Force, Interim Recommendations, September 19th, 2006

"Given the foregoing analysis, Endpoint predicts that fingerprint readers will proliferate widely, and shipments of embedded readers in notebooks and desktops, which are expected to hit 15 million in 2006, will reach 228 million in 2011."
Roger L. Kay, Endpoint Technologies Associates, "The Visible Face of PC Enterprise Security", 2006

"A study of U.S. online adults found that biometrics was the most popular strong authentication method, she said. When asked which method they would prefer if they had to choose something besides a password, 30.7% of respondents selected biometrics, while 18.1% chose a keyfob that plugs into a computer's USB port and 18% chose a smart card and reader."
Gartner Survey, August 2006

Biometric SSO: Tools of the Trade

• Identity Provider Infrastructure
> OASIS SAML 2.0
> Liberty Phase II
> JAAS (Java Authentication & Authorization Service)
> LDAP v3
> JSR-196 (Authentication Provider for Web Services)

• Biometric Authentication Infrastructure
> JAAS LoginModule
> OASIS SAML 2.0
> OASIS SPML 2.0 Adapter

• Identity Provisioning Infrastructure
> OASIS SPML 2.0
> OASIS WS-BPEL 1.1

[Figure: "Biometric SSO: Bio AuthN Provider Strategy" (Biometrics Consortium 2006, slide 19). Subtitle: Biometric Single Sign-on: Bio AuthN Provider Strategy Using a SAML compliant Biometric Authentication Provider. Labels: J2EE Applications [SAML Relying Authorities]; Issue SAML Request; SAML compliant Biometric AuthN Middleware [SAML Asserting Authority]; Access Databases / Directories; Perform Authentication Single/Multi-modal & Issue SAML Assertion.]

[Figure: "Biometric SSO: Identity Provider Strategy" (Biometrics Consortium 2006, slide 21). Subtitle: Biometric Single Sign-on: Identity Provider Strategy Using a SAML compliant Identity Provider. Labels: J2EE Applications [SAML Relying Authority]; Issue SAML Request; Compliant SAML Assertion; Identity Provider Infrastructure, SSO including Biometrics Multi-factor [SAML Asserting Authority]; Biometric AuthN Middleware; Access Databases / Directories; Perform Authentication Single/Multi-modal.]

[Figure: "Case study with Sun Java System Access Manager and BiObex" (Biometrics Consortium 2006, slide 20). Labels: Desktops, Multi-modal Biometrics Authentication, Smartcard [SAML Asserting Authority]; SAML Assertion; Sun Java System Access Manager [SAML Relying Authority]: Single Sign-on, Authorization Policies, Multi-Domain SSO, SSL, User/Role Profiles, Federated SSO, Audit Logs; Enterprise Applications; Databases / Directories.]

The Perfect Storm for Biometrics

The time is right for biometrics. There's consumer demand for faster and more secure payment and identity. Worry over identity theft is at an all-time high. Technology like TrueMe exists to make what was once totally futuristic now entirely possible. And, what's more, the standards are in place to enable widespread adoption.

About Pay By Touch

San Francisco-based Pay By Touch (www.paybytouch.com) develops biometric authentication, personalized marketing and payment solutions. To date, patented Pay By Touch™ biometric services enable over 4 million shoppers in the U.S., Asia and Europe to quickly and securely use a finger scan to access personalized offers, make purchases, and cash checks at more than 2,600 locations nationwide. The company also provides robust payment processing solutions for ACH (electronic checking), card-present and card-not-present debit and credit transactions. Over 60 issued and 175+ pending patents worldwide cover biometrically authenticated financial, membership or loyalty transactions and/or age verification.

About Liberty Alliance

Liberty Alliance is the only global identity organization with a membership base that includes technology vendors, consumer service providers and educational and government organizations working together to build a more trusted Internet by addressing the technology, business and privacy aspects of digital identity management. The Liberty Alliance Management Board consists of representatives from AOL, Ericsson, Fidelity Investments, France Telecom, HP, Intel, Novell, NTT, Oracle, and Sun Microsystems. Liberty Alliance works with identity organizations worldwide to ensure all voices are included in the global identity discussion and regularly holds and participates in public events designed to advance the harmonization and interoperability of CardSpace, Liberty Federation (SAML 2.0), Liberty Web Services, OpenID and WS-* specifications.

2007