Claims-Based Identity: A Better Model for Authentication
(Last updated on February 7, 2020)
Claims-based identity is a common way for an application to obtain identity information about a user whom another system has already authenticated. A claim is a statement about the user (name, e-mail address, group membership, the authentication method used) that an issuer, typically an identity provider running a Security Token Service (STS), packages into a security token and signs. The user's client presents that token to a relying-party application, which accepts the claims inside it once it has verified the signature.
In a claims-based approach to authentication, trust is explicit: an application believes a claim about the current user only if it trusts the entity that issued the claim, and it establishes who issued the token by checking the signature against that issuer's key.
A real life analogy
Think of the airport check-in procedure. When you get to the airport, you first go to the ticket counter and present your passport. After verifying the passport by matching the document photo with your face, and after confirming that you have paid for the ticket, the agent prints a boarding pass carrying the relevant information about you (name, flight, seat, priority, and so on). You can now pass the security checkpoint and reach the boarding gate by presenting the boarding pass.
In this analogy the boarding pass is a token containing a set of claims about you, such as name, seat number and flight number. The gate agent does not need to re-verify those claims, or check your passport again, because the claims were verified and issued by a source the gate agent trusts: the airline.
Why is it a better way?
Claims-based identity takes the responsibility for authentication away from individual applications and places it with trusted identity providers. The approach is not new; it is common in single sign-on solutions. Extended to identity and access management, and more specifically to self-service password reset, it removes the need to integrate separately with each third-party service, every one of which handles identity differently, in order to gain additional authentication attributes. It also removes the need to store sensitive user account and password data for authentication managed internally, which eliminates that store as a target and avoids the synchronization problems that provisioning password data creates.
Specops uReset™ and Claims-Based Identity
Our new self-service password reset solution, Specops uReset™, uses claims-based identity to open up new, robust ways for end users to prove their identity during a password reset or when unlocking their account.
Specops uReset™ can accept tokens from a range of trusted identity providers, from social identities such as LinkedIn, through company-oriented services such as Google, to higher-trust methods such as mobile one-time passcodes. Token signatures are verified to confirm that each token originated from a trusted issuer, and the user identifier carried in the token is matched against the corresponding Active Directory account before the claims are acted on.
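The two checks described above, explicit trust in a known issuer and signature verification before any claim is used, followed by matching the token's subject against a directory account, look like this in code. This is an added illustration written for this page, not Specops code and not the uReset™ implementation. It uses HS256-signed JWTs built with the Python standard library only; the issuer keys, the audience value and the directory lookup are constructed stand-ins for a real STS and for Active Directory.

```python
"""Relying-party side of claims-based identity: accept claims only from
trusted issuers, and only after the signature checks out.

Added example, not vendor code. Tokens are JWS compact serialization with
HS256 (HMAC-SHA256), built with the standard library only.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed: per-issuer shared secrets the relying party was provisioned
# with out of band. An issuer absent from this map is simply not trusted.
TRUSTED_ISSUERS = {
    "https://sts.example.com": b"sts-shared-secret",
    "https://otp.example.net": b"otp-shared-secret",
}
# Constructed: the audience value this relying party expects in every token.
AUDIENCE = "urn:example:password-reset"
# Constructed stand-in for the directory lookup: account name -> enabled?
DIRECTORY = {"jdoe": True, "asmith": False}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(issuer: str, key: bytes, claims: dict) -> str:
    """Issuer (STS) side: sign a claim set with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iss=issuer)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None) -> dict:
    """Relying-party side: return the claims, or raise ValueError.

    The 'iss' claim is read from the unverified payload only to select the
    key; nothing else in the token is used until the signature is checked.
    """
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        payload = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:  # covers bad base64, bad JSON and wrong part count
        raise ValueError("malformed token")
    # Never let the token choose the algorithm (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    issuer = payload.get("iss")
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if payload.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def resolve_user(token: str, now=None) -> str:
    """Map a verified token to an enabled directory account."""
    claims = verify_token(token, now)
    user = claims.get("sub")
    if not DIRECTORY.get(user, False):
        raise ValueError(f"no enabled directory account for {user!r}")
    return user


def check(token: str, now=None) -> tuple:
    """Convenience wrapper: ("ok", account) or ("rejected", reason)."""
    try:
        return ("ok", resolve_user(token, now))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    t = int(time.time())
    key = TRUSTED_ISSUERS["https://sts.example.com"]
    good = issue_token("https://sts.example.com", key,
                       {"sub": "jdoe", "aud": AUDIENCE, "exp": t + 300})
    rogue = issue_token("https://evil.example.org", b"anything",
                        {"sub": "jdoe", "aud": AUDIENCE, "exp": t + 300})
    print(check(good))   # ("ok", "jdoe")
    print(check(rogue))  # ("rejected", "untrusted issuer: ...")
```

The order of checks is the point: the issuer is identified and its key looked up first, the signature is verified over exactly the bytes received, and only then are audience, expiry and subject consulted. A token from an issuer that is not in the trusted set is rejected before any of its claims are read, which is what "trust is explicit" means in practice. A real deployment would also pin the expected algorithm per issuer and would use asymmetric keys published by the STS rather than shared secrets.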
Specops uReset™ currently supports more than 20 identity services, which can be layered to meet the security level appropriate to the organization and the user's role. A few of the identity services also make use of assets the organization already has: existing Active Directory user profile information (for pre-enrollment), mobile devices, or authentication hardware.