The Password Is Dead: An Argument for Multifactor Biometric Authentication
1. An Argument for Multifactor Biometric Authentication
THE PASSWORD IS DEAD
© 2016 Veridium All Rights Reserved
2. BEFORE WE BEGIN
Attendees have been muted
You may submit questions at any time, but we will respond at the conclusion of the presentation during the Q&A session
3. John Callahan, PhD
Chief Technology Officer
BEFORE WE BEGIN
• PhD in Computer Science from University of Maryland, College Park
• Former Associate Director at the Office of Naval Research, Global, London office
• Previously Research Director at the NASA Independent Verification and Validation Facility
4. AGENDA
• History of username & password
• Password complexity is failing
• Biometrics
• Physiological and behavioral
• Privacy needs for biometric data
6. A TIME OF CRISIS
• The password is nearly 40 years old
• Username doesn’t truly represent Identity
7. NUMBER OF ACCOUNTS
Most people have 10-20 online accounts…
…and you are asked to use a different password for all of them!
8. A FLUX POINT
• Passwords alone are no longer adequate for cybersecurity
9. COST OF CHURN
• Best practice is to change passwords every three months
• These password resets cost time and money
10. HELP DESK COSTS
• Lost password resets also cost time and money
• These costs are beyond tolerable
11. COMPROMISES EXACERBATE LOSS
• Lost/Stolen passwords contribute to other database compromises
• Users often reuse passwords
• Complexity rules become predictable
13. COMPLEXITY RULES
• Frequency of change
• Minimum Length
• Mixture of “ulsd” (upper, lower, special, digit)
• Topologies
• Difficulty meters: A risk themselves
17. ANALYSIS
Source: Rick Redman’s 2014 OWASP AppSec USA talk
[Chart: Top 50 Most Commonly Used Topology IDs Across All Samples; Frequency of Common Topologies Across All Samples; y-axis: Percent of Passwords Matching Given Pattern per Sample Set]
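An added example, not code from the talk or from Redman's tooling, of the topology analysis the chart summarises: each password is mapped to its ulsd mask and the masks are ranked by frequency, so a defender can measure how predictable a complexity rule has made a password set. The sample password list is constructed for illustration.

```python
"""Password-topology audit: an added example, not code from the Veridium deck.
Maps each password to its "ulsd" mask (u = upper, l = lower, s = special,
d = digit), as in the topology analysis cited above, and ranks the masks by
frequency. When most passwords collapse onto a few masks, the complexity rule
has made them predictable. The password list below is constructed, not real.
"""
from collections import Counter

# Constructed sample set: every entry passes a typical
# "8+ characters with upper, lower, digit and special" rule.
SAMPLE_PASSWORDS = [
    "Password1!", "Welcome1!", "Summer16!", "Monkey12!", "Qwerty1!",
    "Charlie1!", "Baseball1!", "Football1!", "Letmein1!", "P@ssw0rd",
    "Tr0ub4dor&3", "1!Password", "Dragon12!", "Michael1!",
]


def topology(password: str) -> str:
    """Return the ulsd mask, e.g. 'Password1!' -> 'ulllllllds'."""
    mask = []
    for ch in password:
        if ch.isupper():
            mask.append("u")
        elif ch.islower():
            mask.append("l")
        elif ch.isdigit():
            mask.append("d")
        else:
            mask.append("s")
    return "".join(mask)


def meets_complexity(password: str, min_len: int = 8) -> bool:
    """Typical ulsd rule: minimum length plus at least one of each class."""
    return len(password) >= min_len and set("ulsd") <= set(topology(password))


def topology_report(passwords, top_n: int = 5):
    """Rank masks by count; return (mask, count, percent) for the top_n."""
    counts = Counter(topology(p) for p in passwords)
    total = len(passwords)
    return [(mask, n, round(100.0 * n / total, 1))
            for mask, n in counts.most_common(top_n)]


def predictability(passwords, top_n: int = 5) -> float:
    """Fraction of the sample covered by the top_n masks (1.0 = one mask fits all)."""
    covered = sum(n for _, n, _ in topology_report(passwords, top_n))
    return covered / len(passwords)


if __name__ == "__main__":
    for mask, n, pct in topology_report(SAMPLE_PASSWORDS):
        print(f"{mask:<14} {n:>3} {pct:>5.1f}%")
```

On the constructed sample, every password passes the rule yet three masks cover over 70% of the set, which is the predictability the slide warns about.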
18. PASSWORD VAULTS
• Examples
• LastPass
• 1Password
• Browser extensions
• Single point of failure
• Non-portable w/o risk of compromise
19. TWO-FACTOR AUTHENTICATION (2FA)
• An additional step AFTER username & password
• The one real cybersecurity improvement in 20 years
• Channels
• SMS (Twitter & Apple)
• Google Authenticator (software app)
• RSA dongle (hardware)
• Bingo card (A1, F3, H1)
20. PROBLEMS WITH 2FA
• Fails if device(s) lost or stolen
• NIST recently (25 July 2016) recommended against SMS
• SMS can be intercepted/redirected
• Codes can be “swiped” if they appear in lock-screen notifications
• The algorithms used to generate the 2FA codes can be cracked
• 2FA codes can be “phished” from the user
Biometrics: The next portable 2FA?
22. BIOMETRICS: THE PASSWORD IS YOU
Physiological
• Face
• Fingerprint
• Hand
• Iris
• Voice
• DNA
• …
Behavioral
• Keystroke
• Signature
• Voice
• Date/Time
• Geolocation
• …
Divided, none of these are perfect.
Combined, they are a much more robust form of authentication.
23. A HISTORY OF POOR STARTS, BUT HOPE REMAINS ETERNAL
There have been many attempts at biometrics, but mobile devices have changed the game entirely.
24. FIDO STANDARD
Mobile storage & authentication
Source: FIDO Alliance
25. IEEE 2410 Biometric Open Protocol Standard (BOPS)
Mobile – FIDO-compliant
Or, split mobile-server
26. VERIDIUMID AUTHENTICATION
27. VERIDIUMID ENROLLMENT
28. AVAILABLE BIOMETRIC PLUGINS
- Touch ID/Android Fingerprint
- 4 Fingers TouchlessID
- Face
- Iris
- Voice
- Behavioral
And whatever the next biometric on the horizon is…
29. GOOGLE ABACUS
• Behavioral
• Multifactor
• Trust Score
31. YOUR PHYSICAL BIOMETRICS DO NOT CHANGE
• Cannot change your biometrics like you can a password
• Therefore, they must be carefully protected
• This is why regulations have been created for:
• Storage
• Transport
• Encryption
32. REGULATIONS ON BIOMETRIC DATA PRIVACY
33. PRIVACY PROTECTION
• Split Biometric: 1/2 on server & 1/2 on mobile or desktop device
• Server- and Client-side PKI certificates
• Behavioral patterns for risk management
• Business rules require multifactor authentication steps
34. SPLITTING BIOMETRIC VECTORS
35. MATCHING WITH SPLIT BIOMETRICS
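One way to realise the split-template idea of slides 33 to 35, as an added example that is not Veridium's code and not the IEEE 2410 BOPS algorithm: a two-share XOR split of a fixed-length feature vector, one share on the server and one on the device, with matching done on the recombined vector. The 256-bit template size, the 20% Hamming-distance threshold and the template bytes are assumptions constructed for the example.

```python
"""Two-share split of a biometric template: an added example, not Veridium's
code or the IEEE 2410 BOPS algorithm. The template is a fixed-length bit
vector; enrollment XORs it with a random share held by the server and keeps
the result on the device, so neither half alone reveals the template. Matching
recombines the shares and compares Hamming distance with a fresh probe.
"""
import secrets

TEMPLATE_BYTES = 32      # 256-bit feature vector (assumed size)
MATCH_THRESHOLD = 0.20   # accept if at most 20% of bits differ (assumed)
SAMPLE_TEMPLATE = bytes(range(TEMPLATE_BYTES))   # constructed, not a real biometric


def enroll(template: bytes):
    """Split a template into (device_share, server_share); both look random."""
    assert len(template) == TEMPLATE_BYTES
    server_share = secrets.token_bytes(TEMPLATE_BYTES)
    device_share = bytes(t ^ s for t, s in zip(template, server_share))
    return device_share, server_share


def reconstruct(device_share: bytes, server_share: bytes) -> bytes:
    """Recombine the shares; only a party holding both recovers the template."""
    return bytes(a ^ b for a, b in zip(device_share, server_share))


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which the two vectors differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))


def match(probe: bytes, device_share: bytes, server_share: bytes) -> bool:
    """Reconstruct the enrolled template and accept a sufficiently close probe."""
    return hamming_fraction(probe, reconstruct(device_share, server_share)) <= MATCH_THRESHOLD


def perturb(template: bytes, flips: int) -> bytes:
    """Constructed 'fresh capture': flip `flips` bits at distinct positions (gcd(5, 256) = 1)."""
    out = bytearray(template)
    for k in range(flips):
        bit = (k * 5) % (8 * len(out))
        out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def demo() -> dict:
    """Enroll the sample template, then test a close probe, a far probe and a stolen share."""
    device_share, server_share = enroll(SAMPLE_TEMPLATE)
    return {
        "round_trip": reconstruct(device_share, server_share) == SAMPLE_TEMPLATE,
        "close_probe": match(perturb(SAMPLE_TEMPLATE, 20), device_share, server_share),
        "far_probe": match(perturb(SAMPLE_TEMPLATE, 80), device_share, server_share),
        # a copied server database (server share, no device share) matches nothing
        "server_share_alone": match(SAMPLE_TEMPLATE, server_share, bytes(TEMPLATE_BYTES)),
    }
```

A leaked server database therefore yields only random bytes, and a lost device yields the other random-looking half; a real deployment would additionally bind each share to the PKI certificates the slide mentions.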
36. THE PASSWORD IS DEAD
• Biometrics are already replacing 2FA
• Multifactor Authentication, including biometrics, is proving to be highly effective.
• But will biometrics replace passwords completely?