An Argument for Multifactor Biometric Authentication
THE PASSWORD IS DEAD
© 2016 Veridium All Rights Reserved
BEFORE WE BEGIN
Attendees have been muted.
You may submit questions at any time, but we will respond at the conclusion of the presentation during the Q&A session.
BEFORE WE BEGIN
John Callahan, PhD
Chief Technology Officer
• PhD in Computer Science from University of Maryland, College Park
• Former Associate Director at the Office of Naval Research Global, London office
• Previously Research Director at the NASA Independent Verification and Validation Facility
AGENDA
• History of username & password
• Password complexity is failing
• Biometrics
  • Physiological and behavioral
• Privacy needs for biometric data
HISTORY OF USERNAME AND PASSWORD
A TIME OF CRISIS
• The password is nearly 40 years old
• A username doesn't truly represent identity
NUMBER OF ACCOUNTS
Most people have 10-20 online accounts…
…and you are asked to use a different password for all of them!
A FLUX POINT
• Passwords alone are no longer adequate for cybersecurity
COST OF CHURN
• Best practice is to change passwords every three months
• These password resets cost time and money
HELP DESK COSTS
• Lost-password resets also cost time and money
• These costs are beyond tolerable
COMPROMISES EXACERBATE LOSS
• Lost/stolen passwords contribute to other database compromises
• Users often reuse passwords
• Complexity rules become predictable
PASSWORD COMPLEXITY IS FAILING
COMPLEXITY RULES
• Frequency of change
• Minimum length
• Mixture of "ulsd" (upper, lower, special, digit)
• Topologies
• Difficulty meters: a risk themselves
COMPLEXITY RULES (CONT.)
Credit: XKCD
ANALYSIS
Source: Rick Redman's 2014 OWASP AppSec USA talk (three chart slides)
Charts shown: "Top 50 Most Commonly Used Topology IDs Across All Samples" and "Frequency of Common Topologies Across All Samples" (percent of passwords matching a given pattern, per sample set)
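The topology idea from the complexity-rules slide and the Redman charts above can be made concrete. The following is an added example, not code from the deck: it computes the "ulsd" mask of each password, ranks masks by frequency over a constructed sample of policy-compliant passwords, and compares the keyspace an attacker must search once the mask is known against blind brute force. The sample list, the 33-character size assumed for the special class and the `^ul+d+s$` pattern are the example's own assumptions.

```python
"""Password 'topology' analysis.

Added illustration of the topology idea (not code from the deck): the
sample passwords, the 33-character size of the special class and the
^ul+d+s$ pattern are this example's own constructed assumptions."""
import re
import string
from collections import Counter

# Size of each character class for keyspace estimates
# (33 = printable ASCII characters that are not letters or digits).
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33}


def char_class(c: str) -> str:
    """Classify one character as u(pper), l(ower), d(igit) or s(pecial)."""
    if c in string.ascii_uppercase:
        return "u"
    if c in string.ascii_lowercase:
        return "l"
    if c in string.digits:
        return "d"
    return "s"


def topology(password: str) -> str:
    """The 'ulsd' mask of a password, e.g. 'Summer2016!' -> 'ullllldddds'."""
    return "".join(char_class(c) for c in password)


def meets_ulsd_policy(password: str, min_len: int = 8) -> bool:
    """A typical complexity rule: at least min_len characters and all four classes."""
    return len(password) >= min_len and set(topology(password)) >= set("ulds")


def topology_frequencies(passwords):
    """Masks ranked by share of the sample, as (mask, count, percent) tuples."""
    counts = Counter(topology(p) for p in passwords)
    total = len(passwords)
    return [(mask, n, round(100.0 * n / total, 1)) for mask, n in counts.most_common()]


# The shape users gravitate to when a policy demands all four classes:
# capital first, lowercase word, digits, one trailing special.
PREDICTABLE = re.compile(r"^ul+d+s$")


def share_matching(passwords, pattern=PREDICTABLE) -> float:
    """Percent of the sample whose mask matches the given pattern."""
    hits = sum(1 for p in passwords if pattern.match(topology(p)))
    return round(100.0 * hits / len(passwords), 1)


def mask_keyspace(mask: str) -> int:
    """Candidates to try when the attacker knows the mask (a 'mask attack')."""
    n = 1
    for c in mask:
        n *= CLASS_SIZE[c]
    return n


def full_keyspace(length: int, alphabet: int = 95) -> int:
    """Candidates for blind brute force over all printable ASCII."""
    return alphabet ** length


# Constructed sample of policy-compliant passwords (illustrative, not leaked data).
SAMPLE = [
    "Summer2016!", "Winter2016!", "Monday01!", "Welcome1!", "Password1!",
    "Qwerty12!", "Company9#", "London14!", "Jessica7!", "Football1!",
    "P@ssw0rd", "Tr0ub4dor&3", "!Summer16",
]

if __name__ == "__main__":
    assert all(meets_ulsd_policy(p) for p in SAMPLE)
    for mask, n, pct in topology_frequencies(SAMPLE):
        print(f"{mask:<12} {n:>2} {pct:>5}%")
    print(f"share matching ^ul+d+s$: {share_matching(SAMPLE)}%")
    top = topology_frequencies(SAMPLE)[0][0]
    print(f"mask attack on {top}: {mask_keyspace(top):.2e} candidates "
          f"vs {full_keyspace(len(top)):.2e} for blind brute force")
```

Every password in the sample satisfies the "8+ characters, all four classes" rule, yet about three quarters of them collapse onto a single mask family, and knowing the mask of a 9-character password shrinks the search from roughly 6e17 candidates to roughly 1e12. That is the point of the charts: complexity rules shape what people type, and the shape is what cracking tools enumerate.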
PASSWORD VAULTS
• Examples
  • LastPass
  • 1Password
  • Browser extensions
• Single point of failure
• Non-portable without risk of compromise
TWO-FACTOR AUTHENTICATION (2FA)
• An additional step AFTER username & password
• The one real cybersecurity improvement in 20 years
• Channels
  • SMS (Twitter & Apple)
  • Google Authenticator (software app)
  • RSA dongle (hardware)
  • Bingo card (A1, F3, H1)
PROBLEMS WITH 2FA
• Fails if device(s) lost or stolen
• NIST recently (25 July 2016) recommended against SMS
• SMS can be intercepted/redirected
• Codes can be "swiped" if they appear in lock-screen notifications
• The code generators are deterministic: anyone who obtains the shared seed can compute every future code
• 2FA codes can be "phished" from the user
Biometrics: the next portable 2FA?
BIOMETRICS
BIOMETRICS: THE PASSWORD IS YOU
Physiological:
• Face
• Fingerprint
• Hand
• Iris
• Voice
• DNA
• …
Behavioral:
• Keystroke
• Signature
• Voice
• Date/Time
• Geolocation
• …
Divided, none of these are perfect.
Combined, they are a much more robust form of authentication.
A HISTORY OF POOR STARTS, BUT HOPE REMAINS ETERNAL
There have been many attempts at biometrics, but mobile devices have changed the game entirely.
FIDO STANDARD
Mobile storage & authentication (diagram slide)
Source: FIDO Alliance
IEEE 2410 BOPS
IEEE 2410 Biometric Open Protocol Standard (BOPS)
Mobile: FIDO-compliant
Or, split mobile-server
VERIDIUMID AUTHENTICATION (diagram slide)
VERIDIUMID ENROLLMENT (diagram slide)
AVAILABLE BIOMETRIC PLUGINS
- Touch ID/Android Fingerprint
- 4 Fingers TouchlessID
- Face
- Iris
- Voice
- Behavioral
And whatever the next biometric on the horizon is…
GOOGLE ABACUS
• Behavioral
• Multifactor
• Trust Score
PRIVACY NEEDS FOR BIOMETRIC DATA
YOUR PHYSICAL BIOMETRICS DO NOT CHANGE
• You cannot change your biometrics like you can a password
• Therefore, they must be carefully protected
• This is why regulations have been created for:
  • Storage
  • Transport
  • Encryption
REGULATIONS ON BIOMETRIC DATA PRIVACY (slide content not captured in this transcript)
PRIVACY PROTECTION
• Split biometric: 1/2 on server & 1/2 on mobile or desktop device
• Server- and client-side PKI certificates
• Behavioral patterns for risk management
• Business rules require multifactor authentication steps
SPLITTING BIOMETRIC VECTORS (diagram slide)
MATCHING WITH SPLIT BIOMETRICS (diagram slide)
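The two splitting/matching slides above are diagrams whose text did not survive. The following is an added example that illustrates the principle behind "1/2 on server & 1/2 on device"; it is not the IEEE 2410 or VeridiumID mechanism, which the deck does not detail. It uses a 2-of-2 XOR secret split: a uniformly random share stays on the device, the complementary share on the server, each alone indistinguishable from random bytes, and matching runs only on the transiently recombined template using a bit-level Hamming distance. The 256-bit template, the noise model, the threshold and the `reissue` step are constructed for the example.

```python
"""Splitting a biometric template into a device share and a server share,
and matching a fresh probe only on the transiently recombined template.

Added illustration using a 2-of-2 XOR secret split; it is not the IEEE 2410
or VeridiumID mechanism (the deck gives no such detail). The 256-bit
template, the noise model and the threshold are constructed for the example."""
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_template(template: bytes):
    """Enrollment: device_share is uniformly random, server_share = template XOR device_share.
    Either share on its own is statistically indistinguishable from random bytes."""
    device_share = secrets.token_bytes(len(template))
    server_share = xor(template, device_share)
    return device_share, server_share


def recombine(device_share: bytes, server_share: bytes) -> bytes:
    return xor(device_share, server_share)


def reissue(device_share: bytes, server_share: bytes):
    """Re-randomize both shares with one fresh mask. Neither party ever sees
    the template, but a share leaked before the refresh is now useless."""
    mask = secrets.token_bytes(len(device_share))
    return xor(device_share, mask), xor(server_share, mask)


def hamming(a: bytes, b: bytes) -> int:
    """Bit-level Hamming distance, the usual metric for binary (iris-code-style) templates."""
    return sum(bin(byte).count("1") for byte in xor(a, b))


def match(device_share: bytes, server_share: bytes, probe: bytes, max_distance: int) -> bool:
    """Authentication: the full template exists only inside this call."""
    template = recombine(device_share, server_share)
    return hamming(template, probe) <= max_distance


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise between enrollment and a later capture."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


# Constructed 256-bit template standing in for a quantized feature vector.
ENROLLED = bytes(range(32))

if __name__ == "__main__":
    dev, srv = split_template(ENROLLED)
    print("server share alone vs template, differing bits:",
          hamming(srv, ENROLLED), "of 256 (about half, i.e. no information)")
    probe = flip_bits(ENROLLED, range(20))  # a genuine capture with 20 noisy bits
    print("genuine probe accepted:", match(dev, srv, probe, max_distance=25))  # True
    impostor = secrets.token_bytes(32)  # unrelated capture, ~128 bits away
    print("impostor accepted:     ", match(dev, srv, impostor, max_distance=25))  # False
    dev, srv = reissue(dev, srv)
    print("still matches after reissue:", match(dev, srv, probe, max_distance=25))  # True
```

Two properties matter for the privacy argument on the slides. A breach of the server database yields only `server_share`, which is one-time-pad-encrypted by a key that never left the device, so the irreplaceable biometric is not exposed; and because both shares can be refreshed with a common mask, a leaked share can be revoked even though the underlying biometric cannot. In a deployment the shares travel over a mutually authenticated channel (the slide's server- and client-side PKI certificates) and the recombined template is held in memory only for the duration of the comparison.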
THE PASSWORD IS DEAD
• Biometrics are already replacing 2FA
• Multifactor authentication, including biometrics, is proving to be highly effective
• But will biometrics replace passwords completely?
QUESTIONS?
www.VeridiumID.com
info@VeridiumID.com
Twitter: @Veridium
Request a demo at: www.VeridiumID.com/Contact-Us
