Multi-factor Authentication       Methods Taxonomy                   Some ThoughtsAbbie Barbir, Ph.DCo-chair OASIS Trust E...
Authentication Strength•       (entity) authentication: A process used to achieve sufficient confidence in the binding    ...
How to determine the "Best" Authentication Method    Use Needs and Constraints to Determine    • Authentication strength  ...
Elevating Trust in Authentication Strength Level• Increasing the strength of authentication can be done by adding factors ...
Authentication Categories        Who You Are               what you                 what you           what you          B...
How to Evaluate Authentication Strength1. Two aspects to consider• Methods resistance to attack     – how difficult is it ...
How to Evaluate Authentication Strength• Combining two or more authentication methods can potentially increases  authentic...
How to Evaluate Authentication Strength• Not any MFA method is stronger than an authentication method  based on a single a...
Evaluating Authentication Strength “Take Away”•       Counting Factors is not enough to evaluate authentication strength  ...
Authentication Process Threats     • Online guessing                       •   Eavesdropping     • Phishing               ...
Example Calculating Overall Authentication               Assurance Level (LOA 3)• Overall authentication assurance level i...
Tokens• A Token is something that the Claimant possesses and controls (typically a  cryptographic module or password) that...
Tokens “Token Style”1. Memorized Secret Token      – A secret shared between the Subscriber and the CSP2. Pre-registered K...
Tokens “Token Style”6. Single-factor (SF) Cryptographic Device      – A hardware device that performs cryptographic operat...
Token Threats                     Source: NIST, ITU-T15
Token Threat Mitigation Strategies16
NIST: Assurance Levels for Multi-Token E-Authentication                             Schemes17
Upcoming SlideShare
Loading in …5
×

Trust elevation-share

555 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
555
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
13
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Trust elevation-share

  1. 1. Multi-factor Authentication Methods Taxonomy Some ThoughtsAbbie Barbir, Ph.DCo-chair OASIS Trust Elevation TChttps://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el
  2. 2. Authentication Strength• (entity) authentication: A process used to achieve sufficient confidence in the binding between the entity and the presented identity.• What is Authentication Strength (or Trust in the Authentication Step)? – Measures how difficult it is for imposter to masquerade as the legitimate user – Authentication strength is often more formally expressed as a "level of assurance“ (ITU X.1254 and ISO 29115 (Based on NIST 800 63))• Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more factors from the same or different category• Multi-factor authentication uses more that 2 factors from different categories• Analysis – Overall objective is to elevate Trust in the Authentication step – Established terms, such as “2FA" are no longer precise enough to guide technology decisions – Choosing the method or methods appropriate for the needs of securing the enterprise using appropriate comparisons of different vendors products and services require a more granular taxonomy 2
  3. 3. How to determine the "Best" Authentication Method Use Needs and Constraints to Determine • Authentication strength • indicated by the level of risk • Total Cost of Ownership • Constrained by budget • Ease of use • universally desirable • Other constraints • consistency and control of the endpoint important Source Gartner3
  4. 4. Elevating Trust in Authentication Strength Level• Increasing the strength of authentication can be done by adding factors from the same or different kinds of authentication categories that don’t have the same vulnerabilities.• There are five categories of authentication methods • who you are, • what you know, • what you have, • what you typically do and • the context.• What you typically do consists of behavioral habits that are independent of physical biometric attributes.• Context includes, “but is not limited” to, location, time, party, prior relationship, social relationship and source.• Authentication assurance or elevation can be within the classic four X.1254 ITU-T LoA (ISO 29115 (NIST 800-063))• Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced. 4
  5. 5. Authentication Categories Who You Are what you what you what you Biometric know have Do ContextPhysical • User Name and • One Time Password (UN/PW), Password • Browsing • Location;Biometric A passphrase, a PIN (OTP) patterns Time of• immutable and unique • Time of access; • Very often used • Smart card• Facial recognition alone or in access • Subscriber • X.509 and• Iris Scan combinations with PKI • Type of identity KBA methods. device module (SIM)• Retinal Scan • Rarely used • Knowledge Based • Used in • Frequency of• Fingerprint Palm Scan Authentication alone Combinatio access;• Voice (KBA) • Used in n with other • Source and• Liveliness biometric • Static KBA combination methods with UN/PW endpoint factors include: • • Dynamic and a PIN identity • Pulse. KBA attributes such CAPTCHA; etc asBehavioral • Used inBiometric Combination• based on person’s of other physical behavioural methods activity patterns • Keyboard signature • Voice Mostly used to provide Secondary Attributes 5
  6. 6. How to Evaluate Authentication Strength1. Two aspects to consider• Methods resistance to attack – how difficult is it for an attacker to directly compromise or undermine the authentication method (without the users knowing collusion)• Method resistance to wilful misuse – how difficult is it for a user to deliberately allow others to share his account?2. Authentication Strength• Measures how hard it is for another person to masquerade as the legitimate user – Authentication may be undermined by two kinds of attacks: – Masquerade attacks, in which an attacker is (by some means) able to corroborate a falsely claimed digital identity and, thus, log in as a legitimate user. – Session hijacking attacks, such as a man-in-the browser attack, which take control of or parasitize an already-authenticated session after a legitimate users claimed digital identity has been corroborated.Session hijacking attacks bypass authentication and, thus, can succeed no matter how strongthe authentication method is.There is always a need for fraud detection, misuse monitoringand other compensating controls in order to elevate trust . Source : Gartner 6
  7. 7. How to Evaluate Authentication Strength• Combining two or more authentication methods can potentially increases authentication strength, compared with using either one. – For example, passwords are vulnerable to key logging – adding a second, partial password entered via drop down menu may reduce vulnerability to this attack.• Point of Caution – Each type of authentication attribute has a set of overlapping and intrinsic vulnerabilities with other attributes – A combination of two attributes of the same type tends to share many of vulnerabilities – It is a big mistake to assume that strong authentication always result when combining multiple authentication attributes/factors. Only by combining attributes of different kinds (that is, different factors) with different (non-overlapping) sets of vulnerabilities is there a significant increase in resistance to attack and, thus, in authentication strength7 Source: OASIS, ITU, NIST, Gartner
  8. 8. How to Evaluate Authentication Strength• Not any MFA method is stronger than an authentication method based on a single authentication factor/attribute.• For example, a biometric authentication method using heart beat is stronger than a password + OTP• For some type of attacks, a 2FA method might not be stronger than one of its components if used alone. – For example, a "fly-phishing" attack that captures and immediately use an OTP will be equally successful whether the OTP token was PIN-protected or not.• Some issues to consider• How Unique is the credential• Level Trust of Binding of credential to entity Source: NIST, Gartner 8
  9. 9. Evaluating Authentication Strength “Take Away”• Counting Factors is not enough to evaluate authentication strength Source: Gartner 9
  10. 10. Authentication Process Threats • Online guessing • Eavesdropping • Phishing • Replay • Pharming • Session hijack • Man-in-the-middle Threat Resistance per Assurance Level Source: ITU-T, NIST10
  11. 11. Example Calculating Overall Authentication Assurance Level (LOA 3)• Overall authentication assurance level is based on the weakest link of the assurance levels for each components• For instance, to achieve an overall assurance level of 3: – The registration and identity proofing process shall, at a minimum, use Level 3 processes or higher. – Token (or combination of tokens) used shall have an assurance level of 3 or higher. – The binding between the identity proofing and the token(s), if proofing is done separately from token issuance, shall be established at level 3. – The authentication protocols used shall have a Level 3 assurance level or higher. – The token and credential management processes shall use a Level 3 assurance level or higher – Authentication assertions (if used) shall have a Level 3 assurance or higher 11
  12. 12. Tokens• A Token is something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant’s identity • Single-factor Token – • A token that uses one of the three factors to achieve authentication. • For example, a password is something you know. • There are no additional factors required to activate the token, so this is considered single factor. • Multi-factor Token – • A token that uses two or more factors to achieve authentication. • For example, a private key on a smart card that is activated via PIN is a multi-factor token. • The smart card is something you have, and something you know 12 (the PIN) is required to activate the token.
  13. 13. Tokens “Token Style”1. Memorized Secret Token – A secret shared between the Subscriber and the CSP2. Pre-registered Knowledge Token – A series of responses to a set of prompts or challenges3. Look-up Secret Token – A physical or electronic token that stores a set of secrets shared between the Claimant and the CSP. The token authenticator is the secret(s) identified by the prompt. Look-up secret tokens are something you have.4. Out of Band Token – A physical token that is uniquely addressable and can receive a Verifier- selected secret for one-time use. The device is possessed and controlled by the Claimant and supports private communication19 over a channel that is separate from the primary channel for e-authentication.5. Single-factor (SF) One-Time Password (OTP) Device – A hardware device that supports the spontaneous generation of one-time passwords 13
  14. 14. Tokens “Token Style”6. Single-factor (SF) Cryptographic Device – A hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication7. Multi-factor (MF) Software Cryptographic Token – A cryptographic key is stored on disk or some other “soft” media and requires activation through a second factor of authentication.8. Multi-factor (MF) One-Time Password (OTP) Device – A hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication9. Multi-factor (MF) Cryptographic Device – A hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. Authentication is accomplished by proving possession of the device and control of the key. The token authenticator is highly dependent on the specific cryptographic device and protocol, but it is generally some type of signed message. For example, in TLS, there is a “certificate verify” message. The MF Cryptographic device is something you have, and it may be activated by either something you know or something you are.14
  15. 15. Token Threats Source: NIST, ITU-T15
  16. 16. Token Threat Mitigation Strategies16
  17. 17. NIST: Assurance Levels for Multi-Token E-Authentication Schemes17

×