Password weakness has been in the news again lately, but we have known for some time that passwords alone are not a good authentication or access control mechanism. Strong and practical authentication is very challenging: there are “strong” schemes, but they often don’t work well for users. Security practitioners are familiar with the 3 factors of authentication: something you know, something you have, and something you are. Each of these has fundamental flaws. I like to think of them as: something you forgot, something you lost, and something you were!
We will take a look at the current state of authentication, examine weaknesses in the authentication factors, introduce the fourth factor of authentication, and consider some solutions.
3 factors of fail sec360 5-15-13
1. 3 Factors of Fail
Barry Caplin
Like what you hear? Tweet it using: #WebTracks
2. Welcome to UMSA WebTracks
Questions during webinar
Post webinar survey
Are you tweeting? #WebTracks
3. 3 Factors of Fail
The Authentication Problem
UMSA WebTracks
Wed. Apr. 9, 2015
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Officer
Fairview Health Services
4. Celebrating a decade of guiding security professionals.
@Secure360 or www.Secure360.org
Secure360!
May 12-13, 2015
Be There!
20. Not Simple
• Can’t be easily guessable
• False positives
− Grant rights to wrong person
− Actions attributable to you!
So not simple/guessable…
But simple is memorable…
22. To Make It Worse
• Expiration
− “best practice”
− Like changing your house locks every 30 days!
• Secret Questions – too simple, too guessable
− Answers on Facebook
− Remember… don’t have to be true!
• Help Desks
− social engineering and process hacks (ask Mat Honan)
23. 3 More Issues
• Bad Choices
− NYG1@nts! meets requirements
• Shoulder Surfing
− Complex => slow to enter
• Writing Down
− Not bad if done well
24. To Make It Worse
• Social Engineering
• Phishing
27. Solutions
• Length
− Better than Complexity!
− Long phrases easier to remember
− Why do some sites have max length???
• Vaults
− Use ‘em!
− Don’t forget the main password!
• OTP (One Time Passwords)
− Fixes many issues except delivery
29. OTP Delivery
• Hard Token
− Time (RFC 6238) or Sequence-based
− Also Smart Cards, Key Cards
• Soft Tokens
− Program or App
− Device independence
• SMS
• Paper
30. Challenges
• Hard Tokens
− Can be lost
− Worse – often kept with laptop
− Multiple systems = multiple tokens
• Soft Tokens – better because people don’t lose their phones…
• … Oh Wait…
37. 2 Biggest Issues
• Can’t change your biometric when you need to
• Your biometric can change when it wants to
− Hard to fake (getting easier)
− Easy to steal
− Nearly impossible to change/fix
39. The 4th Factor
• Risk-based, location-based, adaptive auth
• “somewhere you are” or “something you are doing”
• Key need – “rich” user profile
• Check against profile, then:
− Allow
− Deny
− Challenge
40. Biggest Issue
• Establishing profile
− Takes time
− Highly non-trivial
− Needs much info and/or long/ongoing relationship
• Otherwise degenerates to 1-factor
• Promising
45. Solutions
• Typical
− 1-factor – id/pw for login ; badges for entry
− Occasional hard token use
− But 1-factor only safe in “controlled” environments
• Challenge:
− Positively id a person
− Easy to use
47. User/Use
• User
− Customer
− Staff
− Tech worker
− Clinical
− Newbie
− Hardware/software
− Control over hw/sw
− Data classification
− Regulatory
− Threats/Risks
• Use
− Replay attack
− Availability
− Work-arounds
− Single/multi-use
− Easy to use?
Then do what makes sense!
48. Example
• Biometrics for entrance into high-security area
• Badges can be lost or used by anyone
− Combine with measures like Keywatcher
• OTP
− Google Auth or Yubikey
− SmartPhones – can be lost but often kept close and rarely left with computer
− Good choice for online/web-based services
50. Example
• Long passwords + vault
− pw’s – with us for a while
− People make poor pw choices
− Long phrases easier to remember
− Long random strings better
• Better – Add easy-to-use soft fob
• Remote access + risk-based auth
− We have more info about staff
52. Wearing My Heart On My Sleeve… Literally!
Secure360
Tues. May 12, 2015
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Officer
Fairview Health Services
53. CISOs are from Mars, CIOs are from Venus
Secure360
Tues. May 12, 2015 1:30P
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Officer
Fairview Health Services
55. Thank you for attending
Don’t forget to complete your post webinar survey
Barry will stay on for additional questions until 1:30pm
Editor's Notes
1993 New Yorker magazine cartoon
People get the minimum access necessary to do their jobs… no more and no less
The challenge is that passwords need to be used by people
One can make easily guessable pw’s that meet requirements; Shorter pw’s make shoulder surfing worse; Schneier suggests putting passwords in wallet – which is already well secured
http://www.ismytwitterpasswordsecure.com/
2-factor is most common.
Static methods can’t be changed – sword-in-stone, license, card, ring, etc. Have all the problems of Dynamic plus revocation problems.
I need to find a video of that security commercial with bald, pale people who can’t authenticate because they have no more hair and can’t get a blood sample.
Risk-based, location-based, adaptive authentication
“somewhere you are”, “something you are doing”
Key is establishing a “rich” profile of the user: machine used, software used, date/time of access, IP address, geo location, actions attempted (NBA)
Upon connection, check against profile, then: allow, deny or further challenge
Biggest issue… establishing profile (like with biometrics) non-trivial and takes time – so probably best when you already have long relationship with, or much info about, user – otherwise degenerates to 1-factor
Newer but promising
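The following is an added example (not from the talk or from Fairview) of the profile check the slides describe: build a “rich” profile from a user’s past access events, score a new attempt against it, then allow, deny or challenge. The weights, thresholds, attribute set and the sample history are all assumptions chosen for illustration. The thin-profile case the notes warn about (the profile is not yet rich enough to trust) is handled by always stepping up to a challenge rather than letting the check silently degrade to one factor; the “transfer” action stands in for the bank example’s re-auth on large/unusual transactions.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical weights and thresholds (assumptions for this example, not from the talk).
MIN_PROFILE_EVENTS = 20          # below this the profile is too thin to trust
HIGH_RISK_ACTIONS = {"transfer", "change_password", "export"}
DENY_AT = 60
CHALLENGE_AT = 30


@dataclass(frozen=True)
class LoginEvent:
    """One access attempt, carrying the attributes the notes list (machine, IP/geo, time, action)."""
    user: str
    device_id: str
    ip: str
    country: str
    hour: int          # local hour of day, 0-23
    action: str


@dataclass
class Profile:
    user: str
    devices: Counter
    countries: Counter
    hours: Counter
    events: int


def build_profile(user, history):
    """Aggregate a user's past events into the 'rich' profile the check runs against."""
    mine = [e for e in history if e.user == user]
    return Profile(
        user=user,
        devices=Counter(e.device_id for e in mine),
        countries=Counter(e.country for e in mine),
        hours=Counter(e.hour for e in mine),
        events=len(mine),
    )


def risk_score(profile, event):
    """Additive score: every deviation from the profile adds its weight."""
    score = 0
    if event.device_id not in profile.devices:
        score += 40    # machine never seen for this user
    if event.country not in profile.countries:
        score += 30    # geo never seen for this user
    if profile.hours[event.hour] == 0:
        score += 15    # never active at this hour
    if event.action in HIGH_RISK_ACTIONS:
        score += 20    # sensitive action: re-auth for large/unusual transactions
    return score


def decide(profile, event):
    """Return 'allow', 'challenge' or 'deny'. A thin profile always challenges:
    trusting it would silently degrade the check to single-factor."""
    if profile.events < MIN_PROFILE_EVENTS:
        return "challenge"
    score = risk_score(profile, event)
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def sample_history(n=24):
    """Constructed history for user 'alice': two known devices, US, working hours only."""
    return [
        LoginEvent(
            user="alice",
            device_id="laptop-1" if i % 4 else "phone-1",
            ip=f"203.0.113.{10 + i % 5}",    # TEST-NET-3 documentation addresses
            country="US",
            hour=8 + i % 10,                  # 08:00-17:00
            action="view",
        )
        for i in range(n)
    ]


if __name__ == "__main__":
    profile = build_profile("alice", sample_history())
    for ev in (
        LoginEvent("alice", "laptop-1", "203.0.113.10", "US", 10, "view"),
        LoginEvent("alice", "tablet-9", "203.0.113.10", "US", 10, "view"),
        LoginEvent("alice", "tablet-9", "198.51.100.7", "RO", 3, "transfer"),
    ):
        print(ev.device_id, ev.country, ev.hour, ev.action, "->", decide(profile, ev))
```

The score is deliberately additive and transparent so that a challenge can be explained to the help desk (“new device and new country”); a production system would feed the same signals into a model, but the three outcomes and the thin-profile rule stay the same.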
But tokens often left with laptops; tokens on badge (or smart card) lanyards left also (pic); and “safety” of token causes some users to choose weak pw; policy can prevent but then we’re back to pw’s on sticky notes
Makes sense in theory but has all the problems already covered
Can’t just admire the problems!
Single factor is not good except in tightly controlled environments (controlled how???)
Challenge: we need a system to positively identify a person, and it has to be easy (enough) to use
Think about: User. Use.
Ex: customer or staff already have relationship with; tech worker; newbie; what hardware/software; what control do you have over hardware/software; classification of data; regulatory; threats; risks
Auth method: susceptible to replay attack; need to be available anywhere; manual/help-desk work-arounds; single or multi-use; easy to use?
Then use what makes sense
biometric authentication for entrance to a high-security building or room - badges are typically used, but anyone can be in possession of a badge. If you have an area that needs higher security physical controls, biometrics or perhaps a keywatcher-type system can be used.
One-time passwords - using tools like Google Authenticator or Yubikey. I like the use of smartphone app or sms for one-time passwords because users are less likely to leave their phone (rather than a hard token) with their computer. This is a great choice for websites.
Bank example: system auth -> preselected word/picture -> id/pw + reauth for large/unusual transaction
long passwords! + vault - Unfortunately, passwords as a stand-alone authentication method will still be with us for a while. Among the problems with passwords is that people make poor choices. Long alphabetic passphrases are easier to remember, but I still recommend the use of long random passwords and a vault.
remote access with risk-based authentication - we discussed risk-based authentication in part 5. People may attempt to log in in a variety of situations. Risk-based authentication can help measure the potential threat and challenge for additional levels or factors.
Fast Identity Online (Google, Yubico, NokNok);
brainwave authentication - http://neurogadget.com/2013/04/17/passthoughts-the-future-of-authentication/7671
OATH – initiative for Open Authentication – standard for 2-factor “strong” auth incl. Verisign, Google Auth, etc.
Oauth – Open standard for Auth – 3rd party login via token (after logging in at another site like Facebook, Twitter, Google)
OpenID – like Oauth except uses certs via self-created URI
SQRL - https://www.grc.com/sqrl/sqrl.htm
Nymi – uses pulse - http://www.getnymi.com/