Assurity seminar 24 jan

seminar on 2FA

Transcript

  • 3. Vulnerability of Smart Phones
    Smartphones are a permanent point of access to the internet (mostly on); they can be compromised more easily than computers.
    Implied permission
    •  This infection is based on the fact that the user has a habit of installing software. Most trojans try to seduce the user into installing attractive applications (games, useful applications etc.) that actually contain malware.
    Common interaction
    •  This infection is related to a common behaviour, such as opening an MMS or email.
    http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
  • 4. Dangers of Relying Solely on User ID / Password for Sensitive Data
    •  Flexispy is a commercially available application for spying.
    •  The program sends all information received and sent from the smartphone to a Flexispy server. It was originally created to protect children and spy on adulterous spouses.
  • 6. Typical Mobile Malware Gameplan
    http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
  • 7. Get Malware Installed by User
    http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
  • 8. What Hackers Want to Achieve
    http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
  • 9. Level of Enforcement Before Allowing Apps on App Store / Google Play
    Will a hacker be deterred by the need to provide IP/SMS or credit card details?
    Are corporate ID and personal ID (driver's licence) numbers good enough to ensure malware is not disguised as an app?
    http://www.us-cert.gov/GFIRST/presentations/2012/mobile_exploit_intel_guido.pdf
  • 10. Public Feedback on 2FA
  • 11. National Authentication Framework
    What is NAF
    •  Nationwide platform for the adoption of strong authentication
    •  For eServices that handle sensitive information and/or facilitate transactions
    •  Provides trusted and cost-effective authentication
    Why
    •  Fulfils strong authentication requirements from regulators, banks and financial institutions, government & healthcare
    The National 2FA system has been operational since December 2011.
  • 12. Service Providers Live on OneKey
  • 13. •  Stronger security is required to protect sensitive data.
    •  This valuable repository of personal information includes income tax, CPF and HDB Loan Records.
    •  SingPass – set up for every resident aged 15 and above in 2003 …. There are more than 2.8 million SingPass users today.
    •  Assurity, a subsidiary of IDA, is the sole bidder.
  • 14. OneKey Mission: Consumer Security & Convenience
    OneKey can be used across multiple Service Providers, Banks, Government, online services, corporate VPN etc…
  • 15. OneKey’s Value Proposition
    •  Stronger protection against online identity theft & fraud
    •  Convenience to end-users: a single authentication device across multiple online services (e.g. banking, trading, govt e-services, insurance, online commerce etc.)
    •  Giving consumers a choice to manage their own security policies
  • 16. OneKey: A Convenient, Secure Authentication Mechanism
    •  Current Offerings
      –  Assurity provides 2FA services via the OneKey Pad – a robust and integrated mechanism that is secure, convenient and cost-effective
      –  OneKey Pad offers 3 options of 2FA: OTP, Challenge Response and Transaction Signing
      –  OneKey SMS – OTP delivered via SMS for convenience to users
    •  Under Development
      –  OneKey Card
      –  OneKey Mobile
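The three OneKey Pad options listed above differ in what the code is bound to: a plain OTP is bound only to the device and a counter, a challenge-response code is additionally bound to a server-chosen challenge, and a transaction-signing code is bound to the payee and amount the user keys in. The Python below is an added illustration of those three modes and is not Assurity's implementation or the OneKey Pad's actual algorithm, which the slides do not specify. It assumes a generic hardware-token design: an HMAC-SHA256 keyed with a per-device seed (the constructed SEED value is a demo, not a real credential) and HOTP-style truncation to decimal digits.

```python
import hmac
import hashlib
import secrets
import struct

# Constructed demo seed. In a real deployment the seed is provisioned into the
# token at issuance and stored on the authentication server; it never leaves either.
SEED = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def _truncate(mac: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation (RFC 4226 section 5.3): pick 4 bytes from the
    HMAC at an offset given by its last nibble and reduce to a decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _mac(seed: bytes, message: bytes) -> bytes:
    return hmac.new(seed, message, hashlib.sha256).digest()


# Option 1: event-based OTP. Device and server share a counter; each button press
# advances it. The code is bound to nothing but the device and that counter.
def otp(seed: bytes, counter: int) -> str:
    return _truncate(_mac(seed, struct.pack(">Q", counter)))


def verify_otp(seed: bytes, code: str, last_counter: int, window: int = 5):
    """Accept a code from the next `window` counters so that presses the user made
    without submitting do not desynchronise the token. Returns the counter to
    persist on success, or None. Counters <= last_counter are never accepted,
    which is what stops a captured OTP from being replayed."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(otp(seed, c), code):
            return c
    return None


# Option 2: challenge-response. The server sends a random challenge that the user
# keys into the pad; the response is bound to that challenge, so a response
# observed once cannot be reused for a later login.
def new_challenge() -> str:
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def challenge_response(seed: bytes, challenge: str) -> str:
    return _truncate(_mac(seed, b"CR" + challenge.encode()))


def verify_challenge_response(seed: bytes, challenge: str, response: str) -> bool:
    return hmac.compare_digest(challenge_response(seed, challenge), response)


# Option 3: transaction signing. The user keys the payee account and amount into
# the pad, so the code authorises exactly that transaction; malware on the PC or
# phone that alters the payee after the fact gets a code that no longer verifies.
def sign_transaction(seed: bytes, payee: str, amount_cents: int) -> str:
    msg = b"TX" + payee.encode() + b"|" + str(amount_cents).encode()
    return _truncate(_mac(seed, msg), digits=8)


def verify_transaction(seed: bytes, payee: str, amount_cents: int, code: str) -> bool:
    return hmac.compare_digest(sign_transaction(seed, payee, amount_cents), code)


if __name__ == "__main__":
    code = otp(SEED, 1)
    print("OTP", code, "accepted at counter", verify_otp(SEED, code, 0))
    ch = new_challenge()
    print("challenge", ch, "response ok:", verify_challenge_response(SEED, ch, challenge_response(SEED, ch)))
    tx = sign_transaction(SEED, "123-45678-9", 150000)  # constructed payee / S$1500.00
    print("transaction ok:", verify_transaction(SEED, "123-45678-9", 150000, tx))
    print("tampered payee ok:", verify_transaction(SEED, "999-00000-1", 150000, tx))
```

The three verifiers share one seed and one HMAC; what changes is the message the device commits to. That is the practical difference between the options on the slide: an OTP defends against password theft, challenge-response additionally defeats replay of a captured code, and only transaction signing defends against a man-in-the-browser that rewrites the payment after the user has authenticated.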
  • 17. OneKey: A Reliable & Trusted Security Device
    *Compliances & Certifications
    •  Certified to ISO/IEC 27001:2005
    •  **Complied to MAS IBTRM V3 & ***MAS 2012 Consultation Paper
    •  Complied to Government IM8 requirements
    •  Complied to SS540
    •  Complied to TIA942
    •  Complied to FIPS
    Your complete solution to compliance with 2nd Factor Authentication – Quick, Cost-Effective & Always Updated!
    * Certifications are renewed and audited annually
    ** Fully redundant active-active tier 3 data centres
    *** Assurity is the appointed NAF operator and works closely with MAS
  • 18. Assurity’s Service Model
    (Diagram: SP sends OneKey to End User; Assurity delivers SMS OTP to End User’s mobile device.)
    SP – Service Providers
    OTP – One Time Password
  • 19. Committed Service Level
    Basic Service Offering
    •  2FA using OneKey Pads
    •  2nd factor credential registration, issuance and management
    •  Authentication Service:
      –  99.99% service availability
      –  90% within 800ms, 100% within 2 seconds
    •  24x7 technical support
    Additional Service Offerings
    •  Dedicated technical support packages
    •  SMS OTP traffic charges
  • 20. Service Levels
    Item – Service Level
    •  Authentication Service Availability – 99.99% in a month
    •  Authentication requests completed – 90% within 800 msec, 100% within 2 sec
    •  Issuance of tokens and password mailers to end-user – Within 3 and 3+2 working days*
    •  Severity 1, 2, 3 requests – 3 levels of service support: Basic, Gold, Platinum
  • 21. Use Cases of OneKey
    1.  2FA for online services
    2.  Incorporate OneKey 2FA into mobile apps so that consumers know that it is an authentic app
    3.  Corporate VPN 2FA to access corporate applications
    Assurity provides SPs with a test environment and specifications to connect to OneKey.
  • 22. Budget to Leverage on OneKey
    •  Volume based pricing: volume per year up to 3M – 6 ¢/Transaction (6 cents)
    •  Early-adoption special for SPs that sign up before Dec 2013 – 4.5 ¢/Transaction (4.5 cents)
    •  Billed monthly based on prorated volume
    •  Fees waived for 1st 2 years from system live-date (Dec 2011 – Dec 2013)
  • 23. Other Costs for Budgeting
    •  SP’s Setup
      –  Application 2FA Page (resources to develop, test)
      –  Connections to Assurity (MPLS or IPSec VPN over Internet)
    •  SMS Traffic Cost for Authentications Using SMS OTP
      –  Connection to SMS aggregator, SMS traffic cost
    •  Customer Support
      –  SPs handle 1st level of calls typically
      –  Assurity provides training materials to help SP helpdesk
      –  Assurity will offer 24 x 7 customer support for 2FA calls that require escalation
    •  NAF Gateway from accredited partners
      –  Easier implementation
      –  Time to market
    •  Budget range from SGD 70K – 250K depending on organisation’s requirements
  • 24. Service Support Levels
    Support Level / Severity – Initial Response* – Communication Frequency** – Resolution***
    Basic Support
      –  Severity 1 – 2 hours – Every 2 hours – 8 hours
      –  Severity 2 – 4 hours – Every business day – 4 business days
      –  Severity 3 – 8 hours – Every 2 business days – 7 business days
    Gold Support
      –  Severity 1 – 30 minutes – Every 30 minutes – 4 hours
      –  Severity 2 – 1 hour – Every 2 hours – 8 hours
      –  Severity 3 – 4 hours – Every business day – 4 business days
    Platinum Support
      –  Severity 1 – 15 minutes – Every 15 minutes – 2 hours
      –  Severity 2 – 30 minutes – Every 1 hour – 4 hours
      –  Severity 3 – 3 hours – Every business day – 3 business days
    * Initial Response: first update to SP regarding the current status of the issue from the time the incident is reported.
    ** Communication Frequency: frequency at which the support team updates the SP on the status of the issue.
    *** Resolution: time allowed to resolve the issue.
  • 25. NAF Technical Architecture
    Fully redundant architecture: 2 data centres with:
    •  Dual telecommunications providers and Internet service providers
    •  Dual power supply
    •  Synchronised data between both active sites
  • 26. NAF Technical Architecture
    •  Fully redundant architecture (active-active)
    •  NAF Systems to the SPs are NOT exposed directly to the Internet
      –  NAF AO connects to SPs only via Private Network
    •  NAF’s infrastructure service availability and uptime ~ 99.999% availability and RTO=0
  • 27. THANK YOU
    Jason Kong, Deputy Director
    Assurity Trusted Solutions, a wholly owned subsidiary of IDA
    jason@assurity.sg  jason_kong@ida.gov.sg
    Mobile: +65 9851 – 0020