3 factors of fail sec360 5-15-13



Password weakness has been in the news again lately, but we have known for some time that passwords alone are not a good authentication or access-control mechanism. Strong and practical authentication is very challenging: there are “strong” schemes, but they often don’t work well for users. Security practitioners are familiar with the three factors of authentication: something you know, something you have, and something you are. Each of these has fundamental flaws. I like to think of them as: something you forgot, something you lost, and something you were!
We will take a look at the current state of authentication, examine weaknesses in authentication factors, introduce the fourth factor of authentication and consider some solutions.

Published in: Technology, Business

Speaker notes:
  • 1993 New Yorker magazine cartoon
  • People get the minimum access necessary to do their jobs… no more and no less
  • The challenge is that passwords need to be used by people
  • One can make easily guessable pw’s that meet requirements; Shorter pw’s make shoulder surfing worse; Schneier suggests putting passwords in wallet – which is already well secured
  • http://www.ismytwitterpasswordsecure.com/
  • 2-factor is most common.
    Static methods can’t be changed – sword-in-stone, license, card, ring, etc. They have all the problems of dynamic methods plus revocation problems.
  • I need to find a video of that security commercial with bald, pale people who can’t authenticate because they have no more hair and can’t get a blood sample.
  • Risk-based, location-based, adaptive authentication
    “somewhere you are”, “something you are doing”
    Key is establishing a “rich” profile of the user: machine used, software used, date/time of access, IP address, geolocation, actions attempted (NBA)
    Upon connection, check against profile, then: allow, deny or further challenge
  • Biggest issue… establishing profile (like with biometrics) non-trivial and takes time – so probably best when you already have long relationship with, or much info about, user – otherwise degenerates to 1-factor
    Newer but promising
  • But tokens are often left with laptops; tokens on badge (or smart card) lanyards get left as well (pic); and the “safety” of a token causes some users to choose weak pw’s; policy can prevent that, but then we’re back to pw’s on sticky notes
    Makes sense in theory but has all the problems already covered
  • Can’t just admire the problems!
  • Single factor is not good except in tightly controlled environments (controlled how???)
    Challenge: we need a system to positively identify a person, and it has to be easy (enough) to use
  • Think about: User. Use.
    Ex: customer or staff already have relationship with; tech worker; newbie; what hardware/software; what control do you have over hardware/software; classification of data; regulatory; threats; risks
    Auth method: susceptible to replay attack; need to be available anywhere; manual/help-desk work-arounds; single or multi-use; easy to use?
    Then use what makes sense
  • Biometric authentication for entrance to a high-security building or room - badges are typically used, but anyone can be in possession of a badge. If you have an area that needs higher-security physical controls, biometrics or perhaps a Keywatcher-type system can be used.
    One-time passwords - using tools like Google Authenticator or Yubikey. I like the use of a smartphone app or SMS for one-time passwords because users are less likely to leave their phone (rather than a hard token) with their computer. This is a great choice for websites.
  • Bank example: system auth -> preselected word/picture -> id/pw + reauth for large/unusual transaction
  • long passwords! + vault - Unfortunately, passwords as a stand-alone authentication method will still be with us for
    a while.  Among the problems with passwords is that people make poor choices.  Long alphabetic passphrases are easier to remember, but I still recommend the use of long random passwords and a vault.
    Remote access with risk-based authentication - we discussed risk-based authentication in part 5. People may attempt to log in in a variety of situations. Risk-based authentication can help measure the potential threat and challenge for additional levels or factors.
  • Fast Identity Online (Google, Yubico, NokNok);
    brainwave authentication - http://neurogadget.com/2013/04/17/passthoughts-the-future-of-authentication/7671
    OATH – Initiative for Open Authentication – standard for 2-factor “strong” auth incl. Verisign, Google Authenticator, etc.
    OAuth – open standard for authorization – 3rd-party login via token (after logging in at another site like Facebook, Twitter, Google)
    OpenID – like OAuth except uses certs via a self-created URI
    SQRL - https://www.grc.com/sqrl/sqrl.htm
    Nymi – uses pulse - http://www.getnymi.com/
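The notes above describe the 4th factor as a procedure: build a “rich” profile (machine, software, time of access, IP, geolocation, actions) and, on each connection, check the attempt against it and allow, deny or challenge. The following is an added illustration of that loop, not code from the talk; the attributes, weights, thresholds and the sample history are all assumptions.

```python
"""Risk-based ("4th factor") check: score a login attempt against a profile built
from past sessions, then allow / deny / challenge. Added illustration; weights,
thresholds and sample data are assumptions, not from the talk."""
from collections import Counter
from datetime import datetime
WEIGHTS = {"device": 30, "software": 10, "net": 25, "geo": 30, "hour": 15}  # assumed
CHALLENGE_AT, DENY_AT = 30, 70      # assumed cut-offs on the summed score

def features(session):
    """Reduce a session record to the attributes the profile is compared on."""
    return {"device": session["device"], "software": session["software"],
            "net": ".".join(session["ip"].split(".")[:3]),   # match on the /24
            "geo": session["geo"], "hour": session["when"].hour}

def build_profile(history):
    """The 'rich' profile: how often each attribute value appeared in past logins."""
    prof = {k: Counter() for k in WEIGHTS}
    for s in history:
        for k, v in features(s).items():
            prof[k][v] += 1
    return prof

def risk_score(profile, attempt):
    """Sum the weight of every attribute whose value this user has never shown."""
    f, score = features(attempt), 0
    for k, w in WEIGHTS.items():
        if k == "hour":   # +/- 1 h tolerance around any previously seen login hour
            known = any(abs(f["hour"] - h) <= 1 for h in profile["hour"])
        else:
            known = f[k] in profile[k]
        score += 0 if known else w
    return score

def decide(profile, attempt, min_history=5):
    """Thin profile: always challenge rather than degenerate to 1-factor (slide 38)."""
    if sum(profile["device"].values()) < min_history:
        return "challenge"
    score = risk_score(profile, attempt)
    if attempt.get("action") == "large_transfer" and score > 0:
        return "challenge"   # anything unusual plus a sensitive action: re-authenticate
    return "deny" if score >= DENY_AT else "challenge" if score >= CHALLENGE_AT else "allow"

# Constructed sample history: one user, one laptop, office /24, business hours.
HISTORY = [{"device": "laptop-7f3", "software": "Firefox/20", "ip": f"10.1.2.{i}",
            "geo": "US-MN", "when": datetime(2013, 5, 6 + i, 9 + i % 3), "action": "view"}
           for i in range(6)]
def sample_attempt(hour=10, **overrides):
    """A login attempt from the usual context, with any fields overridden (constructed)."""
    base = {"device": "laptop-7f3", "software": "Firefox/20", "ip": "10.1.2.99",
            "geo": "US-MN", "when": datetime(2013, 5, 20, hour), "action": "view"}
    return {**base, **overrides}
```

A new phone on an unknown network is challenged, the same plus a foreign geolocation at 3 a.m. is denied, and a large transfer from any unfamiliar context is always re-authenticated.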
Slides: 3 factors of fail sec360 5-15-13

    1. 3 Factors of Fail. Barry Caplin. Like what you hear? Tweet it using: #WebTracks
    2. Welcome to UMSA WebTracks. Questions during webinar. Post webinar survey. Are you tweeting? #WebTracks. Like what you hear? Tweet it using: #WebTracks
    3. 3 Factors of Fail: The Authentication Problem. UMSA WebTracks, Wed. Apr. 9, 2015. Barry Caplin, VP, Chief Information Security Officer, Fairview Health Services. bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com
    4. Celebrating a decade of guiding security professionals. @Secure360 or www.Secure360.org. Secure360! May 12-13, 2015. Be There!
    5. http://about.me/barrycaplin securityandcoffee.blogspot.com @bcaplin
    6. Who is Fairview? A partnership of North Memorial and Fairview
    7. Authentication is the Challenge
    8. And The Challenge is… People need to: • Enter Buildings • Use Systems • Use Data
    9. And The Challenge is… The Right People need to: • Enter Buildings • Use Systems • Use Data
    10. Guiding Principle: Minimum Necessary
    11. We Usually Think Of…
    12. And Passwords Get Stolen
    13. And Bad Choices Are Made
    14. Luckily, Passwords are Dead!
    15. 3 Factors of Authentication: 1. Something You Know 2. Something You Have 3. Something You Are (or Do)
    16. 3 Factors of Auth FAIL: 1. Something You Forgot 2. Something You Lost 3. Something You Were (or Did)
    17. 1. Something You Forgot • P@sswOrd5 • PINs • Combinations • “Secret” Phrases • Picture Identification • Patterns
    18. Used by…
    19. Not Simple • Can’t be easily guessable • False positives − Grant rights to wrong person − Actions attributable to you! So not simple/guessable… But simple is memorable…
    20. Complexity Requirements • Make Guessing Hard − Common: 8 char, upper/lower, numeric, special • Smart Users Circumvent • Nonsense/Random great − But impossible to remember
    21. To Make It Worse • Expiration − “best practice” − Like changing your house locks every 30 days! • Secret Questions – too simple, too guessable − Answers on Facebook − Remember… don’t have to be true! • Help Desks − social engineering and process hacks (ask Mat Honan)
    22. 3 More Issues • Bad Choices − NYG1@nts! meets requirements • Shoulder Surfing − Complex => slow to enter • Writing Down − Not bad if done well
    23. To Make It Worse • Social Engineering • Phishing
    24. These are Legit
    25. Solutions • Length − Better than Complexity! − Long phrases easier to remember − Why do some sites have max length??? • Vaults − Use ‘em! − Don’t forget the main password! • OTP (One Time Passwords) − Fixes many issues except delivery
    26. Something You Lost • Hard/Soft token • Static/Dynamic
    27. OTP Delivery • Hard Token − Time (RFC 6238) or Sequence-based − Also Smart Cards, Key Cards • Soft Tokens − Program or App − Device independence • SMS • Paper
    28. Challenges • Hard Tokens − Can be lost − Worse – often kept with laptop − Multiple systems = multiple tokens • Soft Tokens – better because people don’t lose their phones… • … Oh Wait…
    29. Solution • I still like this when implemented well − Google Auth − SMS − Smart phones − Paper
    30. Something You Were • Usually means biometrics • Oldest form of ID • Animals, babies, tribes/groups – senses • Mixed reliability
    31. Biometrics • False Positives – bad for security • False Negatives – bad for business
    32. Biometrics. Some common choices: • Iris/retinal scan, fingerprint, palm print/geometry. Less common: • Voice, typing cadence, “bottom” print
    33. Biometrics • Best auth method for use in movies!
    34. Challenges • Logistics • Registration, hardware/people, “failure to enroll” (FER), contaminants on readers • Hygiene • Perception (movie story) • Back-end systems
    35. 2 Biggest Issues • Can’t change your biometric when you need to • Your biometric can change when it wants to − Hard to fake (getting easier) − Easy to steal − Nearly impossible to change/fix
    36. Solutions? • Not bad if used correctly • Local physical access • Voice-print for automated pw reset
    37. The 4th Factor • Risk-based, location-based, adaptive auth • “somewhere you are” or “something you are doing” • Key need – “rich” user profile • Check against profile, then: − Allow − Deny − Challenge
    38. Biggest Issue • Establishing profile − Takes time − Highly non-trivial − Needs much info and/or long/ongoing relationship • Otherwise degenerates to 1-factor • Promising
    39. Multi-Factor (MFA) • Take 2 bad things and combine them together! • That makes sense!
    40. Multi-Factor (MFA) • Typically 2-factor − ID/pw + token − Steal one, you can’t get in − Either can be “easily” changed
    41. Multi-Factor (MFA) • But…
    42. Solutions!
    43. Solutions • Typical − 1-factor – id/pw for login; badges for entry − Occasional hard token use − But 1-factor only safe in “controlled” environments • Challenge: − Positively id a person − Easy to use
    44. User/Use • Customer • Staff • Tech worker • Clinical • Newbie • Hardware/software • Control over hw/sw • Data classification • Regulatory • Threats/Risks • Replay attack • Availability • Work-arounds • Single/multi-use • Easy to use? Then do what makes sense!
    45. Example • Biometrics for entrance into high-security area • Badges can be lost or used by anyone − Combine with measures like Keywatcher • OTP − Google Auth or Yubikey − SmartPhones – can be lost but often kept close and rarely left with computer − Good choice for online/web-based services
    46. Example: Online Banking • System auth -> − Preselected word/picture -> Id/pw -> Challenge or Reauth for large/unusual transaction
    47. Example • Long passwords + vault − pw’s – with us for a while − People make poor pw choices − Long phrases easier to remember − Long random strings better • Better – Add easy-to-use soft fob • Remote access + risk-based auth − We have more info about staff
    48. The Future: Nymi
    49. Wearing My Heart On My Sleeve… Literally! Secure360, Tues. May 12, 2015. bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin, VP, Chief Information Security Official, Fairview Health Services
    50. CISOs are from Mars, CIOs are from Venus. Secure360, Tues. May 12, 2015, 1:30P. bcaplin1@fairview.org bc@bjb.org @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com Barry Caplin, VP, Chief Information Security Official, Fairview Health Services
    51. @bcaplin http://about.me/barrycaplin http://securityandcoffee.blogspot.com
    52. Thank you for attending. Don’t forget to complete your post webinar survey. Barry will stay on for additional questions until 1:30pm. Like what you hear? Tweet it using: #WebTracks
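Slide 27 lists time-based OTP (RFC 6238) as the hard/soft-token delivery method, and the notes recommend Google Authenticator-style apps. The following added example (not code from the talk) implements that scheme, HOTP per RFC 4226 with the time-derived counter of RFC 6238, plus a server-side check that tolerates one step of clock drift and refuses to accept a counter twice, which is what stops a code observed over someone's shoulder from being reused within its 30-second step. The window and replay-guard design are assumptions; the shared secret is the RFC test-vector key.

```python
"""Time-based OTP (RFC 6238) over HOTP (RFC 4226): the scheme behind Google
Authenticator-style soft tokens (slide 27). Added example, not the talk's code;
the verify() window and replay guard are assumptions."""
import hashlib
import hmac
import struct

TIME_STEP = 30      # seconds per counter value (RFC 6238 default)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter) reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP is HOTP with the counter T = floor(unix_time / TIME_STEP)."""
    return hotp(secret, unix_time // TIME_STEP, digits)

def verify(secret: bytes, code: str, unix_time: int, last_counter: int, window: int = 1):
    """Server side: accept the current step or +/- window steps to absorb clock
    drift, but never a counter at or below the last one accepted, since a valid
    code is otherwise replayable for the rest of its step (OTP fixes delivery
    problems, not replay). Returns (ok, new_last_counter)."""
    now = unix_time // TIME_STEP
    for c in range(now - window, now + window + 1):
        if c > last_counter and hmac.compare_digest(hotp(secret, c, len(code)), code):
            return True, c
    return False, last_counter

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII digits, 20 bytes).
RFC_SECRET = b"12345678901234567890"
```

The 8-digit values for the RFC_SECRET at times 59, 1111111109, 1234567890 and 2000000000 match the RFC 6238 Appendix B SHA-1 vectors, so the implementation can be checked without any token hardware.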