OWASP AppSec USA 2015, San Francisco
How do you stump a multi-factor authentication vendor? Ask for a threat model.

This talk will help developers as well as CISOs make better authentication decisions. When we raise the bar, everyone wins.

  1. The Inmates Are Running the Asylum
     Why Some Multi-Factor Authentication Technology is Irresponsible
     Clare Nelson, CISSP
  2. Clare Nelson, CISSP
     • Scar tissue
       – Encrypted TCP/IP variants for NSA
       – Product Management at DEC (HP), EMC2
       – Director Global Alliances at Dell, Novell (IAM)
       – VP Business Development, MetaIntelli (Mobile Security)
       – CEO ClearMark, MFA Technology and Architecture
     • 2001 CEO ClearMark Consulting
     • 2014 Co-founder C1ph3r_Qu33ns
     • 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
     • Talks: HackFormers; BSides Austin; LASCON; AppSec; clients including Fortune 500 financial services, Identity Management
     • B.S. Mathematics
  3. Scope
     • External customers, consumers
       – Not internal employees, no hardware tokens
       – IoT preview
     • No authentication protocols
       – OAuth, OpenID, UMA, SCIM, SAML
     • United States
       – EU regulations
         o France: legal constraints for biometrics; need authorization from the National Commission for Informatics and Liberty (CNIL)1
       – India: e-commerce Snapdeal, Reserve Bank of India
         o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002
     1Source:
     2Source: low-value-deals/articleshow/46251251.cms
  4. NIST Definition1
     Origin of definition?
     • NIST: might be Gene Spafford, or “ancient lore”2
       – @TheRealSpaf, “Nope — that's even older than me!”3
       – 1970s? NSA? Academia?
     1Source:
     2Source: February 26, 2015 email response from a NIST SP 800-63-2 author
     3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
  5. How can one write a guide based on a definition of unknown, ancient origin?
     How can you implement MFA without a current, coherent definition?
     Photo: The Thinker by Auguste Rodin, Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
  6. NIST versus New Definitions
     Multi-Factor Authentication (MFA) Factors:
     • Knowledge
     • Possession
       – Mobile device identification
     • Inherence
       – Biometrics: Physical or Behavioral
     • Location
       – Geolocation
       – Geofencing
       – Geovelocity
     • Time1
     NIST: Device identification, time, and geo-location could be used to challenge an identity, but “they are not considered authentication factors”2
     1Source:
     2Source:
  7. Authentication in an Internet Banking Environment
     • OUT: Simple device identification
     • IN: Complex device identification, “digital fingerprinting” using PC configuration, IP address, geo-location, other factors
       – Implement time-of-day restrictions for funds transfers
       – Consider keystroke dynamics, biometric-based responses1
     1Source: “…virtually every authentication technique can be compromised”
  8. State of the Market
     “…time to alter how authentication is done …it doesn't meet today’s demands ….the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a ‘Tower of Babel’ for authentication.”1
     – Phil Dunkelberger, CEO Nok Nok Labs
     1Source: authentication.html
  9. Why 200+ MFA Vendors?
     Authentication has been the Holy Grail since the early days of the Web.1
     The iPhone of Authentication has yet to be invented.2
     1Source:
     2Source: Clare Nelson, February 2015.
  10. Suboptimal Choices: Authentication Factors/Technology
      1. Biometrics, 2D fingerprint
      2. Short Message Service (SMS) – One-Time Password (OTP)
      3. Quick Response (QR) codes
      4. Overreliance on GPS, location
      5. JavaScript
      6. Weak, arcane account recovery
      7. Assumption that mobile devices are secure
      8. Encryption (without disclaimers)
         – Quantum computing may break RSA or ECC by 20301
           • Update on NSA’s $80M Penetrating Hard Targets project2
         – Encryption backdoors: is it NSA-free and NIST-free cryptography?
         – No mysterious constants or “magic numbers” of unknown provenance3
      1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
      2Source: crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
      3Source:
  11. Irrational Exuberance of Biometric Adoption
      Juniper Research:
      • By 2019, 770 million apps that use biometric authentication will be downloaded annually
        – Up from 6 million in 2015
      • Fingerprint authentication will account for an overwhelming majority
        – Driven by the increase of fingerprint scanners in smartphones1
      Samsung Pay
      1Source:
  12. Apple Touch ID: Cat Demo
      1Source:
  13. (Image slide)
      1Source: ,,18154223_303,00.jpg
  14. 2D Fingerprint Hacks
      • Starbug, aka Jan Krissler
      • 2014: Cloned fingerprint of German Defense Minister, Ursula von der Leyen
        – From photographs1,2
      • 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
        – Won competition3
      • 2006: Published research on hacking fingerprint recognition systems4
      1Source:
      2Source:
      3Source:
      4Source:
  15. Starbug Faking Touch ID
      1Source:
  16. Android: Remote Fingerprint Theft at Scale1
      “…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a ‘large scale.’”2
      Diagram layers: Hardware, User Space, Kernel Space
      1Source: Leaking-wp.pdf
      2Source:
  17. Krissler versus Riccio
      “Don't use fingerprint recognition systems for security relevant applications!”1
      – Jan Krissler (Starbug)
      “Fingerprints are one of the best passwords in the world.”2
      – Dan Riccio, SVP, Apple
      1Source:
      2Source:
      Photo:
  18. Behavioral Biometrics
      Laptop: requires JavaScript; won’t work with the Aviator browser, or if you disable JavaScript
      1Source:
  19. Behavioral Biometrics: Invisible Challenge
      • Detect threats based on user interaction with online and mobile applications
      • Analyze 400+ bio-behavioral, cognitive and physiological parameters
        – Invisible challenge: no user interaction for step-up authentication
        – How you find a missing cursor1
      1Source:
  20. Fingerprinting Web Users Via Font Metrics1
      • Browser variations
        – Version
        – What fonts are installed
        – Other settings
      • Font metric–based fingerprinting
        – Measure onscreen size of font glyphs
      • Effective against Tor Browser
      1Source:
  21. Biometrics: In Use, Proposed
      • Fingerprints: 2D, 3D via ultrasonic waves
      • Palms, their prints and/or the whole hand (feet?)
      • Signature
      • Keystroke, art of typing, mouse, touch pad
      • Voice
      • Iris, retina, features of eye movements
      • Face, head: its shape, specific movements
      • Ears, lip prints
      • Gait, odor, DNA, pills, tattoos
      • ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home security)
      • EEG1
      • Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2
      1Source:
      2Source:
      Digital Tattoo:
  22. “Thought Auth”1: EEG Biosensor
      • MindWave™ headset2
      • Measures brainwave signals
      • EEG monitor
      • International Conference on Financial Cryptography and Data Security3
      1Source: Clare Nelson, March 2015
      2Source:
      3Source:
  23. 3D Fingerprint1
      No matter how advanced the biometric is, the same basic threat model persists.
      1Source:
  24. How do you stump an MFA vendor? Ask for a threat model.
      Photo:
  25. “… biometrics cannot, and absolutely must not, be used to authenticate an identity”1
      – Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
      1Source: “Fingerprints are Usernames, Not Passwords”
  26. @drfuture on Biometrics: Hidden Risks
      1. Biometric reliability and the perception of it
      2. Lack of discussion of the consequences of errors
      3. Biometric data’s irreversibility and the implications
      4. Our biometrics can be grabbed without our consent
      5. Our behavior can rat us out – sometimes incorrectly
      6. Giving our biometric and behavioral data may be (de facto) mandatory
      7. Biometric data thieves and aggregators1
      Diagram: biometric system, match threshold
      1Source: And-How-To-Avoid-Them.pdf
      Diagram Source: system
  27. What Will Cause Biometric Backlash?
      • Difficult to reset, revoke
      • Exist in the public domain, and elsewhere (1M+ fingerprints stolen in the 2015 OPM breach1)
      • May undermine privacy, make identity theft more likely2
      • Persist in government and private databases, accreting information whether we like it or not3
      • User acceptance or preference varies by geography, demographic
      1Source:
      2Source:
      3Source:
      Photo:
  28. SMS OTP Attacks
      • Intel’s Dmitrienko, et al.: circumvented the SMS OTP of 4 large banks1
      • Northeastern University and Technische Universität Berlin: “SMS OTP systems cannot be considered secure anymore”2
      • SMS OTP threat model
        – Physical access to phone
        – SIM swap attack
        – Wireless interception
        – Mobile phone trojans3
      1Source:
      2,3Source:
  29. SMS OTP Attack: Banking Example
      • Operation Emmental
      • Defeated 2FA
        – 2014, discovered by Trend Micro1
        – European, Japanese banks
        – Online banking flow:
          1. Customer enters username, password
          2. Token sent to mobile device (SMS OTP)
          3. Customer enters token (OTP)
        – Attackers scraped SMS OTPs off customers’ Android phones2,3
      1Source:
      2Source: operation-emmental.pdf
      3Source:
  30. SMS OTP Attacks
      Banking trojans deploy mobile malware, allowing attackers to steal the SMS OTP1
      1Source:
      Diagram Source:
  31. QR Code Risks1
      VASCO two-factor authentication
      • User captures QR code with mobile device
      • User enters PIN code to log on, or validate transaction2
      QR code redirects user to a URL
      • Even if the URL is displayed, not everyone reads it
      • Could link to a malicious website
      1Source:
      2Source:
  32. Overreliance on Location
      • GPS spoofing1
      • Cellphone power meter can be turned into a GPS2
      • PowerSpy gathers information about an Android phone’s geolocation by tracking its power use over time
        – That data, unlike GPS or Wi-Fi location tracking, is freely available to any installed app without a requirement to ask the user’s permission3
      1Source:
      2Source: Dan Boneh, quoted in
      3Source:
  33. “Account recovery is the Achilles heel of 2FA”1
      – Eric Sachs, Product Management Director, Identity at Google
      1Source:
  34. Account Recovery1
      1Source:
  35. Account Recovery1
      Apple Two-Step Authentication
      • What if I lose my Recovery Key?
      • Go to My Apple ID, create a new Recovery Key using your Apple ID password and one of your trusted devices.1
      1Source:
  36. “Mobile is the New Adversarial Ingress Point.”1
      – Lee Cocking, VP Product Strategy at GuardTime
      1Source:
  37. What’s Wrong with a Mobile Device as an Authentication Device?
      MetaIntelli research: in a sample of 38,000 mobile apps, 67% had M3 (OWASP Mobile Top 10)2
      1Source:
      2Source: mobile-apps-affected-by-owasp-mobile-top-10-risks/
  38. MFA Double Standard1
      Consumers
      • Facial and voice for mobile login2
      Employees
      • Symantec VIP3
      1Source:
      2Source: recognition-1072509-1.html
      3Source:
  39. Perfect Storm
      • Fractured market
        – 200+ MFA vendors
        – ~$1.8B market1
      • Apple, VISA, Samsung
        – 2D fingerprint authentication is cool, secure
      • Breaches
      • Legislation
      • FIDO Alliance
      1Source: password-otp-market
  40. FIDO Alliance
      • Fast ID Online (FIDO) Alliance
      • Proponent of interoperability
        – Universal 2nd Factor (U2F)
        – Universal Authentication Framework (UAF)
      • Triumph of marketing over technology
      • Network-resident versus device-resident biometrics
        – FIDO advocates device-resident
      • Problems, especially with voice1
      1Source: January 2015, “Network vs Device Resident Biometrics,” ValidSoft
  41. “Legacy thinking subverts the security of a well-constructed system”1
      – David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2
      1Source:
      2Source:
  42. Internet of Things (IoT)1
      1Source: parstream
  43. OWASP IoT Top 101
      A1: Insecure Web Interface
      A2: Insufficient Authentication/Authorization
      A3: Insecure Network Services
      A4: Lack of Transport Encryption
      A5: Privacy Concerns
      A6: Insecure Cloud Interface
      A7: Insecure Mobile Interface
      A8: Insufficient Security Configurability
      A9: Insecure Software/Firmware
      A10: Poor Physical Security
      1Source:
  44. IoT Predictions: Creative Cryptography, Uneven Protocol Adaptations
      • Enhanced Privacy ID (EPID®)
        – “Implementing Intel EPID offers IoT designers …proven security options”1
        – PKI: instead of a one-to-one mapping of public and private key pairs, uses a one-to-many mapping of public to private keys
      • Autobahn to dirt road
        – E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
        – Different implementation constraints
        – “Security of these … mechanisms is highly dependent on the ability of the programmers creating it.”2
      1Source: secure-iot-applications-300130062.html
      2Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
  45. Consider Risk-Based Authentication (aka Context-Based Authentication, Adaptive Authentication)
      • Device registration and fingerprinting
      • Source IP reputation data
      • Identity store lookup
      • Geo-location, geo-fencing, geo-velocity
      • Behavioral analysis1
      • Analytics, machine learning, continuous authentication2
      Layer multiple contextual factors. Build a risk profile.
      1Source: authentication-with-context/a/d-id/1317911
      2Source: Clare Nelson, August 2015
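One way to layer the contextual factors from slide 45 into a single risk decision, as an added example that is not part of the original talk or any vendor's product. The weights, thresholds, device-fingerprint strings, IP reputation scale and the two sample logins are constructed assumptions; geo-velocity is the implied travel speed between consecutive logins.

```python
# Added example: risk-based (adaptive) authentication scoring.
# Weights, thresholds and sample events are constructed for illustration.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0

@dataclass
class LoginEvent:
    user: str
    device_fp: str         # opaque device fingerprint (assumed registered at enrolment)
    ip_reputation: int     # 0 (clean) .. 100 (known bad), assumed reputation feed scale
    lat: float
    lon: float
    ts: float              # unix seconds
    typing_anomaly: float  # 0.0 (matches keystroke profile) .. 1.0 (no match)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def geo_velocity_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Implied travel speed between the previous and the current login."""
    hours = max(cur.ts - prev.ts, 1.0) / 3600.0
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours

def risk_score(cur: LoginEvent, prev: Optional[LoginEvent], known_devices: set) -> int:
    """Sum weighted contextual signals into a 0..100 risk score."""
    score = 0
    if cur.device_fp not in known_devices:
        score += 30                     # unregistered device
    score += cur.ip_reputation // 4     # up to 25 points from IP reputation
    if prev is not None and geo_velocity_kmh(prev, cur) > 1000:
        score += 35                     # impossible travel: faster than an airliner
    score += int(cur.typing_anomaly * 10)  # behavioral signal, up to 10 points
    return min(score, 100)

def decide(score: int) -> str:
    """Map the score to an action: allow, step-up, or deny."""
    if score < 20:
        return "allow"
    if score < 60:
        return "step-up"
    return "deny"

# Constructed sample: a login from a registered laptop in Austin, then one hour
# later a login from an unknown device in Kyiv through a poorly reputed IP.
KNOWN_DEVICES = {"fp-laptop-7c1"}
PREV = LoginEvent("alice", "fp-laptop-7c1", 0, 30.27, -97.74, 1_000_000.0, 0.1)
CUR = LoginEvent("alice", "fp-unknown-9e2", 60, 50.45, 30.52, 1_003_600.0, 0.7)
```

Calling `decide(risk_score(CUR, PREV, KNOWN_DEVICES))` yields "deny", while the earlier Austin login on its own scores "allow".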
  46. What You Can Do (1 of 2)
      • Request threat models from MFA vendors
      • Beware
        – 2D fingerprints
        – Already-hacked biometrics
        – QR codes
        – SMS OTP
        – JavaScript requirements
        – Weak account recovery
        – Lack of mobile device risk analysis
        – Encryption with backdoors
      Comic: Greg Larson,
  47. What You Can Do (2 of 2)
      • Do not be swayed by the latest InfoSec fashion trends
        – Apple Touch ID
          • Integration with VISA
          • Samsung Pay
        – FIDO Alliance
      • Rethink the definition of MFA
        – Beware of new interpretations
      Photo:
  48. Questions?
      Clare Nelson, CISSP
      @Safe_SaaS
  49. Additional References (1 of 3)
      • Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
      • Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, flaw/ (April 2015)
      • IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
      • Six technologies that are taking on the password, UN/HACKABLE, Medium
      • Barbir, Abbie, Ph.D.; Multi-Factor Authentication Methods Taxonomy, abbie-barbir.html (2014)
      • Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal (April 2015)
  50. Additional References (2 of 3)
      • Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, 15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
      • Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints (July 2015)
      • Bonneau, Joseph, et al.; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
      • White, Conor, CTO Daon; Biometrics and Cybersecurity (2009, published 2013)
      • Gioria, Sébastien; OWASP IoT Top 10, the life and the universe (December 2014)
  51. Additional References (3 of 3)
      • Steves, Michelle, et al.; NISTIR Report: Authentication Diary Study (February 2014)
      • Andres, Joachim; blog, Smarter Security with Device Fingerprints, fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
      • Perrot, Didier; There’s No Ideal Authentication Solution (August 2015)
  52. “A rose by any other name would smell as sweet”1
      • Adaptive authentication
      • Multi-modal authentication
      • Continuous authentication
      • 2FA, TFA, Two-factor authentication
      • Multi-factor authentication
      • Strong authentication
        – United States: Many interpretations, depends on context
        – European Central Bank (ECB): strong authentication, or strong customer authentication, is a set of specific recommendations2
      • Apple: Two-step authentication
      • Multi-step authentication
      • SecureAuth: Adaptive, risk-based, context-based authentication
      • IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication
        – Traditional authentication: authenticate at the beginning of a session
        – Dynamic authentication: users may be asked to authenticate at “various points during a session, for various reasons”3
      • Step-up authentication
      • Re-Authentication
      1Source: Shakespeare, Romeo and Juliet
      2Source:
      3Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)