LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

My presentation given at LASCON 2014.

  1. Multi-Factor Authentication: Weeding Out the Snake Oil. LASCON 2014, David Ochel, 2014-10-24. This work is licensed under a Creative Commons Attribution 4.0 International License.
  2. Objectives
     • Understand what's going on in the market of multi-factor authentication.
     • Look at solutions from a risk view: which problems are we actually solving, or trying to solve?
     (Slide footer: Multi-Factor Authentication Criteria – LASCON 2014, Page 2)
  3. Agenda: Less Formalism, More Examples…
     • Motivation / Introduction
       – Authentication factors
       – Why multi-factor?
     • Criteria and industry examples
       – Security-focused criteria
       – Less security-relevant criteria
     • …and the snake oil?
  4. INTRODUCTION
  5. Authentication Factors
     • Knowledge-based ("know")
       – Passwords
       – Security questions (?)
       – Pattern/image recognition, …
     • Token-based ("have")
       – Time-based one-time passwords
       – Crypto-based challenge-response (e.g. X.509)
       – Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably)
     • Biometrics ("are")
       – Behavioral
       – Physical
     • Context-/behavior-based
       – As in "risk-based authentication": IP addresses, locations, date/time, etc.
  6. Why Do We Still Use Passwords?
     "The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers." [1]
     • Passwords
       – Highly deployable: infrastructure exists, users are accustomed, cheap, …
       – Security issues: observation, interception, replay, guessing, phishing
       – Pervasive assumption: general-purpose personal computers (laptops, PCs, …) cannot be secured/trusted
     • Issues with existing alternatives
       – Memory-based ("know"): no better than passwords?
       – Biometrics ("are"): privacy, liveness detection on unsupervised devices, hard to replace
       – Tokens ("have"): susceptible to theft, expensive, hard to replace
       – Contexts: unreliable proof of identity
     [1] Bonneau, Herley, van Oorschot, Stajano, "The quest to replace passwords", UCAM-CL-TR-817, http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
  7. Current Industry Trend: Combine Multiple Factors
     • Tokens: hard(er) to compromise; susceptible to physical theft
     • Passwords: interceptable (malware); hard to physically steal
     • Also in the running:
       – Biometrics: convenient, but often trust issues when unsupervised (liveness detection)
       – Contexts: back-end risk evaluation; not technically authentication
  8. Authentication – A Piece of the Identity & Access Management Puzzle… (diagram; source: http://forgerock.com/products/open-identity-stack/)
  9. Which threats are we trying to counter?
     • Are we protecting individual consumer accounts? Corporate users and data? Machine authentication?
     • Assets, adversaries, vulnerabilities, etc.
  10. CRITERIA – FROM A SECURITY POINT OF VIEW
  11. Are there at least two factors?
     • Password + PIN = one factor (two things you know are still one category)
     • Password-protected private key?
       – In a key file on the PC, the key is copyable, so the password is the only real barrier.
       – …on a hardware token? If the key cannot leave the token, PIN + token is genuinely "know" + "have".
     http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
  12. Swivel PINsafe – Human-Computed Challenge-Response
     • The server shows a random "security string"; the user reads off the digits at the positions given by their PIN and types that one-time code.
     • But… password + PIN still aren't two factors?
       – When used in a browser, helps against keylogging (the typed code changes every login)
       – When used over SMS, actually helps!?
     http://www.swivelsecure.com/devices/browser/
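To make the slide 11/12 point concrete (a PIN-derived one-time code resists keylogging yet is still a single knowledge factor), here is an added example of a simplified human-computed challenge-response scheme of the PINsafe kind. It is not Swivel's code; the exact mapping (PIN digit d selects the d-th character of a 10-digit security string, with 0 meaning the 10th) and the two security strings are assumptions constructed for illustration. The last function takes the attacker's view and recovers the PIN from challenge/response pairs seen in transit.

```python
"""Simplified model of a human-computed challenge-response (PINsafe-style).

Added example, not Swivel's code. The position mapping and the sample
security strings below are constructed assumptions for illustration.
"""
import secrets
from itertools import product

DIGITS = "0123456789"


def new_security_string(length: int = 10) -> str:
    """Server-side challenge: random digits from a CSPRNG, repeats allowed."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def _index(pin_digit: str) -> int:
    # Assumed mapping: PIN digit d -> d-th character (1-based); '0' wraps to the 10th.
    return (int(pin_digit) - 1) % 10


def expected_otc(pin: str, security_string: str) -> str:
    """What the user computes in their head: one challenge digit per PIN digit."""
    return "".join(security_string[_index(d)] for d in pin)


def verify(pin: str, security_string: str, response: str) -> bool:
    """Server check. The code is bound to this challenge, so a keylogged
    response is worthless against the next login's security string."""
    return secrets.compare_digest(expected_otc(pin, security_string), response)


def pin_candidates(observations) -> list:
    """Attacker view: given (security_string, otc) pairs observed in transit
    (phishing proxy, compromised browser that sees the page *and* the keys),
    return every PIN consistent with all of them. One pair leaves a handful
    of candidates; a second usually pins it down, because the only secret is
    still the PIN: this is one factor, not two."""
    candidates = None
    for security_string, otc in observations:
        per_digit = []
        for otc_digit in otc:
            # Every position whose challenge digit equals this response digit.
            positions = {DIGITS[(i + 1) % 10]
                         for i, c in enumerate(security_string) if c == otc_digit}
            per_digit.append(positions)
        consistent = {"".join(p) for p in product(*per_digit)}
        candidates = consistent if candidates is None else candidates & consistent
    return sorted(candidates or [])


# Constructed sample session for a user whose PIN is "2468".
SAMPLE_PIN = "2468"
SAMPLE_STRING_1 = "3912205386"   # user answers "9203"
SAMPLE_STRING_2 = "7302841396"   # user answers "3243"

if __name__ == "__main__":
    otc1 = expected_otc(SAMPLE_PIN, SAMPLE_STRING_1)
    otc2 = expected_otc(SAMPLE_PIN, SAMPLE_STRING_2)
    print("replayed code accepted?", verify(SAMPLE_PIN, SAMPLE_STRING_2, otc1))
    print("after one observation:", pin_candidates([(SAMPLE_STRING_1, otc1)]))
    print("after two observations:", pin_candidates([(SAMPLE_STRING_1, otc1),
                                                    (SAMPLE_STRING_2, otc2)]))
```

Running it shows both halves of the slide's argument: the keylogged code "9203" is rejected against the next security string, but an adversary who sees the security string as well as the response narrows the PIN to four candidates after one login and to exactly "2468" after two. That is why the deck counts it as hardening a knowledge factor, not as adding a second one.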
  13. How many communication channels? One? More? A different physical band?
  14. Communication channels (continued)
     • Securing smartphone apps with smartphone tokens…? (the "second" channel runs on the same compromised device)
     • "Plug and play": factors and channels
  15. When to pull another factor?
     • Once per session, at login.
     • For every high-risk transaction, during the session.
     • "Risk-based": determined by context analysis.
     http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
  16. Enrolling users / tokens
     • Personalization/provisioning of tokens
     • Enrollment in the service
     • Central management of credentials
     https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf
  17. Crypto
     • There's crypto everywhere
       – Token challenge-response, digital signatures
       – Transport security for authentication channels
     • Robustness/diversity: more than one set of algorithm types supported?
     • Trust: algorithms, implementations
     https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
  18. EMV-based
     • MasterCard CAP / Visa DPA
     • German Sm@rt-TAN
     • CrontoSign (photoTAN)…
     https://www.vasco.com/products/products.aspx, https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf, https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
  19. CRITERIA – LESS SECURITY-RELEVANT
  20. $$$
     • OpEx vs. CapEx
       – Licensing fees (per user, server, year, …?)
       – Token cost
       – …
     http://www.entrust.com/products/entrust-identityguard/
  21. Open Source?
     • Lots of freemium solutions
     • E.g. WiKID
     https://www.wikidsystems.com/learn-more/features
  22. Integration with Identity & Access Management Solutions
     • Open source, e.g. Gluu or OpenAM
     • Commercial, e.g. SailPoint, and many more
     http://www.gluu.org/gluu-server/strong-authentication/, http://www.sailpoint.com/solutions/products/identityiq/access-manager
  23. Usability
     • Efficiency
     • Ease of use
     • Availability
     • Convenience: is it realistic to expect that every user carries half a dozen hardware tokens with them?
     (photo © Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/)
  24. (Security) architecture
     • Client-less vs. plug-ins, apps, …
     • Service: SaaS / cloud, or in-house
     • Server side: APIs, logging, RADIUS and similar interfaces
  25. Availability
     • Does it scale? Authentications per second
     • Capacity to bug/security-fix: reputation, history, size, …
     • SLA, redundancy, …
     • Fallback if the cloud is unavailable?
  26. …AND THE SNAKE OIL?
  27. How to find snake oil?
     • Wait until it finds you, or… Google it!
     • The OWASP "Guide to Cryptography" suggests: "A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are 'a breakthrough in cryptography' or 'unbreakable' or provide 'military grade' security. If a vendor says 'trust us, we have had experts look at this,' chances are they weren't experts!"
     https://www.owasp.org/index.php/Guide_to_Cryptography
  28. (image-only slide)
  29. Unbreakable, impenetrable, etc. (screenshot from http://www.edulok.com, retrieved 2014-09-23)
  30. WWPass (aka EduLok): What might be going on? This is abstracted from their public online documentation… haven't checked out the patents or anything else.
  31. What about "Best in Class"?
     • E.g., SafeNet: "a consistent leader in the Magic Quadrant for User Authentication"
     • Not exempt from marketing blah? ;-)
     http://www.safenet-inc.com/multi-factor-authentication/ (retrieved 2014-09-23)
  32. Conclusions
     • Don't trust the marketing hype!
     • Understand your exposure.
     • Understand which solutions can reduce it.
     • And then look at usability, interoperability, etc.
  33. Contact: David Ochel. Blog: http://secuilibrium.com, Twitter: @lostgravity
