Two factor authentication presentation mcit


Published in: Education, Technology, Business
Slide notes
  • EFT Act 2007: Financial institutions and other institutions providing Electronic Funds Transfer facilities shall ensure that secure means are used for transfer, compliant with current international standards and as may be prescribed by the State Bank from time to time. PCI DSS: Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. NIST SP 800-63: Provides technical guidance for implementing electronic authentication.
  • Packet replay (PR) attacks: These are passive attacks in which a hacker or a malicious attacker intercepts the data during transmission and retransmits it.
    1. Two Factor Authentication: something you know and something you have. Submitted by: Saba Hameed, CT-025
    2. Agenda: Authentication; Authentication Factors; Two Factor Authentication (2FA); Business Need for 2FA; 2FA Using OTP Hard Tokens; 2FA Using Mobile Tokens; Security Analysis; Conclusion & Recommendations
    3. Authentication: Authentication is the process of verifying the identity of a user. The most common technique to authenticate a user is a username and password.
    4. Authentication Factors: something you know; something you have; something you are.
    5. Threats to Passwords: social engineering; phishing; brute force attacks; shoulder surfing; keystroke logging; eavesdropping; dictionary attacks.
    6. Two Factor Authentication: an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.
    7. Customer confidence. Regulations & best practices: EFT Act 2007, PCI DSS, NIST. Threat prevention: phishing, packet replay and man-in-the-middle attacks. Fraud prevention.
    8. Tokens: hard tokens (USB token, smart card); soft tokens (mobile token). An OTP is a second layer of security to verify your identity.
    9. Types of OTP. Software OTP: a one-time password (OTP) generated by the company and sent to your mobile phone or PC. Hardware OTP: an OTP generated by a security device/token; you press the button on the device/token to obtain the OTP. Event-based OTP: the moving factor is triggered by an event. Time-based OTP: the moving factor is time.
    10. 2FA Using Hard Token (courtesy: RSA SecurID)
    11. Security Analysis (hard tokens). Benefits: secure against packet replay attacks; prevents phishing. Threats: the user needs to carry the device everywhere, and there is a risk that it may get stolen or lost; cost is very high; vulnerable to active attacks and man-in-the-middle attacks.
    12. 2FA Using Mobile Tokens. It makes use of: an application installed on the user's mobile; IMEI; time stamp; seed. Algorithm used: Time-based One Time Password algorithm / HMAC-SHA1.
    13. How it works: user registration on the server. The mobile application registers with the auth server: seed, PIN, IMEI number, time stamp difference.
    14. How it works: OTP generation. Mobile application: seed + time, through the algorithm, gives 159759. Authentication server: same seed + same time, through the same algorithm, gives 159759. Same seed, same time, same OTP.
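The generation step on slides 12 to 14 is the standard TOTP construction (HMAC-SHA1 over a time counter, RFC 6238 on top of RFC 4226), and the "time stamp difference" recorded at registration on slide 13 is what lets the server line up its clock with the handset's. The following is an added example, not code from the presentation or from any product it mentions; the seed is the published RFC test-vector secret so the codes can be checked against the RFCs, the 30-second step, the `clock_offset` and `window` parameters and the function names are my own choices.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 test-vector secret, chosen so
# the codes below can be checked against the published vectors.  A real
# deployment provisions a random per-device seed at registration.
SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds per OTP window


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the HOTP counter is the number of whole time
    steps since the Unix epoch, so any party holding the same seed and a
    synchronised clock derives the same code (slide 14's 'same seed, same time')."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, server_time: int, clock_offset: int = 0,
                window: int = 1, step: int = TIME_STEP, digits: int = 6) -> bool:
    """Server-side check.  `clock_offset` is the device-minus-server time
    difference recorded at registration (slide 13); `window` is how many
    adjacent steps either side are accepted to absorb residual drift and
    network delay.  The comparison is constant-time."""
    base = (server_time + clock_offset) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, base + delta, digits), candidate):
            return True
    return False


def demo():
    """Handset and server derive the same code from the same seed and time."""
    now = int(time.time())
    phone_code = totp(SEED, now)  # computed on the handset, offline
    return phone_code, verify_totp(SEED, phone_code, now)


if __name__ == "__main__":
    print("phone code / server accepts:", demo())
```

The window is the practical trade-off: each extra step the server accepts widens the interval in which a captured code stays usable, so keep it small and correct large offsets through the registered `clock_offset` rather than a wide window.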
    15. How it works: login session.
    16. Security Analysis (mobile tokens). Benefits: a relatively cheaper and more flexible means of OTP; users just need to carry their mobiles with them, no extra device is needed. Threats: still vulnerable to active attacks; man-in-the-middle attacks; man-in-the-browser attacks.
    17. Solution? 1. Challenge-response mechanism: for fund transfer transactions, the server generates a code and sends it to the user. The user enters the code provided into the Internet banking site in order to commit the transaction. Challenges: high cost required; hardware required.
    18. Solution? 2. SMS with transaction details.
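What makes the two solutions on slides 17 and 18 effective against a man-in-the-browser attack, where a plain OTP is not, is that the code the user confirms is bound to the transaction details the server will actually execute, so a transfer altered in the browser after the user approved it no longer verifies. The following is an added example of that binding, not code from the presentation; the seed, the fixed challenge value, the field layout and the function names are constructed for the demonstration (a real server draws a fresh random challenge per transaction).

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by the user's device and the bank's server at
# registration.  A real deployment provisions a random per-device seed.
SEED = b"12345678901234567890"
# Constructed server challenge.  A real server issues a fresh random nonce for
# every transaction so a code confirmed earlier cannot be replayed later.
CHALLENGE = bytes.fromhex("0001020304050607")


def canonical(amount: str, recipient: str, challenge: bytes) -> bytes:
    """Unambiguous encoding of everything the code must be bound to."""
    return b"|".join((amount.encode(), recipient.encode(), challenge.hex().encode()))


def transaction_code(seed: bytes, amount: str, recipient: str,
                     challenge: bytes, digits: int = 8) -> str:
    """HMAC-SHA1 over the transaction details and the challenge, truncated the
    same way HOTP truncates its MAC (RFC 4226 dynamic truncation)."""
    mac = hmac.new(seed, canonical(amount, recipient, challenge), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify(seed: bytes, amount: str, recipient: str,
                  challenge: bytes, candidate: str) -> bool:
    """The server recomputes the code over the transaction it is about to
    execute, never over what the browser claims the user saw."""
    expected = transaction_code(seed, amount, recipient, challenge)
    return hmac.compare_digest(expected, candidate)


def man_in_the_browser_demo():
    """The user confirms 100.00 to ACC-1111 on the phone (or reads those details
    from the SMS).  A browser trojan then rewrites the recipient in the form the
    browser submits.  Returns (honest transfer accepted, tampered one accepted)."""
    user_code = transaction_code(SEED, "100.00", "ACC-1111", CHALLENGE)
    honest = server_verify(SEED, "100.00", "ACC-1111", CHALLENGE, user_code)
    tampered = server_verify(SEED, "100.00", "ACC-9999", CHALLENGE, user_code)
    return honest, tampered


if __name__ == "__main__":
    print("honest accepted / tampered accepted:", man_in_the_browser_demo())
```

The same property holds for the SMS variant of slide 18 as long as the text the user confirms carries the amount and recipient the server will execute; a confirmation that only says "enter code 123456" gives the user nothing to check against.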
    19. Security Analysis. Threat: the mobile is now a single point of failure. The OTP is generated/received on the mobile, and the verification code for the transaction is also received via SMS on the mobile. If an attacker has possession of the user's mobile, then he can do everything. My recommendation: it is necessary that a different medium is used for receiving the OTP and for receiving the transaction verification code.
    20. Conclusions

        Method                                  | Threats                                                       | Effective against man-in-the-browser attack?
        Static Passwords                        | Can be lost and easily obtained; brute force attacks possible | No
        Biometric                               |                                                               | No
        OTP Hard Tokens                         | User has to carry the token                                   | No
        OTP Soft/Mobile Token                   | Man in the middle attacks                                     | No
        OTP with Signature (Challenge Response) | Secure against man in the middle attacks                      | Yes, but inconvenient
        OTP with SMS Transaction Detail         | Secure against phishing, packet replay, MIM and MITM          | Yes!!

    21. My Recommendations: users should check and make sure the website has https in the URL, so that the password is encrypted in transmission. The OTP and PIN should be hashed before sending. Mutual authentication should be established between the client and the server before the session starts, to assure the user that the server can be trusted. Use a split key technique for authentication.
    22. References: Mohamed Hamdy Eldefrawy, Khaled Alghathbar, Muhammad Khurram Khan, "OTP-Based Two-Factor Authentication Using Mobile Phones". Roland M. van Rijswijk, SURFnet bv, Utrecht, The Netherlands, "tiqr: a novel take on two factor authentication". Fadi Aloul, Syed Zahidi, "Two Factor Authentication Using Mobile Phones". Costin Andrei Soare, "Internet Banking Two-Factor Authentication using Smartphones".
    23. Q & A Session