SlideShare a Scribd company logo

Authenticationtechnologies 120711134100-phpapp01

•Download as PPT, PDF•
•
Hai Nguyen
Hai Nguyen
Technology
1 of 46
Authentication Who’s There? Nicholas A. Davis Information Systems 365 University of Wisconsin-Madison
Today’s Chocolate Bar • Baby Ruth • Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle • Originally named Kandy Kake • Named after President Grover Cleveland’s daughter, Ruth Cleveland, not after baseball player, Babe Ruth
Passwords – Reading Discussion • Define the root of a password? • Define the appendage of a password • ! % & $ _zipcode have gotten too easy for password crackers • Mix upper and lower case in the middle of password • Put the appendage in the middle of your root
University Networks -- Reading • Centralized vs. decentralized • Faculty and Staff demand freedom • Central data handling policies are weak • What should universities do to make their network more secure?
Overview • Authentication defined • Different types of electronic authentication factors • Username and Password • Dialog Spoofing Authentication Attacks • One Time Password devices (OTP), how they work and don’t work • Biometrics • Digital Certificates • Existing devices which can be used for authentication, Blackberry, Mobile Phone • Shared Secret/Ticket based authentication systems • Knowledge Based Authenticaition • The Initial Credentialing Challenge • Review of Key Concepts • Who is to Blame For This Authentication Mess? • SSO Authentication, the realities • Federated Authentication • Wireless Authentication issues • Remaining Issues With Authentication • What Does the Future Hold?
Authentication Defined “Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”
Authentication Factors • Three types of electronic authentication • Something you know – username/password • Something you have – One time password device • Something you are – Voiceprint or retinal scan
Single Factor vs. Multifactor vs Dual Factor • Single Factor – Using one method to authenticate. • Dual Factor – Using two different types of authentication mechanism to authenticate • Multifactor – Using multiple forms of the same factor. (Password + identifying an image) • Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these?
Username and Password - Benefits • Most widely used electronic authentication mechanism in the world • Low fixed cost to implement and virtually no variable cost • Fairly good for low assurance applications • No physical device required
Username and Password - Drawbacks • Can be easily shared on purpose • Can be easily stolen via Shoulder Surfing, Keyboard Logger Packet Sniffer • Can be guessed • Can be hard to remember • Password code is easy to hack • Video 3
If You Choose to Use Passwords.. • Be as long as possible (never shorter than 6 characters). • Include mixed-case letters, if possible. • Include digits and punctuation marks, if possible. • Not be based on any personal information. • Not be based on any dictionary word, in any language. • Expire on a regular basis and may not be reused • May not contain any portion of your name, birthday, address or other publicly available information
Dialog Spoofing Authentication Attacks • The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester” • Dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use
One Time Password Devices Demystified • Have an assigned serial number which relates to user-id. For example, ndavis = serial QB43 • Device generates a new password every 30 seconds • Server on other end knows what to expect from serial QB43 at any point in time
One Time Password Devices • Time based • Event based • Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others • How can event based OTPs be defeated?
Entrust Identity Guard Can Be Beaten With a Photocopier!
One Time Passwords - Benefits • Provides true Dual Factor authentication, making it very difficult to share • Constantly changing password means it can’t be stolen, shoulder surfed or sniffed • Coolness factor!
One Time Passwords - Drawbacks • Cost! • Rank very low on the washability index • Uncomfortable • Expiration • Battery Life • Can be forgotten at home • Video 1
Biometrics • Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
Biometrics Benefits • Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like and OTP device • Absolute uniqueness of authentication factor • Coolness factor
Biometrics Drawbacks • Cost • Complexity of Administration • Highly invasive • Not always reliable – false negatives • Not foolproof • The Gummi Bear thief!
Other Biometric Methods and Associated Issues • comparing the face with that on a passport photograph • fingerprints • DNA fingerprinting • Iris scan • Retina scan • other biometrics • signature • Birthmarks - May be duplicated cosmetically • Dentition - Identity may be mistaken by lack of or falsification of dental X-ray records
Today’s Agenda • Collect homework! • Look at a few password cracking tools, demonstrating why username and password is weak! • Finish lecture on Authentication! • Class Discussion! • Maybe Start Lecture on Cryptography!
Today’s Chocolate Bar! - Twix • Made by Mars • Called “Raider” in Europe until 1991 • First produced in the UK in 1967 • Introduced to the US in 1979 • Twix, Peanut Butter Twix, Cookies – n- Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc – n- Orange Twix • Not suitable for strict vegetarians!
Digital Certificates • A digital passport, either contained on a secure device, or on a hard disk • Secured with a password, making them truly a dual factor solution • Can be used to authenticate machines as well as humans
Digital Certificate Benefits • True Dual Factor Authentication • Low variable cost to produce • Can contain authorization data as well as authentication data
Digital Certificate Drawbacks • High fixed cost to build initial infrastructure • Can be copied and shared if not properly stored • Expiration • Often require access to an interface such as a card reader of USB port, not always available at kiosks
Taking Advantage of Existing Technology • Your mobile phone can serve as a powerful dual factor authentication device
Shared Secret Based Authentication Mechanisms • Kerberos • Needham-Schroeder protocol • Secure Shell • Encrypted key exchange (EKE) • Secure remote password protocol (SRP) • Closed-loop authentication • RADIUS • Diameter (protocol) • HMAC • EAP • Authentication OSID • CAPTCHA • Java Authentication and Authorization Service • Chip Authentication Program
Knowledge Based Authentication • Authenticates the user via verification of life events, usually financial in nature, such as: • Looks great at first! • However, most of this is public information and that which isn’t public can be easily stolen • The credit reports on which this knowledge based authentication is based are often contain factual errors • Cost!
Initial Credentialing • The verification of an individual’s or machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application) • An authentication credential is only as trustworthy as the underlying credentialing process • SSN# often serves as base identifier • What do you think about that? • Can you think of a more secure base identifier than SSN#? When would It have to be assigned and by whom?
Key Concepts • Current online authentication techniques are weak at best: Most rely on multiple single factors • Credentials are easily stolen from consumers and rarely change • Lack of consistency in authentication processes confuse consumers
Who Is to Blame For the State of Digital Authentication? • No individual contributor is at fault • This is really a failure of multiple parties • OS Providers • Browser Providers • Financial & Commerce • Software Providers • Security Vendors • The Financial and Commerce Institutions
It All Starts With a Better OS • OS Must have security/auth services baked-in • Must not rely on 3rd party applications to enforce security/auth processes • Best position within the consumer access stack to enforce consistency
Unified Browser and Web Design Standards Needed • The Internet access browser must contain consistent security/auth processes and indicators for consumers • Must not try and re-invent the security wheel continuously • This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”
Single Sign On (SSO), More like RSO • Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to logon to multiple applications within an enterprise. • True SSO is rare, but Reduced Sign On is quite workable
Single Sign On Benefits • Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise • End to end user audit sessions to improve security reporting and auditing • Removes application developers from having to understand and implement identity security in their applications • Usually results in significant password help desk cost savings
Document Authentication • Humans and machines are easy to authenticate, but what about documents? • Digital certificates to the rescue • A digital signature, generated by a private key can prove who authored the document and can verify that the contents have not been altered from their original form
Authentication Federation • The average user today interacts with all sorts of social, business, financial and government agencies digitally. • Each of these requires their own id and password as user authentication. • As a result, the user is increasingly frustrated with: • Having to remember multiple user id and passwords • Providing more identity information than they would otherwise chose to each entity
Authentication Federation • Allows transitional trust among institutional membership • For example, If Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc. • Hard to enforce credentialing standards • Relies a LOT on trusting that the other institution did the right thing
Wireless Authentication • Wiring actually provides an additional layer of protection, requiring physical access • Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access • Authenticate with username/password + MAC address, for example. • Put the wireless network on a firewalled subnet • WPA is better than WEP, but not the answer to everything. • “Opportunity to Authenticate” is the principle to keep in mind here as the most serious threat…
Securing Wireless Network Authentication • All wireless LAN devices need to be secured, MAC address, static IP address, secure subnet, etc. • All users of the wireless network need to be educated in wireless network security • All wireless networks need to be actively monitored for weaknesses and breaches
Wireless is Still Too New to Be Trusted • Too many competing protocols, each of which can have its own set of security risks • WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI…The list goes on!
Remaining Issues With Authentication • Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue • Currently, when we send email, we simply trust that george.bush@whitehouse.gov really is the President…This isn’t sufficient • We need a method to lookup people in a trustworthy manner • Trusted and centralized LDAP to the rescue! • Sadly, inter-organizational trusted LDAP access isn’t used.
The Best Solution is a Hybrid Solution • No, not that kind of hybrid! Way overused term • Passwords can be guessed or hacked • Physical devices can be stolen • Biometrics are costly and unreliable • Use a mix of the above technologies to achieve the best authentication security • Audit, Audit, Audit!!!
What Does the Future Hold? • Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”? • Benefits of a federal digital identity system? • Drawbacks of a federal digital identity system? • How do you feel about the current state of electronic authentication systems?
Authenticationtechnologies 120711134100-phpapp01

Recommended

Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
Nicholas Davis
 
Electronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordElectronic Authentication More Than Just A Password
Electronic Authentication More Than Just A Password
Nicholas Davis
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
lapao2014
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Nicholas Davis
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
Ali Raw
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise"
mycroftinc
 
Pki the key to securing sensitive communications
Pki the key to securing sensitive communicationsPki the key to securing sensitive communications
Pki the key to securing sensitive communications
Nicholas Davis
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentation
guestf018d88
 

Recommended

Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication Technologies
Nicholas Davis
 
Electronic Authentication More Than Just A Password
Electronic Authentication More Than Just A PasswordElectronic Authentication More Than Just A Password
Electronic Authentication More Than Just A Password
Nicholas Davis
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
lapao2014
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Nicholas Davis
 
Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)Authentication(pswrd,token,certificate,biometric)
Authentication(pswrd,token,certificate,biometric)
Ali Raw
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise"
mycroftinc
 
Pki the key to securing sensitive communications
Pki the key to securing sensitive communicationsPki the key to securing sensitive communications
Pki the key to securing sensitive communications
Nicholas Davis
 
Data Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information PresentationData Securities Corporate Technology Information Presentation
Data Securities Corporate Technology Information Presentation
guestf018d88
 
Vanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmapVanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmap
Hai Nguyen
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Priyanka Aash
 
IoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureIoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architecture
Vinod Wilson
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
Trust elevation-abbie-v1
Trust elevation-abbie-v1Trust elevation-abbie-v1
Trust elevation-abbie-v1
Abbie Barbir
 
Webinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSWebinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSS
onionid12
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]
Hai Nguyen
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
hackingtrialpay
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile Applications
Greg Patton
 
Identity Assertions Draftv5
Identity Assertions Draftv5Identity Assertions Draftv5
Identity Assertions Draftv5
Salvatore D'Agostino
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
Maxim Salnikov
 
Client Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart CardsClient Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart Cards
Ed Dodds
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Amazon Web Services
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
frontone
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
Will Adams
 
User-Friendly Digital Signatures
User-Friendly Digital SignaturesUser-Friendly Digital Signatures
User-Friendly Digital Signatures
Jon Matonis
 
Nordic eGovernment conference 201 - Peter Lind DamkjĂŚr
Nordic eGovernment conference 201 - Peter Lind DamkjĂŚrNordic eGovernment conference 201 - Peter Lind DamkjĂŚr
Nordic eGovernment conference 201 - Peter Lind DamkjĂŚr
JulieCarlslund
 
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Systems, Inc.
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
Nicholas Davis
 
Electronic authentication more than just a password
Electronic authentication more than just a passwordElectronic authentication more than just a password
Electronic authentication more than just a password
Nicholas Davis
 
Electronic Authentication, More Than Just a Password
Electronic Authentication, More Than Just a PasswordElectronic Authentication, More Than Just a Password
Electronic Authentication, More Than Just a Password
Nicholas Davis
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
MecklerMedia
 

More Related Content

What's hot

Vanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmapVanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmap
Hai Nguyen
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Priyanka Aash
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]
Hai Nguyen
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
hackingtrialpay
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
frontone
 

What's hot (18)

Vanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmapVanderhoof smartcard-roadmap
Vanderhoof smartcard-roadmap
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
 
IoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architectureIoT mobile app device cloud identity and security architecture
IoT mobile app device cloud identity and security architecture
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
Trust elevation-abbie-v1
Trust elevation-abbie-v1Trust elevation-abbie-v1
Trust elevation-abbie-v1
 
Webinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSWebinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSS
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]
 
TrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACMTrialPay Security Tech Talk at Stanford ACM
TrialPay Security Tech Talk at Stanford ACM
 
Securing Your Mobile Applications
Securing Your Mobile ApplicationsSecuring Your Mobile Applications
Securing Your Mobile Applications
 
Identity Assertions Draftv5
Identity Assertions Draftv5Identity Assertions Draftv5
Identity Assertions Draftv5
 
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted SubjectsHow to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects
 
Client Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart CardsClient Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart Cards
 
Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012Security and Privacy in the AWS Cloud - AWS India Summit 2012
Security and Privacy in the AWS Cloud - AWS India Summit 2012
 
FrontOne our new and different solutions
FrontOne our new and different solutionsFrontOne our new and different solutions
FrontOne our new and different solutions
 
Two factor authentication 2018
Two factor authentication 2018Two factor authentication 2018
Two factor authentication 2018
 
User-Friendly Digital Signatures
User-Friendly Digital SignaturesUser-Friendly Digital Signatures
User-Friendly Digital Signatures
 
Nordic eGovernment conference 201 - Peter Lind DamkjĂŚr
Nordic eGovernment conference 201 - Peter Lind DamkjĂŚrNordic eGovernment conference 201 - Peter Lind DamkjĂŚr
Nordic eGovernment conference 201 - Peter Lind DamkjĂŚr
 
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a...
 

Similar to Authenticationtechnologies 120711134100-phpapp01

Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
Nicholas Davis
 
Electronic authentication more than just a password
Electronic authentication more than just a passwordElectronic authentication more than just a password
Electronic authentication more than just a password
Nicholas Davis
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
MecklerMedia
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...
Nicholas Davis
 
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityHow Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
GlobalSign
 
managingyouraccesscontrolsystems-130223182036-phpapp01
managingyouraccesscontrolsystems-130223182036-phpapp01managingyouraccesscontrolsystems-130223182036-phpapp01
managingyouraccesscontrolsystems-130223182036-phpapp01
Walter Sinchak,
 
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...
Easy Solutions Inc
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
Wajahat Rajab
 

Similar to Authenticationtechnologies 120711134100-phpapp01 (20)

Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
 
Electronic authentication more than just a password
Electronic authentication more than just a passwordElectronic authentication more than just a password
Electronic authentication more than just a password
 
Electronic Authentication, More Than Just a Password
Electronic Authentication, More Than Just a PasswordElectronic Authentication, More Than Just a Password
Electronic Authentication, More Than Just a Password
 
Solving problems with authentication
Solving problems with authenticationSolving problems with authentication
Solving problems with authentication
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...
 
Date security identifcation and authentication
Date security identifcation and authenticationDate security identifcation and authentication
Date security identifcation and authentication
 
Security Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloudSecurity Considerations for Microservices and Multi cloud
Security Considerations for Microservices and Multi cloud
 
RSA SecurID Access
RSA SecurID AccessRSA SecurID Access
RSA SecurID Access
 
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityHow Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
 
Keeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application SecurityKeeping Secrets on the Internet of Things - Mobile Web Application Security
Keeping Secrets on the Internet of Things - Mobile Web Application Security
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
 
Introduction to Web Security
Introduction to Web SecurityIntroduction to Web Security
Introduction to Web Security
 
Security audit
Security auditSecurity audit
Security audit
 
Security Audit
Security AuditSecurity Audit
Security Audit
 
managingyouraccesscontrolsystems-130223182036-phpapp01
managingyouraccesscontrolsystems-130223182036-phpapp01managingyouraccesscontrolsystems-130223182036-phpapp01
managingyouraccesscontrolsystems-130223182036-phpapp01
 
Cryptography in user authentication
Cryptography in user authenticationCryptography in user authentication
Cryptography in user authentication
 
CNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access ManagementCNIT 125 6. Identity and Access Management
CNIT 125 6. Identity and Access Management
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric...
 
Access Control Presentation
Access Control PresentationAccess Control Presentation
Access Control Presentation
 

More from Hai Nguyen

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
Hai Nguyen
 
Sms based otp
Sms based otpSms based otp
Sms based otp
Hai Nguyen
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
Hai Nguyen
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
Hai Nguyen
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
Hai Nguyen
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
Hai Nguyen
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Hai Nguyen
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
Hai Nguyen
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
Hai Nguyen
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
Hai Nguyen
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
Hai Nguyen
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
Hai Nguyen
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
Hai Nguyen
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
Hai Nguyen
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
Hai Nguyen
 
Gambling
GamblingGambling
Gambling
Hai Nguyen
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
Hai Nguyen
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
Hai Nguyen
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
Hai Nguyen
 

More from Hai Nguyen (20)

Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Sms based otp
Sms based otpSms based otp
Sms based otp
 
Session 7 e_raja_kailar
Session 7 e_raja_kailarSession 7 e_raja_kailar
Session 7 e_raja_kailar
 
Securing corporate assets_with_2_fa
Securing corporate assets_with_2_faSecuring corporate assets_with_2_fa
Securing corporate assets_with_2_fa
 
Scc soft token datasheet
Scc soft token datasheetScc soft token datasheet
Scc soft token datasheet
 
Rsa two factorauthentication
Rsa two factorauthenticationRsa two factorauthentication
Rsa two factorauthentication
 
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
Quest defender provides_secure__affordable_two-factor_authentication_for_okla...
 
Pg 2 fa_tech_brief
Pg 2 fa_tech_briefPg 2 fa_tech_brief
Pg 2 fa_tech_brief
 
Ouch 201211 en
Ouch 201211 enOuch 201211 en
Ouch 201211 en
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
Multiple credentials-in-the-enterprise
Multiple credentials-in-the-enterpriseMultiple credentials-in-the-enterprise
Multiple credentials-in-the-enterprise
 
Mobile authentication
Mobile authenticationMobile authentication
Mobile authentication
 
Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462Ijcsi 9-4-2-457-462
Ijcsi 9-4-2-457-462
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheet
 
Gambling
GamblingGambling
Gambling
 
Ds netsuite-two-factor-authentication
Ds netsuite-two-factor-authenticationDs netsuite-two-factor-authentication
Ds netsuite-two-factor-authentication
 
Datasheet two factor-authenticationx
Datasheet two factor-authenticationxDatasheet two factor-authenticationx
Datasheet two factor-authenticationx
 
Csd6059
Csd6059Csd6059
Csd6059
 
Cryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for bankingCryptomathic white paper 2fa for banking
Cryptomathic white paper 2fa for banking
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Authenticationtechnologies 120711134100-phpapp01

  • 1. Authentication Who’s There? Nicholas A. Davis Information Systems 365 University of Wisconsin-Madison
  • 2. Today’s Chocolate Bar • Baby Ruth • Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle • Originally named Kandy Kake • Named after President Grover Cleveland’s daughter, Ruth Cleveland, not after baseball player, Babe Ruth
  • 3. Passwords – Reading Discussion • Define the root of a password? • Define the appendage of a password • ! % & $ _zipcode have gotten too easy for password crackers • Mix upper and lower case in the middle of password • Put the appendage in the middle of your root
  • 4. University Networks -- Reading • Centralized vs. decentralized • Faculty and Staff demand freedom • Central data handling policies are weak • What should universities do to make their network more secure?
  • 5. Overview • Authentication defined • Different types of electronic authentication factors • Username and Password • Dialog Spoofing Authentication Attacks • One Time Password devices (OTP), how they work and don’t work • Biometrics • Digital Certificates • Existing devices which can be used for authentication, Blackberry, Mobile Phone • Shared Secret/Ticket based authentication systems • Knowledge Based Authenticaition • The Initial Credentialing Challenge • Review of Key Concepts • Who is to Blame For This Authentication Mess? • SSO Authentication, the realities • Federated Authentication • Wireless Authentication issues • Remaining Issues With Authentication • What Does the Future Hold?
  • 6. Authentication Defined “Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”
  • 7. Authentication Factors • Three types of electronic authentication • Something you know – username/password • Something you have – One time password device • Something you are – Voiceprint or retinal scan
  • 8. Single Factor vs. Multifactor vs Dual Factor • Single Factor – Using one method to authenticate. • Dual Factor – Using two different types of authentication mechanism to authenticate • Multifactor – Using multiple forms of the same factor. (Password + identifying an image) • Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these?
  • 9. Username and Password - Benefits • Most widely used electronic authentication mechanism in the world • Low fixed cost to implement and virtually no variable cost • Fairly good for low assurance applications • No physical device required
  • 10. Username and Password - Drawbacks • Can be easily shared on purpose • Can be easily stolen via Shoulder Surfing, Keyboard Logger Packet Sniffer • Can be guessed • Can be hard to remember • Password code is easy to hack • Video 3
  • 11. If You Choose to Use Passwords.. • Be as long as possible (never shorter than 6 characters). • Include mixed-case letters, if possible. • Include digits and punctuation marks, if possible. • Not be based on any personal information. • Not be based on any dictionary word, in any language. • Expire on a regular basis and may not be reused • May not contain any portion of your name, birthday, address or other publicly available information
  • 12. Dialog Spoofing Authentication Attacks • The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester” • Dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use
  • 13. One Time Password Devices Demystified • Have an assigned serial number which relates to user-id. For example, ndavis = serial QB43 • Device generates a new password every 30 seconds • Server on other end knows what to expect from serial QB43 at any point in time
  • 14. One Time Password Devices • Time based • Event based • Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others • How can event based OTPs be defeated?
  • 15. Entrust Identity Guard Can Be Beaten With a Photocopier!
  • 16. One Time Passwords - Benefits • Provides true Dual Factor authentication, making it very difficult to share • Constantly changing password means it can’t be stolen, shoulder surfed or sniffed • Coolness factor!
  • 17. One Time Passwords - Drawbacks • Cost! • Rank very low on the washability index • Uncomfortable • Expiration • Battery Life • Can be forgotten at home • Video 1
  • 18. Biometrics • Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
  • 19. Biometrics Benefits • Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like and OTP device • Absolute uniqueness of authentication factor • Coolness factor
  • 20. Biometrics Drawbacks • Cost • Complexity of Administration • Highly invasive • Not always reliable – false negatives • Not foolproof • The Gummi Bear thief!
  • 21. Other Biometric Methods and Associated Issues • comparing the face with that on a passport photograph • fingerprints • DNA fingerprinting • Iris scan • Retina scan • other biometrics • signature • Birthmarks - May be duplicated cosmetically • Dentition - Identity may be mistaken by lack of or falsification of dental X-ray records
  • 22. Today’s Agenda • Collect homework! • Look at a few password cracking tools, demonstrating why username and password is weak! • Finish lecture on Authentication! • Class Discussion! • Maybe Start Lecture on Cryptography!
  • 23. Today’s Chocolate Bar! - Twix • Made by Mars • Called “Raider” in Europe until 1991 • First produced in the UK in 1967 • Introduced to the US in 1979 • Twix, Peanut Butter Twix, Cookies – n- Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc – n- Orange Twix • Not suitable for strict vegetarians!
  • 24. Digital Certificates • A digital passport, either contained on a secure device, or on a hard disk • Secured with a password, making them truly a dual factor solution • Can be used to authenticate machines as well as humans
  • 25. Digital Certificate Benefits • True Dual Factor Authentication • Low variable cost to produce • Can contain authorization data as well as authentication data
  • 26. Digital Certificate Drawbacks • High fixed cost to build initial infrastructure • Can be copied and shared if not properly stored • Expiration • Often require access to an interface such as a card reader of USB port, not always available at kiosks
  • 27. Taking Advantage of Existing Technology • Your mobile phone can serve as a powerful dual factor authentication device
  • 28. Shared Secret Based Authentication Mechanisms • Kerberos • Needham-Schroeder protocol • Secure Shell • Encrypted key exchange (EKE) • Secure remote password protocol (SRP) • Closed-loop authentication • RADIUS • Diameter (protocol) • HMAC • EAP • Authentication OSID • CAPTCHA • Java Authentication and Authorization Service • Chip Authentication Program
  • 29. Knowledge Based Authentication • Authenticates the user via verification of life events, usually financial in nature, such as: • Looks great at first! • However, most of this is public information and that which isn’t public can be easily stolen • The credit reports on which this knowledge based authentication is based are often contain factual errors • Cost!
  • 30. Initial Credentialing • The verification of an individual’s or machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application) • An authentication credential is only as trustworthy as the underlying credentialing process • SSN# often serves as base identifier • What do you think about that? • Can you think of a more secure base identifier than SSN#? When would It have to be assigned and by whom?
  • 31. Key Concepts • Current online authentication techniques are weak at best: Most rely on multiple single factors • Credentials are easily stolen from consumers and rarely change • Lack of consistency in authentication processes confuse consumers
  • 32. Who Is to Blame For the State of Digital Authentication? • No individual contributor is at fault • This is really a failure of multiple parties • OS Providers • Browser Providers • Financial & Commerce • Software Providers • Security Vendors • The Financial and Commerce Institutions
  • 33. It All Starts With a Better OS • OS Must have security/auth services baked-in • Must not rely on 3rd party applications to enforce security/auth processes • Best position within the consumer access stack to enforce consistency
  • 34. Unified Browser and Web Design Standards Needed • The Internet access browser must contain consistent security/auth processes and indicators for consumers • Must not try and re-invent the security wheel continuously • This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”
  • 35. Single Sign On (SSO), More like RSO • Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to logon to multiple applications within an enterprise. • True SSO is rare, but Reduced Sign On is quite workable
  • 36. Single Sign On Benefits • Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise • End to end user audit sessions to improve security reporting and auditing • Removes application developers from having to understand and implement identity security in their applications • Usually results in significant password help desk cost savings
  • 37. Document Authentication • Humans and machines are easy to authenticate, but what about documents? • Digital certificates to the rescue • A digital signature, generated by a private key can prove who authored the document and can verify that the contents have not been altered from their original form
  • 38. Authentication Federation • The average user today interacts with all sorts of social, business, financial and government agencies digitally. • Each of these requires their own id and password as user authentication. • As a result, the user is increasingly frustrated with: • Having to remember multiple user id and passwords • Providing more identity information than they would otherwise chose to each entity
  • 39. Authentication Federation • Allows transitional trust among institutional membership • For example, If Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc. • Hard to enforce credentialing standards • Relies a LOT on trusting that the other institution did the right thing
  • 40. Wireless Authentication • Wiring actually provides an additional layer of protection, requiring physical access • Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access • Authenticate with username/password + MAC address, for example. • Put the wireless network on a firewalled subnet • WPA is better than WEP, but not the answer to everything. • “Opportunity to Authenticate” is the principle to keep in mind here as the most serious threat…
  • 41. Securing Wireless Network Authentication • All wireless LAN devices need to be secured, MAC address, static IP address, secure subnet, etc. • All users of the wireless network need to be educated in wireless network security • All wireless networks need to be actively monitored for weaknesses and breaches
  • 42. Wireless is Still Too New to Be Trusted • Too many competing protocols, each of which can have its own set of security risks • WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI…The list goes on!
  • 43. Remaining Issues With Authentication • Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue • Currently, when we send email, we simply trust that george.bush@whitehouse.gov really is the President…This isn’t sufficient • We need a method to lookup people in a trustworthy manner • Trusted and centralized LDAP to the rescue! • Sadly, inter-organizational trusted LDAP access isn’t used.
  • 44. The Best Solution is a Hybrid Solution • No, not that kind of hybrid! Way overused term • Passwords can be guessed or hacked • Physical devices can be stolen • Biometrics are costly and unreliable • Use a mix of the above technologies to achieve the best authentication security • Audit, Audit, Audit!!!
  • 45. What Does the Future Hold? • Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”? • Benefits of a federal digital identity system? • Drawbacks of a federal digital identity system? • How do you feel about the current state of electronic authentication systems?