Codebits 2011 - The end of passwords...

The end of passwords... as we know it.

We talk about password alternatives, such as 2-factor authentication, and some trends that we are starting to see in regard to authentication.


  1. Codebits 2011 - The End Of Passwords... 11/11/11
  2. Summary
     • Motivation
     • Today's scenario
     • Two-Factor Authentication
       - Biometrics
       - Software Tokens
       - Hardware Tokens
     • Trends
     SAPO Websecurity Team
  3. Motivation > Lots of accounts compromised
  4. Motivation > Lots of accounts compromised
  5. Motivation > People Reuse Passwords
     • Password Sharing: 73% of users share passwords that are used for online banking with at least one non-financial website.
     • Username / Password Sharing: 42% of users share both their username and password with at least one non-financial website.
     Study on 4M PCs in Reusing Login Credentials, Security Advisor, February 2010, Trusteer Inc.
  6. Today: Typical choice of passwords on the Web:
     • Weak password and reused in different sites
     • Strong password but reused in different sites
     • Weak password but different from other sites
     • Strong password for critical sites, weak password for other sites
     • Strong or weak password and basic derivations on other sites
  7. Today: Can we memorize hundreds of strong passwords?
  8. Today: No way!
  9. Today: So what can we do?
  10. Alternatives > Password Managers
     Use a password manager to manage all your passwords instead of trying to memorize them all.
     Types:
     • Local
     • Stateless
     • Remote
     Pros:
     • easy to use
     • practical
     • enable you to use strong and different passwords across sites
     Cons:
     • If a hacker breaks your password manager, ALL your passwords are compromised!
  11. Passwords
     But passwords per se are not a secure authentication mechanism. A password is a piece of information that can be shared, leaked or stolen.
     Someone with your password = you
  12. Alternatives: What is the alternative?
     Multi-Factor Authentication: any combination of these:
     • Something you know
     • Something you have
     • Something you are
  13. Two-Factor Auth
     The most popular combination is the 2-factor authentication: "something you know" and "something you have".
  14. Two-Factor Auth: ...but the second (physical) factor cannot be stolen?
  15. Two-Factor Auth: ...sure, but it is about scale.
  16. Two-Factor Authentication
  17. Two-Factor Auth > Examples
     Some Examples:
     • Biometrics
     • Smart cards
     • SMS
     • Software OTP Tokens:
       - Google Authenticator
       - Verisign VIP
     • Hardware OTP Tokens:
       - Yubikey
       - CryptoCard
       - RSA SecurID
     Pros:
     • More secure than single-factor :)
     Cons:
     • Not very convenient
     • May provide a false sense of security
     • Typically a closed market (most vendors rip you off!)
  18. Two-Factor Auth > Biometrics
     Verifies a unique personal attribute or behavior. Divided into two categories: physiological (iris, retina, fingerprint) or behavioral (signature, keystroke, voice dynamics).
     Pros:
     • effective and accurate method of identification
     Cons:
     • Cannot be re-issued!
     • Expensive ($$$$$)
     • Privacy concerns
     • Physical and behavioral attributes can change
     • Not suitable for all scenarios
     • Can be dangerous! (If a thief cuts your finger off)
  19. Two-Factor Auth > Biometrics
     Usage:
     • Could be used for Internet banking, to confirm the authenticity of a high-value transaction
     • Can be used for authentication in computers, other systems or applications
  20. Two-Factor Auth > Smart Cards
     A smart card has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself.
     Two-factor = PIN + Smart Card. Types = contact and contactless.
     Pros:
     • Good security offered: the secret never leaves the smart card
     Cons:
     • Not very convenient
     • You may need to install drivers before using
     • May provide a false sense of security
  21. Two-Factor Auth > Smart Cards
     Usage:
     • Some sites allow you to use SSL client certificates as a means of authentication. Certificates can be stored in a smart card.
     • Some sites allow you to authenticate through the smart card (some government sites using the citizen card)
     • You can use a smart card to sign email and documents, authenticate to WiFi networks and SSH, use them with PAM, and more...
  22. Two-Factor Auth > SMS
     Some sites can send a text message as a 2nd factor of authentication.
     Pros:
     • Easy to implement
     • No need to carry [or buy] extra devices (your mobile phone is always with you)
     Cons:
     • It's probably the weakest 2nd factor (easy to fake and intercept: malware on the phone can read the message, and the phone number itself can be taken over at the carrier)
  23. Two-Factor Auth > Google Authenticator
     One Time Passwords (OATH): can be HOTP (event-based) or TOTP (time-based).
     Pros:
     • It's an Open Standard
     • You can use it in your own systems (using a PAM module or integrating it with RADIUS)
     • You have multiple implementations that work on a panoply of devices (e.g. smartphone, Yubikey, hardware tokens)
     Cons:
     • Concerns related to the security of the device (in software implementations)
     • Your battery may die when you most need an OTP (in case of a smartphone)
     • You lose some time to generate/enter an OTP
  24. Two-Factor Auth > Yubikey > What is it?
     • The Yubikey is a small USB token which acts as a regular keyboard. It can generate Static Passwords and One Time Passwords.
  25. Two-Factor Auth > Yubikey > How does it work?
     Static Passwords
     • The Yubikey can be provisioned with a static password of up to 64 chars. This password can be used with applications/services that do not support OTPs. It is still just a password typed by the key, so you should use an additional password!
     One Time Passwords
     • Two different One Time Password standards are supported: event-based HOTP and Yubikey-style OTPs.
     • HOTP is a better known standard, but it is more limited due to usability concerns (smaller OTP, sync issues, etc.).
     • The Yubikey OTP standard leverages the fact that the Yubikey inputs the OTPs for you.
     Two slots
     • Short-press for slot 1; long-press for slot 2 (3 secs).
     Drivers
     • Any OS with USB-keyboard support. It even works during boot (useful for, e.g., whole-disk encryption solutions such as PGP-WDE and TrueCrypt).
  26. Two-Factor Auth > Yubikey > Where does it work? Lastpass (http://www.lastpass.com)
  27. Two-Factor Auth > Yubikey > Where does it work? Yubico OpenID (http://openid.yubico.com)
  28. Yubikey > Where does it work? FastMail (http://www.fastmail.fm)
  29. Two-Factor Auth > Yubikey > Where does it work? Laptop (http://127.0.0.1): One Time Password, Static Password
  30. Yubikey > Where could it work? Architecture
  31. Two-Factor Auth > Yubikey > Details: Inner workings (Protocol spec is Open)
  32. Two-Factor Auth > Yubikey > Security Threats
     Protocol attacks
     • Generated OTPs consist of unique 128-bit blocks encrypted with an AES key shared between Token and Server. Protocol security depends on the strength of the AES algorithm, and on the server tracking each token's counters so that a captured OTP cannot be replayed.
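The Yubikey OTP exchange that the "How does it work?" and "Protocol attacks" slides above describe (the 16-byte block, the AES-128 key shared with the server, and what the server has to check), as an added Go example that is not Yubico's code or the talk's. Both sides are shown: generateOTP plays the token and Validate plays the validation server. The field layout (6-byte private ID, 2-byte use counter, 3-byte timestamp, 1-byte session-use counter, 2-byte random, 2-byte CRC, all little-endian) and the CRC residue 0xf0b8 follow Yubico's published protocol; the key, IDs and counter values are constructed for the demo, and the OTP is emitted as plain hex rather than Yubico's modhex alphabet (a keyboard-layout-independent respelling of hex), which changes nothing in the checks.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// crc16 is the ISO 13239 CRC Yubico uses (the PPP FCS-16 of RFC 1662): init 0xffff, reflected
// polynomial 0x8408. A block that ends in its own inverted CRC checks to the residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // fold the polynomial in when the low bit is set
		}
	}
	return crc
}

// Fields of the 16-byte block, little-endian: private ID (6), use counter (2), timestamp (3),
// session-use counter (1), random (2), CRC (2).
type Fields struct {
	PrivateID  [6]byte // secret; the server checks it against its record
	UseCounter uint16  // incremented each time the key powers up
	Timestamp  uint32  // 24-bit 8 Hz timer since power-up
	SessionUse uint8   // incremented on every press within one power-up
	Random     uint16
}

// generateOTP is the token side: serialize, append the CRC, AES-128 encrypt the single block
// and type out publicID || ciphertext (hex here instead of modhex): 44 characters for a 6-byte ID.
func generateOTP(publicID, key []byte, f Fields) (string, error) {
	var pt, ct [16]byte
	copy(pt[0:6], f.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], f.UseCounter)
	pt[8], pt[9], pt[10] = byte(f.Timestamp), byte(f.Timestamp>>8), byte(f.Timestamp>>16)
	pt[11] = f.SessionUse
	binary.LittleEndian.PutUint16(pt[12:14], f.Random)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	c, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	c.Encrypt(ct[:], pt[:])
	return hex.EncodeToString(publicID) + hex.EncodeToString(ct[:]), nil
}

var ErrBadOTP = errors.New("otp does not decrypt to a valid block under the registered key")
var ErrReplay = errors.New("counters not above the last accepted pair: replay")

// Record is the server's state per public ID: shared key, expected private ID, last accepted counters.
type Record struct {
	Key         []byte
	PrivateID   [6]byte
	LastUse     uint16
	LastSession uint8
}

// Validate is the server side: keys maps a public ID to its Record. The last 32 characters of
// the OTP are the encrypted block; whatever precedes them is the public ID used for the lookup.
func Validate(keys map[string]*Record, otp string) (f Fields, err error) {
	if len(otp) < 32 {
		return f, ErrBadOTP
	}
	rec, ok := keys[otp[:len(otp)-32]]
	ct, err := hex.DecodeString(otp[len(otp)-32:])
	if !ok || err != nil {
		return f, ErrBadOTP
	}
	c, err := aes.NewCipher(rec.Key)
	if err != nil {
		return f, err
	}
	var pt [16]byte
	c.Decrypt(pt[:], ct)
	copy(f.PrivateID[:], pt[0:6])
	f.UseCounter, f.SessionUse = binary.LittleEndian.Uint16(pt[6:8]), pt[11]
	// A wrong key or a tampered OTP decrypts to noise: the CRC residue and the private ID fail.
	if crc16(pt[:]) != 0xf0b8 || f.PrivateID != rec.PrivateID {
		return f, ErrBadOTP
	}
	// Replay check: counters must move strictly forward, so a captured OTP is never valid twice.
	if f.UseCounter < rec.LastUse || (f.UseCounter == rec.LastUse && f.SessionUse <= rec.LastSession) {
		return f, ErrReplay
	}
	rec.LastUse, rec.LastSession = f.UseCounter, f.SessionUse
	return f, nil
}

func main() {
	key, priv, pub := []byte("0123456789abcdef"), [6]byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff}, []byte{1, 2, 3, 4, 5, 6} // constructed demo values
	srv := map[string]*Record{hex.EncodeToString(pub): {Key: key, PrivateID: priv}}
	otp, _ := generateOTP(pub, key, Fields{PrivateID: priv, UseCounter: 7, SessionUse: 1, Random: 0xbeef})
	_, first := Validate(srv, otp)
	_, again := Validate(srv, otp)
	fmt.Printf("otp=%s\nfirst use: %v\nreplay: %v\n", otp, first, again)
}
```

The order of checks matters: the CRC residue and the private ID prove the block was produced under the right key, and the counter comparison is what turns a strong block cipher into a one-time password. Drop the counter check and an OTP captured by a phishing page stays valid forever, whatever the strength of AES.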
  33. Two-Factor Auth > Yubikey > Security Threats
     Server attacks
     • Central authentication servers store symmetric keys for all tokens. If successfully attacked, this can be catastrophic. Yubico mitigates this with tamper-resistant HSMs.
     • A DoS attack on the server will result in users not being able to log in.
  34. Two-Factor Auth > Yubikey > Security Threats
     User attacks
     • Social engineering;
     • Phishing;
     • "Borrowing" the token.
  35. Two-Factor Auth > Yubikey > Security Threats
     Host attacks
     • Software key extraction (very hard to exploit);
     • Man-in-the-browser.
  36. Two-Factor Auth > Yubikey > Security Threats
     Hardware attacks
     • Hardware key extraction and token duplication.
  37. Two-Factor Auth > Yubikey > Advantages
     Convenient
     • No drivers necessary
     • Types the key for you
     Open
     • Open standard and infrastructure
     • Software released under a permissive license
     • Extensible (PIN option)
     • No license required per token
     Affordable
     • Around 10€ if purchased in larger quantities
     Secure
     • Provides an additional authentication factor
     • OTP generation requires manual intervention
  38. Two-Factor Auth > NFC/RFID
     We can use the technology for many purposes, including authentication.
     Pros:
     • Could be very convenient
     • No need to carry [or buy] extra devices (your mobile phone is always with you)
     Cons:
     • The security aspects are still being discussed (Mifare 1K and DESFire tags can be cloned)
     • In reality, there are no standard mechanisms on devices to use NFC authentication.
  39. Trends > PoC
  40. Future: Trends
  41. Trends: Two-factor Authentication is getting Popular:
  42. Future: QR Codes. Some interesting ideas are brewing...
  43. Trends > BMW's NFC PoC
  44. Links
     Smart Cards
     • OpenSC Project - http://www.opensc-project.org
     Yubikeys
     • Yubico - http://www.yubico.com
     Time-based and event-based OTPs
     • Google Authenticator - http://code.google.com/p/google-authenticator/
     NFC
     • libnfc - http://www.libnfc.org/documentation/introduction
     QR Codes
     • tiqr - https://tiqr.org/
     Biometrics
     • BioAPI Consortium - http://www.bioapi.org/
  45. The End. Questions?
     Nuno Loureiro <nuno@co.sapo.pt>
     João Poupino <joao.poupino@co.sapo.pt>
