In this webinar we will discuss the use of multi-factor authentication (MFA), and the new mandate in the latest version of PCI Data Security Standard, PCI DSS 3.2. MFA goes beyond traditional password-based approaches by combining multiple features, such as biometrics, behavioral patterns, and context information. In addition to covering these, the webinar will also address the problem of selecting the right combination of features for a business, given its unique priorities and circumstances. Learn how to comply with PCI DSS 3.2's MFA mandate for admin and user accounts.

2. Authentication:
Past, Present and Future

3. HELLO!
I am Anirban Banerjee.
I am the Founder and
CEO of Onion ID.
https://calendly.com/anirban/enterprise-demo/

4. Multi Factor
Authentication
Multi Factor
Authentication
Conclusions

5. What is
Two-Factor
Authentication?
▸Adds a second level of verification to the
password-based approach.
▸Example: a text message to your phone, a value
from a RSA token.
▸If a hacker gets your username and password
they still won’t be able to get in to your account.

6. Why do we
need this?
Usernames & Passwords can be stolen!
• Phishing attacks
• Same credentials across apps
• Key-loggers
• Educated guesses, social engineering
2FA prevents attackers from accessing your account even
if they obtain your username and password.
Mandated in Version 3.2 of the PCI Data Security
Standard

7. Who Uses
Two-Factor?

8. Multi Factor Authentication

9. Adding More
Factors
• Increasing the strength of authentication can be done by adding
factors.
• Five categories of authentication methods
• who you are,
• what you know,
• what you have,
• what you typically do,
• the context.
• Adding factors from different categories can increase strength only if
the overall set of vulnerabilities is reduced.

10. What can we add?
Physical
Biometric
▸ immutable and
unique
• Facial recognition
• Iris Scan
• Retinal Scan
• Fingerprint Palm
Scan
• Voice
• Liveliness biometric
factors include:
• Pulse.
CAPTCHA;
etc
Behavioral/Biometric
• based on person’s
physical
behavioural activity
patterns
• Keyboard
signature
• Voice
Who You Are
Biometric
what you
know
what you
have
what you
Do Context
• User Name and
Password
(UN/PW),
• A passphrase
• a PIN
• An answer to a
secret question
• One Time
Password
(OTP)
• Smart card
• X.509 and
PKI
• Rarely
used alone
• Used in
combinatio
n with
UN/PW
and a PIN
• Browsing
patterns
• Time of
access
• Type of
device
• Used in
Combinati
on with
other
methods
•
• Location;
Time of
access;
• Subscriber
identity
module
(SIM)
• Frequency
of access;
• Used with
other
methods

11. ▸Combining two or more authentication methods can potentially
increase authentication strength.
▸However!
• Each type of authentication factor has a set of overlapping and
intrinsic vulnerabilities with other factors
• A combination of two attributes of the same type tends to
share many of vulnerabilities
• More factors More complex/costly to implement & use.
The more the
merrier?

12. The more the
merrier?
▸Simply adding factors does not guarantee more protection
Source: Gartner

13. Finding the
Best Factor
Combo
Use Needs and Constraints to Determine
• Authentication strength
• indicated by the level of risk
• Total Cost of Ownership
• Constrained by budget
• Ease of use
• universally desirable, but it is
less critical the greater the
consistency
• Other constraints
• consistency and control of the
endpoint is a particular
constraint;
Source of Figure is Gartner
209.12.74.162209.12.74.162

14. PCI DSS 3.2

15. ▸Feb 1 2018
▸Multi Factor authentication for everyone
▸Need to protect both console and non console based access
▸New requirements 10.8 and 10.8.1 outline that service providers
need to detect and report on failures of critical security control
systems
▸New requirement 11.3.4.1 indicates that service providers need to
perform penetration testing on segmentation controls every six
months
Highlights

16. ▸Server does not support 2FA by default
▸App does not support SAML/Oauth
▸App has no native support for 2FA
▸Regular auditing of access
▸Data Privacy issues, data segregation
Challenges

17. ▸Enable MFA via Browser extensions or Web Filters
▸Use UX friendly MFA: Geo fencing, proximity, fingerprint
▸Set up auditing systems by parsing SIEM info
▸Set up a monthly PCI meeting to go over process and results
▸Commercial tools – Onion ID to do privilege management
Strategies

18. Conclusions

19. ▸Password based authentication is not enough any more.
▸Multi Factor authentication is here to stay!
▸Many different options, each with its own costs and vulnerabilities.
▸Be smart: adding more factors will definitely increase cost and
complexity, but might not (sufficiently) increase security.
▸Consider the trade-offs, customize. Pick the combination that
works for you.
Conclusions

20. THANK YOU!
Any questions?
You can find more about us at:
Onion ID – The Next Generation of Privilege Management
www.onionid.com , sales@onionid.com
Tel: +1-888-315-4745
https://calendly.com/anirban/enterprise-demo/