Webinar - Easy multi factor authentication strategies and PCI DSS


In this webinar we discuss the use of multi-factor authentication (MFA) and the new mandate in the latest version of the PCI Data Security Standard, PCI DSS 3.2. MFA goes beyond traditional password-based approaches by combining several features, such as biometrics, behavioral patterns, and context information. In addition to covering these, the webinar addresses the problem of selecting the right combination of factors for a business, given its own priorities and constraints. Learn how to comply with the PCI DSS 3.2 MFA mandate for admin and user accounts.

  1. Authentication: Past, Present and Future
  2. HELLO! I am Anirban Banerjee. I am the Founder and CEO of Onion ID.
  3. Agenda: Multi Factor Authentication; Conclusions
  4. What is Two-Factor Authentication?
     ▸ Adds a second level of verification to the password-based approach.
     ▸ Example: a text message to your phone, or a value from an RSA token.
     ▸ If a hacker gets your username and password, those credentials alone are not enough to get into your account.
  5. Why do we need this? Usernames and passwords can be stolen!
     • Phishing attacks
     • The same credentials reused across apps
     • Key-loggers
     • Educated guesses, social engineering
     2FA prevents attackers from accessing your account even if they obtain your username and password. Mandated in version 3.2 of the PCI Data Security Standard.
  6. Who Uses Two-Factor?
  7. Multi Factor Authentication
  8. Adding More Factors
     • Increasing the strength of authentication can be done by adding factors.
     • Five categories of authentication methods:
       • who you are,
       • what you know,
       • what you have,
       • what you typically do,
       • the context.
     • Adding factors from different categories increases strength only if the overall set of vulnerabilities is reduced.
  9. What can we add?
     Who you are (biometric):
     • Physical biometric (immutable and unique): facial recognition, iris scan, retinal scan, fingerprint, palm scan, voice.
     • Liveness factors: pulse, CAPTCHA, etc.
     • Behavioral biometric (based on a person's physical behavioural activity patterns): keyboard signature, voice.
     What you know:
     • User name and password (UN/PW), a passphrase, a PIN, an answer to a secret question.
     What you have:
     • One Time Password (OTP), smart card, X.509 certificate and PKI.
     • Rarely used alone; used in combination with UN/PW and a PIN.
     What you do:
     • Browsing patterns, time of access, type of device.
     • Used in combination with other methods.
     Context:
     • Location, time of access, subscriber identity module (SIM), frequency of access.
     • Used with other methods.
  10. The more the merrier?
     ▸ Combining two or more authentication methods can potentially increase authentication strength.
     ▸ However!
       • Each type of authentication factor has its own intrinsic vulnerabilities, some of which overlap with those of other factors.
       • A combination of two attributes of the same type tends to share many of the same vulnerabilities.
       • More factors means more complexity and cost to implement and use.
  11. The more the merrier?
     ▸ Simply adding factors does not guarantee more protection. (Source: Gartner)
  12. Finding the Best Factor Combo
     Use needs and constraints to determine:
     • Authentication strength: indicated by the level of risk.
     • Total cost of ownership: constrained by budget.
     • Ease of use: universally desirable, but less critical the greater the consistency.
     • Other constraints: consistency and control of the endpoint is a particular constraint.
     (Source of figure: Gartner)
  13. PCI DSS 3.2
  14. Highlights
     ▸ Effective Feb 1, 2018 (a best practice until then).
     ▸ Multi-factor authentication for all personnel with remote access from outside the entity's network (requirement 8.3.2) and for all non-console administrative access into the cardholder data environment (requirement 8.3.1).
     ▸ Non-console administrative access now needs MFA as well, not only remote access; direct console access is outside the scope of 8.3.
     ▸ New requirements 10.8 and 10.8.1: service providers must detect and report on failures of critical security control systems, and respond to those failures in a timely manner.
     ▸ New requirement 11.3.4.1: service providers must perform penetration testing on segmentation controls at least every six months and after any change to those controls.
  15. Challenges
     ▸ Server does not support 2FA by default
     ▸ App does not support SAML/OAuth
     ▸ App has no native support for 2FA
     ▸ Regular auditing of access
     ▸ Data privacy issues, data segregation
  16. Strategies
     ▸ Enable MFA via browser extensions or web filters
     ▸ Use UX-friendly MFA: geo-fencing, proximity, fingerprint
     ▸ Set up auditing systems by parsing SIEM info
     ▸ Set up a monthly PCI meeting to go over process and results
     ▸ Commercial tools: Onion ID for privilege management
  17. Conclusions
  18. Conclusions
     ▸ Password-based authentication is not enough any more.
     ▸ Multi-factor authentication is here to stay!
     ▸ Many different options, each with its own costs and vulnerabilities.
     ▸ Be smart: adding more factors will definitely increase cost and complexity, but might not (sufficiently) increase security.
     ▸ Consider the trade-offs, customize. Pick the combination that works for you.
  19. THANK YOU! Any questions? You can find more about us at: Onion ID – The Next Generation of Privilege Management, Tel: +1-888-315-4745