Nicholas A. Davis discusses various authentication methods and issues in electronic authentication. He covers passwords, one-time password devices, biometrics, digital certificates, and other authentication factors. Davis notes that current authentication relies too heavily on single factors like passwords, which are weak and easily stolen. He argues that the best solution is a hybrid approach using multiple authentication methods to achieve better security. Davis questions whether the future will include an official U.S. digital identity system and discusses potential benefits and drawbacks of such a system.

1. Authentication
Who’s There?
Nicholas A. Davis
Information Systems 365
University of Wisconsin-Madison

2. Today’s Chocolate Bar
• Baby Ruth
• Created in 1920 by the Curtiss
Candy Company, in Chicago, now
made by Nestle
• Originally named Kandy Kake
• Named after President Grover
Cleveland’s daughter, Ruth
Cleveland, not after baseball
player, Babe Ruth

3. Passwords – Reading Discussion
• Define the root of a password?
• Define the appendage of a
password
• ! % & $ _zipcode have gotten too
easy for password crackers
• Mix upper and lower case in the
middle of password
• Put the appendage in the middle of
your root

4. University Networks --
Reading
• Centralized vs.
decentralized
• Faculty and Staff
demand freedom
• Central data
handling policies
are weak
• What should
universities do to
make their
network more
secure?

5. Overview
• Authentication defined
• Different types of electronic authentication factors
• Username and Password
• Dialog Spoofing Authentication Attacks
• One Time Password devices (OTP), how they work and don’t work
• Biometrics
• Digital Certificates
• Existing devices which can be used for authentication, Blackberry, Mobile Phone
• Shared Secret/Ticket based authentication systems
• Knowledge Based Authenticaition
• The Initial Credentialing Challenge
• Review of Key Concepts
• Who is to Blame For This Authentication Mess?
• SSO Authentication, the realities
• Federated Authentication
• Wireless Authentication issues
• Remaining Issues With Authentication
• What Does the Future Hold?

6. Authentication Defined
“Electronic authentication provides a
level of assurance as to whether
someone or something is who or what it
claims to be in a digital environment.
Thus, electronic authentication
plays a key role in the establishment of
trust relationships for electronic
commerce, electronic government and
many other social interactions. It is also
an essential component of any strategy
to protect information systems and
networks, financial data, personal
information and other assets from
unauthorised access or identity theft.
Electronic authentication is therefore
essential for establishing
accountability online.”

7. Authentication Factors
• Three types of electronic
authentication
• Something you know –
username/password
• Something you have –
One time password device
• Something you are –
Voiceprint or retinal scan

8. Single Factor vs. Multifactor vs Dual
Factor
• Single Factor – Using one method to
authenticate.
• Dual Factor – Using two different types of
authentication mechanism to authenticate
• Multifactor – Using multiple forms of the
same factor. (Password + identifying an
image)
• Some people claim multi factor is just a
way around industry regulations. Good
test is to ask, could I memorize both of
these?

9. Username and Password - Benefits
• Most widely used
electronic
authentication
mechanism in the
world
• Low fixed cost to
implement and
virtually no variable
cost
• Fairly good for low
assurance
applications
• No physical device
required

10. Username and Password - Drawbacks
• Can be easily shared
on purpose
• Can be easily stolen
via Shoulder Surfing,
Keyboard Logger
Packet Sniffer
• Can be guessed
• Can be hard to
remember
• Password code is
easy to hack
• Video 3

11. If You Choose to Use Passwords..
• Be as long as possible (never shorter than 6
characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any
language.
• Expire on a regular basis and may not be reused
• May not contain any portion of your name,
birthday, address or other publicly available
information

12. Dialog Spoofing Authentication Attacks
• The biggest threat to authentication
security is users unintentionally giving
away their credentials to a “harvester”
• Dialog spoofing attack makes the user
think they are communicating with a
trusted source, but actually grabs the
credentials for its own malicious use

13. One Time Password Devices
Demystified
• Have an assigned
serial number which
relates to user-id.
For example, ndavis
= serial QB43
• Device generates a
new password every
30 seconds
• Server on other end
knows what to expect
from serial QB43 at
any point in time

14. One Time Password
Devices
• Time based
• Event based
• Sold by RSA,
Vasco, Verisign,
Aladdin, Entrust
and others
• How can event
based OTPs be
defeated?

15. Entrust Identity Guard Can Be Beaten
With a Photocopier!

16. One Time Passwords - Benefits
• Provides true Dual Factor
authentication, making it very
difficult to share
• Constantly changing password
means it can’t be stolen, shoulder
surfed or sniffed
• Coolness factor!

17. One Time Passwords - Drawbacks
• Cost!
• Rank very low on
the washability
index
• Uncomfortable
• Expiration
• Battery Life
• Can be forgotten
at home
• Video 1

18. Biometrics
• Use a unique part
of your body to
authenticate you,
such as your voice
pattern, your
retina, or your
fingerprint

19. Biometrics Benefits
• Harder to steal than even a One
Time Password since it is part of the
user, not simply in their possession
like and OTP device
• Absolute uniqueness of
authentication factor
• Coolness factor

20. Biometrics Drawbacks
• Cost
• Complexity of
Administration
• Highly invasive
• Not always
reliable – false
negatives
• Not foolproof
• The Gummi Bear
thief!

21. Other Biometric Methods and
Associated Issues
• comparing the face with that on a passport
photograph
• fingerprints
• DNA fingerprinting
• Iris scan
• Retina scan
• other biometrics
• signature
• Birthmarks - May be duplicated cosmetically
• Dentition - Identity may be mistaken by lack of or
falsification of dental X-ray records

22. Today’s Agenda
• Collect homework!
• Look at a few password cracking
tools, demonstrating why username
and password is weak!
• Finish lecture on Authentication!
• Class Discussion!
• Maybe Start Lecture on
Cryptography!

23. Today’s Chocolate Bar! - Twix
• Made by Mars
• Called “Raider” in Europe until 1991
• First produced in the UK in 1967
• Introduced to the US in 1979
• Twix, Peanut Butter Twix, Cookies –
n- Cream Twix, Chocolate Fudge
Twix, Triple Chocolate Twix, Choc –
n- Orange Twix
• Not suitable for strict vegetarians!

24. Digital Certificates
• A digital passport,
either contained on a
secure device, or on
a hard disk
• Secured with a
password, making
them truly a dual
factor solution
• Can be used to
authenticate
machines as well as
humans

25. Digital Certificate Benefits
• True Dual Factor Authentication
• Low variable cost to produce
• Can contain authorization data as
well as authentication data

26. Digital Certificate Drawbacks
• High fixed cost to build initial
infrastructure
• Can be copied and shared if not
properly stored
• Expiration
• Often require access to an interface
such as a card reader of USB port,
not always available at kiosks

27. Taking Advantage of Existing
Technology
• Your mobile phone can serve as a
powerful dual factor authentication
device

28. Shared Secret Based Authentication
Mechanisms
• Kerberos
• Needham-Schroeder protocol
• Secure Shell
• Encrypted key exchange (EKE)
• Secure remote password protocol (SRP)
• Closed-loop authentication
• RADIUS
• Diameter (protocol)
• HMAC
• EAP
• Authentication OSID
• CAPTCHA
• Java Authentication and Authorization Service
• Chip Authentication Program

29. Knowledge Based Authentication
• Authenticates the user via
verification of life events,
usually financial in nature,
such as:
• Looks great at first!
• However, most of this is
public information and
that which isn’t public can
be easily stolen
• The credit reports on
which this knowledge
based authentication is
based are often contain
factual errors
• Cost!

30. Initial Credentialing
• The verification of an individual’s or
machine’s identity prior to assignment of
an authentication identifier (DMV,
Passport Agency, Library Card, Credit
Card Application)
• An authentication credential is only as
trustworthy as the underlying
credentialing process
• SSN# often serves as base identifier
• What do you think about that?
• Can you think of a more secure base
identifier than SSN#? When would It have
to be assigned and by whom?

31. Key Concepts
• Current online authentication
techniques are weak at best: Most
rely on multiple single factors
• Credentials are easily stolen from
consumers and rarely change
• Lack of consistency in
authentication processes confuse
consumers

32. Who Is to Blame For the State of
Digital Authentication?
• No individual contributor is at fault
• This is really a failure of multiple parties
• OS Providers
• Browser Providers
• Financial & Commerce
• Software Providers
• Security Vendors
• The Financial and Commerce Institutions

33. It All Starts With a Better OS
• OS Must have security/auth
services baked-in
• Must not rely on 3rd party
applications to enforce security/auth
processes
• Best position within the consumer
access stack to enforce consistency

34. Unified Browser and Web Design
Standards Needed
• The Internet access browser must
contain consistent security/auth
processes and indicators for consumers
• Must not try and re-invent the security
wheel continuously
• This is usually why users pick weak
passwords – to preserve their sanity and
avoid “token necklace” or “fat wallet
syndrome”

35. Single Sign On (SSO), More like RSO
• Single Sign On (SSO) (also known
as Enterprise Single Sign On or
"ESSO") is the ability for a user to
enter the same id and password to
logon to multiple applications within
an enterprise.
• True SSO is rare, but Reduced Sign
On is quite workable

36. Single Sign On Benefits
• Ability to enforce uniform enterprise
authentication and/or authorization
policies across the enterprise
• End to end user audit sessions to
improve security reporting and auditing
• Removes application developers from
having to understand and implement
identity security in their applications
• Usually results in significant password
help desk cost savings

37. Document Authentication
• Humans and machines are easy to
authenticate, but what about
documents?
• Digital certificates to the rescue
• A digital signature, generated by a
private key can prove who authored
the document and can verify that the
contents have not been altered from
their original form

38. Authentication Federation
• The average user today interacts with all
sorts of social, business, financial and
government agencies digitally.
• Each of these requires their own id and
password as user authentication.
• As a result, the user is increasingly
frustrated with:
• Having to remember multiple user id and
passwords
• Providing more identity information than
they would otherwise chose to each entity

39. Authentication Federation
• Allows transitional trust among
institutional membership
• For example, If Nick wants to look up a
scholarly article at Penn State, UW can
tell Penn State that this request comes
from an authenticated and authorized
user without giving out my name, etc.
• Hard to enforce credentialing standards
• Relies a LOT on trusting that the other
institution did the right thing

40. Wireless Authentication
• Wiring actually provides an additional layer of
protection, requiring physical access
• Once this goes away, as is the case on a
wireless network, you need to find another
method to make up for the loss of physical
security which best emulates physical access
• Authenticate with username/password + MAC
address, for example.
• Put the wireless network on a firewalled subnet
• WPA is better than WEP, but not the answer to
everything.
• “Opportunity to Authenticate” is the principle to
keep in mind here as the most serious threat…

41. Securing Wireless Network
Authentication
• All wireless LAN devices need to
be secured, MAC address, static
IP address, secure subnet, etc.
• All users of the wireless network
need to be educated in wireless
network security
• All wireless networks need to be
actively monitored for weaknesses
and breaches

42. Wireless is Still Too New to Be Trusted
• Too many competing protocols,
each of which can have its own set
of security risks
• WEP encryption, WPA, WPA2,
802.1X, LEAP, PEAP, TKIP,
RADIUS, WAPI…The list goes on!

43. Remaining Issues With Authentication
• Authenticating the originator is as important as
authenticating the receiver, but few people pay
attention to this issue
• Currently, when we send email, we simply trust
that george.bush@whitehouse.gov really is the
President…This isn’t sufficient
• We need a method to lookup people in a
trustworthy manner
• Trusted and centralized LDAP to the rescue!
• Sadly, inter-organizational trusted LDAP access
isn’t used.

44. The Best Solution is a Hybrid Solution
• No, not that kind of
hybrid! Way overused
term
• Passwords can be
guessed or hacked
• Physical devices can
be stolen
• Biometrics are costly
and unreliable
• Use a mix of the
above technologies to
achieve the best
authentication
security
• Audit, Audit, Audit!!!

45. What Does the Future Hold?
• Will the federal government get involved
with **official** electronic credentials such
as a “U.S. Citizen Digital Identity”?
• Benefits of a federal digital identity
system?
• Drawbacks of a federal digital identity
system?
• How do you feel about the current state
of electronic authentication systems?