Nicholas A. Davis discusses various authentication methods and issues in electronic authentication. He covers passwords, one-time password devices, biometrics, digital certificates, and other authentication factors. Davis notes that current authentication relies too heavily on single factors like passwords, which are weak and easily stolen. He argues that the best solution is a hybrid approach using multiple authentication methods to achieve better security. Davis questions whether the future will include an official U.S. digital identity system and discusses potential benefits and drawbacks of such a system.
Multi-Factor Authentication - "Moving Towards the Enterprise" mycroftinc
In the past year, we’ve seen a significant shift in how we are asked to authenticate to web applications. The trend is moving from relying on simple username & passwords to wider scale use of two-factor, risk-based & multi-factor authentication (MFA), such as software tokens, one-time password (OTP), and various forms of device identification. What does it all mean & is it something your organization needs?
The simple answer is…multi-factor authentication needs to be on the radar of every organization, as passwords are no longer enough to protect users. Passwords are too easy to crack or steal & hackers are indiscriminant. From an operational perspective, organizations are losing money through high volumes of help desk tickets related to logins & password resets. Strong passwords are still just too weak of a defense in today’s business world.
Join us at 11amET on Tuesday, April 1st for an interactive webcast with our team of subject matter experts to learn more about how to turn this new requirement into a seamless feature of your current environment.
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication - Priyanka Aash
People use more passwords today than ever before. But with the advent of Apple’s latest iPhone releases and its TouchID and FaceID technologies, we’ll begin to see a wider acceptance of some biometrics methods like fingerprint and facial scanning. This session will assess the security of these methods compared to the tried and true password.
Learning Objectives:
1: Understand the password’s history and an overview of biometrics.
2: Understand the security pros and cons of passwords versus biometrics.
3: Obtain tips for creating a password/biometrics authentication stack.
(Source: RSA Conference USA 2018)
Webinar - Easy multi factor authentication strategies and PCI DSS - onionid12
In this webinar we will discuss the use of multi-factor authentication (MFA), and the new mandate in the latest version of PCI Data Security Standard, PCI DSS 3.2. MFA goes beyond traditional password-based approaches by combining multiple features, such as biometrics, behavioral patterns, and context information. In addition to covering these, the webinar will also address the problem of selecting the right combination of features for a business, given its unique priorities and circumstances. Learn how to comply with PCI DSS 3.2's MFA mandate for admin and user accounts.
How to Make Your IoT Devices Secure, Act Autonomously & Trusted Subjects - Maxim Salnikov
The ForgeRock Identity Platform and Edge security solution can turn any IoT device into a secure, trusted active subject enrolled and on-boarded from a hardware based root of trust to become an autonomous entity in your business relationship eco system represented by a digital twin.
Client Cert Deployment Models and Hardware Tokens/Smart Cards - Ed Dodds
8:45 Monday, January 23rd, 2012
Joe St Sauver, Ph.D.
joe@internet2.edu / joe@uoregon.edu
InCommon Certificate Program Manager and Internet2 Nationwide Security Programs Manager
http://pages.uoregon.edu/joe/client-cert-models/
There is no debate that companies large and small have put considerable effort into protecting digital security and privacy, following “best practice” recommendations and often using solutions from branded security vendors or built by the best in-house or outsourced experts. Yet they still fall prey to cyber and insider attacks, because “compliance” and “best practice” do not equal security. Reality has shown that traditional security approaches have fallen behind the increased system complexity and the advanced technical capabilities mastered by adversaries.
The key weakness in our security defenses lies in the weakness of the digital identity systems used to authenticate users (no system can defend against an attacker who impersonates a legitimate user); followed by the inability to validate the authenticity and integrity of communication (if an attacker can tamper with the data freely, there is no need to crack the one-time password); and finally the inability to protect information from unauthorized access in the event of an inevitable security breach caused by unknown system or application vulnerabilities.
FrontOne’s information security solution addresses all the security weaknesses listed above:
First, FrontOne uses its own digital identity, hardened to withstand advanced hackers using sophisticated real-time attacks, and helps all its users avoid falling prey to identity thieves, from phishing and malware attacks on the client side to advanced persistent threats on the server side, because FrontOne’s digital identity is dynamic and non-transferable.
Second, FrontOne provides 100% message integrity by using a dedicated, destination-aware messaging system and ensuring that each and every message is completely unique, reducing the chance of attackers being able to identify and manipulate it for their benefit.
Finally, FrontOne uses its own method of protecting information at rest, in transit and in use, focusing its innovation on the security and integrity of the encryption key while using industry-standard cryptography. FrontOne’s user-centric data protection solution uses dual control for its encryption keys: a random encryption key is protected with a security key that has two parts, one from the client side and the other from a centralized key server. This arrangement ensures that access to protected data is available in the presence of the authorized user’s device.
The security approaches FrontOne has taken above are further strengthened with its own patented technologies, which introduce a dynamic element into each and every message and transaction, mutually authenticate both parties before a request is served, and provide the user with ultimate control that is not accessible digitally.
Hitachi ID Password Manager (formerly P-Synch): Lower cost, improve service a... - Hitachi ID Systems, Inc.
Hitachi ID Password Manager:
Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications.
Integrated credential management for users: passwords, encryption keys, tokens, smart cards and more.
http://hitachi-id.com/
Electronic Authentication, More Than Just a Password - Nicholas Davis
A Presentation which discusses the three different types of electronic authentication: username/password (something you know), One Time Password (something you have) and Biometrics (Something you are). The benefits and drawbacks of each type of authentication are also addressed. A helpful presentation for those people looking to strengthen their authentication system, but who are unsure which technology fits their situation appropriately.
Security Considerations for Microservices and Multi cloud - Neelkamal Gaharwar
These slides contain my notes on the security considerations w.r.t. microservices and multi cloud. I am still working on this part. It is just a comprehension of whatever I have studied so far.
How Cloud-Based Service Providers Can Integrate Strong Identity and Security - GlobalSign
Our Chief Product Officer, Lila Kee, spoke at Cloud Computing Expo in New York.
The talk is about how cloud-based service providers must build security and trust into their offerings. It is imperative that these cloud-based service providers make identity, security, and privacy easy for their customers as customers become more reliant on these offerings. The slides include best practices for cloud-based service providers and show how a superior user experience backed by security features will enable business growth and reduce customer churn.
You can find out more in our webinar: https://www.globalsign.com/en/lp/webinar-the-business-advantages-of-ssl-as-a-service/
Keeping Secrets on the Internet of Things - Mobile Web Application Security - Kelly Robertson
Have you ever wondered why our web apps, and mobile web apps in particular, are hard to secure?
Be sure to read the speaker's notes in this presentation.
In this lengthy presentation, you will observe where researchers and hackers corrupt the developer's intentions...then, you will look at the Good, the Bad and the Ugly of Secure Software Development, WAF considerations, and Mobile Device Management...
CNIT 125 6. Identity and Access Management - Sam Bowne
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
Authentication Simple as a Selfie - How Biometrics are Reducing Customer Fric... - Easy Solutions Inc
Biometric authentication adoption is booming because it helps balance security and convenience by reducing customer friction. Our fingerprints, voice, face and more can all be used to validate our identity online. But where do biometrics fit in an authentication framework and how can these factors best be deployed?
In this webinar, we will discuss:
- New biometric options and how they reduce customer friction
- Channels other than mobile to consider when launching biometrics
- The need to integrate biometrics with legacy authentication systems
- Why biometrics need to be part of an authentication framework in a layered fraud protection strategy
2. Today’s Chocolate Bar
• Baby Ruth
• Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle
• Originally named Kandy Kake
• Named after President Grover Cleveland’s daughter, Ruth Cleveland, not after baseball player Babe Ruth
3. Passwords – Reading Discussion
• Define the root of a password
• Define the appendage of a password
• ! % & $ _zipcode have gotten too easy for password crackers
• Mix upper and lower case in the middle of the password
• Put the appendage in the middle of your root
4. University Networks – Reading
• Centralized vs. decentralized
• Faculty and staff demand freedom
• Central data handling policies are weak
• What should universities do to make their network more secure?
5. Overview
• Authentication defined
• Different types of electronic authentication factors
• Username and Password
• Dialog Spoofing Authentication Attacks
• One Time Password devices (OTP), how they work and don’t work
• Biometrics
• Digital Certificates
• Existing devices which can be used for authentication, Blackberry, Mobile Phone
• Shared Secret/Ticket based authentication systems
• Knowledge Based Authentication
• The Initial Credentialing Challenge
• Review of Key Concepts
• Who is to Blame For This Authentication Mess?
• SSO Authentication, the realities
• Federated Authentication
• Wireless Authentication issues
• Remaining Issues With Authentication
• What Does the Future Hold?
6. Authentication Defined
“Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”
7. Authentication Factors
• Three types of electronic authentication
• Something you know – username/password
• Something you have – one time password device
• Something you are – voiceprint or retinal scan
8. Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate.
• Multifactor – Using multiple forms of the same factor (password + identifying an image).
• Some people claim multi factor is just a way around industry regulations. A good test is to ask: could I memorize both of these?
9. Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required
10. Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via shoulder surfing, keyboard logger, packet sniffer
• Can be guessed
• Can be hard to remember
• Password code is easy to hack
• Video 3
11. If You Choose to Use Passwords..
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused.
• May not contain any portion of your name, birthday, address or other publicly available information.
12. Dialog Spoofing Authentication Attacks
• The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester”
• A dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use
13. One Time Password Devices Demystified
• Have an assigned serial number which relates to the user-id. For example, ndavis = serial QB43
• Device generates a new password every 30 seconds
• Server on the other end knows what to expect from serial QB43 at any point in time
14. One Time Password Devices
• Time based
• Event based
• Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others
• How can event based OTPs be defeated?
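The two slides above describe how a server can know what code to expect from a given serial at any moment: the device and the server share a secret, and the code is derived from that secret plus either the current 30-second time step (time based) or a counter that advances on each button press (event based). The following added example is not from the slides or from any vendor; it implements both flavours as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP), using the RFC test-vector secret so the values can be checked against the standards, and adds the server-side checks a deployment needs: a small clock-skew window, rejection of a code that was already accepted (replay), and counter resynchronisation for event-based devices. The serial `QB43` and user `ndavis` come from the slide; `EV17`, `OtpServer`, and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
# A real device would be provisioned with a random secret, never this one.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds, matching "a new password every 30 seconds"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP where the counter is the current time step."""
    return hotp(secret, unix_time // step, digits)


class OtpServer:
    """Server-side state for enrolled devices, keyed by device serial (hypothetical class)."""

    def __init__(self) -> None:
        self.devices: dict[str, dict] = {}

    def enroll(self, serial: str, user: str, secret: bytes, kind: str) -> None:
        # last_step / counter record what the server has already accepted, so a
        # sniffed or shoulder-surfed code cannot be reused after the real one.
        self.devices[serial] = {"user": user, "secret": secret, "kind": kind,
                                "last_step": -1, "counter": 0}

    def verify_totp(self, serial: str, code: str, now: int, skew_steps: int = 1) -> bool:
        dev = self.devices.get(serial)
        if dev is None or dev["kind"] != "totp":
            return False
        step = now // TIME_STEP
        for cand in range(step - skew_steps, step + skew_steps + 1):
            if cand <= dev["last_step"]:
                continue  # replay protection: never re-accept an old time step
            if hmac.compare_digest(totp(dev["secret"], cand * TIME_STEP), code):
                dev["last_step"] = cand
                return True
        return False

    def verify_hotp(self, serial: str, code: str, look_ahead: int = 5) -> bool:
        dev = self.devices.get(serial)
        if dev is None or dev["kind"] != "hotp":
            return False
        # The device may have been pressed without a login; search a bounded window
        # ahead of the server counter and resync to the matched value + 1.
        for cand in range(dev["counter"], dev["counter"] + look_ahead):
            if hmac.compare_digest(hotp(dev["secret"], cand), code):
                dev["counter"] = cand + 1
                return True
        return False  # codes behind the counter, or too far ahead, are rejected


if __name__ == "__main__":
    server = OtpServer()
    server.enroll("QB43", "ndavis", RFC_TEST_SECRET, "totp")
    server.enroll("EV17", "ndavis", RFC_TEST_SECRET, "hotp")
    print("time-based code at t=59:", totp(RFC_TEST_SECRET, 59))
    print("accepted:", server.verify_totp("QB43", totp(RFC_TEST_SECRET, 59), now=59))
    print("replayed:", server.verify_totp("QB43", totp(RFC_TEST_SECRET, 59), now=59))
```

The bounded look-ahead window in `verify_hotp` is the practical answer to the slide's question about event-based devices: without a window, one stray button press desynchronises the device; with an unbounded window, a server would accept any code the device will ever produce. The `last_step` check in `verify_totp` closes the gap between "a new password every 30 seconds" and "can't be stolen": a sniffed code is useless only if the server refuses it a second time within the same step.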
16. One Time Passwords - Benefits
• Provides true dual factor authentication, making it very difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!
17. One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery life
• Can be forgotten at home
• Video 1
18. Biometrics
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
19. Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor
20. Biometrics Drawbacks
• Cost
• Complexity of administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• The Gummi Bear thief!
21. Other Biometric Methods and Associated Issues
• Comparing the face with that on a passport photograph
• Fingerprints
• DNA fingerprinting
• Iris scan
• Retina scan
• Other biometrics
• Signature
• Birthmarks – may be duplicated cosmetically
• Dentition – identity may be mistaken by lack of or falsification of dental X-ray records
22. Today’s Agenda
• Collect homework!
• Look at a few password cracking tools, demonstrating why username and password is weak!
• Finish lecture on Authentication!
• Class Discussion!
• Maybe start lecture on Cryptography!
23. Today’s Chocolate Bar! - Twix
• Made by Mars
• Called “Raider” in Europe until 1991
• First produced in the UK in 1967
• Introduced to the US in 1979
• Twix, Peanut Butter Twix, Cookies-n-Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc-n-Orange Twix
• Not suitable for strict vegetarians!
24. Digital Certificates
• A digital passport, either contained on a secure device, or on a hard disk
• Secured with a password, making them truly a dual factor solution
• Can be used to authenticate machines as well as humans
25. Digital Certificate Benefits
• True dual factor authentication
• Low variable cost to produce
• Can contain authorization data as well as authentication data
26. Digital Certificate Drawbacks
• High fixed cost to build initial infrastructure
• Can be copied and shared if not properly stored
• Expiration
• Often require access to an interface such as a card reader or USB port, not always available at kiosks
27. Taking Advantage of Existing Technology
• Your mobile phone can serve as a powerful dual factor authentication device
29. Knowledge Based Authentication
• Authenticates the user via verification of life events, usually financial in nature, such as:
• Looks great at first!
• However, most of this is public information, and that which isn’t public can be easily stolen
• The credit reports on which this knowledge based authentication is based often contain factual errors
• Cost!
30. Initial Credentialing
• The verification of an individual’s or machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application)
• An authentication credential is only as trustworthy as the underlying credentialing process
• SSN# often serves as base identifier
• What do you think about that?
• Can you think of a more secure base identifier than SSN#? When would it have to be assigned and by whom?
31. Key Concepts
• Current online authentication techniques are weak at best: most rely on multiple single factors
• Credentials are easily stolen from consumers and rarely change
• Lack of consistency in authentication processes confuses consumers
32. Who Is to Blame For the State of Digital Authentication?
• No individual contributor is at fault
• This is really a failure of multiple parties
• OS Providers
• Browser Providers
• Financial & Commerce
• Software Providers
• Security Vendors
• The Financial and Commerce Institutions
33. It All Starts With a Better OS
• OS must have security/auth services baked-in
• Must not rely on 3rd party applications to enforce security/auth processes
• Best position within the consumer access stack to enforce consistency
34. Unified Browser and Web Design Standards Needed
• The Internet access browser must contain consistent security/auth processes and indicators for consumers
• Must not try to re-invent the security wheel continuously
• This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”
35. Single Sign On (SSO), More like RSO
• Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise.
• True SSO is rare, but Reduced Sign On is quite workable
36. Single Sign On Benefits
• Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
• End to end user audit sessions to improve security reporting and auditing
• Removes application developers from having to understand and implement identity security in their applications
• Usually results in significant password help desk cost savings
37. Document Authentication
• Humans and machines are easy to authenticate, but what about documents?
• Digital certificates to the rescue
• A digital signature, generated by a private key, can prove who authored the document and can verify that the contents have not been altered from their original form
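The two properties the slide names, authorship and integrity, are what a detached signature over the document bytes gives you. The following is an added example (not code from the presentation) using Ed25519 from Go's standard library: the author signs the document with a private key, and anyone holding the matching public key can check that the bytes are unchanged and came from that key. The seed, document text and type names are constructed for the example; in a certificate-based deployment the public key would be bound to the author's name by a CA-issued certificate rather than handed over directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds an author's Ed25519 key pair. In a certificate-based deployment
// the public key would be bound to the author's name by a digital certificate;
// in this example the verifier is simply handed the public key.
type Signer struct {
	Private ed25519.PrivateKey
	Public  ed25519.PublicKey
}

// NewSigner generates a fresh key pair from the system random source.
func NewSigner() (Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, err
	}
	return Signer{Private: priv, Public: pub}, nil
}

// NewSignerFromSeed derives a key pair from a fixed 32-byte seed. It exists so
// the example is reproducible; production keys should come from NewSigner.
func NewSignerFromSeed(seed []byte) Signer {
	priv := ed25519.NewKeyFromSeed(seed)
	return Signer{Private: priv, Public: priv.Public().(ed25519.PublicKey)}
}

// SignDocument produces a detached signature over the exact document bytes.
func (s Signer) SignDocument(doc []byte) []byte {
	return ed25519.Sign(s.Private, doc)
}

// VerifyDocument reports whether sig was made over doc by the holder of the
// private key matching pub. A single changed byte in doc, or a signature from
// a different key, makes it return false: that is what "not altered" and
// "who authored it" mean in practice.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	// Constructed author key and sample document (assumptions of this example).
	author := NewSignerFromSeed([]byte("constructed-seed-for-the-author!")) // 32 bytes
	doc := []byte("Purchase order 1234: ship 10 units")
	sig := author.SignDocument(doc)

	fmt.Println(VerifyDocument(author.Public, doc, sig)) // true: unchanged, right key
	altered := []byte("Purchase order 1234: ship 100 units")
	fmt.Println(VerifyDocument(author.Public, altered, sig)) // false: contents changed
}
```

The signature is computed over the raw bytes, so it must travel with the document exactly as signed; re-encoding or reformatting the document before verification will fail the check, which is the intended behaviour.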
38. Authentication Federation
• The average user today interacts with all sorts of social, business, financial and government agencies digitally.
• Each of these requires their own id and password as user authentication.
• As a result, the user is increasingly frustrated with:
• Having to remember multiple user ids and passwords
• Providing more identity information than they would otherwise choose to each entity
39. Authentication Federation
• Allows transitional trust among institutional membership
• For example, if Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc.
• Hard to enforce credentialing standards
• Relies a LOT on trusting that the other institution did the right thing
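The Penn State example above boils down to a signed assertion from the home institution that says "this is an authorized member" and nothing more, plus a relying party that accepts it only from institutions it has chosen to trust. The following is an added example, not code from the presentation or from any federation product (SAML and OpenID Connect carry the same ideas with much more machinery). The field names, institution names, seed and expiry are constructed for the example. It shows the two sides of the exchange and the checks a relying party must make before trusting the statement: known issuer, valid signature, intended audience, not expired.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the statement the home institution (identity provider, IdP)
// signs for a partner service. It deliberately carries no name or e-mail:
// only who issued it, which service it is for, when it expires, and the one
// attribute the partner needs. Field names are this example's own choice.
type Assertion struct {
	Issuer      string `json:"iss"`
	Audience    string `json:"aud"`
	ExpiresUnix int64  `json:"exp"`
	Affiliation string `json:"affiliation"`
}

// SignedAssertion is the encoded payload plus the IdP's signature over it.
type SignedAssertion struct {
	Payload   []byte
	Signature []byte
}

// IssueAssertion is the IdP side. The user has already authenticated to the
// IdP by whatever method it uses; the IdP now vouches only for the affiliation.
func IssueAssertion(idpKey ed25519.PrivateKey, issuer, audience, affiliation string,
	now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: issuer, Audience: audience,
		ExpiresUnix: now.Add(ttl).Unix(), Affiliation: affiliation}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(idpKey, payload)}, nil
}

// VerifyAssertion is the relying-party side. trustedIdPs holds the public keys
// exchanged out of band when the federation was set up; a valid signature from
// an unknown key proves nothing. The issuer field is read before the signature
// check only to select the key; no field is relied on until Verify passes.
func VerifyAssertion(trustedIdPs map[string]ed25519.PublicKey, sa SignedAssertion,
	myAudience string, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	pub, ok := trustedIdPs[a.Issuer]
	if !ok {
		return Assertion{}, errors.New("issuer is not a federation member")
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return Assertion{}, errors.New("signature does not verify")
	}
	if a.Audience != myAudience {
		return Assertion{}, errors.New("assertion was issued for a different service")
	}
	if !now.Before(time.Unix(a.ExpiresUnix, 0)) {
		return Assertion{}, errors.New("assertion has expired")
	}
	return a, nil
}

func main() {
	// Constructed federation: UW's public key is pre-registered at the partner library.
	uwKey := ed25519.NewKeyFromSeed([]byte("constructed-seed-for-uw-idp-0001")) // 32 bytes
	trusted := map[string]ed25519.PublicKey{"uw.edu": uwKey.Public().(ed25519.PublicKey)}
	now := time.Date(2014, 4, 1, 15, 0, 0, 0, time.UTC)

	sa, _ := IssueAssertion(uwKey, "uw.edu", "library.psu.edu", "member", now, 5*time.Minute)
	a, err := VerifyAssertion(trusted, sa, "library.psu.edu", now.Add(time.Minute))
	fmt.Println(a.Affiliation, err) // member <nil>
	_, err = VerifyAssertion(trusted, sa, "library.psu.edu", now.Add(time.Hour))
	fmt.Println(err) // assertion has expired
}
```

The slide's caveat is visible in the code: the relying party verifies the signature and the claims, but it cannot verify how well UW checked the person's identity in the first place. That part of the trust is decided when the key is added to trustedIdPs, which is why federations fight over credentialing standards.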
40. Wireless Authentication
• Wiring actually provides an additional layer of protection, requiring physical access
• Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access
• Authenticate with username/password + MAC address, for example.
• Put the wireless network on a firewalled subnet
• WPA is better than WEP, but not the answer to everything.
• “Opportunity to Authenticate” is the principle to keep in mind here as the most serious threat…
41. Securing Wireless Network Authentication
• All wireless LAN devices need to be secured: MAC address, static IP address, secure subnet, etc.
• All users of the wireless network need to be educated in wireless network security
• All wireless networks need to be actively monitored for weaknesses and breaches
42. Wireless is Still Too New to Be Trusted
• Too many competing protocols, each of which can have its own set of security risks
• WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI… The list goes on!
43. Remaining Issues With Authentication
• Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue
• Currently, when we send email, we simply trust that george.bush@whitehouse.gov really is the President… This isn’t sufficient
• We need a method to look up people in a trustworthy manner
• Trusted and centralized LDAP to the rescue!
• Sadly, inter-organizational trusted LDAP access isn’t used.
44. The Best Solution is a Hybrid Solution
• No, not that kind of hybrid! Way overused term
• Passwords can be guessed or hacked
• Physical devices can be stolen
• Biometrics are costly and unreliable
• Use a mix of the above technologies to achieve the best authentication security
• Audit, Audit, Audit!!!
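Slide 27 said the phone in your pocket can be the second factor, and this slide says to mix factors and audit every decision. The following added example (not code from the presentation) puts those together in one server-side login check written with Go's standard library: the password is stretched with PBKDF2-HMAC-SHA256 and compared in constant time, the second factor is an RFC 6238 time-based one-time code of the kind phone authenticator apps generate, and the per-factor outcome is returned so it can be written to the audit log. Both factors are always evaluated, so a failed attempt does not reveal which one was wrong. The user record layout, the salt and password, and the TOTP seed (the RFC 6238 test secret) are constructed for the example; a memory-hard password KDF would be the better choice in production, PBKDF2 is used here because it fits in a few standard-library lines.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// pbkdf2SHA256 stretches a password (RFC 8018) so a stolen hash is slow to
// attack offline. Iteration count and salt are the caller's choice.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(be[:])
		u := prf.Sum(nil)              // U1
		t := append([]byte(nil), u...) // running XOR of U1..Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HOTP computes an RFC 4226 one-time code (HMAC-SHA1, dynamic truncation).
func HOTP(secret []byte, counter uint64, digits int) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return int(code % mod)
}

// TOTP is HOTP over a 30-second time step (RFC 6238), what phone apps display.
func TOTP(secret []byte, t time.Time, digits int) int {
	return HOTP(secret, uint64(t.Unix()/30), digits)
}

// VerifyTOTP accepts the current step and one step either side, which covers
// ordinary phone clock drift without widening the replay window much.
func VerifyTOTP(secret []byte, code int, now time.Time) bool {
	step := now.Unix() / 30
	for d := int64(-1); d <= 1; d++ {
		if step+d >= 0 && HOTP(secret, uint64(step+d), 6) == code {
			return true
		}
	}
	return false
}

// StoredUser is the server-side record: salt, stretched password hash, and the
// TOTP seed that was also provisioned to the user's phone at enrolment.
type StoredUser struct {
	Salt, PasswordHash, TOTPSecret []byte
}

// FactorResult is what goes to the audit log: which factor passed or failed.
type FactorResult struct{ PasswordOK, TOTPOK bool }

// Login evaluates both factors unconditionally and returns the overall
// decision plus the per-factor outcome for auditing.
func Login(u StoredUser, password string, code int, now time.Time) (bool, FactorResult) {
	dk := pbkdf2SHA256([]byte(password), u.Salt, 10000, 32)
	r := FactorResult{
		PasswordOK: subtle.ConstantTimeCompare(dk, u.PasswordHash) == 1,
		TOTPOK:     VerifyTOTP(u.TOTPSecret, code, now),
	}
	return r.PasswordOK && r.TOTPOK, r
}

func main() {
	// Constructed enrolment record; the TOTP seed is the RFC 6238 test secret.
	secret := []byte("12345678901234567890")
	salt := []byte("constructed-salt")
	u := StoredUser{Salt: salt, TOTPSecret: secret,
		PasswordHash: pbkdf2SHA256([]byte("correct horse"), salt, 10000, 32)}
	now := time.Unix(59, 0)
	ok, r := Login(u, "correct horse", TOTP(secret, now, 6), now)
	fmt.Printf("login ok=%v audit=%+v\n", ok, r) // login ok=true audit={PasswordOK:true TOTPOK:true}
}
```

Two things the audit record buys you: a run of attempts with PasswordOK true and TOTPOK false is the signature of a stolen password being tried without the phone, and the opposite pattern suggests a compromised seed. Neither is visible if the login only logs "failed".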
45. What Does the Future Hold?
• Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”?
• Benefits of a federal digital identity system?
• Drawbacks of a federal digital identity system?
• How do you feel about the current state of electronic authentication systems?