5 Signs Your Authentication Is All Wrong

5 Signs You’re Doing Authentication Wrong
March 25, 2014
#duowebinar

5 Signs You're Doing Authentication Wrong
Eve Maler, Forrester Research 
5 Signs You're Doing Authentication Wrong
Brian Kelly, Duo Security 
Helping You Get It Right
Daniel Frye, CedarCrestone 
Choosing The Appropriate Solution
#duowebinar

5 Signs You’re Doing
Authentication Wrong
Eve Maler, Principal Analyst 
Forrester Research
#duowebinar

5 Signs You’re Doing
Authentication Wrong
A Listicle About Security And Usability
Eve Maler, Principal Analyst
March 25, 2014

You’re engaging in security theater

© 2014 Forrester Research, Inc. Reproduction Prohibited 3
Yeah, we really do have a problem

Source: December 30, 2013, “Market
Overview: Employee And Customer
Authentication Solutions In 2013,
Part 1 Of 2” Forrester report
2 out of 3
top data
breach types
involve the
keys to the
kingdom

Passwords (and security Qs) have a weak “UDS profile”
Source: February 24, 2014, “Market Overview: Employee And
Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
Usability Deployability Security
Memorywise-Effortless Accessible Resilient-to-Physical-Observation
Scalable-for-Users Negligible-Cost-per-User Resilient-to-Targeted-Impersonation
Nothing-to-Carry Server-Compatible Resilient-to-Throttled-Guessing
Physically-Effortless Nothing-to-Provision-to-User Resilient-to-Unthrottled-Guessing
Easy-to-Learn Mature Resilient-to-Internal-Observation
Efficient-to-Use Multiple-Purposes Resilient-to-Leaks-from-Other-Verifiers
Infrequent-Errors Available-Offline Resilient-to-Phishing
Easy-Recovery-from-
Loss
Resilient-to-Theft
No-Trusted-Third-Party
Requiring-Explicit-Consent
Unlinkable

Passwords (and security Qs) have a weak “UDS profile”
Easy-Recovery-from-
Loss
Resilient-to-Theft
Unlinkable
!!!

But password policy has become a bludgeon
We conclude that the sites with the most restrictive password policies do not
have greater security concerns, they are simply better insulated from the
consequences of poor usability.
...
Most organizations have security professionals who demand stronger policies, but
only some have usability imperatives strong enough to push back. When the
voices that advocate for usability are absent or weak, security measures become
needlessly restrictive. The watchers must be watched, not merely to ensure that
they do not steal or cheat, but also to ensure that they do not decide to make their
job a little easier at the cost of great inconvenience to everyone else.
– Florencio and Herley, Where do security policies come from? (2010) [emph
added]

What compensating controls can we use
to better effect?
›  Lockout policy
›  Getting “securely random” closer
to “memorable”
›  Risk-based and contextual
authentication
›  Real-time strength checking

You’re unifying on a
single login experience

Weird but true tales
“Since it’s hard to type passwords on mobile devices
or speak them out loud to customer service reps, we
force all passwords to be short and uppercase.”
“We want to give everyone the identical login
experience on every channel. How do we do
that?”
“We have two-factor auth: Users give a
password to log in, and if they forget their
password, we ask them security questions.”

Authentication stages and tasks have
different needs
New account enrollment,
with users and devices
potentially never seen
before.
Stronger authentication
to access higher-value,
higher-risk functions.
Front-door
authentication to
access ordinary
functions.
Password reset and other
security profile changes,
which may require re-
enrollment.
Onboarding
LoginStep-up
Recovery
Source: December 30, 2013, “Market
Overview: Employee And Customer
Authentication Solutions In 2013, Part 1 Of
2” Forrester report

© 2012 Forrester Research, Inc. Reproduction Prohibited
Think in terms of “responsive design”
for authentication tasks per channel
12
•  Pick up risk-based
clues from the
channel and task
wherever possible
•  Leverage users’
smart mobile
devices if they have
them

“Mobile first” means IT has less room to
maneuver than ever
›  Business owners want in-app
registration and login
›  Individuals demand user
experiences with a clear
purpose
›  Security task flows on mobile
devices feel different

Your authentication
chain has weak links

What’s your task/channel matrix?
Web Mobile
web
Mobile
app
Phone
CSR
Phone
IVR…
Register
user
Register
device
Routine
login
Account
recovery
Change
email…

What’s
your
population
and
scenario?
Benefit
in
sharing
credentials
Degree of
freedom to
walk away from
relationship
Baseline
Greater
benefit
Large
benefit
None (captive) Some at cost A lot
Regular
employee
Contractor
Nonpaying
affiliate
Paying
affiliate
Bank
customer
Privileged
employee
Social
network
user
Retail
customer
Service-
paying
customer
Payout
beneficiary
Employee
of partner

It’s intractably hard to stamp out all
passwords
› Back-end privileged accounts
› API client credentials and access tokens
› PINs to unlock MDM-protected devices
› Passwords as a required first factor of many
third-generation strong authentication solutions

You’re pretending your
enterprise is unextended

Source: December 30, 2013 “Market Overview:
Employee And Customer Authentication
Solutions In 2013, Part1 Of 2” Forrester report
The extended
enterprise needs
Zero Trust
authentication

Source: November 15, 2012,
“No More Chewy Centers:
Introducing The Zero Trust
Model Of Information Security”
Forrester report
Zero Trust and the cloud have affinities
All resources are
accessed in a
secure manner
regardless of
location.
Access control is
on a “need-to-
know” basis and is
strictly enforced.
Verify and never
trust.
Inspect and log all
traffic.
The network is
designed from the
inside out.

You annoy real users
as much as fraudsters

Easy-Recovery-from-
Loss
Resilient-to-Theft
Unlinkable
Adding contextual cues can be a great booster shot

Easy-Recovery-from-
Loss
Resilient-to-Theft
Unlinkable
Mobile-fueled third-gen solutions can add UDS strength

Leverage “adjacent uses” for employees
and consumers alike
Source: June 12, 2013,
“Introducing The Customer
Authentication Assessment
Framework” Forrester report

Thank you
Eve Maler
+1 425 345 6756
emaler@forrester.com
Twitter: @xmlgrrl

Helping You Get It Right
Brian Kelly, Sr. Product Marketing Manager 
Duo Security
#duowebinar

Passwords
 
The security problem we all share

100% 94% 416
of victims have up-to-date
anti-virus software
of breaches are reported by
third parties
100%
median number of days
advanced attackers are on the
network before being detected
of breaches involved stolen
credentials
(2013)
All Breaches Involve Stolen Passwords

Helping You Get Two-Factor Authentication Right
1. Avoid Security Theatre
2. Deploy Responsive Two-Factor Authentication
3. Remove Weak Links In Your Authentication Chain
4. Embrace Your Extended Enterprise
5. Don’t Annoy Your Users

‣ Your employees and users don’t want to
change their passwords every 90 days
my.vt.edu (Mar 2014)

‣ Your employees and users don’t want to
change their passwords every 90 days  
‣ Maintain a reasonable password policy
and require two-factor authentication
xkcd.com/936/

‣ Your sales team probably doesn’t have the
same risk proﬁle as your IT administrators
≠
!
!
⋆

!
same risk proﬁle as your IT administrators 
‣ Allow sales team to self-enroll and
leverage Duo’s Trusted Device policy

!
⋆
same risk proﬁle as your IT administrators 
‣ Allow sales team to self-enroll and
leverage Duo’s Trusted Device policy 
‣ Require admins
‣ to use 2FA on every login
‣ not rely on phone callback or SMS OTP
‣ manually enroll

Know Your Humans
‣ Enroll
‣ Authenticate
‣ Migrate
‣ Deactivate

Know Your Humans: Prove Identity
‣ Enroll
‣ Authenticate
‣ Migrate
‣ Deactivate
# #
##

Know Your Humans
‣ Enroll: TOFU (self-enrollment), batch, manual, sync
‣ Authenticate
‣ Migrate
‣ Deactivate

Know Your Humans
‣ Enroll
‣ Authenticate: policy, bypass
‣ Migrate
‣ Deactivate

Know Your Humans
‣ Enroll
‣ Authenticate
‣ Migrate: change phone, token
‣ Deactivate

Remote Access Security Hygiene
‣ Understanding all points of access
‣ Fail safe (open) v. fail secure (close) tradeoffs

‣ Added 2FA for SSH access to your
UNIX servers? Great!
‣ Did you remember turn off port
forwarding and tunneling?  
 
# Duo UNIX 2FA - sshd_config:
PermitTunnel no
AllowTcpForwarding no
ForceCommand /usr/sbin/login_duo
duosecurity.com/docs/duounix

‣ Duo 2FA for Windows RDP locks
down remote, interactive sessions
‣ “Run as” & non-interactive logins do
not invoke credential provider
‣ Understand limitations for local auth 
duosecurity.com/docs/rdp-faq

Integrate with everything that matters
‣ On-premises: VPN, servers, web apps
‣ Cloud: Google Apps, Office 365,
Salesforce, Box, and more (SAML)
‣ API: Duo Web and REST

Authenticate users with any device
‣ Duo Push: iOS, Android, BlackBerry,
Windows Phone
‣ Offline Passcodes
‣ SMS Passcodes
‣ Phone callback
‣ Tokens: HOTP/TOTP & YubiKey

Manage from anywhere
‣ Cloud-accessible management console
‣ Manage users, devices, integrations and
access logs all from web interface
‣ Admin REST API for automation

5. Don’t Annoy Your Users
Your users are smart
‣ Explain why 2FA is important  
(and better than archaic password policies)
‣ Give them choice
‣ Provide personal security value
‣ Get out of the way
guide.duosecurity.com

Thousands Doing It Right, Today
duosecurity.com/success-stories

Choosing The 
Appropriate Solution
Daniel Frye, SVP Corporate Security 
CedarCrestone
#duowebinar

About CedarCrestone
‣ Formed in 2005
‣ Merger of Cedar Enterprise Solutions (founded 1981)
and Crestone International (founded 1995)
‣ Global consulting & managed services
company
‣ Support 2,000+ employees for
CedarCrestone & affiliated companies
Headquarters 
Atlanta, GA

Business Challenge
‣ Evaluated susceptibility to password
phishing via internal pen-testing &
social engineering testing
‣ Hundreds of consultants on the road
that need VPN access
‣ Needed application-centric multi-
factor solution as an option for
managed services clients

Choosing The Appropriate Authentication Solution
‣ Why two-factor authentication vs. other security solutions?
‣ Deﬁning authentication solution success
‣ Protect critical resources
‣ Make it easy on users and staff
‣ Evaluation and competitive bake off

Decision: Duo Security
‣ Protect critical resources
‣ Drop-in integrations for Juniper and more
‣ Flexible API for custom integration or
enhancement
‣ Make it easy on users and staff
‣ Easy To Use: Duo Push, self-enrollment
‣ Easy To Deliver: Minimal training, factor choice
‣ Easy To Trust: Secure by design
$
Duo API

Results
‣ Password-related vulnerabilities mitigated since Duo
deployment
‣ Feedback from 3rd party pen-testing team very positive
‣ Feedback from staff who have used other 2FA solutions:  
Duo Push is much better
‣ Flexibility of mobile apps, SMS, phone callback, and YubiKey
support has proven integral to success

Questions + Answers #duowebinar
Eve Maler, Forrester Research 
emaler@forrester.com @xmlgrrl
Brian Kelly, Duo Security 
bkelly@duosecurity.com @resetbrian
Daniel Frye, CedarCrestone 
dan.frye@cedarcrestone.com @CedarCrestone

5 Signs Your Authentication Is All Wrong

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to 5 Signs Your Authentication Is All Wrong

Similar to 5 Signs Your Authentication Is All Wrong (20)

More from Duo Security

More from Duo Security (7)

Recently uploaded

Recently uploaded (20)

5 Signs Your Authentication Is All Wrong