www.owasp.org

The Inmates Are Running the Asylum
Why Some Multi-Factor Authentication Technology is Irresponsible

Clare Nelson, CISSP
clare.nelson@owasp.org
@Safe_SaaS
October 22, 2015
Austin, TX

Clare Nelson, CISSP
Independent: not an analyst, not with a vendor

• Scar tissue
  – Encrypted TCP/IP variants for NSA
  – Product Management at DEC (HP), EMC2
  – Director Global Alliances at Dell, Novell (IAM)
  – VP Business Development, MetaIntelli (Mobile Security)
  – CEO ClearMark, MFA Technology and Architecture
• 2001 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: OWASP AppSec USA, HackFormers, BSides, LASCON; clients including Fortune 500 financial services, Identity Management
• B.S. Mathematics

Scope

• External customers, consumers
  – Not internal employees, no hardware tokens
  – IoT preview
• No authentication protocols
  – OAuth, OpenID, UMA, SCIM, SAML
• United States
  – EU regulations
    o France: legal constraints for biometrics
      § Need authorization from National Commission for Informatics and Liberty (CNIL)¹
  – India: e-commerce Snapdeal, Reserve Bank of India
    o Move from two-factor to single-factor authentication for transactions less than Rs. 3,000²

¹ Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
² Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms

NIST Definition¹

Origin of definition?
• NIST: might be Gene Spafford, or “ancient lore”²
  – @TheRealSpaf, “Nope — that's even older than me!”³
  – 1970s? NSA? Academia?

¹ Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
² Source: February 26, 2015 email response from a NIST SP 800-63-2 author
³ Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)

How can one write a guide based on a definition of unknown, ancient origin?

How can you implement MFA without a current, coherent definition?

Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg

NIST versus New Definitions

Multi-Factor Authentication (MFA) Factors:
• Knowledge
• Possession
  – Mobile device identification
• Inherence
  – Biometrics: Physical or Behavioral
• Location
  – Geolocation
  – Geofencing
  – Geovelocity
• Time¹

NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”²

¹ Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
² Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

Authentication in an Internet Banking Environment

• OUT: Simple device identification
• IN: Complex device identification, “digital fingerprinting” using PC configuration, IP address, geo-location, other factors
  – Implement time of day restrictions for funds transfers
  – Consider keystroke dynamics, biometric-based responses¹

“…virtually every authentication technique can be compromised”

¹ Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf

Why 200+ MFA Vendors?

Authentication has been the Holy Grail since the early days of the Web.¹

The iPhone of Authentication has yet to be invented.²

¹ Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
² Source: Clare Nelson, February 2015.

Suboptimal Choices
Authentication Factors/Technology

1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
   – One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript (behavioral biometrics)
5. Overreliance on GPS, insufficient geolocation data
6. Weak, arcane, account recovery
7. Assumption mobile devices are secure
8. Encryption (without disclaimers)
   – Quantum computing may break RSA or ECC by 2030¹
     • Update on NSA’s $80M Penetrating Hard Targets project²
   – Encryption backdoors, is it NSA-free and NIST-free cryptography?
   – No mysterious constants or “magic numbers” of unknown provenance³

¹ Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
² Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
³ Source: https://www.grc.com/sqrl/sqrl.htm

Irrational Exuberance of Biometric Adoption

Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
  - Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
  - Driven by increase of fingerprint scanners in smartphones¹

Samsung Pay

¹ Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/

Apple Touch ID: Cat Demo

¹ Source: https://www.youtube.com/watch?v=q3ymzRYXezI

(Image slide)
¹ Source: http://www.dw.de/image/0,,18154223_303,00.jpg

2D Fingerprint Hacks

• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula Von der Leyen
  – From photographs¹,²
• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
  – Won IsTouchIDHackedYet.com competition³
• 2006: Published research on hacking fingerprint recognition systems⁴

¹ Source: https://www.youtube.com/watch?v=vVivA0eoNGM
² Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
³ Source: http://istouchidhackedyet.com
⁴ Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf

Starbug Faking Touch ID

¹ Source: http://istouchidhackedyet.com

Android: Remote Fingerprint Theft at Scale¹

“…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”²

¹ Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
² Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/

Diagram labels: Hardware, User Space, Kernel Space

Krissler versus Riccio

“Don't use fingerprint recognition systems for security relevant applications!”¹
  – Jan Krissler (Starbug)

“Fingerprints are one of the best passwords in the world.”²
  – Dan Riccio, SVP, Apple

¹ Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
² Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-ni-believed-legendary-fight-3181991

Behavioral Biometrics¹

Issues
• Requires JavaScript
• Learning curve
• Privacy, constant monitoring
• Injury to hand
• “Highly intoxicated”

¹ Source: http://www.behaviosec.com

Behavioral Biometrics: Invisible Challenge

• Analyze hundreds of bio-behavioral, cognitive and physiological parameters
  – Invisible challenge
  – No user interaction for step-up authentication
  – How you find missing cursor¹

¹ Source: http://www.biocatch.com

Biometrics: In Use, Proposed

• Fingerprints 2D, 3D via ultrasonic waves
• Palms, its prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head – its shape, specific movements
• Ears, lip prints
• Gait, Odor, DNA
• ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home security)
• EEG¹
• Methods: Pills, Tattoos
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air²

¹ Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
² Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html

“Thought Auth”¹
EEG Biosensor

• MindWave™ headset²
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security³

¹ Source: Clare Nelson, March 2015
² Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
³ Source: http://www.technewsworld.com/story/77762.html

3D Fingerprint¹

No matter how advanced the biometric is, the same basic threat model persists.

¹ Source: http://sonavation.com/technology/

How do you stump an MFA vendor?

Ask for a threat model.

Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html

“… biometrics cannot, and absolutely must not, be used to authenticate an identity”¹
  – Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical

“Fingerprints are Usernames, Not Passwords”

¹ Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

@drfuture on Biometrics

Hidden Risks
• Biometric reliability and the perception of it
• Lack of discussion of the consequences of errors
• Biometric data’s irreversibility and the implications
• Our biometrics can be grabbed without our consent
• Our behavior can rat us out – sometimes incorrectly
• Giving our biometric and behavioral data may be (de facto) mandatory
• Biometric data thieves and aggregators¹

Diagram: accuracy of a biometric system (axis label: Threshold)

¹ Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
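The trade-off behind the slide's threshold diagram, worked through as an added example that is not from the talk or the diagram it cites: a hypothetical matcher's genuine and impostor scores (constructed), the false accept and false reject rates each threshold produces, the equal-error point, and what those rates become as counts at deployment scale.

```python
"""Error rates of a biometric matcher as a function of its decision threshold.

Added example (not from the talk or the diagram it cites): a matcher returns
a similarity score, and the system accepts when score >= threshold.  The
genuine and impostor scores below are constructed, not measured data.
"""
from dataclasses import dataclass

# Constructed similarity scores on a 0-100 scale (hypothetical matcher output).
GENUINE_SCORES = [88, 92, 75, 81, 95, 69, 84, 90, 78, 86, 73, 91, 66, 83, 89]
IMPOSTOR_SCORES = [40, 55, 62, 48, 71, 35, 58, 67, 52, 44, 60, 74, 38, 50, 63]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    far: float  # false accept rate: impostors accepted / impostors presented
    frr: float  # false reject rate: genuine users rejected / genuine presented


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """FAR and FRR for one threshold on the given score samples."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return ErrorRates(threshold, false_accepts / len(impostor), false_rejects / len(genuine))


def sweep(lo=0, hi=100):
    """Error rates at every integer threshold in [lo, hi]."""
    return [error_rates(t) for t in range(lo, hi + 1)]


def equal_error_point(rates):
    """Threshold where FAR and FRR are closest: the EER, the usual headline number."""
    return min(rates, key=lambda r: abs(r.far - r.frr))


def threshold_for_far(max_far, rates=None):
    """Lowest threshold whose FAR does not exceed max_far (security-first tuning)."""
    for r in rates or sweep():
        if r.far <= max_far:
            return r
    raise ValueError("no threshold meets the FAR target")


def expected_errors(rates, genuine_attempts, impostor_attempts):
    """Rates become counts at deployment scale: (false accepts, false rejects)."""
    return (round(rates.far * impostor_attempts), round(rates.frr * genuine_attempts))


if __name__ == "__main__":
    eer = equal_error_point(sweep())
    print(f"EER threshold {eer.threshold}: FAR={eer.far:.3f} FRR={eer.frr:.3f}")
    strict = threshold_for_far(0.0)
    print(f"FAR=0 needs threshold {strict.threshold}, costing FRR={strict.frr:.3f}")
    fa, fr = expected_errors(eer, genuine_attempts=1_000_000, impostor_attempts=10_000)
    print(f"At EER, 1M genuine / 10k impostor attempts: {fa} false accepts, {fr} lockouts")
```

The same scores that give a modest-looking EER of about 13% translate into more than a hundred thousand locked-out legitimate users per million attempts, which is the "consequences of errors" discussion the slide says is missing.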
  	
  
What Will Cause Biometric Backlash?

1. Difficult to reset, revoke
2. Exist in public domain, and elsewhere (56M+ fingerprints stolen in 2015 OPM breach¹)
3. May undermine privacy, make identity theft more likely²
4. Persist in government and private databases, accreting information whether we like it or not³
5. Hygiene (e.g., Bank of America hand geometry scanner for safe deposit box room entry)
6. User acceptance or preference varies by geography, demographic

¹ Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
² Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
³ Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php

SMS OTP Attacks

• Intel’s Dmitrienko, et al
  - Circumvented SMS OTP of 4 large banks¹
• Northeastern University and Technische Universität Berlin
  - “SMS OTP systems cannot be considered secure anymore”²
• SMS OTP threat model
  - Physical access to phone
  - SIM swap attack
  - Wireless interception
  - Mobile phone trojans³

¹ Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
²,³ Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf

SMS OTP Attack: Banking Example

• Operation Emmental
• Defeated 2FA
  - 2014, discovered by Trend Micro¹
  - European, Japanese banks
  - Online banking
    1. Customer enters username, password
    2. Token sent to mobile device (SMS OTP)
    3. Customer enters token (OTP)
  - Attackers scraped SMS OTPs off customers’ Android phones²,³

¹ Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
² Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
³ Source: https://www.youtube.com/watch?v=gchKFumYHWc

SMS OTP Attacks

Banking trojans deploy mobile malware, allow attackers to steal SMS OTP¹

¹ Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
Diagram Source: https://devcentral.f5.com/articles/malware-analysis-report-cridex-cross-device-online-banking-trojan

QR Code Risks¹

Example: two-factor authentication
• User captures QR code with mobile device
• User enters PIN code to log on, or validate transaction²

QR code redirects user to URL
• Even if the URL is displayed, not everyone reads
• Could link to a malicious website

¹ Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
² Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx

Geolocation

• Are latitude and longitude sufficient?
• Digital Authentication Technologies: Contextual Location Fingerprint™¹
  – Not based on geo-location
• Issues in buildings
• Error rates
• GPS spoofing²
• Cellphone power meter can be turned into a GPS³
• PowerSpy: Android phone’s geolocation by tracking its power use over time
  – Unlike GPS or Wi-Fi location tracking, available to any installed app without user’s permission⁴

¹ Source: http://www.dathq.com/OurStrategy.aspx
² Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
³ Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
⁴ Source: http://www.wired.com/2015/02/powerspy-phone-tracking/

Account recovery is the Achilles heel of 2FA¹
  – Eric Sachs, Product Management Director, Identity at Google

¹ Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/

Account Recovery¹

¹ Source: https://support.google.com/accounts/answer/1187538?hl=en

What’s Wrong with Mobile Device as Authentication Device?

MetaIntelli research: sample of 38,000 mobile apps, 67% had M32

Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/

MFA Double Standard¹

Consumers
• Facial and voice for mobile login²

Employees
• Symantec VIP³

¹ Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
² Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
³ Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice

Perfect Storm

• Crowded market
  – 200+ MFA vendors
  – ~$1.8B market¹
• Apple, VISA, Samsung
  – 2D fingerprint authentication is cool, secure
• Breaches
• Legislation
• FIDO Alliance

¹ Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market

FIDO Alliance

• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
  – Universal 2nd Factor (U2F)
  – Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Store secrets on device (Android phone), versus hardened server
• Network-resident versus device-resident biometrics
  – FIDO advocates device-resident
• Problems, especially with voice¹

¹ Source: January 2015, “Network vs Device Resident Biometrics,” ValidSoft

“Legacy thinking subverts the security of a well-constructed system”¹
  – David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money²

¹ Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
² Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122

Internet of Things (IoT)¹

¹ Source: http://www.slideshare.net/IoTBruce/iot-meets-big-data-the-opportunities-and-challenges-by-syed-hoda-of-parstream

OWASP IoT Top 10¹

A1: Insecure Web Interface
A2: Insufficient Authentication, Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security

¹ Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014

IoT Predictions
Creative Cryptography, Uneven Protocol Adoptions

• Enhanced Privacy ID (EPID®)
  – "Implementing Intel EPID offers IoT designers …proven security options”¹
• PKI: instead of one-to-one mapping public and private key pairs, uses one-to-many mapping of public to private keys
• Autobahn to dirt road
  – E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
  – Different implementation constraints
  – “Security of these … mechanisms is highly dependent on the ability of the programmers creating it.”²

¹ Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
² Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015

Consider Risk-Based Authentication
(aka Context-Based Authentication, Adaptive Authentication)

• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location, geo-fencing, geo-velocity
• Behavioral analysis¹
• Analytics, machine learning, continuous authentication²

Layer multiple contextual factors. Build a risk profile.

¹ Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
² Source: Clare Nelson, August 2015
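One way to layer the factors listed above into a risk profile, as an added example that is not from the talk or from any vendor it names: device registration, IP reputation, geo-velocity between consecutive logins, and time of day each contribute to a score that selects allow, step-up or deny. The weights, the IP reputation table and the login samples are assumptions constructed for the illustration.

```python
"""Layering contextual factors into a risk score for a login attempt.

Added example, not from the talk or any vendor it names.  Assumed inputs: the
user's registered device fingerprints, an IP reputation table, and the
location/time of the previous successful login.  All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # faster than any airline trip: implausible travel

# Hypothetical IP reputation feed: address -> label.
IP_REPUTATION = {
    "203.0.113.10": "clean",
    "198.51.100.7": "tor_exit",
    "192.0.2.55": "known_botnet",
}

@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    last_lat: float
    last_lon: float
    last_when: datetime
    usual_hours: range  # UTC hours in which this user normally logs in

@dataclass(frozen=True)
class LoginContext:
    device_fingerprint: str
    source_ip: str
    lat: float
    lon: float
    when: datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def geo_velocity_kmh(profile, ctx):
    """Speed the user would have needed to travel since the last login."""
    dist = haversine_km(profile.last_lat, profile.last_lon, ctx.lat, ctx.lon)
    hours = (ctx.when - profile.last_when).total_seconds() / 3600
    if hours <= 0:  # same instant or clock skew: any displacement is suspect
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def risk_signals(profile, ctx):
    """Each triggered contextual factor contributes a weight (weights are illustrative)."""
    signals = {}
    if ctx.device_fingerprint not in profile.known_devices:
        signals["unregistered_device"] = 30
    reputation = IP_REPUTATION.get(ctx.source_ip, "unknown")
    if reputation == "known_botnet":
        signals["ip_reputation"] = 60
    elif reputation == "tor_exit":
        signals["ip_reputation"] = 25
    elif reputation == "unknown":
        signals["ip_reputation"] = 5
    if geo_velocity_kmh(profile, ctx) > MAX_PLAUSIBLE_KMH:
        signals["implausible_travel"] = 40
    if ctx.when.hour not in profile.usual_hours:
        signals["unusual_hour"] = 10
    return signals

def decide(score):
    """Map the layered score to an action: low risk passes, medium steps up, high is denied."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"

def evaluate(profile, ctx):
    """Return (score, decision, triggered signals) for one login attempt."""
    signals = risk_signals(profile, ctx)
    score = min(100, sum(signals.values()))
    return score, decide(score), signals

# Constructed profile: last good login from Austin, TX, on a registered device.
PROFILE = UserProfile(
    known_devices=frozenset({"fp-a1"}),
    last_lat=30.2672, last_lon=-97.7431,
    last_when=datetime(2015, 10, 22, 14, tzinfo=timezone.utc),
    usual_hours=range(13, 23),
)
ROUTINE_LOGIN = LoginContext("fp-a1", "203.0.113.10", 30.2672, -97.7431,
                             datetime(2015, 10, 22, 15, tzinfo=timezone.utc))
# Same registered device and a clean IP, but geolocated to London one hour later.
IMPOSSIBLE_TRAVEL = LoginContext("fp-a1", "203.0.113.10", 51.5074, -0.1278,
                                 datetime(2015, 10, 22, 15, tzinfo=timezone.utc))
# Unregistered device from a botnet address at 03:00 UTC the next day.
HOSTILE_LOGIN = LoginContext("fp-zz", "192.0.2.55", 30.2672, -97.7431,
                             datetime(2015, 10, 23, 3, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, ctx in [("routine", ROUTINE_LOGIN), ("travel", IMPOSSIBLE_TRAVEL), ("hostile", HOSTILE_LOGIN)]:
        print(name, evaluate(PROFILE, ctx))
```

No single factor here is an authentication factor in the NIST sense; the point of the score is that a registered device plus a clean address still steps up when the geo-velocity is impossible.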
  
What You Can Do (1 of 2)

• Request threat models from MFA vendors
• Beware
  – 2D fingerprints
  – Already-hacked biometrics
  – QR codes
  – SMS OTP
  – JavaScript requirements
  – Overreliance on geolocation
  – Weak account recovery
  – Lack of mobile device risk analysis
  – Encryption with backdoors

Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/

What You Can Do (2 of 2)

• Do not be swayed by latest InfoSec fashion trends
  – Apple Touch ID
    • Integration with VISA
    • Samsung Pay
  – FIDO Alliance
• Rethink MFA definition
  – Beware of odd interpretations
• Authentication as a continuous process
  – Not just login and transactions
  – Cross-channel risk
• Depending on risk and use case, chain or combine
  – MFA + (location, time, device ID) + context-based analytics

Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/

Questions?

Clare Nelson, CISSP
clare.nelson@owasp.org
@Safe_SaaS
October 22, 2015
Austin, TX

Additional References (1 of 3)

• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password. — UN/HACKABLE — Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare, Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)

Additional References (2 of 3)

• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM’s hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor; CTO Daon, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien, OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)

Additional References (3 of 3)

• Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/ (September 2015)
• Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)

"A rose by any other name would smell as sweet”¹

• Adaptive authentication
• Multi-modal authentication
• Continuous authentication
• 2FA, TFA, Two-factor authentication
• Multi-factor authentication
• Strong authentication
  – United States: Many interpretations, depends on context
  – European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations²
• Apple: Two-step authentication
• Multi-step authentication
• SecureAuth: Adaptive, risk-based, context-based authentication
• IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication
  – Traditional authentication: authenticate at beginning of session
  – Dynamic authentication: users may be asked to authenticate at “various points during a session, for various reasons”³
• Step-up authentication
• Re-Authentication
• Out-of-Band Authentications

¹ Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
² Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
³ Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)

Advice for Startups

• For startup internal employees:
  – www.gluu.org, 100% open source and open standards
  – Many offer free service for a small team
    • Apersona free up to 5 users: http://www.apersona.com/#!pricing/c1c8c
    • Duo free up to 10 users: https://www.duosecurity.com/
• Build authentication into your products
  – Originally cars did not have seat belts. In the future, authentication will be designed in.


LASCON 2015

  • 7.
    www.owasp.org Authen,ca,on  in  an  Internet  Banking  Environment   •  OUT:  Simple  device  idenFficaFon   •  IN:  Complex  device  idenFficaFon,  “digital  fingerprinFng”   use  PC  configuraFon,  IP  address,  geo-­‐locaFon,  other   factors   –  Implement  Fme  of  day  restricFons  for  funds  transfers   –  Consider  keystroke  dynamics,  biometric-­‐based  responses1     1Source:  hjps://www.fdic.gov/news/news/press/2011/pr11111a.pdf     “…virtually  every  authenFcaFon   technique  can  be  compromised”  
  • 8.
    www.owasp.org Why  200+  MFA  Vendors?   Authen,ca,on  has  been  the   Holy  Grail  since  the  early  days   of  the  Web.1     The  iPhone  of  Authen,ca,on  has   yet  to  be  invented.2   1Source:  h+p://sciencewriters.ca/2014/03/26/will-­‐your-­‐brain-­‐waves-­‐become-­‐your-­‐new-­‐password/     2Source:  Clare  Nelson,  February  2015.    
  • 9.
    www.owasp.org                SubopFmal  Choices   AuthenFcaFon  Factors/Technology   1.  Biometrics,  2D  fingerprint   2.  Short  Message  Service  (SMS)   –  One-­‐Time  Password  (OTP)   3.  Quick  Response  (QR)  codes   4.  JavaScript  (behavioral  biometrics)   5.  Overreliance  on  GPS,  insufficient  geolocaFon  data   6.  Weak,  arcane,  account  recovery   7.  AssumpFon  mobile  devices  are  secure   8.  EncrypFon  (without  disclaimers)     –  Quantum  compuFng  may  break  RSA  or  ECC  by  20301   •  Update  on  NSA’s  $80M  Penetra,ng  Hard  Targets  project2   –  EncrypFon  backdoors,  is  it  NSA-­‐free  and  NIST-­‐free  cryptography?   –  No  mysterious  constants  or  “magic  numbers”  of  unknown  provenance”3   1Source:  January  18,  2015:  Ralph  Spencer  Poore,  cryptologist,  AusFn  ISSA  guest  lecturer   2Source:   h+p://www.washingtonpost.com/world/naFonal-­‐security/nsa-­‐seeks-­‐to-­‐build-­‐quantum-­‐computer-­‐that-­‐could-­‐crack-­‐most-­‐ types-­‐of-­‐encrypFon/2014/01/02/8fff297e-­‐7195-­‐11e3-­‐8def-­‐a33011492df2_story.html   3Source:  h+ps://www.grc.com/sqrl/sqrl.htm    
  • 10.
    www.owasp.org Juniper  Research:   • By  2019,  770  million  apps  that  use  biometric  authenFcaFon  will  be   downloaded  annually   -  Up  from  6  million  in  2015   •  Fingerprint  authenFcaFon  will  account  for  an  overwhelming  majority   -  Driven  by  increase  of  fingerprint  scanners  in  smartphones1       IrraFonal  Exuberance  of  Biometric  AdopFon   Samsung  Pay   1Source:  h+p://www.nfcworld.com/2015/01/22/333665/juniper-­‐forecasts-­‐biometric-­‐authenFcaFon-­‐market/      
  • 11.
  • 12.
  • 13.
    www.owasp.org 2D  Fingerprint  Hacks   •  Starbug,  aka  Jan  Krissler   •  2014:  Cloned  fingerprint  of  German  Defense   Minister,  Ursula  Von  der  Leyen   –  From  photographs1,2   •  2013:  Hacked  Apple’s  Touch  ID  on  iPhone  5S  ~24   hours  ater  release  in  Germany   –  Won  IsTouchIDHackedYet.com  compeFFon3   •  2006:  Published  research  on  hacking  fingerprint   recogniFon  systems4   1Source:  h+ps://www.youtube.com/watch?v=vVivA0eoNGM     2Source:  h+p://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-­‐clones-­‐fingerprint-­‐from-­‐photograph/     3Source:  h+p://istouchidhackedyet.com   4Source:  h+p://berlin.ccc.de/~starbug/talks/0611-­‐pacsec-­‐hacking_fingerprint_recogniFon_systems.pdf        
  • 14.
    www.owasp.org Starbug  Faking  Touch  ID   1Source:  h+p://istouchidhackedyet.com    
  • 15.
    www.owasp.org Android:  Remote  Fingerprint  Thet  at  Scale1   “…hackers  can  remotely  steal  fingerprints  without  the  owner  of   the  device  ever  knowing  about  it.  Even  more  dangerous,  this  can   be  done  on  a  “large  scale.”2       1Source:   h+ps://www.blackhat.com/docs/us-­‐15/materials/us-­‐15-­‐Zhang-­‐Fingerprints-­‐On-­‐Mobile-­‐Devices-­‐Abusing-­‐And-­‐Leaking-­‐ wp.pdf     2Source:  h+p://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-­‐galaxy-­‐s5-­‐fingerprint-­‐a+acks/     Hardware   User  Space   Kernel  Space  
  • 16.
    www.owasp.org Krissler  versus  Riccio         “Don't  use  fingerprint   recogniFon  systems  for   security  relevant   applicaFons!”1    –  Jan  Krissler  (Starbug)     “Fingerprints  are  one  of  the   best  passwords  in  the   world.”2    –  Dan  Riccio          SVP,  Apple              1Source:  h+p://berlin.ccc.de/~starbug/talks/0611-­‐pacsec-­‐hacking_fingerprint_recogniFon_systems.pdf     2Source:  h+p://www.imore.com/how-­‐touch-­‐id-­‐works   Photo:  h+p://www.mirror.co.uk/news/world-­‐news/revealed-­‐ni-­‐believed-­‐legendary-­‐fight-­‐3181991      
  • 17.
    www.owasp.org Behavioral  Biometrics   1Source:  h+p://www.behaviosec.com     Issues   •  Requires  JavaScript   Learning  curve   •  Privacy,  constant   monitoring   •  Injury  to  hand   •  “Highly  intoxicated”  
  • 18.
    www.owasp.org Behavioral  Biometrics:  Invisible  Challenge   •  Analyze  hundreds  of  bio-­‐ behavioral,  cogniFve  and   physiological  parameters   –  Invisible  challenge   –  No  user  interacFon  for  step-­‐up   authenFcaFon   –  How  you  find  missing  cursor1   1Source:  h+p://www.biocatch.com     1Source:  h+p://www.biocatch.com    
  • 19.
    www.owasp.org Biometrics:  In  Use,  Proposed   •  Fingerprints  2D,  3D  via  ultrasonic  waves   •  Palms,  its  prints  and/or  the  whole  hand  (feet?)   •  Signature   •  Keystroke,  art  of  typing,  mouse,  touch  pad   •  Voice   •  Iris,  reFna,  features  of  eye  movements   •  Face,  head  –  its  shape,  specific  movements   •  Ears,  lip  prints   •  Gait,  Odor,  DNA,     •  ECG  (Bionym’s  Nymi  wristband,  smartphone,  laptop,  car,      home  security)   •  EEG1   •  Methods:  Pills,  Tajoos   •  Smartphone/behavioral:  AirSig  authenFcates  based  on  g-­‐sensor  and   gyroscope,  how  you  write  your  signature  in  the  air2   1Source:  h+p://www.optel.pl/arFcle/future%20of%20biometrics.pdf     2Source:  h+p://www.airsig.com   Digital  Ta+oo:  h+p://motorola-­‐blog.blogspot.com/2014/07/-­‐unlock-­‐your-­‐moto-­‐x-­‐with-­‐a-­‐digital-­‐ta+oo.html      
  • 20.
    www.owasp.org “Thought  Auth”1   EEG  Biosensor   •  MindWave™  headset2   •  Measures  brainwave   signals   •  EEG  monitor   •  InternaFonal   Conference  on  Financial   Cryptography  and  Data   Security3   1Source:  Clare  Nelson,  March  2015   2Source:  h+p://neurosky.com/biosensors/eeg-­‐sensor/biosensors/   3Source:  h+p://www.technewsworld.com/story/77762.html    
  • 21.
    www.owasp.org 3D  Fingerprint1   1Source:  h+p://sonavaFon.com/technology/       No  ma+er  how  advanced  the  biometric  is,  the  same  basic  threat  model  persists.  
  • 22.
    www.owasp.org          How  do  you  stump  an  MFA  vendor?   Ask  for  a  threat  model.   Photo:  h+p://www.huffingtonpost.co.uk/2015/08/09/parents-­‐reveal-­‐why-­‐quesFon-­‐woes_n_7963152.html    
  • 23.
    www.owasp.org “…  biometrics  cannot,  and   absolutely  must  not,  be  used     to  authen,cate  an  iden,ty”1              –  DusFn  Kirkland,  Ubuntu  Cloud  SoluFons  Product              Manager  and  Strategist  at  Canonical                 1Source:  h+p://blog.dusFnkirkland.com/2013/10/fingerprints-­‐are-­‐user-­‐names-­‐not.html         “Fingerprints  are  Usernames,  Not  Passwords”    
  • 24.
    www.owasp.org @drfuture  on  Biometrics   1Source:   h+ps://www.blackhat.com/docs/us-­‐15/materials/us-­‐15-­‐Keenan-­‐Hidden-­‐Risks-­‐Of-­‐Biometric-­‐IdenFfiers-­‐And-­‐How-­‐ To-­‐Avoid-­‐Them.pdf     Diagram  Source:     h+p://security.stackexchange.com/quesFons/57589/determining-­‐the-­‐accuracy-­‐of-­‐a-­‐biometric-­‐system         Hidden  Risks   •  Biometric  reliability  and  the   percep,on  of  it     •  Lack  of  discussion  of  the   consequences  of  errors   •  Biometric  data’s  irreversibility  and   the  implicaFons   •  Our  biometrics  can  be  grabbed   without  our  consent   •  Our  behavior  can  rat  us  out  –   someFmes  incorrectly   •  Giving  our  biometric  and  behavioral   data  may  be  (de  facto)  mandatory   •  Biometric  data  thieves  and   aggregators1           Threshold    
  • 25.
    www.owasp.org 1.  Difficult  to  reset,  revoke   2.  Exist  in  public  domain,  and  elsewhere   (56M+  fingerprints  stolen  in  2015  OPM   breach1)   3.  May  undermine  privacy,  make  idenFty   thet  more  likely2   4.  Persist  in  government  and  private   databases,  accreFng  informaFon  whether   we  like  it  or  not3   5.  Hygiene  (e.g.,  Bank  of  America  hand   geometry  scanner  for  safe  deposit  box   room  entry)   6.  User  acceptance  or  preference  varies  by   geography,  demographic   What  Will  Cause  Biometric  Backlash?   1Source:  h+p://money.cnn.com/2015/07/10/technology/opm-­‐hack-­‐fingerprints/index.html     2Source:  h+p://www.diva-­‐portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl     3Source:  h+p://www.pbs.org/wgbh/nova/next/tech/biometrics-­‐and-­‐the-­‐future-­‐of-­‐idenFficaFon/     Photo:  h+p://www.rineypackard.com/facial-­‐recogniFon.php    
  • 26.
    www.owasp.org •  Intel’s  Dmientrienko,  et  al   -  Circumvented  SMS  OTP  of  4  large   banks1   •  Northeastern  University  and  Technische   Universität  Berlin     -  “SMS  OTP  systems  cannot  be   considered  secure  anymore”2   •  SMS  OTP  threat  model   -  Physical  access  to  phone   -  SIM  swap  ajack   -  Wireless  intercepFon   -  Mobile  phone  trojans3   SMS  OTP  Ajacks   1Source:  h+p://www.chrisFan-­‐rossow.de/publicaFons/mobile2FA-­‐intel2014.pdf     2,3Source:  h+ps://www.eecs.tu-­‐berlin.de/fileadmin/f4/TechReports/2014/tr_2014-­‐02.pdf    
  • 27.
    www.owasp.org •  OperaFon  Emmental   •  Defeated  2FA   -  2014,  discovered  by  Trend  Micro1   -  European,  Japanese  banks   -  Online  banking   1.  Customer  enters  username,   password   2.  Token  sent  to  mobile  device   (SMS  OTP)   3.  Customer  enters  token  (OTP)   -  Ajackers  scraped  SMS  OTPs  off   customers’  Android  phones2,  3     SMS  OTP  Ajack:  Banking  Example   1Source:  h+p://blog.trendmicro.com/finding-­‐holes-­‐operaFon-­‐emmental/     2Source:   h+p://www.trendmicro.com/cloud-­‐content/us/pdfs/security-­‐intelligence/white-­‐papers/wp-­‐finding-­‐holes-­‐operaFon-­‐ emmental.pdf      3Source:  h+ps://www.youtube.com/watch?v=gchKFumYHWc    
  • 28.
    www.owasp.org SMS  OTP  Ajacks   1Source:  h+p://www.chrisFan-­‐rossow.de/publicaFons/mobile2FA-­‐intel2014.pdf   Diagram  Source:  h+ps://devcentral.f5.com/arFcles/malware-­‐analysis-­‐report-­‐cridex-­‐cross-­‐device-­‐online-­‐banking-­‐trojan     Banking  trojans   deploy  mobile   malware,  allow   ajackers  to  steal   SMS  OTP  1  
  • 29.
    www.owasp.org QR  Code  Risks1   Example:  two-­‐factor  authenFcaFon   •  User  captures  QR  code  with  mobile  device   •  User  enters  PIN  code  to  log  on,  or  validate  transacFon2   QR  code  redirects  user  to  URL   •  Even  if  the  URL  is  displayed,  not  everyone  reads   •  Could  link  to  a  malicious  website     1Source:  h+p://www.csoonline.com/arFcle/2133890/mobile-­‐security/the-­‐dangers-­‐of-­‐qr-­‐codes-­‐for-­‐security.html   2Source:  h+ps://www.vasco.com/products/client_products/sotware_digipass/digipass_for_mobile.aspx          
  • 30.
    www.owasp.org GeolocaFon   •  Are  laFtude  and  longitude  sufficient?   •  Digital  AuthenFcaFon  Technologies:   Contextual  LocaFon  Fingerprint™1   –  Not  based  on  geo-­‐locaFon   •  Issues  in  buildings   •  Error  rates   •  GPS  spoofing2   •  Cellphone  power  meter  can  be  turned  into   a  GPS3   •  PowerSpy:  Android  phone’s  geolocaFon  by   tracking  its  power  use  over  Fme   –  Unlike  GPS  or  Wi-­‐Fi  locaFon  tracking,   available  to  any  installed  app  without  user’s   permission4       1Source:  h+p://www.dathq.com/OurStrategy.aspx     2Source:  h+p://news.utexas.edu/2013/07/29/ut-­‐ausFn-­‐researchers-­‐successfully-­‐spoof-­‐an-­‐80-­‐million-­‐yacht-­‐at-­‐sea     3Source:  Dan  Boneh,  quoted  in  h+p://cacm.acm.org/magazines/2015/9/191171-­‐qa-­‐a-­‐passion-­‐for-­‐pairings/abstract       4Source:  h+p://www.wired.com/2015/02/powerspy-­‐phone-­‐tracking/    
  • 31.
    www.owasp.org 1Source:  h+p://www.zdnet.com/arFcle/google-­‐unveils-­‐5-­‐year-­‐roadmap-­‐for-­‐strong-­‐authenFcaFon/       Account  recovery   is  the  Achilles  heel   of  2FA               –    Eric  Sachs   Product  Management  Director,  IdenFty   at  Google    
  • 32.
    www.owasp.org Account  Recovery1   1Source:  h+ps://support.google.com/accounts/answer/1187538?hl=en      
  • 33.
    www.owasp.org What’s  Wrong  with  Mobile  Device  as  AuthenFcaFon  Device?   MetaIntelli  research:  sample  of  38,000  mobile  apps,  67%  had  M32   Source:  h+ps://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks     Source:   h+p://metaintelli.com/blog/2015/01/06/industry-­‐first-­‐metaintelli-­‐research-­‐discovers-­‐large-­‐number-­‐of-­‐mobile-­‐ apps-­‐affected-­‐by-­‐owasp-­‐mobile-­‐top-­‐10-­‐risks/    
  • 34.
    www.owasp.org MFA  Double  Standard   Consumers   •  Facial  and  voice  for   mobile  login2   Employees   •  Symantec  VIP3   1Source:  h+p://cdn.themetapicture.com/media/funny-­‐puppy-­‐poop-­‐double-­‐standards.jpg     2Source:   h+p://www.americanbanker.com/news/bank-­‐technology/biometric-­‐Fpping-­‐point-­‐usaa-­‐deploys-­‐face-­‐voice-­‐ recogniFon-­‐1072509-­‐1.html     3Source:  h+p://www.slideshare.net/ExperianBIS/70-­‐006idenFtyauthenFcaFonandcredenFalinginpracFce     1  
  • 35.
    www.owasp.org Perfect  Storm   • Crowded  market   –  200+  MFA  vendors     –  ~$1.8B  market1   •  Apple,  VISA,  Samsung   –  2D  fingerprint   authenFcaFon  is  cool,   secure   •  Breaches   •  LegislaFon   •  FIDO  Alliance     1Source:   h+p://www.slideshare.net/FrostandSullivan/analysis-­‐of-­‐the-­‐strong-­‐authenFcaFon-­‐and-­‐one-­‐Fme-­‐password-­‐ otp-­‐market    
  • 36.
    www.owasp.org FIDO  Alliance   • Fast  ID  Online  (FIDO)  Alliance   •  Proponent  of  interoperability   –  Universal  2nd  Factor  (U2F)   –  Universal  AuthenFcaFon  Framework  (UAF)   •  Triumph  of  markeFng  over  technology   •  Store  secrets  on  device  (Android  phone),  versus   hardened  server   •  Network-­‐resident  versus  device-­‐resident  biometrics   –  FIDO  advocates  device-­‐resident   •  Problems,  especially  with  voice1   1Source:  January  2015,  “Network  vs  Device  Resident  Biometrics,”  ValidSot  
  • 37.
    www.owasp.org “Legacy  thinking  subverts    the  security  of  a     well-­‐constructed  system”1            –  David  Birch,  Digital  Money  and  IdenFty  Consultant,              Author  of  IdenFty  is  the  New  Money2       1Source:  h+ps://www.ted.com/talks/david_birch_idenFty_without_a_name?language=en#t-­‐112382   2Source:  h+p://www.amazon.com/IdenFty-­‐Is-­‐New-­‐Money-­‐PerspecFves/dp/1907994122        
  • 38.
  • 39.
    www.owasp.org OWASP  IoT  Top  10   1Source:  h+p://www.slideshare.net/SebasFenGioria/clusir-­‐infonord-­‐owasp-­‐iot-­‐2014         A1:  Insecure  Web   Interface   A2:  Insufficient   AuthenFcaFon,   AuthorizaFon   A3:  Insecure   Network  Services   A4:  Lack  of   Transport   EncrypFon   A5:  Privacy   Concern   A6  :  Insecure  Cloud   Interface   A8:  Insecure   Security   Configurability   A10:    Poor  Physical   Security   A7:  Insecure   Mobile  Interface   A9:  Insecure   Sotware  /   Firmware  
  • 40.
    www.owasp.org IoT  PredicFons   Crea,ve  Cryptography,  Uneven  Protocol  Adop,ons   •  Enhanced  Privacy  ID  (EPID®)   –   "ImplemenFng  Intel  EPID  offers  IoT  designers  …proven   security  opFons”1   •  PKI:  instead  of  one-­‐to-­‐one  mapping  public  and  private  key   pairs,  uses  one-­‐to-­‐many  mapping  of  public  to  private  keys   •  Autobahn  to  dirt  road   –  E.g.,  HTTPS  to  Constrained  ApplicaFon  Protocol  (CoAP)   with  OAuth2,  OpenID,  UMA   –  Different  implementaFon  constraints   –  “Security  of  these  …  mechanisms  is  highly  dependent  on   the  ability  of  the  programmers  creaFng  it.”2   1Source:   h+p://www.prnewswire.com/news-­‐releases/atmel-­‐collaborates-­‐with-­‐intel-­‐on-­‐epid-­‐technology-­‐to-­‐enable-­‐more-­‐secure-­‐iot-­‐ applicaFons-­‐300130062.html     2Source:  Using  OAuth  for  Access  Control  on  the  Internet  of  Things,  Windley,  2015      
  • 41.
    www.owasp.org Consider  Risk-­‐Based  AuthenFcaFon   (aka  Context-­‐Based  AuthenFcaFon,  AdapFve  AuthenFcaFon)   •  Device  registraFon  and  fingerprinFng     •  Source  IP  reputaFon  data     •  IdenFty  store  lookup     •  Geo-­‐locaFon,  geo-­‐fencing,  geo-­‐velocity     •  Behavioral  analysis1   •  AnalyFcs,  machine  learning,  conFnuous  authenFcaFon2     1Source:   h+p://www.darkreading.com/endpoint/authenFcaFon/moving-­‐beyond-­‐2-­‐factor-­‐authenFcaFon-­‐with-­‐ context/a/d-­‐id/1317911     2Source:  Clare  Nelson,  August  2015   Layer  mulFple  contextual  factors.    Build  a  risk  profile.  
  • 42.
    www.owasp.org What  You  Can  Do  (1  of  2)   •  Request  threat  models  from  MFA   vendors     •  Beware   –  2D  fingerprints   –  Already-­‐hacked  biometrics   –  QR  codes   –  SMS  OTP   –  JavaScript  requirements   –  Overreliance  on  geolocaFon   –  Weak  account  recovery   –  Lack  of  mobile  device  risk  analysis   –  EncrypFon  with  backdoors   Comic:  Greg  Larson,  h+ps://www.pinterest.com/pin/418834834066762730/      
  • 43.
    www.owasp.org What  You  Can  Do  (2  of  2)   •  Do  not  be  swayed  by  latest  InfoSec  fashion   trends   –  Apple  Touch  ID   •  IntegraFon  with  VISA   •  Samsung  Pay   –  FIDO  Alliance   •  Rethink  MFA  definiFon   –  Beware  of  odd  interpretaFons   •  AuthenFcaFon  as  a  conFnuous  process   –  Not  just  login  and  transacFons   –  Cross-­‐channel  risk   •  Depending  on  risk  and  use  case,  chain  or   combine   –  MFA  +  (locaFon,  Fme,  device  ID)  +  context-­‐ based  analyFcs   Photo:  h+p://northonharper.com/2014/04/wish-­‐list-­‐mini-­‐midi-­‐maxi/      
  • 44.
    www.owasp.org QuesFons?       Clare  Nelson,  CISSP                        clare.nelson@owasp.org                          @Safe_SaaS                        October  22,  2015                      AusFn,  TX   s  
  • 45.
    www.owasp.org QuesFons?   Clare  Nelson,  CISSP   @Safe_SaaS       clare.nelson@owasp.org  
  • 46.
    www.owasp.org AddiFonal  References  (1  of  3)   •  Stanislav,  Mark;  Two-­‐Factor  Authen9ca9on,  IT  Governance  Publishing  (2015)   •  Wouk,  Kristofer;  Flaw  in  Samsung  Galaxy  S5  Could  Give  Hackers  Access  to  Your   Fingerprints, h+p://www.digitaltrends.com/mobile/galaxy-­‐s5-­‐fingerprint-­‐scanner-­‐flaw/  (April   2015)   •  IDC  Technology  Spotlight,  sponsored  by  SecureAuth,  Dynamic  AuthenFcaFon:   Smarter  Security  to  Protect  User  AuthenFcaFon  (September  2014)   Six  technologies  that  are  taking  on  the  password.  —  UN/  HACKABLE  —  Medium     •  Barbir,  Abbie,  Ph.D;  Mul9-­‐Factor  Authen9ca9on  Methods  Taxonomy,   h+p://docslide.us/documents/mulF-­‐factor-­‐authenFcaFon-­‐methods-­‐taxonomy-­‐ abbie-­‐barbir.html  (2014)     •  Nelson,  Clare,  Mul9-­‐Factor  Authen9ca9on:  What  to  Look  For,  InformaFon  Systems   Security  AssociaFon  (ISSA)  Journal hJp://www.bluetoad.com/publica9on/?i=252353    (April  2015)    
  • 47.
    www.owasp.org AddiFonal  References  (2  of  3)   •  Keenan,  Thomas;  Hidden  Risks  of  Biometric  Iden9fiers  and  How  to  Avoid  Them,   University  of  Calgary,  Black  Hat  USA,   h+ps://www.blackhat.com/docs/us-­‐15/materials/us-­‐15-­‐Keenan-­‐Hidden-­‐Risks-­‐Of-­‐ Biometric-­‐IdenFfiers-­‐And-­‐How-­‐To-­‐Avoid-­‐Them-­‐wp.pdf  (August  2015)   •  Pagliery,  Jose;  OPM’s  hack’s  unprecedented  haul:  1.1  million  fingerprints:   h+p://money.cnn.com/2015/07/10/technology/opm-­‐hack-­‐fingerprints/index.html     (July  2015)   •  Bonneau,  Joseph,  et  al,  Passwords  and  the  Evolu9on  of  Imperfect  Authen9ca9on,   CommunicaFons  of  the  ACM,  Vol.  58,  No.  7  (July  2015)   •  White,  Conor;  CTO  Doan,  Biometrics  and  Cybersecurity,   h+p://www.slideshare.net/karthihaa/biometrics-­‐and-­‐cyber-­‐security  (2009,   published  2013)   •  Gloria,  SébasFen,  OWASP  IoT  Top  10,  the  life  and  the  universe,   h+p://www.slideshare.net/SebasFenGioria/clusir-­‐infonord-­‐owasp-­‐iot-­‐2014   (December  2014)  
  • 48.
    www.owasp.org AddiFonal  References  (3  of  3)   •  Steves,  Michelle,  et  al,  NISTIR,  Report:  Authen9ca9on  Diary  Study,     h+p://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf    (February  2014)   •  Andres,  Joachim;  blog,  Smarter  Security  with  Device  Fingerprints,   h+ps://forgerock.org/2015/09/smarter-­‐security-­‐with-­‐device-­‐fingerprints/? mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye %2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D   (September  2015)   •  Perrot,  Didier;  There’s  No  Ideal  Authen9ca9on  Solu9on,   h+p://www.inwebo.com/blog/theres-­‐no-­‐ideal-­‐authenFcaFon-­‐soluFon/  (August   2015)  
  • 49.
    www.owasp.org "A  rose  by  any  other  name  would  smell  as  sweet”1   •  AdapFve  authenFcaFon   •  MulF-­‐modal  authenFcaFon   •  ConFnuous  authenFcaFon   •  2FA,  TFA,  Two-­‐factor  authenFcaFon   •  MulF-­‐factor  authenFcaFon   •  Strong  authenFcaFon   –  United  States:  Many  interpretaFons,  depends  on  context   –  European  Central  Bank  (ECB):  strong  authenFcaFon,  or  strong   customer  authenFcaFon,  set  of  specific  recommendaFons2   •  Apple:  Two-­‐step  authenFcaFon   •  MulF-­‐step  authenFcaFon   •  SecureAuth:  AdapFve,  risk-­‐based,  context-­‐based   authenFcaFon     •  IDC:  advanced  authenFcaFon,  dynamic  user  authenFcaFon,   mulFform  authenFcaFon,  mulFframe  authenFcaFon,   standard  authenFcaFon,  tradiFonal  authenFcaFon   –  TradiFonal  authenFcaFon:  authenFcate  at  beginning  of  session   –  Dynamic  authenFcaFon:  users  may  be  asked  to  authenFcate  at   “various  points  during  a  session,  for  various  reasons”3   •  Step-­‐up  authenFcaFon   •  Re-­‐AuthenFcaFon   •  Out-­‐of-­‐Band  AuthenFcaFons   1Source:  Shakespeare,  Romeo  and  Juliet,  h+p://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html     1Source:  IDC  Technology  Spotlight,  sponsored  by  SecureAuth,  Dynamic  AuthenFcaFon:  Smarter  Security  to  Protect  User   AuthenFcaFon  (September  2014)       2Source:  h+ps://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html      
  • 50.
    www.owasp.org Advice  for  Startups   •  For  startup  internal  employees:   –  www.gluu.org,  100%  open  source  and  open  standards   –  Many  offer  free  service  for  a  small  team   •  Apersona  free  up  to  5  users:  h+p://www.apersona.com/#!pricing/c1c8c     •  Duo  free  up  to  10  users:  h+ps://www.duosecurity.com/     •  Build  authenFcaFon  into  your  products   –  Originally  cars  did  not  have  seat  belts.  In  the  future,  authenFcaFon  will  be  designed  in.