Mike Schwartz, profile picture
Uploaded byMike Schwartz
PPTX, PDF1,722 views

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

The document discusses the importance of two-factor authentication (2FA) and multi-factor authentication in enhancing security, emphasizing the need for standardized API usage for trust elevation and the challenges associated with deploying these methods. It also highlights the role of OAuth2 in making 2FA more deployable and the necessity of collaboration among domains to align on authentication standards. Finally, the document advocates for broader trust elevation strategies beyond just 2FA to enhance overall security in applications.

Internet
Related topics:
Information Security

Embed presentation

Downloaded 36 times
#RSAC 1
#RSAC Obama says use two factors… 2 https://nakedsecurity.sophos.com/2016/02/12/obama-says-passwords-arent-strong-enough-urges-use-of-2fa/
#RSAC Progress = Obliviousness 3 2FA = two-factor authentication
#RSAC Authentication tradeoffs… 4
#RSAC Protect your money! 5 Issued guidance in 2005 entitled “Authentication in an Internet Banking Environment“ Source: https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf “… the techniques employed should be commensurate with the risks associated with the products and services offered ”
#RSAC What is Trust Elevation? 6
#RSAC Agenda 7 Background on authentication technology: where are we today? Deep Dive into OAuth2: what features does it have to support Trust Elevation Trust Elevation across domain boundaries GOAL: Make you aware of some of the challenges we face to enable Trust Elevation
#RSAC What is Multi-Factor Authentication? 8 NIST defines this as two or more of … Something you know Something you have Something you are Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
#RSAC Risk Scores 9
#RSAC Contextual Combinations Complicate 10 Is the IP address a known hacker? Was the device rooted? Is a browser cookie present? Is the device running virus protection? Is the location recognized? When was credential issued? What is the time of the day?
#RSAC “…every scheme does worse than passwords on deployability” 11 http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf
#RSAC OAuth2 will make 2FA more “deployable” 12 Applications should use Standard API’s for authentication and Trust Elevation! No “one-offs” http://nordicapis.com/api-security-oauth-openid-connect-depth/ Good Intro to Oauth2:
#RSAC Enter OAuth2 13 i.e. API’s i.e. Website or mobile app i.e. Secure Token Service
#RSAC OpenID Connect 14 Resource Server = user_info API To call this API, you need an Access Token TOKENTOKEN
#RSAC Importance of Audience 15 https://hanszandbelt.wordpress.com/2015/12/14/the-importance-of-audience-in-web-sso/ BEFORE AFTER
#RSAC OpenID Connect: Client Registration, Discovery too! 16 http://openid.net/connect
#RSAC Overview of Authorization Code Flow 17 Relying Party (RP) redirects person to OpenID Provider (OP) for authorization Authentication happens only once! OP returns code to RP RP uses code to get tokens from OP RP uses access token to obtain user claims from /user_info API: {“given_name”: “Mike”, “family_name”: “Schwartz”}
#RSAC OpenID Connect id_token 18 Information about authentication event { "iss": "https://server.example.com", “sub": "248289761001", "aud": "3214244", "iat": 1311195570, "exp": 1311281970, “auth_time”: 131195001, “acr”: http://example.com/basic_bio” “amr”: [‘eye’, ‘pwd’, ‘12’] }
#RSAC ACR and AMR 19 How does the app know what kind of authentication happened?
#RSAC OpenID Provider Discovery 20 GET host + /.well-known/openid-configuration
#RSAC OpenID Dynamic Client Registration 21
#RSAC Authentication Request 22 In the request, acr_values is actually a space delimited string…
#RSAC id_token 23 Returned id_token confirms acr and amr values { "iss": "https://server.example.com", “sub": "248289761001", "aud": "3214244", "iat": 1311195570, "exp": 1311281970, “auth_time”: 131195001, “acr”: http://example.com/basic_bio” “amr”: [‘eye’, ‘pwd’, ‘12’] }
#RSAC App Policy 24 GET https://example.com/finance Just an example… using OpenID Connect alone, you could require a certain type of authentication
#RSAC Best Practice: Centralize Policy Management 25
#RSAC UMA 26 Protect any API: require an RPT Token
#RSAC UMA In 60 seconds 27 Client Calls API without RPT Token RS obtains Permission Ticket from AS and returns it to Client Client presents ticket to AS AS evaluates polices. If ok, issues RPT token (bearer) Client calls API with RPT Token RS introspects Token: if ok, returns content
#RSAC Subtle difference… Scope references policy 28 Scope based access: Level of abstraction that enables the central policy decision point to decide which acr is required
#RSAC What kind of policies can you make? 29
#RSAC Elevating Trust using UMA 30 You are Forbidden because you need acr…
#RSAC Re-Authenticate! 31
#RSAC Part III: Intedomain trust elevation 32 Infrastructure and security is not (usually) basis for competition between firms in the same industry.
#RSAC Saml Federations 33 Normalize legal/technical
#RSAC Many SAML Federations publish user schema. 34 http://www.incommon.org/federation/attributesummary.html
#RSAC Oauth2 schema: not just user claims… 35
#RSAC Collaboration on ACR / AMR values 36 So what values should we use for amr and acr? https://tools.ietf.org/html/draft-jones-oauth-amr-values-05 This IETF draft defines some AMR’s… but its inadequate
#RSAC ACR alignment 37 Domains need to collaborate on the values for acr’s and amr’s
#RSAC OTTO – Kantara Initiative Work Group 38 http://kantarainitiative.org/confluence/display/OTTO/Home Open Trust Taxonomy for OAuth2
#RSAC SAML federations 39
#RSAC OAuth2 has new entities and new jargon 40
#RSAC Where do we need federations 41
#RSAC Summary 42 We don’t lack ways to identify people, but we lack agreement on the relative strength of these mechanisms. OAuth2 enables centralized risk based trust elevation, driving down the cost of deployment—the main impediment to 2FA adoption. To enable trust elevation across domains, federations are needed.
#RSAC Action items 43 Don’t limit your planning to two-factor authentication. Make a plan for trust elevation! Start architecting your applications to leverage central policy decision point—not for all fine grained authorization, but for key security escalations. If you work in an ecosystem, consider collaborating (even with your competitors) to drive down the cost of security.
#RSAC 44

More Related Content

PPTX
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
PDF
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
byMike Schwartz
 
PPTX
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
byForgeRock
 
PDF
Identiverse - Microservices Security
byBertrand Carlier
 
PPTX
The Client is not always right! How to secure OAuth authentication from your...
byMike Schwartz
 
PDF
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
byMike Schwartz
 
PPTX
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
byForgeRock
 
PDF
Authlete: API Authorization Enabler for API Economy
byTatsuo Kudo
 
OpenID Connect and Single Sign-On for Beginners
bySalesforce Developers
 
Trust Elevation: Implementing an OAuth2 Infrastructure using OpenID Connect &...
byMike Schwartz
 
Webinar: Extend The Power of The ForgeRock Identity Platform Through Scripting
byForgeRock
 
Identiverse - Microservices Security
byBertrand Carlier
 
The Client is not always right! How to secure OAuth authentication from your...
byMike Schwartz
 
OAuth2 for IoT Security: Why OpenID Connect & UMA Are They Key
byMike Schwartz
 
User-Managed Access: Why and How? - Access Control in Digital Contract Contexts
byForgeRock
 
Authlete: API Authorization Enabler for API Economy
byTatsuo Kudo
 

What's hot

PDF
ForgeRock Platform Release - Summer 2016
byForgeRock
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPTX
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
PPTX
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
byForgeRock
 
PDF
Cyber Kill Chain: Web Application Exploitation
byPrathan Phongthiproek
 
PDF
Beyond username and password it's continuous authorization webinar
byForgeRock
 
PDF
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
byEve Maler
 
PDF
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
byCisco Canada
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PDF
Mobile Defense-in-Dev (Depth)
byPrathan Phongthiproek
 
PPT
Authentication and strong authentication for Web Application
bySylvain Maret
 
PPTX
Implementing MITREid - CIS 2014 Presentation
byJustin Richer
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PDF
The Business Ecosystem is a Neighborhood - ForgeRock Identity Live Austin 2017
byForgeRock
 
PDF
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
byForgeRock
 
PDF
Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...
byForgeRock
 
PPTX
Webinar: Consent 2.0: Applying User-Managed Access to the Privacy Challenge
byForgeRock
 
PDF
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
byForgeRock
 
PPTX
The New Venn of Access Control in the API-Mobile-IOT Era
byForgeRock
 
PDF
FIDO2 Specifications Overview
byFIDO Alliance
 
ForgeRock Platform Release - Summer 2016
byForgeRock
 
Securing RESTful API
byMuhammad Zbeedat
 
Mit 2014 introduction to open id connect and o-auth 2
byJustin Richer
 
NYC Identity Summit Tech Day: ForgeRock Identity Platform Overview
byForgeRock
 
Cyber Kill Chain: Web Application Exploitation
byPrathan Phongthiproek
 
Beyond username and password it's continuous authorization webinar
byForgeRock
 
Consumerizing Industrial IoT Access Control: Using UMA to Add Privacy and Usa...
byEve Maler
 
Cisco connect winnipeg 2018 cloud and on premises collaboration security ex...
byCisco Canada
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
Mobile Defense-in-Dev (Depth)
byPrathan Phongthiproek
 
Authentication and strong authentication for Web Application
bySylvain Maret
 
Implementing MITREid - CIS 2014 Presentation
byJustin Richer
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
The Business Ecosystem is a Neighborhood - ForgeRock Identity Live Austin 2017
byForgeRock
 
Digital Trust: How Identity Tackles the Privacy, Security and IoT Challenge
byForgeRock
 
Sydney Identity Summit: Addressing the New Threat Landscape with Continuous S...
byForgeRock
 
Webinar: Consent 2.0: Applying User-Managed Access to the Privacy Challenge
byForgeRock
 
The Future is Now: The ForgeRock Identity Platform, Early 2017 Release
byForgeRock
 
The New Venn of Access Control in the API-Mobile-IOT Era
byForgeRock
 
FIDO2 Specifications Overview
byFIDO Alliance
 

Viewers also liked

PPTX
LASCON: Three Profiels of OAuth2 for Identity and Access Management
byMike Schwartz
 
PPTX
RSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
byMike Schwartz
 
PPT
ID Next 2013 Keynote Slides by Mike Schwartz
byMike Schwartz
 
PPTX
Kantara OTTO slides
byMike Schwartz
 
PDF
SAML Protocol Overview
byMike Schwartz
 
PDF
DON'T Use Two-Factor Authentication...Unless You Need It!
byPriyanka Aash
 
PPTX
DaaS/IaaS Forum Moscow - Ivo Murris
byDenis Gundarev
 
PPTX
DaaS/IaaS Forum Moscow - Chris Rogers
byDenis Gundarev
 
PDF
Who Are You? From Meat to Electrons - SXSW 2014
byMike Schwartz
 
PPTX
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
byDenis Gundarev
 
PPTX
Briforum 2011 Chicago
byDan Brinkmann
 
PPT
Mule security - saml
bycharan teja R
 
PPTX
RSA Europe: Future of Cloud Identity
byMike Schwartz
 
PPTX
The Tools I Use
byDan Brinkmann
 
PPTX
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
byDenis Gundarev
 
PPTX
DaaS/IaaS Forum Moscow - Najat Messaoud
byDenis Gundarev
 
PDF
Cloud Identity: A Recipe for Higher Education
byMike Schwartz
 
PDF
Citrix Internals: Tracing, Debugging & Troubleshooting
byDenis Gundarev
 
PPTX
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
byDenis Gundarev
 
PPTX
How to Fail at VDI
byDan Brinkmann
 
LASCON: Three Profiels of OAuth2 for Identity and Access Management
byMike Schwartz
 
RSA Conference 2016: Who Are You? From Meat to Electrons and Back Again
byMike Schwartz
 
ID Next 2013 Keynote Slides by Mike Schwartz
byMike Schwartz
 
Kantara OTTO slides
byMike Schwartz
 
SAML Protocol Overview
byMike Schwartz
 
DON'T Use Two-Factor Authentication...Unless You Need It!
byPriyanka Aash
 
DaaS/IaaS Forum Moscow - Ivo Murris
byDenis Gundarev
 
DaaS/IaaS Forum Moscow - Chris Rogers
byDenis Gundarev
 
Who Are You? From Meat to Electrons - SXSW 2014
byMike Schwartz
 
BriForum 2013 Chicago - Citrix Troubleshooting - Denis Gundarev
byDenis Gundarev
 
Briforum 2011 Chicago
byDan Brinkmann
 
Mule security - saml
bycharan teja R
 
RSA Europe: Future of Cloud Identity
byMike Schwartz
 
The Tools I Use
byDan Brinkmann
 
RUCUG: 9. Sergey Khalyapin: Представляем XenDesktop 5
byDenis Gundarev
 
DaaS/IaaS Forum Moscow - Najat Messaoud
byDenis Gundarev
 
Cloud Identity: A Recipe for Higher Education
byMike Schwartz
 
Citrix Internals: Tracing, Debugging & Troubleshooting
byDenis Gundarev
 
RUCUG: 6. Fabian Kienle - NetScaler and Branch Repeater for Hyper-V
byDenis Gundarev
 
How to Fail at VDI
byDan Brinkmann
 

Similar to RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

PDF
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
byPriyanka Aash
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
bySecureAuth
 
PPTX
The Holy Grail of IAM: Getting to Grips with Authorization
byDavid Brossard
 
PDF
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
byPriyanka Aash
 
PDF
Improving Mobile Authentication for Public Safety and First Responders
byPriyanka Aash
 
PPTX
Codemash-2017
byKevin Cody
 
PDF
OAuth 2.0 Threat Landscapes
byPriyanka Aash
 
PPTX
Webinar: Goodbye RSA. Hello Modern Authentication.
bySecureAuth
 
PDF
Oauth 2.0 Security Considerations for Client Applications
byKasun Dharmadasa
 
PPTX
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
PDF
How to 2FA-enable Open Source Applications
byAll Things Open
 
PDF
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
byQAFest
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PPTX
Lunch and Learn: MFA vs 2FA Just A Numbers Game, or Real Value?
byTransUnion
 
PDF
OAuth 2.0 Security Reinforced
byTorsten Lodderstedt
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PDF
Implementing Authorization
byTorin Sandall
 
PPTX
Identity and Access Management - RSA 2017 Security Foundations Seminar
byBrian Campbell
 
PDF
OAuth Base Camp
byOliver Pfaff
 
PDF
Centralise legacy auth at the ingress gateway
byAndrew Kirkpatrick
 
Adventures in Open Banking: Understanding OAuth and OpenID Client Ecosystems
byPriyanka Aash
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
bySecureAuth
 
The Holy Grail of IAM: Getting to Grips with Authorization
byDavid Brossard
 
Risk-Based Approach to Deployment of Omnichannel Biometrics in Sberbank
byPriyanka Aash
 
Improving Mobile Authentication for Public Safety and First Responders
byPriyanka Aash
 
Codemash-2017
byKevin Cody
 
OAuth 2.0 Threat Landscapes
byPriyanka Aash
 
Webinar: Goodbye RSA. Hello Modern Authentication.
bySecureAuth
 
Oauth 2.0 Security Considerations for Client Applications
byKasun Dharmadasa
 
OAuth 2.0 Threat Landscape
byPrabath Siriwardena
 
How to 2FA-enable Open Source Applications
byAll Things Open
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
byQAFest
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
Lunch and Learn: MFA vs 2FA Just A Numbers Game, or Real Value?
byTransUnion
 
OAuth 2.0 Security Reinforced
byTorsten Lodderstedt
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
Implementing Authorization
byTorin Sandall
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
byBrian Campbell
 
OAuth Base Camp
byOliver Pfaff
 
Centralise legacy auth at the ingress gateway
byAndrew Kirkpatrick
 

More from Mike Schwartz

PPTX
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
PPTX
OTTO - Internet2 TechX 2017
byMike Schwartz
 
PDF
OpenID Connect vs. OpenID 1 & 2
byMike Schwartz
 
PPTX
Federation registry
byMike Schwartz
 
PPTX
Single Sign On 101
byMike Schwartz
 
PPTX
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
byMike Schwartz
 
PDF
Gluu EDU Webinar: Shibboleth/SAML SSO
byMike Schwartz
 
LASCON 2017: SAML v. OpenID v. Oauth
byMike Schwartz
 
OTTO - Internet2 TechX 2017
byMike Schwartz
 
OpenID Connect vs. OpenID 1 & 2
byMike Schwartz
 
Federation registry
byMike Schwartz
 
Single Sign On 101
byMike Schwartz
 
Requirements for Personal Clouds : Tech Ranch Talk 8/7/13
byMike Schwartz
 
Gluu EDU Webinar: Shibboleth/SAML SSO
byMike Schwartz
 

RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!

Editor's Notes

  • #3 For the first time, the President of the United States advised citizens to use two-factor authentication. But he didn’t say when to use two factor authentication… Let’s face it… two factor authentication is a pain in the butt. I don’t want to get a SMS every time I turn on my TV. Ideally, I’d like to use two factor authentication never! I’d like my devices to just know who I am!
  • #5 But there is a tradeoff between security, usability, and cost (or deployability). If there was a technology out there that was really secure, super easy to use, and cheap… we’d be using it. In fact, in many ways, passwords offer one of the most attractive triangles out there today.
  • #6 Internet banking has always been at the forefront of digital person identification. Know your customer is the first rule of banking, but how do you know someone when they show up at your branch as a stream of electrons? Not surprisingly, banks have been at the forefront of what we call “trust-elevation”. For example, you may login with a password, but when you add a new wire recipient, maybe you receive a text. That’s text is a simple example of trust elevation– its because the bank wants to be even more sure its you.
  • #7  There is a technical committee at OASIS, a standards organization, who is working on standards for Trust-Elevation. They came up with this definition. Its sort of a weird oxymoronic definition… but it works. They want to increment the decrementing of risk. But this is actually a very useful definition—notice it doesn’t assume we ever know who the person is. We only can reduce the risk that its not the person we think it is… no authentication technique is 100%. On the Internet, we’re basically never really sure its you!
  • #9 We have a lot of technology to identify a person. I’m not going to go into it here. Check out my slides from the talk I gave on Monday where I detailed about 80 tricks we can use to authenticate a person. Let’s just say that we don’t have any shortage of technologies for person authentication. I assure you… the reason everyone is still using passwords is not because no one can think of some better way!
  • #10 In addition to the classic “what you know”, “what you have”, “what your are” techniques, today we can mitigate a lot of risk by looking at the context of an authentication. Perhaps we have a positive biometic authentication, but the ip address indicates that the person is in a foreign country, and that it’s an IP address used recently by a known hacker.
  • #11 So if you ever hoped to create some kind of uber-matrix, where you rate the various types of authentication, and how good they are…. Its really impossible. First of all, individual types are not the same. How complex is the password? How sensitive is the fingerprint scanner? Etc. etc. etc…. And how does fingerprint + password compare relative to mobile token + fraud detection?
  • #12 So with all these techniques for person identification available to us? Why are we still using passwords at almost every website and mobile application? It goes back to cost? Cost is a big part of deployability. There was no license fee for passwords. It was easy for developers to implement. Users understand passwords—they aren’t going to call your help desk because they don’t undertand how to use it. And it was inexpensive to automate password recovery—support costs are low.
  • #13 To justify the cost of two-factor authentication, we’re going to have to make sure its used by a lot of applications. This is where OAuth2 come in.