WA
Uploaded byWill Adams
PPTX, PDF3,871 views

Two factor authentication 2018

This document summarizes a presentation on two-factor authentication (2FA). It discusses the different types of authentication factors including something you know (e.g. passwords), something you have (e.g. security tokens), and something you are (e.g. biometrics). Software token apps like Google Authenticator and Authy that generate one-time passwords for 2FA are also covered. The document outlines the security issues with passwords and why 2FA is needed based on recent data breaches. It provides an overview of standards like FIDO and implementation recommendations for adding a second authentication factor.

Embed presentation

Downloaded 154 times
SATURDAY, MARCH 17, 2018 Two Factor Authentication Will Adams Software Architect Fiserv, Inc.
• What is it? • Authentication Factors • Not to be confused with… • Software token apps • Why do we need it? • Recent headlines • The problem with passwords • How do we implement it? • A word about standards • Adding a second factor Agenda
• Something you know • Password • PIN • Security questions Authentication Factors
• Something you have • Disconnected tokens – e.g. RSA • Connected tokens – e.g. YubiKey • Smart cards Authentication Factors – cont’d
• Something you are – i.e. biometrics • Fingerprint • Voice • Face • Retina/Iris Authentication Factors – cont’d
• Geolocation • New and upcoming factor • For example, GPS • Offers convenience at the risk of privacy • Requires GPS and Internet connectivity to be accurate • Geofence locations such as home or office are whitelisted • Geolocation can be guessed so data should be signed using asymmetric cryptography to certify it came from a trusted device Authentication Factors – cont’d
• Two-step Verification • Authentication factors can belong to the same category • An extra measure of security over static login info • Can be compromised by man-in-the-middle attack • Ex: one time passwords (OTPs) or security images Not to be confused with…
• Google Authenticator • Generates 2-step verification codes using Time-Based One Time Passwords (TOTP) and HMAC-based OTPs • A shared secret key is exchanged during setup between server and app usually via QR code scan • Available for iOS or Android • Authy • Provides 6-digit TOTPs for 2SV but also has multi-device support • Available as a browser extension • Encrypted backups in the Cloud Software Token Apps
• February 2014 – Target stores • Credit card data compromised • Resulted from stolen network credentials • 2014 – JPMorgan Chase • Stolen employee credentials • Attackers compromised personal info for 83 million customers Recent Headlines
• Password Hell… The Problem with Passwords
• Ease of sharing and reuse • Prone to attacks – phishing, malware, brute force • Complex passwords are often written down • Creates a single point of failure without 2FA or MFA • According to Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords The (Real) Problem with Passwords
• FIDO (Fast IDentity Online) Alliance • Group of leading companies like Google and Microsoft that develop standards to enable a simpler and more secure authentication experience across websites and mobile services • UAF (Universal Authentication Framework) • Designed as a replacement for basic authentication • Typically involves biometrics where security info never leaves the device • U2F (Universal Second Factor) • Strengthens and simplifies 2FA using USB, NFC or Bluetooth devices • Has strong security that protects against phishing, session hijacking, man-in-the- middle and malware attacks • Native support offered by major vendors and browsers A Word About Standards…
• Two-step verification • Two-factor authentication Demos
• Two Factor Authentication book by Mark Stanislav • https://www.amazon.com/Two-Factor-Authentication-Governance- Publishing/dp/1849287325 • Pro ASP.NET Web API Security book by Badrinarayanan Lakshmiraghavan • https://www.apress.com/us/book/9781430257820 • Articles: • Authy vs. Google: https://authy.com/blog/authy-vs-google-authenticator/ • MFA Best Practices: https://www.pingidentity.com/content/dam/ping-6-2- assets/Assets/white-papers/en/mfa-best-practices-securing-modern-digital- enterprise-3001.pdf?id=b6322a80-f285-11e3-ac10-0800200c9a66 Resources
• Websites • developers.yubico.com • twofactorauth.org • authy.com Resources, cont’d
Questions?
• @RemoteArchitect • Slides and source to be made available after Code Camp Thank You!

More Related Content

PPTX
Two Factor Authentication
byNikhil Shaw
 
PPTX
Seminar-Two Factor Authentication
byDilip Kr. Jangir
 
PPTX
Two factor authentication presentation mcit
bymmubashirkhan
 
PDF
3 reasons your business can't ignore Two-Factor Authentication
byFortytwo
 
PPTX
Passwordless auth
byLesha Bhansali
 
PPTX
Guide to MFA
byJack Forbes
 
PPTX
Identity Management
byVenkatesh Jambulingam
 
PDF
Future-proofing Authentication with Passkeys
byNordic APIs
 
Two Factor Authentication
byNikhil Shaw
 
Seminar-Two Factor Authentication
byDilip Kr. Jangir
 
Two factor authentication presentation mcit
bymmubashirkhan
 
3 reasons your business can't ignore Two-Factor Authentication
byFortytwo
 
Passwordless auth
byLesha Bhansali
 
Guide to MFA
byJack Forbes
 
Identity Management
byVenkatesh Jambulingam
 
Future-proofing Authentication with Passkeys
byNordic APIs
 

What's hot

PPTX
Cybersecurity Awareness Session by Adam
byMohammed Adam
 
PPTX
Data breach
byBurhan Ahmed
 
PPTX
Multifactor Authentication
byRonnie Isherwood
 
PPTX
Cybersecurity Awareness Training
byDave Monahan
 
PDF
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
byRaffael Marty
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PDF
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
PPTX
Best Practices for Multi-Factor Authentication: Delivering Stronger Security ...
bySirius
 
PPTX
Two Factor Authentication: Easy Setup, Major Impact
bySalesforce Admins
 
PPTX
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
PPTX
Hyphenet Security Awareness Training
byJen Ruhman
 
PPTX
Operating system security
byRamesh Ogania
 
PPTX
public key infrastructure
byvimal kumar
 
PDF
Ethical Hacking Tools
byMultisoft Virtual Academy
 
PPTX
Wireless and mobile security
byPushkar Pashupat
 
PPT
General Awareness On Cyber Security
byDominic Rajesh
 
PPTX
Authentication
byprimeteacher32
 
PDF
Authentication techniques
byIGZ Software house
 
PPT
Web security
bySubhash Basistha
 
PPT
Secure shell ppt
bysravya raju
 
Cybersecurity Awareness Session by Adam
byMohammed Adam
 
Data breach
byBurhan Ahmed
 
Multifactor Authentication
byRonnie Isherwood
 
Cybersecurity Awareness Training
byDave Monahan
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
byRaffael Marty
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
Best Practices for Multi-Factor Authentication: Delivering Stronger Security ...
bySirius
 
Two Factor Authentication: Easy Setup, Major Impact
bySalesforce Admins
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
byStephen Cobb
 
Hyphenet Security Awareness Training
byJen Ruhman
 
Operating system security
byRamesh Ogania
 
public key infrastructure
byvimal kumar
 
Ethical Hacking Tools
byMultisoft Virtual Academy
 
Wireless and mobile security
byPushkar Pashupat
 
General Awareness On Cyber Security
byDominic Rajesh
 
Authentication
byprimeteacher32
 
Authentication techniques
byIGZ Software house
 
Web security
bySubhash Basistha
 
Secure shell ppt
bysravya raju
 

Similar to Two factor authentication 2018

PPTX
Hardware Authentication
byCoder Tech
 
PDF
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
byensuritytech1
 
PPTX
AUTHENTICATION APPLICATION IN Nw SC.pptx
bysujithangam
 
PDF
Multi Factor Authentication Whitepaper Arx - Intellect Design
byRajat Jain
 
PDF
How to 2FA-enable Open Source Applications
byAll Things Open
 
PDF
Fido Overview: Status and Future
byFIDO Alliance
 
PPTX
Digital authentication
byallanh0526
 
PDF
The State of FIDO
byFIDO Alliance
 
PPTX
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
PDF
What is Authentication in Network Security| Digitdefence
byRosy G
 
PDF
Easy public-private-keys-strong-authentication-using-u2 f
byCyber Security Alliance
 
PDF
FIDO Alliance Vision and Status
byFIDO Alliance
 
PDF
#MFSummit2016 Secure: Mind the gap strengthening the information security model
byMicro Focus
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
bySecureAuth
 
PDF
120 i143
byHai Nguyen
 
PPTX
FIDO Alliance: Year in Review Webinar slides from January 20 2016
byFIDO Alliance
 
PDF
Authentication.Next
byMark Diodati
 
PDF
OWASP AppSec USA 2015, San Francisco
byClare Nelson, CISSP, CIPP-E
 
PDF
Fast IDentity Online New wave of open authentication standards
by.NET Crowd
 
PDF
FIDO Workshop at the Cloud Identity Summit: FIDO Alliance Overview
byFIDO Alliance
 
Hardware Authentication
byCoder Tech
 
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
byensuritytech1
 
AUTHENTICATION APPLICATION IN Nw SC.pptx
bysujithangam
 
Multi Factor Authentication Whitepaper Arx - Intellect Design
byRajat Jain
 
How to 2FA-enable Open Source Applications
byAll Things Open
 
Fido Overview: Status and Future
byFIDO Alliance
 
Digital authentication
byallanh0526
 
The State of FIDO
byFIDO Alliance
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
byClare Nelson, CISSP, CIPP-E
 
What is Authentication in Network Security| Digitdefence
byRosy G
 
Easy public-private-keys-strong-authentication-using-u2 f
byCyber Security Alliance
 
FIDO Alliance Vision and Status
byFIDO Alliance
 
#MFSummit2016 Secure: Mind the gap strengthening the information security model
byMicro Focus
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
bySecureAuth
 
120 i143
byHai Nguyen
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
byFIDO Alliance
 
Authentication.Next
byMark Diodati
 
OWASP AppSec USA 2015, San Francisco
byClare Nelson, CISSP, CIPP-E
 
Fast IDentity Online New wave of open authentication standards
by.NET Crowd
 
FIDO Workshop at the Cloud Identity Summit: FIDO Alliance Overview
byFIDO Alliance
 

Recently uploaded

PDF
Digital Finance Summit 2025 - Lauren, Sylvain and Florence (Approach Cyber)
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
PDF
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
PPTX
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
DOCX
Top Platforms to Secure Gmail Accounts for Business Use This Year.docx
bysmmtrust service
 
DOCX
The Benefits of Using Old Gmail Accounts for Quick Verification.docx
bysmmtrust service
 
PPT
2014limspresentation-141119055221-conversion-gate02.ppt
byImadAghila
 
PDF
Digital Finance Summit 2025 - Prismos by Pepijn Mores
byFinTech Belgium
 
PDF
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
PPTX
Digital Marketing for a mnc company.pptx
bybcabcu20222025
 
PPTX
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
PPTX
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
PPTX
How to Insert Notes in PowerPoint (Step-by-Step Guide 2025)
byTeresa Garcia
 
PDF
Classification and adoption of AI technologies for use in parliaments
byProf. Dr. Fotios Fitsilis
 
PDF
HEPA (AHU) Qualification.pdf & Replacement Frequency of HEPA filter
byvinodchauhan89
 
PPTX
Bob Stewart Unexpected Arrival 12 07 2025.pptx
byFamilyWorshipCenterD
 
Digital Finance Summit 2025 - Lauren, Sylvain and Florence (Approach Cyber)
byFinTech Belgium
 
Digital Finance Summit 2025 - Beep by Maria Vittoria Dalla Rosa Prati
byFinTech Belgium
 
Digital Finance Summit 2025 - Balint Kis
byFinTech Belgium
 
Digital Finance Summit 2025 - Marko Koić
byFinTech Belgium
 
Digital Finance Summit 2025 - Thomas Vissers
byFinTech Belgium
 
Digital Finance Summit 2025 - Vyntra by Joris Lochy
byFinTech Belgium
 
Digital Finance Summit 2025 - Joris Germonpré
byFinTech Belgium
 
Digital Finance Summit 2025 - Inna Kostiuk and Pavlo Denysiuk
byFinTech Belgium
 
Top Platforms to Secure Gmail Accounts for Business Use This Year.docx
bysmmtrust service
 
The Benefits of Using Old Gmail Accounts for Quick Verification.docx
bysmmtrust service
 
2014limspresentation-141119055221-conversion-gate02.ppt
byImadAghila
 
Digital Finance Summit 2025 - Prismos by Pepijn Mores
byFinTech Belgium
 
OSMC 2025: Current State of Icinga by Bernd Erk.pdf
byNETWAYS
 
Digital Marketing for a mnc company.pptx
bybcabcu20222025
 
Digital Finance Summit 2025-Benoit van den Hove
byFinTech Belgium
 
Life skill habit-3 put first thing first -N (1).pptx
byssuser4f8a7e1
 
How to Insert Notes in PowerPoint (Step-by-Step Guide 2025)
byTeresa Garcia
 
Classification and adoption of AI technologies for use in parliaments
byProf. Dr. Fotios Fitsilis
 
HEPA (AHU) Qualification.pdf & Replacement Frequency of HEPA filter
byvinodchauhan89
 
Bob Stewart Unexpected Arrival 12 07 2025.pptx
byFamilyWorshipCenterD
 
In this document
Powered by AI

Will Adams introduces Two Factor Authentication and its significance.

Key points covered include definition, authentication factors, software tokens, and implementation.

Discusses 'something you know' like passwords, PINs, and security questions.

Explains 'something you have' such as disconnected tokens and smart cards.

Focus on 'something you are' that includes biometric methods like fingerprints and face recognition.

Geolocation as a new authentication factor, discussing its implications and privacy concerns.

Clarifies two-step verification including risks like man-in-the-middle attacks.

Introduces apps like Google Authenticator that facilitate two-step verification through mobile devices.

Highlights major data breaches including Target and JPMorgan Chase involving stolen credentials.

Outlines the challenges and risks associated with password usage.

Details issues like password reuse, attacks, and breaches, citing statistics on hacking.

Discusses the FIDO Alliance and frameworks designed to enhance secure authentication methods.

Reiterates key concepts of two-step verification and two-factor authentication.

Lists relevant books and articles for further reading on two-factor authentication.

Provides websites related to two-factor authentication and security standards.

Opens the floor for questions to clarify any remaining queries about the presentation.

Thanks the audience and mentions availability of slides and sources post-presentation.

Two factor authentication 2018

  • 1.
    SATURDAY, MARCH 17,2018 Two Factor Authentication Will Adams Software Architect Fiserv, Inc.
  • 2.
    • What isit? • Authentication Factors • Not to be confused with… • Software token apps • Why do we need it? • Recent headlines • The problem with passwords • How do we implement it? • A word about standards • Adding a second factor Agenda
  • 3.
    • Something youknow • Password • PIN • Security questions Authentication Factors
  • 4.
    • Something youhave • Disconnected tokens – e.g. RSA • Connected tokens – e.g. YubiKey • Smart cards Authentication Factors – cont’d
  • 5.
    • Something youare – i.e. biometrics • Fingerprint • Voice • Face • Retina/Iris Authentication Factors – cont’d
  • 6.
    • Geolocation • Newand upcoming factor • For example, GPS • Offers convenience at the risk of privacy • Requires GPS and Internet connectivity to be accurate • Geofence locations such as home or office are whitelisted • Geolocation can be guessed so data should be signed using asymmetric cryptography to certify it came from a trusted device Authentication Factors – cont’d
  • 7.
    • Two-step Verification •Authentication factors can belong to the same category • An extra measure of security over static login info • Can be compromised by man-in-the-middle attack • Ex: one time passwords (OTPs) or security images Not to be confused with…
  • 8.
    • Google Authenticator •Generates 2-step verification codes using Time-Based One Time Passwords (TOTP) and HMAC-based OTPs • A shared secret key is exchanged during setup between server and app usually via QR code scan • Available for iOS or Android • Authy • Provides 6-digit TOTPs for 2SV but also has multi-device support • Available as a browser extension • Encrypted backups in the Cloud Software Token Apps
  • 9.
    • February 2014– Target stores • Credit card data compromised • Resulted from stolen network credentials • 2014 – JPMorgan Chase • Stolen employee credentials • Attackers compromised personal info for 83 million customers Recent Headlines
  • 10.
    • Password Hell… TheProblem with Passwords
  • 11.
    • Ease ofsharing and reuse • Prone to attacks – phishing, malware, brute force • Complex passwords are often written down • Creates a single point of failure without 2FA or MFA • According to Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged either stolen and/or weak passwords The (Real) Problem with Passwords
  • 12.
    • FIDO (FastIDentity Online) Alliance • Group of leading companies like Google and Microsoft that develop standards to enable a simpler and more secure authentication experience across websites and mobile services • UAF (Universal Authentication Framework) • Designed as a replacement for basic authentication • Typically involves biometrics where security info never leaves the device • U2F (Universal Second Factor) • Strengthens and simplifies 2FA using USB, NFC or Bluetooth devices • Has strong security that protects against phishing, session hijacking, man-in-the- middle and malware attacks • Native support offered by major vendors and browsers A Word About Standards…
  • 13.
    • Two-step verification •Two-factor authentication Demos
  • 14.
    • Two FactorAuthentication book by Mark Stanislav • https://www.amazon.com/Two-Factor-Authentication-Governance- Publishing/dp/1849287325 • Pro ASP.NET Web API Security book by Badrinarayanan Lakshmiraghavan • https://www.apress.com/us/book/9781430257820 • Articles: • Authy vs. Google: https://authy.com/blog/authy-vs-google-authenticator/ • MFA Best Practices: https://www.pingidentity.com/content/dam/ping-6-2- assets/Assets/white-papers/en/mfa-best-practices-securing-modern-digital- enterprise-3001.pdf?id=b6322a80-f285-11e3-ac10-0800200c9a66 Resources
  • 15.
    • Websites • developers.yubico.com •twofactorauth.org • authy.com Resources, cont’d
  • 16.
  • 17.
    • @RemoteArchitect • Slidesand source to be made available after Code Camp Thank You!

Editor's Notes

  • #6 Typically a factor substitution and not a second factor of authentication Can have false positives and false negatives – i.e.: A false positive is when the system incorrectly accepts a biometric sample as being a match. (Same as false accept) A false negative is when a valid biometric sample is provided but the system falsely rejects it as not a match. (Same as false reject)
  • #8 Have server store OTPs and establish a validity period to offset risk from MITM attack. OTPs as part of 2SV are in-band and phone calls used to verify identity are out-of-band. Goal is to have out-of-band process.
  • #10 Also Tesla and Slack were compromised.
  • #12 Password complexity rules and length do nothing to stop a phishing attack.
  • #13 Specs emphasize a device-centric model. Authentication over the wire happens using public-key crytography. User’s device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using its private key. Keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.