You Can’t Spell Enterprise Security Without MFA
Paul Madsen, Principal Technical Architect
Office of the CTO
Ping Identity
© Copyright 2013 Ping Identity Corp. All rights reserved.
Agenda
• Why
• What
• Which
• When & Where
WHY MFA?
• Deficiencies & vulnerabilities of one factor are mitigated by another (unless the factors are dependent on each other)
• Raises the bar for attackers
• Compromise of a single factor is insufficient to give an attacker access to sensitive resources
• Voted ‘Easiest to pronounce acronym’ 4 years in a row!
I come not to bury passwords but to appraise them
MFA is
Using multiple independent login factors (two or more) in order to authenticate a user, with the optimal balance of security, usability, and cost.
Dynamically choosing from implicit & explicit authentication, based on an assessment of risk (determined by analysis of various contextual signals and other considerations).
Authentication
Firstly, some secret thou knoweth, secondly some object thoust have in thy living, and thirdly some quality of thy p'rson
In practice
• Something you forgot
• Something you left at home
• Something you are nervous about sharing
Key Authentication Trends
The know/have/are trope doesn’t adequately acknowledge:
1. Device as factor
2. Local authentication
3. Contextual verification
Device as factor
Phones make great *have* factors:
• Connected
• Computation
• Storage
• UI
In a package a user won’t leave at home
Authenticating device & user
[Flowchart, shown as a progressive build: two decision nodes, ‘Is device authenticated?’ (yes/no) and ‘User authenticated?’ (yes/no). Neither authenticated: enjoy public application access. User authenticated but logging in from an untrusted device: enjoy partial application access, with a Device Registration path for the untrusted device. Both user and device authenticated: enjoy full application access.]
Stand up straight
• If relying on device authentication, the ‘device posture’ of that device becomes paramount
• This ‘device posture’ includes aspects like whether a PIN is set, malware is present, screenshots are enabled, etc.
• In the enterprise, EMM solutions allow IT to define & enforce policies over device posture – and (an emerging trend) to report the current posture into authentication systems
• Work underway in the Identity Defined
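Added example (Go, not from the deck): the access decision from the earlier ‘Authenticating device & user’ flowchart with the posture gate this slide describes layered on top. PostureReport and PosturePolicy are this example’s own constructed shapes standing in for what an EMM agent would report and what IT would enforce.

```go
package main

import "fmt"

// PostureReport is what an EMM agent reports about a device; the field names are
// this example's own (constructed), not any product's schema.
type PostureReport struct {
	PINSet, MalwareDetected, ScreenshotEnabled bool
}

// PosturePolicy is the minimum posture the enterprise demands (constructed).
type PosturePolicy struct {
	RequirePIN, ForbidMalware, ForbidScreenshots bool
}

// Violations lists every posture requirement the report fails.
func Violations(p PosturePolicy, r PostureReport) []string {
	var v []string
	if p.RequirePIN && !r.PINSet {
		v = append(v, "no device PIN")
	}
	if p.ForbidMalware && r.MalwareDetected {
		v = append(v, "malware detected")
	}
	if p.ForbidScreenshots && r.ScreenshotEnabled {
		v = append(v, "screenshots enabled")
	}
	return v
}

// Decision is the outcome of the authenticating-device-and-user flow.
type Decision struct {
	Level             string   // "public", "partial" or "full" application access
	OfferRegistration bool     // set when the user is on an untrusted device
	PostureViolations []string // why a trusted device was still held to partial
}

// Decide follows the flowchart: no user authentication -> public; user authenticated
// on an unauthenticated (untrusted) device -> partial plus a Device Registration offer;
// both authenticated -> full, but only once the reported posture satisfies policy.
func Decide(userAuth, deviceAuth bool, r PostureReport, p PosturePolicy) Decision {
	if !userAuth {
		return Decision{Level: "public"}
	}
	if !deviceAuth {
		return Decision{Level: "partial", OfferRegistration: true}
	}
	if v := Violations(p, r); len(v) > 0 {
		return Decision{Level: "partial", PostureViolations: v}
	}
	return Decision{Level: "full"}
}

func main() {
	policy := PosturePolicy{RequirePIN: true, ForbidMalware: true, ForbidScreenshots: true}
	infected := PostureReport{PINSet: true, MalwareDetected: true} // constructed report
	fmt.Printf("%+v\n", Decide(true, true, infected, policy))
	fmt.Printf("%+v\n", Decide(true, false, PostureReport{}, policy))
}
```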
Local authentication
• The capabilities of phones also make practical a model where the verification check is performed locally, i.e. on the device
• As used for ‘device unlock’ – the user logically authenticates to the device
• Local authentication (particularly for biometrics) has privacy advantages – no secrets on the server
FIDO Alliance
• The issue with leveraging local authentication is how
  – a server can prompt the client to perform an authentication
  – the client can ‘prove’ to the server that it did so
• The FIDO Alliance normalizes the above pattern
• Abstracts away from the server the specifics of the local authentication on the client, via an asymmetric cryptographic challenge/response pattern
• Inherently multi-factor – the user must have the private key as well as the local factor (either know or are)
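Added example (Go standard library, not FIDO Alliance code or the deck’s): the challenge/response pattern the slide describes, with the server holding only a public key, the device releasing its private key only after a local PIN or biometric check (the PIN compare here is a constructed stand-in), and each challenge consumed on use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Server side: each user's registered public key and at most one live challenge.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register stores the device's public key; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce that the client must sign.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no randomness, no safe challenge
	}
	s.challenges[user] = c
	return c
}

// Verify checks the signature over the live challenge and consumes it, so a captured
// response cannot be replayed; an unknown user or missing challenge fails the same way.
func (s *Server) Verify(user string, sig []byte) error {
	c, issued := s.challenges[user]
	delete(s.challenges, user)
	pub, registered := s.keys[user]
	if !issued || !registered || !ed25519.Verify(pub, c, sig) {
		return errors.New("authentication failed")
	}
	return nil
}

// Authenticator is the device side. localSecret stands in for the on-device PIN or
// biometric check (constructed for this example); the server never sees it.
type Authenticator struct {
	priv        ed25519.PrivateKey
	localSecret string
}

func NewAuthenticator(localSecret string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv, localSecret}, pub
}

// Sign releases the key only after local user verification: the key the device *has*
// plus the PIN/biometric the user *knows* or *is* is what makes the pattern multi-factor.
func (a *Authenticator) Sign(challenge []byte, presented string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(presented), []byte(a.localSecret)) != 1 {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}
```

Real FIDO responses also bind the signed data to the relying party’s origin and carry a signature counter; this example signs only the server’s nonce.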
Contextual verification
• Contextual verification is a model of passively collecting signals & parameters from the user’s environment and analyzing/comparing them to identify anomalies (deviations from what is expected)
• In the context of authentication, it supplements (or in some instances replaces) traditional overt & explicit logins
• Valuable because it can increase assurance without negative usability implications
• Signals can be collected via multiple channels & touchpoints, e.g. device, browser, agents
• The assumption is that an attacker is unlikely to be able to simulate all signals in order to impersonate a valid user
• Manifests as
  – Geofencing
Explicit giving way to implicit
[Chart: explicit versus implicit authentication, with the trend arrow pointing from explicit toward implicit.]
Choosing Factors
Considerations when picking factors
• IT benefits: Is the authentication method easy to deploy? Will it require additional IT resources? Can it work across multiple channels, e.g. online, telephony, etc.?
• Usability: Is the authentication method easy to use? Will end users accept the new process? Can users be expected to have a device capable of supporting a particular mechanism? Will users be concerned about privacy?
• Initial costs: Is there a cost per user that will grow every time a new user is added? What is the replacement cost – both for the device and its associated administrative burden?
• Deployment costs: What are the costs associated with deploying the authentication mechanism? Is client hardware or software required? If so, how is that distributed to consumers and what are the associated costs?
Analysis
[Chart: authentication factors plotted by assurance (low to high) against usability (poor to good), colour-coded by cost (low, medium, high). Factors shown: passwords, SMS OTP, OTP hardware token, smart cards, mobile authentication app, device fingerprinting; a second build adds ‘FIDO?’.]
Recommendations
Risky business
• Risk-based MFA demands that resources be analyzed for the risk of their compromise
• OMB M-04-04 defines a model for assessing the risk of an authentication mistake, determined by
  – Potential harm or impact
  – Likelihood of the authentication mistake
• ‘Harm’ includes
  – Financial loss, damage to reputation, personal safety, civil/criminal prosecution
• Once risk has been assessed, authentication factors can be chosen accordingly
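Added example (Go, not from the deck) tying the contextual-verification slide to this one: passively collected signals are compared with a baseline to estimate the likelihood of an authentication mistake, combined with the resource’s potential harm into a required assurance level, and mapped to the factors to demand. The Context/Baseline shapes, the step-up rules and the factor mapping are this example’s own constructed policy, not OMB M-04-04’s.

```go
package main

// Context holds the passively collected signals for one login attempt (constructed shape).
type Context struct {
	Country, DeviceID string
	Hour              int // local hour of the attempt, 0-23
}

// Baseline is what the user's past logins look like; constructed here, learned in practice.
type Baseline struct {
	Countries, Devices   map[string]bool
	ActiveFrom, ActiveTo int // inclusive range of usual login hours
}

// Anomalies compares each observed signal with the baseline. The country check is the
// geofence; the others are independent channels an impersonator would also have to fake.
func Anomalies(b Baseline, c Context) []string {
	var out []string
	if !b.Countries[c.Country] {
		out = append(out, "outside geofence: "+c.Country)
	}
	if !b.Devices[c.DeviceID] {
		out = append(out, "unrecognised device")
	}
	if c.Hour < b.ActiveFrom || c.Hour > b.ActiveTo {
		out = append(out, "unusual hour")
	}
	return out
}

// Harm is the potential impact of an authentication mistake for the resource, in the
// low/moderate/high sense used by OMB M-04-04.
type Harm int

const (
	LowHarm Harm = iota
	ModerateHarm
	HighHarm
)

// RequiredAssurance combines potential harm with likelihood (approximated by the number of
// anomalous signals) into an assurance level 1-4; the step-up rules are this example's own.
func RequiredAssurance(h Harm, anomalies int) int {
	if anomalies >= 3 {
		return 4 // every signal deviates: demand the maximum regardless of harm
	}
	level := 1 + int(h) // harm alone sets the floor: 1, 2 or 3
	if anomalies >= 1 {
		level++ // any deviation from baseline steps up one level
	}
	return level
}

// FactorsByLevel is the factor policy: contextual verification alone suffices at level 1,
// explicit factors are added as the required assurance rises.
var FactorsByLevel = [][]string{
	1: nil,
	2: {"password"},
	3: {"password", "mobile authentication app OTP"},
	4: {"password", "FIDO authenticator"},
}
```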
Break away from password hegemony
Flexibility
• Particularly for the consumer space, provide different options for MFA factors
• Both to support a heterogeneous user base and to offer fallback mechanisms if and when a particular factor doesn’t work, e.g. if a mobile phone is offline or the consumer is roaming, fall back to a generated OTP
MFA 2.0
1. Factor in context
   1. Anomalies initially determined by policy; allow for natural learning in future
2. Risk it
   1. Choose authentication factors based on assessment of risk
   2. Rely on contextual verification when possible
3. Device advice
   1. Leverage local authentication and device authentication
   2. Be sensitive to device posture
MFA 2.0
[Architecture diagram: a login Starts, a Risk & Policy Engine evaluates it and outputs Continue, Active Authentication or Deny. Inputs to the engine: Behavior, Context, Environment, Correlation, External Feeds, Community Intelligence, Application info and Policy, with a Behavioural Feedback loop.]
[Deployment diagram, built over two slides: Policy and Data feed an IdP that performs Device, Environment and Authentication checks and MFA; the second build adds an RP performing Authorization.]
The M is table stakes
Thanks

Editor's Notes
• Slide 15: This is outdated, doesn’t adequately account for recent trends
• Slide 17: Know/have/are only partially accounts for these trends