Electronic Authentication, More Than Just a Password

A Presentation which discusses the three different types of electronic authentication: username/password (something you know), One Time Password (something you have) and Biometrics (Something you are). The benefits and drawbacks of each type of authentication are also addressed. A helpful presentation for those people looking to strengthen their authentication system, but who are unsure which technology fits their situation appropriately.

Electronic Authentication
More Than Just a Password
Nicholas Davis, CISSP, CISA
Email: ndavis1@wisc.edu
May 15, 2014
Department Information Services Council

Session Overview
• What electronic authentication is and why it is important
• Definitions
• Different types of authentication factors (username/password)
• Benefits and drawbacks of various authentication technologies
• Strong Authentication
• Question and Answer Session

Presentation Style
• Blue = Topic
• Black = Informational Details
• Red = Discussion
• Audience participation is encouraged. Anytime you see red, you can begin to think about the discussion topic at hand.

Authentication Defined
Authentication is the process of providing proof to a person or system that you are indeed who you claim to be. Can you think of some examples?
Electronic authentication is similar in that it provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Can you think of some examples?

Authentication Factors
• Three types of electronic authentication
• Something you know – username/password
• Something you have – One time password device
• Something you are – Voiceprint or retinal scan
• Let’s examine these in detail!

Username and Password
Something that you know
• Sometimes has rules associated with it, such as length, or has an expiration date.
• Can you think of some other password rules?
• Why do you think password rules are enforced?

Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world. People understand how to use it.
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required

Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via shoulder surfing, keyboard logger, packet sniffer
• Can be guessed
• Can be hard to remember
• Password code is easy to hack

Keylogger

Make Your Passwords Strong
• Be as long as possible (never shorter than 8 characters, should be at least 10, 12 is better).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused.
• May not contain any portion of your name, birthday, address or other publicly available information.
• May not be easily guessed.
• What do you think is the most popular PIN?
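The rules on the slide above, turned into a checker that a registration form or a password-change handler could call. This is an added example, not code from the original presentation: the word list, the personal-data fields, the password history and the 90-day expiry period are constructed stand-ins for what a real system would load from its own sources, and the choice to match personal-data fragments of four or more characters is an assumption made here.

```python
"""Password policy checker modelled on the 'Make Your Passwords Strong' slide.

Added example, not part of the original presentation. DICTIONARY, the
personal-information fields, the password history and MAX_AGE_DAYS are
constructed stand-ins for a real deployment's own data.
"""
import string
from datetime import date, timedelta

# Constructed stand-in for a real word list ("any dictionary word, in any language").
DICTIONARY = {"password", "welcome", "monkey", "dragon", "letmein",
              "qwerty", "sommer", "madison", "baseball"}

MIN_LENGTH = 8           # slide: never shorter than 8
RECOMMENDED_LENGTH = 12  # slide: at least 10, 12 is better
MAX_AGE_DAYS = 90        # constructed period for "expire on a regular basis"


def personal_fragments(personal, min_len=4):
    """Substrings (min_len+ characters) of the user's name, birthday, address.
    A password containing any of them breaks the 'no portion of your personal
    information' rule. The 4-character floor is an assumption made here;
    shorter fragments would reject far too many unrelated passwords."""
    frags = set()
    for item in personal:
        item = item.lower()
        for start in range(len(item)):
            for end in range(start + min_len, len(item) + 1):
                frags.add(item[start:end])
    return frags


def check_password(password, personal=(), previous=()):
    """Return (problems, warnings). An empty problems list means every hard
    rule on the slide passed; warnings carry the 'should' advice."""
    problems, warnings = [], []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        warnings.append(f"meets the minimum but {RECOMMENDED_LENGTH}+ characters is better")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("no mixed-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")

    # "Not based on any dictionary word": strip digit/punctuation padding
    # first, so that 'Password1!' is still recognised as 'password'.
    core = lower.strip(string.digits + string.punctuation)
    if core in DICTIONARY:
        problems.append("based on a dictionary word")

    if any(frag in lower for frag in personal_fragments(personal)):
        problems.append("contains a portion of personal information")

    if password in previous:
        problems.append("reuses a previous password")

    return problems, warnings


def is_expired(set_on_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """'Expire on a regular basis': True once the password (set on the first
    ISO date) is older than max_age_days on the second ISO date."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso)
    return today - set_on > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed user details and history for the demonstration.
    me = ("Jane Example", "1985-03-22", "12 Main Street")
    history = ["Abc1!xyz"]
    for candidate in ("password", "Password1!", "Example#2024",
                      "Abc1!xyz", "Blue-Topic_Red7Q"):
        print(f"{candidate!r}: {check_password(candidate, personal=me, previous=history)}")
    print("set 2014-01-01, checked 2014-05-15, expired:",
          is_expired("2014-01-01", "2014-05-15"))
```

The checker separates hard failures from advice on purpose: the slide's "never shorter than 8" is a rule, while "12 is better" is guidance, and a form should reject on the first but only nudge on the second. Note that the dictionary test only catches a padded dictionary word; a production system would use a proper breached-password or dictionary service rather than this constructed set.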
One Time Password (OTP) Devices
Something That You Have
• Have an assigned serial number which is tied to my userid
• Device generates a new password every 30 seconds
• Server on other end knows what to expect from the device assigned to me, at any point in time

One Time Password Device - Benefits
• Difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!
• Let’s try to circumvent the technology!
• What would happen if I generated a one time pass code, wrote it down and then tried to use it later?
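The two OTP slides above describe a device that shows a new code every 30 seconds and a server that knows what to expect from the device bound to a user id, and then ask what happens to a code that was written down and used later. The following added example (not code from the presentation, and not Symantec VIP's implementation, which the page does not describe) answers that with the standard time-based algorithm, HOTP from RFC 4226 driven by a 30-second clock step as in RFC 6238. The server class, the user id, the serial number, the tolerated clock skew of one step and the shared secret (the RFC test secret) are all constructed for the demonstration.

```python
"""Time-based one-time passwords, as on the OTP slides.

Added example, not code from the original presentation or from Symantec VIP.
HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, a 30-second step and
6 digits. OtpServer, the user id, the serial number, the skew allowance and
the shared secret are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # slide: the device generates a new password every 30 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP: HOTP whose counter is the number of steps since the Unix epoch.
    Device and server each compute it from their own clock, so they agree
    without ever exchanging the code in advance."""
    return hotp(secret, at_time // step)


class OtpServer:
    """The 'server on the other end': it knows which serial number is tied to
    which user id and which secret that device was provisioned with, so it can
    compute the code it expects from that device at any point in time."""

    def __init__(self, skew_steps: int = 1):
        self.device_secret = {}       # serial number -> shared secret
        self.user_device = {}         # user id -> serial number
        self.last_counter = {}        # user id -> counter of the last accepted code
        self.skew_steps = skew_steps  # tolerated clock drift, in 30 s steps

    def enroll(self, userid: str, serial: str, secret: bytes) -> None:
        self.device_secret[serial] = secret
        self.user_device[userid] = serial

    def verify(self, userid: str, code: str, now: int) -> bool:
        serial = self.user_device.get(userid)
        if serial is None:
            return False
        secret = self.device_secret[serial]
        current = now // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            # Never go back to a window that has already produced an accepted
            # code: a code cannot be used twice, and a code written down earlier
            # is also outside the small window checked here.
            if counter <= self.last_counter.get(userid, -1):
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[userid] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret, used as a constructed enrollment
    server = OtpServer()
    server.enroll("jdoe", "SN-000123", secret)
    now = int(time.time())
    stale = totp(secret, now - 10 * 60)
    print("code written down 10 minutes ago -> accepted:", server.verify("jdoe", stale, now))
    code = totp(secret, now)
    print("code the device shows right now  -> accepted:", server.verify("jdoe", code, now))
    print("the same code entered again      -> accepted:", server.verify("jdoe", code, now))
```

The written-down code fails for a structural reason, not because the server remembers it: the server only ever computes the codes for the current window and its immediate neighbours, so a code from twenty windows ago is never among the candidates. The `last_counter` record adds the second protection the slide's "circumvent the technology" prompt invites you to think about, namely that a code sniffed and replayed inside the same 30-second window is refused as well.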
One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery Life
• Can be forgotten at home

Biometrics
Something That You Are
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint

Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor

Biometrics Drawbacks
• Cost
• Complexity of Administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• Quick story

Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate
• Multifactor – Using multiple forms of the same factor. (Password + identifying an image that only you would know)
• Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these?

Key Concepts
• Current online password based authentication techniques are weak at best: Most rely on multiple single factors
• Password Credentials are easily stolen from consumers, and rarely change
• Lack of consistency in authentication processes confuses consumers

Summary
• There are three types of authentication technologies:
– Something you know
– Something you have
– Something you are
• Password is the weakest
• Biometrics is the strongest

Audience Discussion and Q&A
• Describe which types of authentication technologies are incorporated into your ATM card
• How do you feel about the use of biometrics?
• Name a situation in which you think biometrics should be used for authentication

Dual Factor Authentication At UW-Madison
• Many of our systems contain “sensitive” information. For purposes of discussion, “sensitive” = information which we do not want to be accessed by the general public
• Three large systems come to mind: HRS, SFS, and ISIS

Dual Factor Rollout
• Internal desire for best practices
• Audit findings
• HRS, across all UW-System
• 2000 users
• Now going live on SFS
• Other systems may follow
• What this means for you

We Use Symantec’s VIP
• Hard tokens
• Soft tokens
• Serial number bound to username

Concerns
• Forgot token at home
• Drove over token
• Accidentally dropped token in bathroom
• Shared token with my BFF (Best Friend Forever)
• Battery died
• Support system

Dual Factor Authentication
The Most Important Slide

Q&A Session
• If you have questions, comments, concerns, suggestions, contact:
• Nicholas Davis
• Email ndavis1@wisc.edu
• http://facebook.com/nicholas.a.davis
