Jun 29 - 2016-MultiFactorAuthentication
Easy Multi-Factor Authentication Strategies and PCI DSS 3.2
HELLO! I am Anirban Banerjee. I am the Founder and CEO of Onion ID.
https://calendly.com/anirban/enterprise-demo/
Two/Multi Factor Authentication
PCI DSS 3.2
Strategies
What is Two-Factor Authentication?
▸ Adds a second level of verification to the password-based approach.
▸ Example: a text message to your phone, a value from an RSA token.
▸ If a hacker gets your username and password they still cannot get into your account unless they also obtain or bypass the second factor.
Why do we need this?
Usernames & passwords can be stolen!
• Phishing attacks
• Same credentials across apps
• Key-loggers
• Educated guesses, social engineering
2FA prevents attackers from accessing your account even if they obtain your username and password, provided the second factor is not captured the same way: an SMS or app code typed into a phishing page is relayed to the attacker just like the password, whereas a factor that cannot be typed into the wrong site (a smart card or client certificate) is not.
Mandated in version 3.2 of the PCI Data Security Standard (Requirement 8.3) for all non-console administrative access into the cardholder data environment and for all remote network access from outside the network.
Who Uses Two-Factor?
Multi-Factor Authentication
Adding More Factors
• Increase the strength of authentication by adding factors.
• Five categories of authentication methods: who you are, what you know, what you have, what you typically do, the context.
• Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced.
What can we add?

Who You Are (Biometric)
• Physical biometric: immutable and unique. Facial recognition, iris scan, retinal scan, fingerprint, palm scan, voice.
• Liveliness biometric factors include pulse, CAPTCHA, etc.
• Behavioral biometric: based on a person's physical and behavioural activity patterns. Keyboard signature, voice.

What You Know
• User name and password (UN/PW)
• A passphrase
• A PIN
• An answer to a secret question

What You Have
• One Time Password (OTP) token
• Smart card, X.509 and PKI
• Subscriber identity module (SIM)
• Rarely used alone; used in combination with UN/PW and a PIN

What You Do
• Browsing patterns
• Time of access
• Type of device
• Used in combination with other methods

Context
• Location; time of access; frequency of access
• Used with other methods
▸ Combining two or more authentication methods can potentially increase authentication strength.
▸ However!
• Be careful not to introduce vulnerabilities
• More factors → more complex/costly to implement and use.
The more the merrier?
▸ Simply adding factors does not guarantee more protection.
Source: Gartner
Finding the Best Factor Combo
Use needs and constraints to determine:
• Authentication strength: indicated by the level of risk
• Total Cost of Ownership: constrained by budget
• Ease of use: universally desirable, but it is less critical the greater the consistency
• Other constraints: consistency and control of the endpoint is a particular constraint
Source: Gartner
PCI DSS 3.2
Highlights
▸ Feb 1, 2018: the new requirements below move from best practice to mandatory.
▸ Multi-factor authentication for all individual non-console administrative access into the cardholder data environment (Requirement 8.3.1), in addition to the existing requirement for all remote network access from outside the network (8.3.2).
▸ Non-console means SSH, RDP, web and management consoles and jump hosts; a login at the physical console is outside 8.3.1, though it remains subject to the other Requirement 8 controls.
▸ New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems.
▸ New requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls every six months.
Challenges
▸ Server does not support 2FA by default
▸ App does not support SAML/OAuth
▸ App has no native support for 2FA
▸ Regular auditing of access
▸ Data privacy issues, data segregation
Strategies
▸ Enable MFA via browser extensions or web filters
▸ Use UX-friendly MFA: geo-fencing, proximity, fingerprint
▸ Set up auditing systems by parsing SIEM info
▸ Set up a monthly PCI meeting to go over process and results
▸ Commercial tools: Onion ID to do privilege management
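The auditing strategy in the list above, parsing SIEM information, is more concrete than it sounds once the questions are fixed. What follows is an added example, not the deck's or Onion ID's code: a Python script that reads authentication events as JSON lines and produces the two findings a PCI reviewer asks about first, successful non-console access to an in-scope host where only one factor category was presented, and users with repeated second-factor failures inside a short window, which is what guessing against a six-digit OTP looks like in the logs. The record layout, the `CDE_HOSTS` inventory, the `FACTOR_CATEGORY` names and every host, user and address in `SAMPLE_LOG` are constructed for this example, not a real SIEM export.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: hosts inside the cardholder data environment.
CDE_HOSTS = {"pos-db-01", "pay-api-02"}

# Assumed factor names mapped to the deck's categories; two factors from the
# same category (password + PIN) do not make a login multi-factor.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "totp": "have", "hotp": "have", "smartcard": "have", "push": "have",
    "fingerprint": "are", "face": "are",
}

# Constructed sample events: one authentication decision per line, in the
# JSON-lines layout this example assumes an auth gateway or PAM module emits.
SAMPLE_LOG = """\
{"ts":"2016-06-29T09:00:12Z","user":"alice","src":"10.20.0.5","host":"pos-db-01","channel":"ssh","factors":["password","totp"],"result":"success"}
{"ts":"2016-06-29T09:03:40Z","user":"bob","src":"10.20.0.9","host":"pos-db-01","channel":"ssh","factors":["password"],"result":"success"}
{"ts":"2016-06-29T09:05:01Z","user":"carol","src":"203.0.113.7","host":"pay-api-02","channel":"rdp","factors":["password","totp"],"result":"mfa_failure"}
{"ts":"2016-06-29T09:05:30Z","user":"carol","src":"203.0.113.7","host":"pay-api-02","channel":"rdp","factors":["password","totp"],"result":"mfa_failure"}
{"ts":"2016-06-29T09:05:58Z","user":"carol","src":"203.0.113.7","host":"pay-api-02","channel":"rdp","factors":["password","totp"],"result":"mfa_failure"}
{"ts":"2016-06-29T09:06:20Z","user":"carol","src":"203.0.113.7","host":"pay-api-02","channel":"rdp","factors":["password","totp"],"result":"mfa_failure"}
{"ts":"2016-06-29T09:06:45Z","user":"carol","src":"203.0.113.7","host":"pay-api-02","channel":"rdp","factors":["password","totp"],"result":"mfa_failure"}
{"ts":"2016-06-29T09:07:30Z","user":"carol","src":"203.0.113.7","host":"pay-api-02","channel":"rdp","factors":["password","totp"],"result":"success"}
{"ts":"2016-06-29T09:10:00Z","user":"dave","src":"10.20.0.11","host":"build-01","channel":"ssh","factors":["password"],"result":"success"}
{"ts":"2016-06-29T09:12:00Z","user":"erin","src":"local","host":"pay-api-02","channel":"console","factors":["password"],"result":"success"}
{"ts":"2016-06-29T09:14:00Z","user":"gina","src":"10.20.0.12","host":"pos-db-01","channel":"ssh","factors":["password","pin"],"result":"success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime in 'ts'; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def factor_categories(factors):
    """Distinct categories among the presented factors (unknown names count as their own)."""
    return {FACTOR_CATEGORY.get(f, f) for f in factors}


def unprotected_cde_access(events, cde_hosts=CDE_HOSTS):
    """Successful non-console logins to in-scope hosts with fewer than two factor categories."""
    return [
        (ev["user"], ev["host"], ev["src"])
        for ev in events
        if ev["host"] in cde_hosts
        and ev["channel"] != "console"
        and ev["result"] == "success"
        and len(factor_categories(ev["factors"])) < 2
    ]


def mfa_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` second-factor failures inside some `window`.

    Returns {user: failures counted in the first window that crosses the threshold}.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "mfa_failure":
            per_user[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                end = times[i] + window
                flagged[user] = sum(1 for t in times if times[i] <= t <= end)
                break
    return flagged


def audit(text):
    """Run both checks over a JSON-lines export and return the findings."""
    events = parse_events(text)
    return {
        "unprotected_cde_access": unprotected_cde_access(events),
        "mfa_failure_bursts": mfa_failure_bursts(events),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

On the sample data, bob (password only) and gina (password plus PIN, both "what you know") are the unprotected logins into the CDE; alice passes because her two factors come from different categories, erin is at the physical console, and dave's host is out of scope. carol's five failures in under two minutes are reported as a burst; her later success with the same credentials is exactly the event a monthly PCI review should ask about. Feeding the script a real export means adapting `parse_events` to the SIEM's own field names; the two checks themselves do not change.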
Conclusions
▸ Password-based authentication is not enough anymore.
▸ Multi-factor authentication is here to stay!
▸ Many different options, each with its own costs and vulnerabilities.
▸ Be smart: adding more factors will definitely increase cost and complexity, but might not (sufficiently) increase security.
▸ Consider the trade-offs, customize. Pick the combination that works for you.
THANK YOU! Any questions?
You can find more about us at:
Onion ID – The Next Generation of Privilege Management
www.onionid.com, [email protected], +1-888-315-4745
https://calendly.com/anirban/enterprise-demo/