LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
Multi-Factor Authentication: Weeding Out the Snake Oil
LASCON 2014
David Ochel
2014-10-24
This work is licensed under a Creative Commons Attribution 4.0 International License.
Objectives
• Understand what’s going on in the market of multi-factor authentication.
• Look at solutions from a risk view… Which problems are we actually solving / trying to solve?
Multi-Factor Authentication Criteria – LASCON 2014 Page 2
Agenda: Less Formalism, More Examples…
• Motivation / Introduction
– Authentication Factors
– Why Multi-Factor?
• Criteria and Industry Examples
– Security-focused criteria
– Less risky criteria
• …and the Snake Oil?
INTRODUCTION
Authentication Factors
• Knowledge-based “know”
  – Passwords
  – Security questions (?)
  – Pattern/image recognition, …
• Token-based “have”
  – Time-based one-time passwords
  – Crypto-based challenge-response (e.g. X.509)
  – Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably)
• Biometrics “are”
  – Behavioral
  – Physical
• Context-/behavior-based
  – As in “risk-based authentication”: IP addresses, locations, date/time, etc.
Why Do We Still Use Passwords?
“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1]
• Passwords
  – Highly deployable: infrastructure exists, users are accustomed, cheap, …
  – Security issues: observation, interception, replay, guessing, phishing
  – Pervasive assumption: general-purpose personal computers (laptops, PCs, …) cannot be secured/trusted
• Issues with existing alternatives
  – Memory-based (“know”): no better than passwords?
  – Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace
  – Tokens (“have”): susceptible to theft, expensive, hard to replace
  – Contexts: unreliable proof of identity
[1] J. Bonneau, C. Herley, P. C. van Oorschot, F. Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” University of Cambridge Computer Laboratory Technical Report UCAM-CL-TR-817, 2012. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
Current Industry Trend: Combine Multiple Factors
• Tokens
  – Hard(er) to compromise; susceptible to physical theft
• Passwords
  – Interceptable (malware); hard to physically steal
• Also in the running:
  – Biometrics
    • Convenient; but often trust issues when unsupervised (liveness detection)
  – Contexts
    • Back-end risk evaluation; not technically authentication
Authentication – A Piece of the Identity & Access Management Puzzle…
http://forgerock.com/products/open-identity-stack/
Which threats are we trying to counter?
• Are we protecting:
  – Individual consumer accounts?
  – Corporate users and data?
  – Machine authentication?
• Assets
• Adversaries
• Vulnerabilities
• Etc.
CRITERIA – FROM A SECURITY POINT OF VIEW
Are there at least two factors?
• Password + PIN = one factor
• Password-protected private key?
– …on a hardware token?
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
Swivel PINsafe – Human-Computed Challenge Response
• But… password + PIN still aren’t two factors?
  – When used in a browser, it helps against keylogging
  – When used via SMS, it actually helps!?
http://www.swivelsecure.com/devices/browser/
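To make the “still one factor, but keylogging-resistant” point concrete, here is a human-computed challenge-response in the style of PINsafe. This is an added illustration modeled on the publicly described scheme, not Swivel’s code, and the details are assumptions: the server shows a random ten-digit “security string”, each digit of the user’s PIN selects a position in it (1 = first, …, 9 = ninth, 0 = tenth), and the user types the digits found at those positions as a one-time code. The `PinsafeServer` class and the `candidate_pins` attacker helper are hypothetical names.

```python
import hmac
import itertools
import secrets

# Added example modeled on the publicly described PINsafe scheme; not vendor
# code. The ten-digit security string, the position rule and all names here
# are assumptions made for illustration.
_rng = secrets.SystemRandom()


def new_security_string() -> str:
    """Random ten-digit challenge shown to the user (assumed format)."""
    return "".join(str(_rng.randrange(10)) for _ in range(10))


def one_time_code(pin: str, security_string: str) -> str:
    """The arithmetic the user does in their head: PIN digit d picks the
    d-th character of the string, with 0 meaning the tenth."""
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


class PinsafeServer:
    def __init__(self, pins: dict):
        self._pins = dict(pins)   # hypothetical user -> PIN store
        self._pending = {}        # user -> outstanding security string

    def challenge(self, user: str) -> str:
        s = new_security_string()
        self._pending[user] = s
        return s

    def verify(self, user: str, otc: str) -> bool:
        # pop(): a security string is accepted at most once, so a keylogged
        # OTC is worthless after the session it was typed into.
        s = self._pending.pop(user, None)
        if s is None or user not in self._pins:
            return False
        return hmac.compare_digest(one_time_code(self._pins[user], s), otc)


def candidate_pins(observations, pin_length: int = 4) -> set:
    """Why PIN + security string is still a single 'know' factor: an attacker
    who logs several (security string, OTC) pairs can brute-force the PIN
    space offline and keep only PINs consistent with every observation.
    Repeated digits in a string keep several PINs alive; distinct digits
    pin it down from one observation."""
    return {
        "".join(p)
        for p in itertools.product("0123456789", repeat=pin_length)
        if all(one_time_code("".join(p), s) == otc for s, otc in observations)
    }
```

The single-use challenge defeats straight replay of what a keylogger saw, which is the browser case on the slide; `candidate_pins` shows the limit, since the secret being protected is still only something the user knows and it leaks a little with every observed login.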
![Page 13: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/13.jpg)
How many communication channels? One? More? Different physical band?
Communication channels (continued)
• Securing smartphone apps with smartphone tokens…?
• “plug and play”
– Factors
– Channels
When to pull another factor?
• Once per session, at login.
• For every high risk transaction, during session.
• “Risk-based”
– Determined by context analysis.
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
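The three policies on this slide (once per session, per high-risk transaction, risk-based) come together in a back-end decision like the one below. This is an added, constructed example rather than anything from the deck or a vendor: the features (unknown device, new country, implausible travel, off-hours), their weights and the `STEP_UP_AT` / `DENY_AT` thresholds are assumptions for illustration, as is the set of high-risk actions. Note that nothing here authenticates anyone; the output only says whether to demand a real factor.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example, not from the slides or any vendor: a toy back-end risk
# evaluation that decides whether to pull a second factor. Features, weights,
# thresholds and the high-risk action list are assumptions for illustration.
HIGH_RISK_ACTIONS = {"wire_transfer", "add_payee", "change_password"}
STEP_UP_AT = 30   # score from which a second factor is demanded
DENY_AT = 80      # score from which the attempt is refused outright


@dataclass(frozen=True)
class LoginContext:
    device_id: str
    country: str
    when: datetime


@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    last_login: Optional[LoginContext] = None


def risk_score(ctx: LoginContext, hist: UserHistory) -> tuple[int, list[str]]:
    """Context analysis: score the attempt against what we know of the user."""
    score, reasons = 0, []
    if ctx.device_id not in hist.known_devices:
        score += 40
        reasons.append("unknown device")
    if ctx.country not in hist.known_countries:
        score += 30
        reasons.append("new country")
    last = hist.last_login
    if last and last.country != ctx.country and ctx.when - last.when < timedelta(hours=2):
        score += 50
        reasons.append("implausible travel")
    if not 6 <= ctx.when.hour < 23:
        score += 10
        reasons.append("off-hours")
    return score, reasons


def decide(ctx: LoginContext, hist: UserHistory, action: Optional[str] = None) -> str:
    """Returns 'allow', 'step_up' or 'deny'. A high-risk transaction during
    the session always pulls the second factor, however the login scored."""
    if action in HIGH_RISK_ACTIONS:
        return "step_up"
    score, _ = risk_score(ctx, hist)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# Constructed history: one known laptop, logins only from the US, last seen
# on the morning of the talk.
T0 = datetime(2014, 10, 24, 9, 0, tzinfo=timezone.utc)
ALICE = UserHistory(
    known_devices={"laptop-1"},
    known_countries={"US"},
    last_login=LoginContext("laptop-1", "US", T0),
)
```

The “implausible travel” rule is the one piece that is more than a lookup: it compares the new attempt to the previous login in time and place, which is the kind of signal the “contexts” factor can supply and a password check cannot.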
Enrolling users / tokens
• Personalization/provisioning of tokens
• Enrollment in service
• Central management of credentials
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf
![Page 17: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/17.jpg)
Crypto
• There’s crypto everywhere
  – Token challenge-response, digital signatures
  – Transport security for the authentication channels
• Robustness/diversity
  – More than one set of algorithm types supported?
• Trust
  – Algorithms
  – Implementations
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
![Page 18: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/18.jpg)
EMV-based
• Mastercard CAP / VISA DPA
• German Sm@rt-TAN
• CrontoSign (photoTAN)…
https://www.vasco.com/products/products.aspx
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
![Page 19: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/19.jpg)
CRITERIA – LESS SECURITY-RELEVANT
$$$
• OpEx vs. CapEx
– Licensing fees (per user, server, year, …?)
– Token cost
– …
http://www.entrust.com/products/entrust-identityguard/
![Page 21: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/21.jpg)
Open Source?
• Lots of freemium solutions
• E.g. WiKID
https://www.wikidsystems.com/learn-more/features
![Page 22: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/22.jpg)
Integration with Identity & Access Management Solutions
• Open Source, e.g. Gluu or OpenAM
• Commercial, e.g. SailPoint, and many more
http://www.gluu.org/gluu-server/strong-authentication/
http://www.sailpoint.com/solutions/products/identityiq/access-manager
![Page 23: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/23.jpg)
Usability
• Efficiency
• Ease of use
• Availability
• Convenience
– Is it realistic to expect that every user carries half a dozen hardware tokens with them?
© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/
![Page 24: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/24.jpg)
(Security) architecture
• Client-less vs. plug-ins, apps, …
• Service
  – SaaS / cloud
  – In-house
• Server side:
  – APIs
  – Logging
  – RADIUS, etc. interfaces
Availability
• Does it scale?
  – Authentications per second
• Capacity to bug-/security-fix
  – Reputation, history, size, …
• SLA, redundancy, …
• Fallback if the cloud is unavailable?
http://www.earlychildhoodworksheets.com/nature-clipart.html
![Page 26: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/26.jpg)
…AND THE SNAKE OIL?
How to find snake oil?
• Wait until it finds you, or… Google it!
• OWASP ‘Guide to Cryptography’ suggests:
‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide “military grade” security. If a vendor says “trust us, we have had experts look at this,” chances are they weren’t experts!’
https://www.owasp.org/index.php/Guide_to_Cryptography
![Page 28: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/28.jpg)
Multi-Factor Authentication Criteria Page 28
![Page 29: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/29.jpg)
Unbreakable, impenetrable, etc.
from http://www.edulok.com – retrieved 2014-09-23
![Page 30: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/30.jpg)
WWPass (aka EduLok): What might be going on?
This is abstracted from their public online documentation… haven’t checked out the patents or anything else.
What about “Best in Class”?
• E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication”
• Not exempt from marketing blah? ;-)
http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23
![Page 32: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil](https://reader034.fdocuments.in/reader034/viewer/2022052622/5594a9551a28ab6a728b456e/html5/thumbnails/32.jpg)
Conclusions
• Don’t trust the marketing hype!
• Understand your exposure.
• Understand which solutions can reduce it.
• And then look at usability, interoperability, etc.
Contact
David Ochel
Blog: http://secuilibrium.com
Twitter: @lostgravity