The Password Is Dead: An Argument for Multifactor Biometric Authentication
THE PASSWORD IS DEAD
An Argument for Multifactor Biometric Authentication
© 2016 Veridium All Rights Reserved
BEFORE WE BEGIN
Attendees have been muted
You may submit questions at any time, but we will respond at the conclusion of the presentation during the Q&A session
BEFORE WE BEGIN
John Callahan, PhD, Chief Technology Officer
• PhD in Computer Science from University of Maryland, College Park
• Former Associate Director at the Office of Naval Research, Global, London office
• Previously Research Director at the NASA Independent Verification and Validation Facility
AGENDA
• History of username & password
• Password complexity is failing
• Biometrics
  • Physiological and behavioral
• Privacy needs for biometric data
HISTORY OF USERNAME AND PASSWORD
A TIME OF CRISIS
• The password is nearly 40 years old
• Username doesn’t truly represent Identity
NUMBER OF ACCOUNTS
Most people have 10-20 online accounts…
…and you are asked to use a different password for all of them!
A FLUX POINT
• Passwords alone are no longer adequate for cybersecurity
COST OF CHURN
• Best practice is to change passwords every three months
• These password resets cost time and money
HELP DESK COSTS
• Lost password resets also cost time and money
• These costs are beyond tolerable
COMPROMISES EXACERBATE LOSS
• Lost/Stolen passwords contribute to other database compromises
• Users often reuse passwords
• Complexity rules become predictable
PASSWORD COMPLEXITY IS FAILING
COMPLEXITY RULES
• Frequency of change
• Minimum Length
• Mixture of “ulsd” (upper, lower, special, digit)
• Topologies
• Difficulty meters: a risk in themselves
COMPLEXITY RULES (CONT.)
Credit: XKCD
ANALYSIS
Source: Rick Redman’s OWASP AppSec USA 2014 talk
[Figure: Top 50 Most Commonly Used Topology IDs Across All Samples; Frequency of Common Topologies Across All Samples; y-axis: Percent of Passwords Matching Given Pattern per Sample Set]
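Slides 13 to 17 argue that complexity rules push users onto a handful of predictable "topologies" (the u/l/s/d pattern of a password). The following Python is added here and is not part of the Veridium deck or of Redman's tooling: it computes the topology of each password in a constructed sample, measures how concentrated the patterns are, and shows the defensive use of the same analysis, rejecting a new password whose pattern is already among the most common.

```python
# Added example (not from the Veridium deck): password topology audit in the
# style of the Rick Redman analysis cited on slides 15-17. Each character maps
# to its class u/l/s/d, the resulting pattern is counted across a sample set,
# and a password setter can then block candidates on the most common patterns.
from collections import Counter
import string


def topology(password: str) -> str:
    """Map 'Summer2016!' -> 'ullllldddds' (u=upper, l=lower, d=digit, s=special)."""
    out = []
    for ch in password:
        if ch in string.ascii_uppercase:
            out.append("u")
        elif ch in string.ascii_lowercase:
            out.append("l")
        elif ch in string.digits:
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def meets_ulsd_policy(password: str, min_len: int = 8) -> bool:
    """A typical complexity rule: minimum length and at least three of the four classes."""
    return len(password) >= min_len and len(set(topology(password))) >= 3


def topology_frequencies(passwords):
    """Count each topology; also return the share of the sample covered by the top three."""
    counts = Counter(topology(p) for p in passwords)
    top3 = sum(n for _, n in counts.most_common(3))
    return counts, top3 / len(passwords)


def common_topologies(passwords, k: int) -> set:
    """Blocklist: the k most frequent topologies observed in the sample."""
    counts, _ = topology_frequencies(passwords)
    return {t for t, _ in counts.most_common(k)}


def is_predictable(password: str, blocklist: set) -> bool:
    """Reject a candidate whose pattern is one the policy has already made popular."""
    return topology(password) in blocklist


# Constructed sample: every entry passes the 8+ character, three-class rule above.
SAMPLE = [
    "Summer2016!", "Autumn2015!", "Winter2016!", "Spring2017!", "Welcome123!",
    "Hello123!", "Passw0rd", "Monday2016", "Friday2016", "Secret99",
]

if __name__ == "__main__":
    counts, share = topology_frequencies(SAMPLE)
    print(counts.most_common(3), f"top-3 share = {share:.0%}")
```

Even though every sample password satisfies the complexity rule, three patterns cover 70% of the set, which is the point the slides make about predictability.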
PASSWORD VAULTS
• Examples
  • LastPass
  • 1Password
  • Browser extensions
• Single point of failure
• Non-portable w/o risk of compromise
TWO-FACTOR AUTHENTICATION (2FA)
• An additional step AFTER username & password
• The one real cybersecurity improvement in 20 years
• Channels
  • SMS (Twitter & Apple)
  • Google Authenticator (software app)
  • RSA dongle (hardware)
  • Bingo card (A1, F3, H1)
PROBLEMS WITH 2FA
• Fails if device(s) lost or stolen
• NIST recently (25 July 2016) recommended against SMS
  • SMS can be intercepted/redirected
  • Codes can be “swiped” if they appear in lock-screen notifications
  • The algorithms used to generate the 2FA codes can be cracked
  • 2FA codes can be “phished” from the user
Biometrics: The next portable 2FA?
BIOMETRICS
BIOMETRICS: THE PASSWORD IS YOU
Physiological
• Face
• Fingerprint
• Hand
• Iris
• Voice
• DNA
• …
Behavioral
• Keystroke
• Signature
• Voice
• Date/Time
• Geolocation
• …
Divided, none of these are perfect. Combined, they are a much more robust form of authentication.
A HISTORY OF POOR STARTS, BUT HOPE REMAINS ETERNAL
There have been many attempts at biometrics, but mobile devices have changed the game entirely.
FIDO STANDARD
FIDO Standard: Mobile storage & authentication
Source: FIDO Alliance
IEEE 2410 BOPS
IEEE 2410 Biometric Open Protocol Standard (BOPS)
Mobile – FIDO-compliant
Or, split mobile-server
VERIDIUMID AUTHENTICATION
VERIDIUMID ENROLLMENT
AVAILABLE BIOMETRIC PLUGINS
- Touch ID/Android Fingerprint
- 4 Fingers TouchlessID
- Face
- Iris
- Voice
- Behavioral
And whatever the next biometric on the horizon is…
GOOGLE ABACUS
• Behavioral
• Multifactor
• Trust Score
PRIVACY NEEDS FOR BIOMETRIC DATA
YOUR PHYSICAL BIOMETRICS DO NOT CHANGE
• Cannot change your biometrics like you can a password
• Therefore, they must be carefully protected
• This is why regulations have been created for:
  • Storage
  • Transport
  • Encryption
REGULATIONS ON BIOMETRIC DATA PRIVACY
PRIVACY PROTECTION
• Split Biometric: 1/2 on server & 1/2 on mobile or desktop device
• Server- and Client-side PKI certificates
• Behavioral patterns for risk management
• Business rules require multifactor authentication steps
SPLITTING BIOMETRIC VECTORS
MATCHING WITH SPLIT BIOMETRICS
THE PASSWORD IS DEAD
• Biometrics are already replacing 2FA
• Multifactor Authentication, including biometrics, is proving to be highly effective.
• But will biometrics replace passwords completely?
QUESTIONS?
Twitter: @Veridium
Request a demo at: www.VeridiumID.com/Contact-Us