Multi-Factor Authentication: Weeding Out the Snake Oil 
LASCON 2014 
David Ochel 
2014-10-24 
This work is licensed under a Creative Commons Attribution 4.0 International License.
Objectives 
•Understand what’s going on in the market of multi-factor authentication. 
•Look at solutions from a risk view… Which problems are we actually solving / trying to solve? 
Multi-Factor Authentication Criteria – LASCON 2014 
Page 2
Agenda: Less Formalism, More Examples… 
•Motivation / Introduction 
–Authentication Factors 
–Why Multi-Factor? 
•Criteria and Industry Examples 
–Security-focused criteria 
–Less risky criteria 
•…and the Snake Oil? 
INTRODUCTION 
Authentication Factors 
•Knowledge-based “know” 
–Passwords 
–Security questions (?) 
–Pattern/image recognition, … 
•Token-based “have” 
–Time-based one-time-passwords 
–Crypto-based challenge response (e.g. X.509) 
–Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably) 
•Biometrics “are” 
–Behavioral 
–Physical 
•Context-/behavioral-based 
–As in “risk-based authentication”: IP addresses, locations, date/time, etc. 
Why Do We Still Use Passwords? 
“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1] 
•Passwords 
–Highly deployable: infrastructure exists, users are accustomed, cheap, … 
–Security issues: observation, interception, replay, guessing, phishing 
–Pervasive assumption: General-purpose personal computers (laptops, PCs, …) cannot be secured/trusted 
•Issues with existing alternatives 
–Memory-based (“know”): no better than passwords? 
–Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace 
–Tokens (“have”): susceptible to theft, expensive, hard to replace 
–Contexts: unreliable proof of identity 
[1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
Current Industry Trend: Combine Multiple Factors 
•Tokens 
–Hard(er) to compromise; susceptible to physical theft 
•Passwords 
–Interceptable (malware); hard to physically steal 
•Also in the running: 
–Biometrics 
•Convenient; but often trust issues when unsupervised (liveness detection) 
–Contexts 
•Back-end risk evaluation; not technically authentication 
Authentication – A Piece of the Identity & Access Management Puzzle… 
http://forgerock.com/products/open-identity-stack/
Which threats are we trying to counter? 
•Are we protecting: 
–Individual consumer accounts? 
–Corporate users and data? 
–Machine authentication? 
•Assets 
•Adversaries 
•Vulnerabilities 
•Etc… 
CRITERIA – FROM A SECURITY POINT OF VIEW 
Are there at least two factors? 
•Password + PIN = one factor 
•Password-protected private key? 
–…on a hardware token? 
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
Swivel PIN Safe – Human-Computed Challenge Response 
•But… password + PIN still aren’t two factors? 
–When used in browser, helps against keylogging 
–When used for SMS, actually helps!? 
http://www.swivelsecure.com/devices/browser/
How many communication channels? One? More? Different physical band? 
Communication channels (continued) 
•Securing smartphone apps with smartphone tokens…? 
•“plug and play” 
–Factors 
–Channels 
When to pull another factor? 
•Once per session, at login. 
•For every high-risk transaction, during the session. 
•“Risk-based” 
–Determined by context analysis. 
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
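Added example (not from the slides, and not any vendor's product logic): a toy back-end policy engine that implements the three step-up strategies listed on this slide, so the difference between "once at login", "per high-risk transaction" and "risk-based from context" can be seen on concrete requests. The baseline, risk weights, thresholds and sample requests are all constructed for the demo; real context analysis would draw on far more signals than country, device and time of day.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What the back end already knows about a user (constructed for the demo)."""
    known_countries: frozenset
    known_devices: frozenset
    usual_hours_utc: range


@dataclass(frozen=True)
class Request:
    """One authentication event or one in-session action."""
    kind: str            # "login" or "transaction"
    country: str         # assumed to come from source-IP geolocation
    device_id: str       # e.g. a device cookie or fingerprint
    hour_utc: int
    amount: float = 0.0  # only meaningful for transactions


HIGH_RISK_AMOUNT = 1000.0   # constructed threshold for a "high-risk transaction"
STEP_UP_SCORE = 30          # constructed threshold for the risk-based policy

# Constructed baseline: one known country, one enrolled device, daytime logins.
DEMO_BASELINE = Baseline(frozenset({"US"}), frozenset({"laptop-1"}), range(7, 20))


def context_risk(req: Request, baseline: Baseline):
    """Score how far the request context deviates from the user's baseline.
    Returns (score, reasons); weights are arbitrary demo values."""
    score, reasons = 0, []
    if req.country not in baseline.known_countries:
        score += 40
        reasons.append("unknown country")
    if req.device_id not in baseline.known_devices:
        score += 30
        reasons.append("unknown device")
    if req.hour_utc not in baseline.usual_hours_utc:
        score += 15
        reasons.append("unusual hour")
    return score, reasons


def is_high_risk_transaction(req: Request) -> bool:
    return req.kind == "transaction" and req.amount >= HIGH_RISK_AMOUNT


def decide(req: Request, baseline: Baseline, policy: str):
    """Return ("step_up" | "allow", reasons): whether to pull another factor now."""
    if policy == "per_session":
        # Second factor exactly once, at login; nothing more during the session.
        return ("step_up", ["login"]) if req.kind == "login" else ("allow", [])
    if policy == "per_high_risk_transaction":
        # Second factor at login and again for every high-risk transaction.
        if req.kind == "login":
            return "step_up", ["login"]
        if is_high_risk_transaction(req):
            return "step_up", ["high-risk transaction"]
        return "allow", []
    if policy == "risk_based":
        # Second factor only when the context looks unfamiliar or the action is risky;
        # a login from a known device/country at a usual hour passes on one factor.
        score, reasons = context_risk(req, baseline)
        if is_high_risk_transaction(req):
            reasons.append("high-risk transaction")
        if score >= STEP_UP_SCORE or is_high_risk_transaction(req):
            return "step_up", reasons
        return "allow", []
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    samples = [
        Request("login", "US", "laptop-1", 10),
        Request("login", "RO", "phone-9", 3),
        Request("transaction", "US", "laptop-1", 11, amount=5000.0),
    ]
    for policy in ("per_session", "per_high_risk_transaction", "risk_based"):
        for req in samples:
            print(policy, req.kind, decide(req, DEMO_BASELINE, policy))
```

Note that the risk-based policy is the only one that can let a login through on a single factor; that is exactly the trade the slide's "Contexts: not technically authentication" remark warns about, so the score thresholds deserve the same scrutiny as the factors themselves.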
Enrolling users / tokens 
•Personalization/provisioning of tokens 
•Enrollment in service 
•Central management of credentials 
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf
Crypto 
•There’s crypto everywhere 
–Token challenge-response, digital signatures 
–Transportation security for authentication channels 
•Robustness/diversity 
–More than one set of algorithm types supported? 
•Trust 
–Algorithms 
–Implementations 
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
EMV-based 
•Mastercard CAP / VISA DPA 
•German Sm@art TAN 
•CrontoSign (photoTAN)… 
https://www.vasco.com/products/products.aspx 
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf 
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
CRITERIA – LESS SECURITY-RELEVANT 
$$$ 
•OpEx vs. CapEx 
–Licensing fees (per user, server, year, …?) 
–Token cost 
–… 
http://www.entrust.com/products/entrust-identityguard/
Open Source? 
•Lots of freemium solutions 
•E.g. WikID 
https://www.wikidsystems.com/learn-more/features
Integration with Identity & Access Management Solutions 
•Open Source, e.g. gluu or OpenAM 
•Commercial, e.g. SailPoint, and many more 
http://www.gluu.org/gluu-server/strong-authentication/ 
http://www.sailpoint.com/solutions/products/identityiq/access-manager
Usability 
•Efficiency 
•Ease of use 
•Availability 
•Convenience 
–Is it realistic to expect that every user carries half a dozen hardware tokens with them? 
© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/
(Security) architecture 
•Client-less vs. plug-ins, apps, … 
•Service 
–SaaS / cloud 
–In-house 
•Server side: 
–APIs 
–Logging 
–RADIUS, etc. interfaces 
Availability 
•Does it scale? 
–Authentications per second 
•Capacity to bug/security-fix 
–Reputation, history, size, … 
•SLA, redundancy, … 
•Fallback if the cloud is unavailable? 
http://www.earlychildhoodworksheets.com/nature-clipart.html
…AND THE SNAKE OIL? 
How to find snake oil? 
•Wait until it finds you, or… Google it! 
•OWASP ‘Guide to Cryptography’ suggests: 
‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide “military grade” security. If a vendor says “trust us, we have had experts look at this,” chances are they weren’t experts!’ 
https://www.owasp.org/index.php/Guide_to_Cryptography
Unbreakable, impenetrable, etc. 
from http://www.edulok.com – retrieved 2014-09-23
WWPass (aka EduLok): What might be going on? 
This is abstracted from their public online documentation… haven’t checked out the patents or anything else. 
What about “Best in Class”? 
•E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication” 
•Not exempt from marketing blah? ;-) 
http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23
Conclusions 
•Don’t trust the marketing hype! 
•Understand your exposure. 
•Understand which solutions can reduce it. 
•And then look at usability, interoperability, etc. 
Contact 
David Ochel 
Blog: http://secuilibrium.com 
Twitter: @lostgravity 

Mais conteúdo relacionado

Mais procurados

[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
OWASP
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008
Jim Geovedi
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
HITCON GIRLS
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
OWASP
 
Keynote - Jim Geovedi - professional-hackers
Keynote - Jim Geovedi - professional-hackersKeynote - Jim Geovedi - professional-hackers
Keynote - Jim Geovedi - professional-hackers
idsecconf
 

Mais procurados (20)

Security in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptionsSecurity in the age of open source - Myths and misperceptions
Security in the age of open source - Myths and misperceptions
 
[OPD 2019] Life after pentest
[OPD 2019] Life after pentest[OPD 2019] Life after pentest
[OPD 2019] Life after pentest
 
Hacking Cracking 2008
Hacking Cracking 2008Hacking Cracking 2008
Hacking Cracking 2008
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ..."Is your browser secure? Breaking cryptography in PKI based systems, opening ...
"Is your browser secure? Breaking cryptography in PKI based systems, opening ...
 
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
逃避可恥還沒有用- 你不可不知的物聯網安全問題與挑戰(Ashley Shen & Belinda Lai)
 
[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities[OPD 2019] Inter-application vulnerabilities
[OPD 2019] Inter-application vulnerabilities
 
Keynote - Jim Geovedi - professional-hackers
Keynote - Jim Geovedi - professional-hackersKeynote - Jim Geovedi - professional-hackers
Keynote - Jim Geovedi - professional-hackers
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vit...
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
How I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKWHow I Learned to Stop Information Sharing and Love the DIKW
How I Learned to Stop Information Sharing and Love the DIKW
 
Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)Physical Penetration Testing (RootedCON 2015)
Physical Penetration Testing (RootedCON 2015)
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Deception Technology: Use Cases & Implementation Approaches
 Deception Technology: Use Cases & Implementation Approaches Deception Technology: Use Cases & Implementation Approaches
Deception Technology: Use Cases & Implementation Approaches
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
Comptia security-sy0-601-exam-objectives-(2-0)
Comptia security-sy0-601-exam-objectives-(2-0)Comptia security-sy0-601-exam-objectives-(2-0)
Comptia security-sy0-601-exam-objectives-(2-0)
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
5 Things You Should Know About Ethical Hacking
5 Things You Should Know About Ethical Hacking5 Things You Should Know About Ethical Hacking
5 Things You Should Know About Ethical Hacking
 

Destaque

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
Ramesh Nagappan
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security Presentation
Yosef Gamble
 
Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...
Nordic Infrastructure Conference
 

Destaque (18)

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Stronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise ApplicationsStronger/Multi-factor Authentication for Enterprise Applications
Stronger/Multi-factor Authentication for Enterprise Applications
 
Webinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSSWebinar - Easy multi factor authentication strategies and PCI DSS
Webinar - Easy multi factor authentication strategies and PCI DSS
 
What You Need to Know About Email Authentication
What You Need to Know About Email AuthenticationWhat You Need to Know About Email Authentication
What You Need to Know About Email Authentication
 
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
Protect Against Security Breaches by Securing Endpoints with Multi-Factor Aut...
 
Powerful email protection
Powerful email protectionPowerful email protection
Powerful email protection
 
Email security
Email securityEmail security
Email security
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security Presentation
 
NISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best PracticeNISTs Cybersecurity Framework -- Comparison with Best Practice
NISTs Cybersecurity Framework -- Comparison with Best Practice
 
Email Security Overview
Email Security OverviewEmail Security Overview
Email Security Overview
 
S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
Iso 27001 2013 Standard Requirements
Iso 27001 2013 Standard RequirementsIso 27001 2013 Standard Requirements
Iso 27001 2013 Standard Requirements
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013  An Overview ISO/IEC 27001:2013  An Overview
ISO/IEC 27001:2013 An Overview
 
Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...Brian Desmond - Quickly and easily protect your applications and services wit...
Brian Desmond - Quickly and easily protect your applications and services wit...
 
Email Security and Awareness
Email Security and AwarenessEmail Security and Awareness
Email Security and Awareness
 
ISO 27001 - Information Security Management System
ISO 27001 - Information Security Management SystemISO 27001 - Information Security Management System
ISO 27001 - Information Security Management System
 

Semelhante a LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013
Federation for Identity and Cross-Credentialing Systems (FiXs)
 

Semelhante a LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil (20)

Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
 
Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...
Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...
Protecting the Keys to the Kingdom - The Case for Adaptive Authentication for...
 
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
OSSF 2018 - Andrew Katz of Moorcrofts - OpenChain: a Tested Framework for Ope...
 
Security Testing: What Testers Can Do
Security Testing: What Testers Can DoSecurity Testing: What Testers Can Do
Security Testing: What Testers Can Do
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise" Multi-Factor Authentication - "Moving Towards the Enterprise"
Multi-Factor Authentication - "Moving Towards the Enterprise"
 
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New AuthenticationPasswords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
Passwords and Fingerprints and Faces—Oh My! Comparing Old and New Authentication
 
Using SurfWatch Labs' Threat Intelligence to Understand Dark Web Threats
Using SurfWatch Labs' Threat Intelligence to Understand Dark Web ThreatsUsing SurfWatch Labs' Threat Intelligence to Understand Dark Web Threats
Using SurfWatch Labs' Threat Intelligence to Understand Dark Web Threats
 
Webinar: Goodbye RSA. Hello Modern Authentication.
Webinar: Goodbye RSA. Hello Modern Authentication.Webinar: Goodbye RSA. Hello Modern Authentication.
Webinar: Goodbye RSA. Hello Modern Authentication.
 
Using SurfWatch Labs' Threat Intelligence to Monitor Your Digital Risk
Using SurfWatch Labs' Threat Intelligence to Monitor Your Digital RiskUsing SurfWatch Labs' Threat Intelligence to Monitor Your Digital Risk
Using SurfWatch Labs' Threat Intelligence to Monitor Your Digital Risk
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Boosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk ImperativeBoosting IoT Protection: An Enterprise Risk Imperative
Boosting IoT Protection: An Enterprise Risk Imperative
 
Slideshare fintech-may26th-def
Slideshare fintech-may26th-defSlideshare fintech-may26th-def
Slideshare fintech-may26th-def
 
Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access ControlStopping Breaches at the Perimeter: Strategies for Secure Access Control
Stopping Breaches at the Perimeter: Strategies for Secure Access Control
 
Cyber security series Application Security
Cyber security series   Application SecurityCyber security series   Application Security
Cyber security series Application Security
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

  • 1. Multi-Factor Authentication: Weeding Out the Snake Oil LASCON 2014 David Ochel 2014-10-24 This work is licensed under a Creative Commons Attribution 4.0 International License.
  • 2. Objectives •Understand what’s going on in the market of multi-factor authentication. •Look at solutions from a risk view… Which problems are we actually solving / trying to solve? Multi-Factor Authentication Criteria – LASCON 2014 Page 2
  • 3. Agenda: Less Formalism, More Examples… •Motivation / Introduction –Authentication Factors –Why Multi-Factor? •Criteria and Industry Examples –Security-focused criteria –Less risky criteria •…and the Snake Oil? Page 3 Multi-Factor Authentication Criteria – LASCON 2014
  • 4. INTRODUCTION Multi-Factor Authentication Criteria – LASCON 2014 Page 4
  • 5. Authentication Factors •Knowledge-based “know” –Passwords –Security questions (?) –Pattern/image recognition, … •Token-based “have” –Time-based one-time-passwords –Crypto-based challenge response (e.g. X.509) –Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably) •Biometrics “are” –Behavioral –Physical •Context-/behavioral-based –As in “risk-based authentication”: IP addresses, locations, date/time, etc. Multi-Factor Authentication Criteria – LASCON 2014 Page 5
  • 6. Why Do We Still Use Passwords? “The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1] •Passwords –Highly deployable: infrastructure exists, users are accustomed, cheap, … –Security issues: observation, interception, replay, guessing, phishing –Pervasive assumption: General-purpose personal computers (laptops, PCs, …) cannot be secured/trusted •Issues with existing alternatives –Memory-based (“know”): no better than passwords? –Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace –Tokens (“have”): susceptible to theft, expensive, hard to replace –Contexts: unreliable proof of identity Page 6 Multi-Factor Authentication Criteria – LASCON 2014 [1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
  • 7. Current Industry Trend: Combine Multiple Factors •Tokens –Hard(er) to compromise; susceptible to physical theft •Passwords –Interceptable (malware); hard to physically steal •Also in the running: –Biometrics •Convenient; but often trust issues when unsupervised (liveness detection) –Contexts •Back-end risk evaluation; not technically authentication Multi-Factor Authentication Criteria – LASCON 2014 Page 7
  • 8. Authentication – A Piece of the Identity & Access Management Puzzle… Multi-Factor Authentication Criteria – LASCON 2014 Page 8 http://forgerock.com/products/open-identity-stack/
  • 9. Which threats are we trying to counter? •Are we protecting: •Individual consumer accounts? •Corporate users and data? •Machine authentication? •Assets •Adversaries •Vulnerabilities •Etc… Page 9 Multi-Factor Authentication Criteria – LASCON 2014
  • 10. CRITERIA – FROM A SECURITY POINT OF VIEW Page 10 Multi-Factor Authentication Criteria – LASCON 2014
Are there at least two factors? 
•Password + PIN = one factor 
•Password-protected private key? 
–…on a hardware token? 
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
Swivel PIN Safe – Human-Computed Challenge Response 
•But… password + PIN still aren’t two factors? 
–When used in browser, helps against keylogging 
–When used for SMS, actually helps!? 
http://www.swivelsecure.com/devices/browser/
How many communication channels? 
•One? More? Different physical band?
Communication channels (continued) 
•Securing smartphone apps with smartphone tokens…? 
•“plug and play” 
–Factors 
–Channels
When to pull another factor? 
•Once per session, at login. 
•For every high risk transaction, during session. 
•“Risk-based” 
–Determined by context analysis. 
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
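"Risk-based" on this slide means the back end looks at the login context (the IP addresses, locations and date/time signals from the factors slide) and decides whether the password alone is enough or whether a second factor should be pulled. The following example is added here to make that decision logic concrete; it is not from the talk or from any vendor's product. Signals, weights, thresholds, the 900 km/h travel-speed bound and the sample logins are all assumptions constructed for illustration (the addresses come from the RFC 5737 documentation ranges).

```python
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LoginContext:
    """Signals the back end sees at login time (constructed for this example)."""
    device_id: str
    ip: str
    lat: float
    lon: float
    when: datetime


@dataclass
class UserProfile:
    """What the back end remembers about the user from earlier sessions."""
    known_devices: Set[str]
    trusted_networks: List[ipaddress.IPv4Network]
    last_login: Optional[LoginContext] = None


# Assumed weights and thresholds, chosen for illustration only.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
STEP_UP_FROM, DENY_FROM = 20, 80


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(ctx: LoginContext, profile: UserProfile) -> Tuple[int, List[str]]:
    """Add up context signals; every contribution is recorded so the decision is explainable."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in net for net in profile.trusted_networks):
        score += 20
        reasons.append("untrusted network")
    if ctx.when.hour < 6 or ctx.when.hour >= 22:
        score += 10
        reasons.append("off-hours login")
    prev = profile.last_login
    if prev is not None:
        hours = (ctx.when - prev.when).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, ctx.lat, ctx.lon)
        # Only flag real movement; a zero-time gap at the same place is not "travel".
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 50
            reasons.append("implausible travel since last login")
    return score, reasons


def decide(ctx: LoginContext, profile: UserProfile) -> Tuple[str, int, List[str]]:
    """Map the score to: allow on password alone, step_up (pull another factor), or deny."""
    score, reasons = risk_score(ctx, profile)
    if score >= DENY_FROM:
        decision = "deny"
    elif score >= STEP_UP_FROM:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, score, reasons


def demo() -> Dict[str, Tuple[str, int, List[str]]]:
    """Three constructed logins against one profile; returns the decision for each."""
    utc = timezone.utc
    profile = UserProfile(
        known_devices={"laptop-1"},
        trusted_networks=[ipaddress.ip_network("203.0.113.0/24")],
        last_login=LoginContext("laptop-1", "203.0.113.10", 30.27, -97.74,
                                datetime(2014, 10, 24, 9, 0, tzinfo=utc)),  # Austin, 09:00
    )
    austin_later = LoginContext("laptop-1", "203.0.113.20", 30.27, -97.74,
                                datetime(2014, 10, 24, 10, 0, tzinfo=utc))
    new_device = LoginContext("phone-9", "198.51.100.7", 30.27, -97.74,
                              datetime(2014, 10, 24, 10, 0, tzinfo=utc))
    far_away = LoginContext("phone-9", "198.51.100.7", 50.11, 8.68,  # Frankfurt, 1 h later
                            datetime(2014, 10, 24, 10, 0, tzinfo=utc))
    return {"same_device_same_net": decide(austin_later, profile),
            "new_device_new_net": decide(new_device, profile),
            "new_device_impossible_travel": decide(far_away, profile)}


if __name__ == "__main__":
    for name, (decision, score, reasons) in demo().items():
        print(f"{name}: {decision} (score {score}) {reasons}")
```

Returning the reasons alongside the verdict matters operationally: a step-up prompt or a denial that the help desk cannot explain from the log is one that users learn to click through, which is the "unreliable proof of identity" caveat from the earlier slide in practice.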
Enrolling users / tokens 
•Personalization/provisioning of tokens 
•Enrollment in service 
•Central management of credentials 
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf
Crypto 
•There’s crypto everywhere 
–Token challenge-response, digital signatures 
–Transportation security for authentication channels 
•Robustness/diversity 
–More than one set of algorithm types supported? 
•Trust 
–Algorithms 
–Implementations 
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
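The "token challenge-response" bullet is where most of the crypto in a token product sits, and where the evaluation questions from the earlier slides (replay, interception, phishing) are answered or not. The exchange below is an added example, not from the talk or any product it names: a server issues a random nonce, the token answers with an HMAC over the nonce and the server's identity, and the server accepts only a fresh, unexpired, single-use nonce. Binding the server identity into the response means an answer computed for one site is useless to anyone relaying the challenge from another. Server name, message framing, TTL and secrets are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

DOMAIN = b"challenge-response-v1"   # assumed domain separator for this protocol


def compute_response(token_secret: bytes, server_id: bytes, nonce: bytes) -> bytes:
    """Token-side computation: MAC over the server identity and the challenge."""
    return hmac.new(token_secret, DOMAIN + b"|" + server_id + b"|" + nonce, hashlib.sha256).digest()


class Token:
    """The user's device. It answers for the server identity it believes it is talking to."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, server_id: bytes, nonce: bytes) -> bytes:
        return compute_response(self._secret, server_id, nonce)


class AuthServer:
    """Server side: issues nonces, remembers them until used or expired, checks answers."""

    def __init__(self, server_id: bytes, token_secrets: Dict[str, bytes],
                 ttl_seconds: float = 60.0, clock: Callable[[], float] = time.time):
        self._server_id = server_id
        self._token_secrets = token_secrets            # token_id -> enrolled shared secret
        self._pending: Dict[bytes, Tuple[str, float]] = {}  # nonce -> (token_id, issued_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue_challenge(self, token_id: str) -> bytes:
        nonce = secrets.token_bytes(16)                # unpredictable: an attacker cannot pre-compute
        self._pending[nonce] = (token_id, self._clock())
        return nonce

    def verify(self, token_id: str, nonce: bytes, response: bytes) -> bool:
        entry = self._pending.pop(nonce, None)         # consumed on first use, pass or fail
        if entry is None:
            return False                               # unknown, expired-and-purged, or replayed
        issued_for, issued_at = entry
        if issued_for != token_id or self._clock() - issued_at > self._ttl:
            return False
        secret = self._token_secrets.get(token_id)
        if secret is None:
            return False
        expected = compute_response(secret, self._server_id, nonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo: one enrolled token, one server.
    shared = secrets.token_bytes(32)
    server = AuthServer(b"login.example.test", {"tok-1": shared})
    token = Token(shared)
    nonce = server.issue_challenge("tok-1")
    answer = token.respond(b"login.example.test", nonce)
    print(server.verify("tok-1", nonce, answer))       # True
    print(server.verify("tok-1", nonce, answer))       # False: nonce already used
```

Two evaluation questions from this slide map directly onto the code: "trust in algorithms" is the choice of HMAC-SHA256 (swap in a signature scheme if the token holds a private key, as the X.509 bullet on the factors slide implies), and "trust in implementations" is the constant-time comparison, the single-use nonce and the TTL, none of which a vendor brochure will mention.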
EMV-based 
•Mastercard CAP / VISA DPA 
•German Sm@art TAN 
•CrontoSign (photoTAN)… 
https://www.vasco.com/products/products.aspx 
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf 
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
CRITERIA – LESS SECURITY-RELEVANT
$$$ 
•OpEx vs. CapEx 
–Licensing fees (per user, server, year, …?) 
–Token cost 
–… 
http://www.entrust.com/products/entrust-identityguard/
Open Source? 
•Lots of freemium solutions 
•E.g. WikID 
https://www.wikidsystems.com/learn-more/features
Integration with Identity & Access Management Solutions 
•Open Source, e.g. gluu or OpenAM 
•Commercial, e.g. SailPoint, and many more 
http://www.gluu.org/gluu-server/strong-authentication/ 
http://www.sailpoint.com/solutions/products/identityiq/access-manager
Usability 
•Efficiency 
•Ease of use 
•Availability 
•Convenience 
–Is it realistic to expect that every user carries half a dozen hardware tokens with them? 
© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/
(Security) architecture 
•Client-less vs. plug-ins, apps, … 
•Service 
–SaaS / cloud 
–In-house 
•Server side: 
–APIs 
–Logging 
–RADIUS, etc. interfaces
Availability 
•Does it scale? 
–Authentications per second 
•Capacity to bug/security-fix 
–Reputation, history, size, … 
•SLA, redundancy, … 
•Fallback if the cloud is unavailable? 
http://www.earlychildhoodworksheets.com/nature-clipart.html
…AND THE SNAKE OIL?
How to find snake oil? 
•Wait until it finds you, or… Google it! 
•OWASP ‘Guide to Cryptography’ suggests: 
“A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are ‘a breakthrough in cryptography’ or ‘unbreakable’ or provide ‘military grade’ security. If a vendor says ‘trust us, we have had experts look at this,’ chances are they weren't experts!” 
https://www.owasp.org/index.php/Guide_to_Cryptography
Unbreakable, impenetrable, etc. 
from http://www.edulok.com – retrieved 2014-09-23
WWPass (aka EduLok): What might be going on? 
This is abstracted from their public online documentation… haven’t checked out the patents or anything else.
What about “Best in Class”? 
•E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication” 
•Not exempt from marketing blah? ;-) 
http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23
Conclusions 
•Don’t trust the marketing hype! 
•Understand your exposure. 
•Understand which solutions can reduce it. 
•And then look at usability, interoperability, etc.
Contact 
David Ochel 
Blog: http://secuilibrium.com 
Twitter: @lostgravity