Authentication
Who’s There?
Nicholas A. Davis
Information Systems 365
University of Wisconsin-Madison
Today’s Chocolate Bar
• Baby Ruth
• Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle
• Originally named Kandy Kake
• Named after President Grover Cleveland’s daughter, Ruth Cleveland, not after baseball player Babe Ruth
Passwords – Reading Discussion
• Define the root of a password
• Define the appendage of a password
• ! % & $ _zipcode have gotten too easy for password crackers
• Mix upper and lower case in the middle of the password
• Put the appendage in the middle of your root
University Networks -- Reading
• Centralized vs. decentralized
• Faculty and staff demand freedom
• Central data handling policies are weak
• What should universities do to make their network more secure?
Overview
• Authentication defined
• Different types of electronic authentication factors
• Username and Password
• Dialog Spoofing Authentication Attacks
• One Time Password devices (OTP), how they work and don’t work
• Biometrics
• Digital Certificates
• Existing devices which can be used for authentication: Blackberry, mobile phone
• Shared Secret/Ticket based authentication systems
• Knowledge Based Authentication
• The Initial Credentialing Challenge
• Review of Key Concepts
• Who is to Blame For This Authentication Mess?
• SSO Authentication, the realities
• Federated Authentication
• Wireless Authentication issues
• Remaining Issues With Authentication
• What Does the Future Hold?
Authentication Defined
“Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”
Authentication Factors
• Three types of electronic authentication
• Something you know – username/password
• Something you have – one time password device
• Something you are – voiceprint or retinal scan
Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate.
• Multifactor – Using multiple forms of the same factor (password + identifying an image).
• Some people claim multifactor is just a way around industry regulations. A good test is to ask: could I memorize both of these?
Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required
Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via shoulder surfing, keyboard logger or packet sniffer
• Can be guessed
• Can be hard to remember
• Password code is easy to hack
• Video 3
If You Choose to Use Passwords…
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused.
• May not contain any portion of your name, birthday, address or other publicly available information.
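The rules on this slide, together with the root/appendage point from the reading discussion, as a policy check that a registration or password-change form could run before accepting a password. This is an added example, not code from the lecture; the word list, the sample user details and the six-character minimum (the slide's own figure, kept as a parameter) are constructed values, and the rule set goes slightly beyond the slide by also flagging a root with digits and punctuation merely stuck on the front or the end.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy carries the slide's rules as parameters. The six-character minimum is
// the deck's own figure; a deployment would set it higher.
type Policy struct {
	MinLength  int
	Dictionary []string // constructed sample word list; a real check loads a full one
	History    []string // the user's previous passwords, for the "may not be reused" rule
}

// UserInfo is the "publicly available information" a password must not contain.
type UserInfo struct {
	Names    []string // first and last name, as on the account
	Birthday string   // as typed on forms, e.g. "19800101"
	Address  string
}

// appendageOnly reports whether every digit and punctuation mark sits in a run
// before or after one solid block of letters ("davis1980", "!1Secret"). That is
// the "appendage stuck on a root" pattern from the reading discussion, which
// crackers try first; moving the appendage into the root avoids it.
func appendageOnly(pw string) bool {
	runes := []rune(pw)
	first, last := -1, -1
	for i, r := range runes {
		if unicode.IsLetter(r) {
			if first < 0 {
				first = i
			}
			last = i
		}
	}
	if first < 0 || (first == 0 && last == len(runes)-1) {
		return false // no letters at all, or nothing appended
	}
	for i := first; i <= last; i++ {
		if !unicode.IsLetter(runes[i]) {
			return false // a digit or symbol sits inside the root
		}
	}
	return true
}

// CheckPassword returns every rule the candidate breaks; an empty slice means
// the password satisfies the policy.
func CheckPassword(pw string, user UserInfo, pol Policy) []string {
	has := func(f func(rune) bool) bool { return strings.IndexFunc(pw, f) >= 0 }
	rules := []struct {
		broken bool
		msg    string
	}{
		{len([]rune(pw)) < pol.MinLength, fmt.Sprintf("shorter than %d characters", pol.MinLength)},
		{!(has(unicode.IsUpper) && has(unicode.IsLower)), "no mix of upper and lower case"},
		{!has(unicode.IsDigit), "no digit"},
		{!has(unicode.IsPunct) && !has(unicode.IsSymbol), "no punctuation mark"},
		{appendageOnly(pw), "digits and punctuation only appended to a root"},
	}
	var problems []string
	for _, r := range rules {
		if r.broken {
			problems = append(problems, r.msg)
		}
	}
	low := strings.ToLower(pw)
	// Personal information: any name, the birthday, or any word of the address
	// (3+ characters) appearing anywhere in the password.
	personal := append(append([]string{user.Birthday}, user.Names...), strings.Fields(user.Address)...)
	for _, p := range personal {
		if p = strings.ToLower(p); len(p) >= 3 && strings.Contains(low, p) {
			problems = append(problems, "contains personal information: "+p)
		}
	}
	for _, w := range pol.Dictionary {
		if strings.Contains(low, strings.ToLower(w)) {
			problems = append(problems, "based on dictionary word: "+w)
		}
	}
	for _, old := range pol.History {
		if pw == old {
			problems = append(problems, "reused")
		}
	}
	return problems
}

func main() {
	pol := Policy{MinLength: 6, Dictionary: []string{"password", "secret", "welcome"}, History: []string{"Old1!pass"}}
	user := UserInfo{Names: []string{"Nick", "Davis"}, Birthday: "19800101", Address: "123 Main Street"}
	for _, pw := range []string{"davis1980", "Secret1!", "Ch0c!lateBar"} {
		fmt.Printf("%-14s %v\n", pw, CheckPassword(pw, user, pol))
	}
}
```

Run as written, "davis1980" is rejected four times over (no upper case, no punctuation, a plain appendage, and it contains the user's surname), "Secret1!" fails on the dictionary word and the appendage, and "Ch0c!lateBar" passes because its digit and symbol sit inside the root rather than on the end.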
Dialog Spoofing Authentication Attacks
• The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester”
• A dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use
One Time Password Devices Demystified
• Have an assigned serial number which relates to the user-id. For example, ndavis = serial QB43
• Device generates a new password every 30 seconds
• Server on the other end knows what to expect from serial QB43 at any point in time
One Time Password Devices
• Time based
• Event based
• Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others
• How can event based OTPs be defeated?
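The two slides above describe one mechanism from both ends: the token derives a code from a seed it shares with the server plus either the clock (time based) or a press counter (event based), and the server, knowing which seed is bound to serial QB43, computes what to expect. The following is an added example, not the lecture's code nor any vendor's; it follows the open HOTP (RFC 4226) and TOTP (RFC 6238) constructions, and the serial, user id and seed (the published RFC 4226 test-vector key) are sample values. The event-based verifier shows the server-side discipline the slide's question points at: codes before the last accepted counter are never accepted again, and the look-ahead window is bounded.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const otpDigits = 1000000 // six-digit codes
const timeStep = 30       // seconds, as on the slide

// OTPDevice is the server's record for one token: the serial that "relates to
// user-id" and the seed shared with that token. Serial, user and seed here are
// constructed sample values (the seed is the RFC 4226 test key), not a real
// token's secret.
type OTPDevice struct {
	Serial      string
	UserID      string
	Seed        []byte
	NextCounter uint64 // event-based tokens only: next counter the server will accept
}

// hotp is the common core (RFC 4226): HMAC-SHA1 over an 8-byte counter,
// dynamically truncated to a six-digit code.
func hotp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%otpDigits)
}

// totpCode is what a time-based token displays: the HOTP of the current
// 30-second step (RFC 6238), so the value changes every 30 seconds.
func totpCode(seed []byte, at time.Time) string {
	return hotp(seed, uint64(at.Unix()/timeStep))
}

// verifyTOTP is the server side. Knowing the seed behind the serial, it can
// compute what the token shows "at any point in time"; allowing skew steps
// either side tolerates clock drift between token and server.
func verifyTOTP(dev *OTPDevice, code string, at time.Time, skew int64) bool {
	step := at.Unix() / timeStep
	for d := -skew; d <= skew; d++ {
		if hmac.Equal([]byte(hotp(dev.Seed, uint64(step+d))), []byte(code)) {
			return true
		}
	}
	return false
}

// verifyHOTP is the server side for an event-based token. Only counters at or
// after NextCounter are tried, so an accepted code (and every earlier one)
// cannot be replayed, and the look-ahead window is bounded so a token pressed
// a few times without logging in can resynchronise without the server
// accepting arbitrarily stale codes.
func verifyHOTP(dev *OTPDevice, code string, lookAhead uint64) bool {
	for c := dev.NextCounter; c < dev.NextCounter+lookAhead; c++ {
		if hmac.Equal([]byte(hotp(dev.Seed, c)), []byte(code)) {
			dev.NextCounter = c + 1
			return true
		}
	}
	return false
}

func main() {
	dev := &OTPDevice{Serial: "QB43", UserID: "ndavis", Seed: []byte("12345678901234567890")}
	now := time.Now()
	code := totpCode(dev.Seed, now)
	fmt.Printf("serial %s (%s) shows %s; server accepts it: %v\n",
		dev.Serial, dev.UserID, code, verifyTOTP(dev, code, now, 1))
}
```

Both verifiers compare codes with hmac.Equal rather than == so that a wrong guess takes the same time as a right one, and neither stores the code itself: the server holds only the seed and, for event-based tokens, the next counter it will accept.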
Entrust Identity Guard Can Be Beaten With a Photocopier!
One Time Passwords - Benefits
• Provides true dual factor authentication, making it very difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!
One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery life
• Can be forgotten at home
• Video 1
Biometrics
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
Biometrics Benefits
• Harder to steal than even a one time password, since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor
Biometrics Drawbacks
• Cost
• Complexity of administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• The Gummi Bear thief!
Other Biometric Methods and Associated Issues
• Comparing the face with that on a passport photograph
• Fingerprints
• DNA fingerprinting
• Iris scan
• Retina scan
• Other biometrics
• Signature
• Birthmarks - may be duplicated cosmetically
• Dentition - identity may be mistaken by lack of or falsification of dental X-ray records
Today’s Agenda
• Collect homework!
• Look at a few password cracking tools, demonstrating why username and password is weak!
• Finish lecture on Authentication!
• Class discussion!
• Maybe start lecture on Cryptography!
Today’s Chocolate Bar! - Twix
• Made by Mars
• Called “Raider” in Europe until 1991
• First produced in the UK in 1967
• Introduced to the US in 1979
• Twix, Peanut Butter Twix, Cookies-n-Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc-n-Orange Twix
• Not suitable for strict vegetarians!
Digital Certificates
• A digital passport, either contained on a secure device, or on a hard disk
• Secured with a password, making them truly a dual factor solution
• Can be used to authenticate machines as well as humans
Digital Certificate Benefits
• True dual factor authentication
• Low variable cost to produce
• Can contain authorization data as well as authentication data
Digital Certificate Drawbacks
• High fixed cost to build initial infrastructure
• Can be copied and shared if not properly stored
• Expiration
• Often require access to an interface such as a card reader or USB port, not always available at kiosks
Taking Advantage of Existing Technology
• Your mobile phone can serve as a powerful dual factor authentication device
Shared Secret Based Authentication Mechanisms
• Kerberos
• Needham-Schroeder protocol
• Secure Shell
• Encrypted key exchange (EKE)
• Secure remote password protocol (SRP)
• Closed-loop authentication
• RADIUS
• Diameter (protocol)
• HMAC
• EAP
• Authentication OSID
• CAPTCHA
• Java Authentication and Authorization Service
• Chip Authentication Program
Knowledge Based Authentication
• Authenticates the user via verification of life events, usually financial in nature, such as:
• Looks great at first!
• However, most of this is public information, and that which isn’t public can be easily stolen
• The credit reports on which this knowledge based authentication is based often contain factual errors
• Cost!
Initial Credentialing
• The verification of an individual’s or machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application)
• An authentication credential is only as trustworthy as the underlying credentialing process
• SSN# often serves as base identifier
• What do you think about that?
• Can you think of a more secure base identifier than SSN#? When would it have to be assigned, and by whom?
Key Concepts
• Current online authentication techniques are weak at best: most rely on multiple single factors
• Credentials are easily stolen from consumers and rarely change
• Lack of consistency in authentication processes confuses consumers
Who Is to Blame For the State of Digital Authentication?
• No individual contributor is at fault
• This is really a failure of multiple parties
• OS providers
• Browser providers
• Financial & commerce
• Software providers
• Security vendors
• The financial and commerce institutions
It All Starts With a Better OS
• OS must have security/auth services baked in
• Must not rely on 3rd party applications to enforce security/auth processes
• Best position within the consumer access stack to enforce consistency
Unified Browser and Web Design Standards Needed
• The Internet access browser must contain consistent security/auth processes and indicators for consumers
• Must not try and re-invent the security wheel continuously
• This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”
Single Sign On (SSO), More like RSO
• Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise.
• True SSO is rare, but Reduced Sign On is quite workable
Single Sign On Benefits
• Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
• End to end user audit sessions to improve security reporting and auditing
• Removes application developers from having to understand and implement identity security in their applications
• Usually results in significant password help desk cost savings
Document Authentication
• Humans and machines are easy to authenticate, but what about documents?
• Digital certificates to the rescue
• A digital signature, generated by a private key, can prove who authored the document and can verify that the contents have not been altered from their original form
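The signing step described above, as an added example that is not part of the lecture. It uses Ed25519 from Go's standard library and stands in for the certificate lookup with a small map from author name to public key (a hypothetical TrustStore), since binding a name to a key is exactly what the author's certificate would supply; the seed strings and the document text are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedDocument bundles a document with the claimed author and the signature
// that author's private key produced over the body.
type SignedDocument struct {
	Author    string
	Body      []byte
	Signature []byte
}

// TrustStore stands in for the certificate lookup: which public key belongs to
// which author. In a PKI this binding comes from the author's certificate.
type TrustStore map[string]ed25519.PublicKey

// authorKey derives a key pair from a constructed seed string so the example
// is reproducible. A real private key is generated at random and kept on the
// secure device or password-protected file the slides describe.
func authorKey(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	sum := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(sum[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// SignDocument is what the author does once, with the private key.
func SignDocument(priv ed25519.PrivateKey, author string, body []byte) SignedDocument {
	return SignedDocument{Author: author, Body: body, Signature: ed25519.Sign(priv, body)}
}

// VerifyDocument is what any recipient does, with public information only:
// it reports whether the document is authentic and, if not, why.
func VerifyDocument(doc SignedDocument, trusted TrustStore) (bool, string) {
	pub, ok := trusted[doc.Author]
	if !ok {
		return false, "no trusted key for author " + doc.Author
	}
	if !ed25519.Verify(pub, doc.Body, doc.Signature) {
		return false, "signature does not verify: body altered or not signed by this author"
	}
	return true, "authentic"
}

func main() {
	pubNick, privNick := authorKey("constructed seed for ndavis")
	trusted := TrustStore{"ndavis": pubNick}

	doc := SignDocument(privNick, "ndavis", []byte("Homework 3 is due Friday."))
	fmt.Println(VerifyDocument(doc, trusted))

	// Alter one word after signing: the signature no longer matches the body.
	altered := doc
	altered.Body = []byte("Homework 3 is due Monday.")
	fmt.Println(VerifyDocument(altered, trusted))

	// Claim a different author: there is no trusted key for that name.
	forged := doc
	forged.Author = "mallory"
	fmt.Println(VerifyDocument(forged, trusted))
}
```

The two failure paths are deliberately distinct: an altered body or a signature from some other private key fails the mathematical check, while an author the recipient has no key for fails the trust lookup before any verification happens, which is the gap a certificate authority fills.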
Authentication Federation
• The average user today interacts with all sorts of social, business, financial and government agencies digitally.
• Each of these requires their own id and password as user authentication.
• As a result, the user is increasingly frustrated with:
• Having to remember multiple user ids and passwords
• Providing more identity information than they would otherwise choose to each entity
Authentication Federation
• Allows transitional trust among institutional membership
• For example, if Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc.
• Hard to enforce credentialing standards
• Relies a LOT on trusting that the other institution did the right thing
Wireless Authentication
• Wiring actually provides an additional layer of protection, requiring physical access
• Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access
• Authenticate with username/password + MAC address, for example.
• Put the wireless network on a firewalled subnet
• WPA is better than WEP, but not the answer to everything.
• “Opportunity to Authenticate” is the principle to keep in mind here as the most serious threat…
Securing Wireless Network Authentication
• All wireless LAN devices need to be secured: MAC address, static IP address, secure subnet, etc.
• All users of the wireless network need to be educated in wireless network security
• All wireless networks need to be actively monitored for weaknesses and breaches
Wireless is Still Too New to Be Trusted
• Too many competing protocols, each of which can have its own set of security risks
• WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI… The list goes on!
Remaining Issues With Authentication
• Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue
• Currently, when we send email, we simply trust that george.bush@whitehouse.gov really is the President… This isn’t sufficient
• We need a method to look up people in a trustworthy manner
• Trusted and centralized LDAP to the rescue!
• Sadly, inter-organizational trusted LDAP access isn’t used.
The Best Solution is a Hybrid Solution
• No, not that kind of hybrid! Way overused term
• Passwords can be guessed or hacked
• Physical devices can be stolen
• Biometrics are costly and unreliable
• Use a mix of the above technologies to achieve the best authentication security
• Audit, Audit, Audit!!!
What Does the Future Hold?
• Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”?
• Benefits of a federal digital identity system?
• Drawbacks of a federal digital identity system?
• How do you feel about the current state of electronic authentication systems?
Authentication technologies

 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Nicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Nicholas Davis
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewNicholas Davis
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectNicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...Nicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Nicholas Davis
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing EducationNicholas Davis
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An OverviewNicholas Davis
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNicholas Davis
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Nicholas Davis
 

Mais de Nicholas Davis (20)

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) Assessment
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support Systems
 
Lecture blockchain
Lecture blockchainLecture blockchain
Lecture blockchain
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development Methodologies
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD Security
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets Personal
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team Project
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up Summary
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing Education
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security Implications
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
 

Último

Web Development Solutions 2024 A Beginner's Comprehensive Handbook.pdf
Web Development Solutions 2024 A Beginner's Comprehensive Handbook.pdfWeb Development Solutions 2024 A Beginner's Comprehensive Handbook.pdf
Web Development Solutions 2024 A Beginner's Comprehensive Handbook.pdfSeasia Infotech
 
Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...
Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...
Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...HostedbyConfluent
 
Aggregating Ad Events with Kafka Streams and Interactive Queries at Invidi
Aggregating Ad Events with Kafka Streams and Interactive Queries at InvidiAggregating Ad Events with Kafka Streams and Interactive Queries at Invidi
Aggregating Ad Events with Kafka Streams and Interactive Queries at InvidiHostedbyConfluent
 
Error Handling with Kafka: From Patterns to Code
Error Handling with Kafka: From Patterns to CodeError Handling with Kafka: From Patterns to Code
Error Handling with Kafka: From Patterns to CodeHostedbyConfluent
 
Attacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit LondonAttacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit LondonHostedbyConfluent
 
Bridge to the Future: Migrating to KRaft
Bridge to the Future: Migrating to KRaftBridge to the Future: Migrating to KRaft
Bridge to the Future: Migrating to KRaftHostedbyConfluent
 
Technology Governance & Migration In The AI Era
Technology Governance & Migration In The AI EraTechnology Governance & Migration In The AI Era
Technology Governance & Migration In The AI Era2toLead Limited
 
AsyncAPI v3: What’s New? | Kafka Summit London
AsyncAPI v3: What’s New? | Kafka Summit LondonAsyncAPI v3: What’s New? | Kafka Summit London
AsyncAPI v3: What’s New? | Kafka Summit LondonHostedbyConfluent
 
Case Study: Implementing a Data Mesh at NORD/LB
Case Study: Implementing a Data Mesh at NORD/LBCase Study: Implementing a Data Mesh at NORD/LB
Case Study: Implementing a Data Mesh at NORD/LBHostedbyConfluent
 
Women in Automation 2024: Technical session - Get your career started in auto...
Women in Automation 2024: Technical session - Get your career started in auto...Women in Automation 2024: Technical session - Get your career started in auto...
Women in Automation 2024: Technical session - Get your career started in auto...DianaGray10
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemSafe Software
 
How Do You Query a Stream? | Kafka Summit London
How Do You Query a Stream? | Kafka Summit LondonHow Do You Query a Stream? | Kafka Summit London
How Do You Query a Stream? | Kafka Summit LondonHostedbyConfluent
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureAntonio de Llamas
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementDianaGray10
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024BookNet Canada
 
Data Contracts In Practice With Debezium and Apache Flink
Data Contracts In Practice With Debezium and Apache FlinkData Contracts In Practice With Debezium and Apache Flink
Data Contracts In Practice With Debezium and Apache FlinkHostedbyConfluent
 
Exactly-once Stream Processing with Arroyo and Kafka
Exactly-once Stream Processing with Arroyo and KafkaExactly-once Stream Processing with Arroyo and Kafka
Exactly-once Stream Processing with Arroyo and KafkaHostedbyConfluent
 
Build Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQL
Build Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQLBuild Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQL
Build Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQLHostedbyConfluent
 
Apache Kafka's Common Pitfalls & Intricacies: A Customer Support Perspective
Apache Kafka's Common Pitfalls & Intricacies: A Customer Support PerspectiveApache Kafka's Common Pitfalls & Intricacies: A Customer Support Perspective
Apache Kafka's Common Pitfalls & Intricacies: A Customer Support PerspectiveHostedbyConfluent
 

Último (20)

Web Development Solutions 2024 A Beginner's Comprehensive Handbook.pdf
Web Development Solutions 2024 A Beginner's Comprehensive Handbook.pdfWeb Development Solutions 2024 A Beginner's Comprehensive Handbook.pdf
Web Development Solutions 2024 A Beginner's Comprehensive Handbook.pdf
 
Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...
Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...
Leveraging Tiered Storage in Strimzi-Operated Kafka for Cost-Effective Stream...
 
Aggregating Ad Events with Kafka Streams and Interactive Queries at Invidi
Aggregating Ad Events with Kafka Streams and Interactive Queries at InvidiAggregating Ad Events with Kafka Streams and Interactive Queries at Invidi
Aggregating Ad Events with Kafka Streams and Interactive Queries at Invidi
 
Error Handling with Kafka: From Patterns to Code
Error Handling with Kafka: From Patterns to CodeError Handling with Kafka: From Patterns to Code
Error Handling with Kafka: From Patterns to Code
 
Attacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit LondonAttacking (and Defending) Apache Kafka | Kafka Summit London
Attacking (and Defending) Apache Kafka | Kafka Summit London
 
Bridge to the Future: Migrating to KRaft
Bridge to the Future: Migrating to KRaftBridge to the Future: Migrating to KRaft
Bridge to the Future: Migrating to KRaft
 
Technology Governance & Migration In The AI Era
Technology Governance & Migration In The AI EraTechnology Governance & Migration In The AI Era
Technology Governance & Migration In The AI Era
 
AsyncAPI v3: What’s New? | Kafka Summit London
AsyncAPI v3: What’s New? | Kafka Summit LondonAsyncAPI v3: What’s New? | Kafka Summit London
AsyncAPI v3: What’s New? | Kafka Summit London
 
Case Study: Implementing a Data Mesh at NORD/LB
Case Study: Implementing a Data Mesh at NORD/LBCase Study: Implementing a Data Mesh at NORD/LB
Case Study: Implementing a Data Mesh at NORD/LB
 
Women in Automation 2024: Technical session - Get your career started in auto...
Women in Automation 2024: Technical session - Get your career started in auto...Women in Automation 2024: Technical session - Get your career started in auto...
Women in Automation 2024: Technical session - Get your career started in auto...
 
The Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data EcosystemThe Critical Role of Spatial Data in Today's Data Ecosystem
The Critical Role of Spatial Data in Today's Data Ecosystem
 
How Do You Query a Stream? | Kafka Summit London
How Do You Query a Stream? | Kafka Summit LondonHow Do You Query a Stream? | Kafka Summit London
How Do You Query a Stream? | Kafka Summit London
 
Tecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for RotogravureTecnogravura, Cylinder Engraving for Rotogravure
Tecnogravura, Cylinder Engraving for Rotogravure
 
Automation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions managementAutomation Ops Series: Session 3 - Solutions management
Automation Ops Series: Session 3 - Solutions management
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
 
Data Contracts In Practice With Debezium and Apache Flink
Data Contracts In Practice With Debezium and Apache FlinkData Contracts In Practice With Debezium and Apache Flink
Data Contracts In Practice With Debezium and Apache Flink
 
Exactly-once Stream Processing with Arroyo and Kafka
Exactly-once Stream Processing with Arroyo and KafkaExactly-once Stream Processing with Arroyo and Kafka
Exactly-once Stream Processing with Arroyo and Kafka
 
Build Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQL
Build Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQLBuild Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQL
Build Copilots on Streaming Data with Generative AI, Kafka Streams and Flink SQL
 
Apache Kafka's Common Pitfalls & Intricacies: A Customer Support Perspective
Apache Kafka's Common Pitfalls & Intricacies: A Customer Support PerspectiveApache Kafka's Common Pitfalls & Intricacies: A Customer Support Perspective
Apache Kafka's Common Pitfalls & Intricacies: A Customer Support Perspective
 

Authentication technologies

1. Authentication – Who’s There?
• Nicholas A. Davis
• Information Systems 365
• University of Wisconsin-Madison

2. Today’s Chocolate Bar
• Baby Ruth
• Created in 1920 by the Curtiss Candy Company, in Chicago, now made by Nestle
• Originally named Kandy Kake
• Named after President Grover Cleveland’s daughter, Ruth Cleveland, not after baseball player Babe Ruth

3. Passwords – Reading Discussion
• Define the root of a password?
• Define the appendage of a password
• ! % & $ _zipcode have gotten too easy for password crackers
• Mix upper and lower case in the middle of the password
• Put the appendage in the middle of your root

4. University Networks – Reading
• Centralized vs. decentralized
• Faculty and Staff demand freedom
• Central data handling policies are weak
• What should universities do to make their network more secure?

5. Overview
• Authentication defined
• Different types of electronic authentication factors
• Username and Password
• Dialog Spoofing Authentication Attacks
• One Time Password devices (OTP), how they work and don’t work
• Biometrics
• Digital Certificates
• Existing devices which can be used for authentication: Blackberry, Mobile Phone
• Shared Secret/Ticket based authentication systems
• Knowledge Based Authentication
• The Initial Credentialing Challenge
• Review of Key Concepts
• Who is to Blame For This Authentication Mess?
• SSO Authentication, the realities
• Federated Authentication
• Wireless Authentication issues
• Remaining Issues With Authentication
• What Does the Future Hold?

6. Authentication Defined
“Electronic authentication provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment. Thus, electronic authentication plays a key role in the establishment of trust relationships for electronic commerce, electronic government and many other social interactions. It is also an essential component of any strategy to protect information systems and networks, financial data, personal information and other assets from unauthorised access or identity theft. Electronic authentication is therefore essential for establishing accountability online.”
7. Authentication Factors
• Three types of electronic authentication
• Something you know – username/password
• Something you have – One time password device
• Something you are – Voiceprint or retinal scan

8. Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate
• Multifactor – Using multiple forms of the same factor (Password + identifying an image)
• Some people claim multi factor is just a way around industry regulations. A good test is to ask: could I memorize both of these?

9. Username and Password – Benefits
• Most widely used electronic authentication mechanism in the world
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required

10. Username and Password – Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via Shoulder Surfing, Keyboard Logger, Packet Sniffer
• Can be guessed
• Can be hard to remember
• Password code is easy to hack
• Video 3

11. If You Choose to Use Passwords…
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused
• May not contain any portion of your name, birthday, address or other publicly available information

12. Dialog Spoofing Authentication Attacks
• The biggest threat to authentication security is users unintentionally giving away their credentials to a “harvester”
• A dialog spoofing attack makes the user think they are communicating with a trusted source, but actually grabs the credentials for its own malicious use

13. One Time Password Devices Demystified
• Have an assigned serial number which relates to the user-id. For example, ndavis = serial QB43
• Device generates a new password every 30 seconds
• Server on the other end knows what to expect from serial QB43 at any point in time

14. One Time Password Devices
• Time based
• Event based
• Sold by RSA, Vasco, Verisign, Aladdin, Entrust and others
• How can event based OTPs be defeated?
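The time-based and event-based devices of slides 13 and 14, written out as an added example (not part of the slide deck) using the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions, together with the server-side checks a verifier needs: a drift window, and a refusal to accept any step or counter at or below the last one accepted. The serial QB43 and user ndavis come from slide 13; the shared secret is the RFC test-vector value so the codes can be checked against published vectors; the `OtpServer` class and its method names are this example's own.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6
TIME_STEP = 30  # seconds: the "new password every 30 seconds" of slide 13

# Shared secret from the RFC 4226/6238 test vectors, so the codes produced
# here can be checked against the published values. A real token would be
# provisioned with a random per-device secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=DIGITS, step=TIME_STEP):
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step.
    This is the time-based device of slide 14."""
    return hotp(secret, unix_time // step, digits)


class OtpServer:
    """The 'server on the other end' of slide 13: for each device serial it
    stores the user the token was issued to, the shared secret, and the last
    time step or event counter it accepted, so no code is ever accepted twice."""

    def __init__(self):
        self._devices = {}

    def enroll(self, serial, user, secret, event_based=False):
        self._devices[serial] = {
            "user": user, "secret": secret, "event_based": event_based,
            "last": -1,  # last accepted time step or event counter
        }

    def _lookup(self, serial, user, event_based):
        dev = self._devices.get(serial)
        if dev is None or dev["user"] != user or dev["event_based"] != event_based:
            return None
        return dev

    def verify_time_based(self, serial, user, code, unix_time, window=1):
        """Accept the code for the current step or `window` steps either side
        (token clock drift), but never a step at or before the last accepted
        one: a TOTP code stays valid for the whole 30 s window, so without the
        replay check the same code typed twice would be accepted twice."""
        dev = self._lookup(serial, user, event_based=False)
        if dev is None:
            return False
        now = unix_time // TIME_STEP
        for step in range(now - window, now + window + 1):
            if step <= dev["last"]:
                continue
            if hmac.compare_digest(hotp(dev["secret"], step), code):
                dev["last"] = step
                return True
        return False

    def verify_event_based(self, serial, user, code, look_ahead=5):
        """Event-based tokens advance a counter on each button press. The
        server tries only the next `look_ahead` counters after the last one it
        accepted, tolerating presses that never reached it, and rejects any
        code whose counter is at or below the last accepted value."""
        dev = self._lookup(serial, user, event_based=True)
        if dev is None:
            return False
        first = dev["last"] + 1
        for counter in range(first, first + look_ahead):
            if hmac.compare_digest(hotp(dev["secret"], counter), code):
                dev["last"] = counter
                return True
        return False


if __name__ == "__main__":
    server = OtpServer()
    server.enroll("QB43", "ndavis", RFC_SECRET)  # slide 13's example pairing
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code for serial QB43:", code)
    print("first use accepted:", server.verify_time_based("QB43", "ndavis", code, now))
    print("replay accepted:", server.verify_time_based("QB43", "ndavis", code, now))
```

The second `verify_time_based` call in the demo returns False: the step has already been consumed, which is the check that turns a 30-second window into a single-use code.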
15. Entrust Identity Guard Can Be Beaten With a Photocopier!

16. One Time Passwords – Benefits
• Provides true Dual Factor authentication, making it very difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!

17. One Time Passwords – Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery Life
• Can be forgotten at home
• Video 1

18. Biometrics
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint

19. Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor

20. Biometrics Drawbacks
• Cost
• Complexity of Administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• The Gummi Bear thief!

21. Other Biometric Methods and Associated Issues
• Comparing the face with that on a passport photograph
• Fingerprints
• DNA fingerprinting
• Iris scan
• Retina scan
• Other biometrics
• Signature
• Birthmarks – May be duplicated cosmetically
• Dentition – Identity may be mistaken by lack of or falsification of dental X-ray records

22. Today’s Agenda
• Collect homework!
• Look at a few password cracking tools, demonstrating why username and password is weak!
• Finish lecture on Authentication!
• Class Discussion!
• Maybe Start Lecture on Cryptography!

23. Today’s Chocolate Bar! – Twix
• Made by Mars
• Called “Raider” in Europe until 1991
• First produced in the UK in 1967
• Introduced to the US in 1979
• Twix, Peanut Butter Twix, Cookies-n-Cream Twix, Chocolate Fudge Twix, Triple Chocolate Twix, Choc-n-Orange Twix
• Not suitable for strict vegetarians!

24. Digital Certificates
• A digital passport, either contained on a secure device, or on a hard disk
• Secured with a password, making them truly a dual factor solution
• Can be used to authenticate machines as well as humans

25. Digital Certificate Benefits
• True Dual Factor Authentication
• Low variable cost to produce
• Can contain authorization data as well as authentication data

26. Digital Certificate Drawbacks
• High fixed cost to build initial infrastructure
• Can be copied and shared if not properly stored
• Expiration
• Often require access to an interface such as a card reader or USB port, not always available at kiosks

27. Taking Advantage of Existing Technology
• Your mobile phone can serve as a powerful dual factor authentication device

28. Shared Secret Based Authentication Mechanisms
• Kerberos
• Needham-Schroeder protocol
• Secure Shell
• Encrypted key exchange (EKE)
• Secure remote password protocol (SRP)
• Closed-loop authentication
• RADIUS
• Diameter (protocol)
• HMAC
• EAP
• Authentication OSID
• CAPTCHA
• Java Authentication and Authorization Service
• Chip Authentication Program

29. Knowledge Based Authentication
• Authenticates the user via verification of life events, usually financial in nature, such as:
• Looks great at first!
• However, most of this is public information, and that which isn’t public can be easily stolen
• The credit reports on which this knowledge based authentication is based often contain factual errors
• Cost!

30. Initial Credentialing
• The verification of an individual’s or machine’s identity prior to assignment of an authentication identifier (DMV, Passport Agency, Library Card, Credit Card Application)
• An authentication credential is only as trustworthy as the underlying credentialing process
• SSN# often serves as base identifier
• What do you think about that?
• Can you think of a more secure base identifier than SSN#? When would it have to be assigned and by whom?

31. Key Concepts
• Current online authentication techniques are weak at best: most rely on multiple single factors
• Credentials are easily stolen from consumers and rarely change
• Lack of consistency in authentication processes confuses consumers

32. Who Is to Blame For the State of Digital Authentication?
• No individual contributor is at fault
• This is really a failure of multiple parties
• OS Providers
• Browser Providers
• Financial & Commerce
• Software Providers
• Security Vendors
• The Financial and Commerce Institutions

33. It All Starts With a Better OS
• OS must have security/auth services baked in
• Must not rely on 3rd party applications to enforce security/auth processes
• Best position within the consumer access stack to enforce consistency

34. Unified Browser and Web Design Standards Needed
• The Internet access browser must contain consistent security/auth processes and indicators for consumers
• Must not try and re-invent the security wheel continuously
• This is usually why users pick weak passwords – to preserve their sanity and avoid “token necklace” or “fat wallet syndrome”

35. Single Sign On (SSO), More like RSO
• Single Sign On (SSO) (also known as Enterprise Single Sign On or "ESSO") is the ability for a user to enter the same id and password to log on to multiple applications within an enterprise.
• True SSO is rare, but Reduced Sign On is quite workable

36. Single Sign On Benefits
• Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise
• End to end user audit sessions to improve security reporting and auditing
• Removes application developers from having to understand and implement identity security in their applications
• Usually results in significant password help desk cost savings

37. Document Authentication
• Humans and machines are easy to authenticate, but what about documents?
• Digital certificates to the rescue
• A digital signature, generated by a private key, can prove who authored the document and can verify that the contents have not been altered from their original form

38. Authentication Federation
• The average user today interacts with all sorts of social, business, financial and government agencies digitally.
• Each of these requires its own id and password as user authentication.
• As a result, the user is increasingly frustrated with:
• Having to remember multiple user ids and passwords
• Providing more identity information than they would otherwise choose to each entity

39. Authentication Federation
• Allows transitional trust among institutional membership
• For example, if Nick wants to look up a scholarly article at Penn State, UW can tell Penn State that this request comes from an authenticated and authorized user without giving out my name, etc.
• Hard to enforce credentialing standards
• Relies a LOT on trusting that the other institution did the right thing

40. Wireless Authentication
• Wiring actually provides an additional layer of protection, requiring physical access
• Once this goes away, as is the case on a wireless network, you need to find another method to make up for the loss of physical security which best emulates physical access
• Authenticate with username/password + MAC address, for example.
• Put the wireless network on a firewalled subnet
• WPA is better than WEP, but not the answer to everything.
• “Opportunity to Authenticate” is the principle to keep in mind here as the most serious threat…

41. Securing Wireless Network Authentication
• All wireless LAN devices need to be secured: MAC address, static IP address, secure subnet, etc.
• All users of the wireless network need to be educated in wireless network security
• All wireless networks need to be actively monitored for weaknesses and breaches

42. Wireless is Still Too New to Be Trusted
• Too many competing protocols, each of which can have its own set of security risks
• WEP encryption, WPA, WPA2, 802.1X, LEAP, PEAP, TKIP, RADIUS, WAPI… The list goes on!

43. Remaining Issues With Authentication
• Authenticating the originator is as important as authenticating the receiver, but few people pay attention to this issue
• Currently, when we send email, we simply trust that george.bush@whitehouse.gov really is the President… This isn’t sufficient
• We need a method to look up people in a trustworthy manner
• Trusted and centralized LDAP to the rescue!
• Sadly, inter-organizational trusted LDAP access isn’t used.

44. The Best Solution is a Hybrid Solution
• No, not that kind of hybrid! Way overused term
• Passwords can be guessed or hacked
• Physical devices can be stolen
• Biometrics are costly and unreliable
• Use a mix of the above technologies to achieve the best authentication security
• Audit, Audit, Audit!!!

45. What Does the Future Hold?
• Will the federal government get involved with **official** electronic credentials such as a “U.S. Citizen Digital Identity”?
• Benefits of a federal digital identity system?
• Drawbacks of a federal digital identity system?
• How do you feel about the current state of electronic authentication systems?