This document discusses concerns with some commonly used multi-factor authentication technologies. It notes that SMS one-time passwords have been circumvented by intercepting SMS messages from phones. Biometric authentication using fingerprints can be fooled by high-quality images or lifts of fingerprints. Location-based authentication poses issues if GPS signals can be spoofed. The document argues that many multi-factor authentication methods in use may not adequately consider security threats.
2. www.owasp.org
Clare Nelson, CISSP
• Scar tissue
– Encrypted TCP/IP variants for NSA
– Product Management at DEC (HP), EMC2
– Director Global Alliances at Dell, Novell (IAM)
– VP Business Development, MetaIntelli (Mobile Security)
– CEO ClearMark, MFA Technology and Architecture
• 2001 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: HackFormers; BSides Austin; LASCON; AppSec; clients including Fortune 500 financial services, Identity Management
• B.S. Mathematics
3. www.owasp.org
Scope
• External customers, consumers
– Not internal employees, no hardware tokens
– IoT preview
• No authentication protocols
– OAuth, OpenID, UMA, SCIM, SAML
• United States
– EU regulations
o France: legal constraints for biometrics; need authorization from the National Commission for Informatics and Liberty (CNIL)1
– India: e-commerce Snapdeal, Reserve Bank of India
o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002
1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
2Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
4. www.owasp.org
NIST Definition1
Origin of definition?
• NIST: might be Gene Spafford, or “ancient lore”2
– @TheRealSpaf, “Nope — that's even older than me!”3
– 1970s? NSA? Academia?
1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
2Source: February 26, 2015 email response from a NIST SP 800-63-2 author
3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
5. www.owasp.org
How can one write a guide based on a definition of unknown, ancient origin?
How can you implement MFA without a current, coherent definition?
Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
6. www.owasp.org
NIST versus New Definitions
Multi-Factor Authentication (MFA) Factors:
• Knowledge
• Possession
– Mobile device identification
• Inherence
– Biometrics: Physical or Behavioral
• Location
– Geolocation
– Geofencing
– Geovelocity
• Time1
NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”2
1Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
2Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
7. www.owasp.org
Authentication in an Internet Banking Environment
• OUT: Simple device identification
• IN: Complex device identification, “digital fingerprinting”: use PC configuration, IP address, geo-location, other factors
– Implement time of day restrictions for funds transfers
– Consider keystroke dynamics, biometric-based responses1
1Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
“…virtually every authentication technique can be compromised”
8. www.owasp.org
State of the Market
“…time to alter how authentication is done …it doesn't meet today’s demands ….the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a ‘Tower of Babel’ for authentication.”1
– Phil Dunkelberger, CEO Nok Nok Labs
1Source: http://www.networkworld.com/article/2161675/security/pgp-corp--co-founder-s-startup-targets-cloud-authentication.html
9. www.owasp.org
Why 200+ MFA Vendors?
Authentication has been the Holy Grail since the early days of the Web.1
The iPhone of Authentication has yet to be invented.2
1Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
2Source: Clare Nelson, February 2015.
10. www.owasp.org
Suboptimal Choices
Authentication Factors/Technology
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
– One-Time Password (OTP)
3. Quick Response (QR) codes
4. Overreliance on GPS, location
5. JavaScript
6. Weak, arcane, account recovery
7. Assumption mobile devices are secure
8. Encryption (without disclaimers)
– Quantum computing may break RSA or ECC by 20301
• Update on NSA’s $80M Penetrating Hard Targets project2
– Encryption backdoors, is it NSA-free and NIST-free cryptography?
– “No mysterious constants or ‘magic numbers’ of unknown provenance”3
1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
2Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
3Source: https://www.grc.com/sqrl/sqrl.htm
11. www.owasp.org
Irrational Exuberance of Biometric Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
- Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
- Driven by increase of fingerprint scanners in smartphones1
Samsung Pay
1Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
14. www.owasp.org
2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula von der Leyen
– From photographs1,2
• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany
– Won IsTouchIDHackedYet.com competition3
• 2006: Published research on hacking fingerprint recognition systems4
1Source: https://www.youtube.com/watch?v=vVivA0eoNGM
2Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
3Source: http://istouchidhackedyet.com
4Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
16. www.owasp.org
Android: Remote Fingerprint Theft at Scale1
“…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”2
1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
2Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/
Diagram: Hardware / User Space / Kernel Space
17. www.owasp.org
Krissler versus Riccio
“Don't use fingerprint recognition systems for security relevant applications!”1
– Jan Krissler (Starbug)
“Fingerprints are one of the best passwords in the world.”2
– Dan Riccio, SVP, Apple
1Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
2Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-fbi-believed-legendary-fight-3181991
19. www.owasp.org
Behavioral Biometrics: Invisible Challenge
• Detect threats based on user interaction with online and mobile applications
• Analyze 400+ bio-behavioral, cognitive and physiological parameters
– Invisible challenge: no user interaction for step-up authentication
– How you find a missing cursor1
1Source: http://www.biocatch.com
20. www.owasp.org
Fingerprinting Web Users Via Font Metrics1
• Browser variations
– Version
– What fonts are installed
– Other settings
• Font metric–based fingerprinting
– Measure onscreen size of font glyphs
• Effective against Tor Browser
1Source: http://fc15.ifca.ai/preproceedings/paper_83.pdf
21. www.owasp.org
Biometrics: In Use, Proposed
• Fingerprints 2D, 3D via ultrasonic waves
• Palms: prints and/or the whole hand (feet?)
• Signature
• Keystroke dynamics, typing style, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head – its shape, specific movements
• Ears, lip prints
• Gait, Odor, DNA, Pills, Tattoos
• ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home security)
• EEG1
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2
1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
2Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
22. www.owasp.org
“Thought Auth”1
EEG Biosensor
• MindWave™ headset2
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security3
1Source: Clare Nelson, March 2015
2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
3Source: http://www.technewsworld.com/story/77762.html
24. www.owasp.org
How do you stump an MFA vendor?
Ask for a threat model.
Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
25. www.owasp.org
“Fingerprints are Usernames, Not Passwords”
“… biometrics cannot, and absolutely must not, be used to authenticate an identity”1
– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
1Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
26. www.owasp.org
@drfuture on Biometrics
Hidden Risks
1. Biometric reliability and the perception of it
2. Lack of discussion of the consequences of errors
3. Biometric data’s irreversibility and the implications
4. Our biometrics can be grabbed without our consent
5. Our behavior can rat us out – sometimes incorrectly
6. Giving our biometric and behavioral data may be (de facto) mandatory
7. Biometric data thieves and aggregators1
Diagram: accuracy of a biometric system versus match threshold
1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
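As an added illustration of hidden risks 1 and 2 (this is not code from the slides or from Keenan's paper), the following Python shows what the accuracy diagram's threshold actually trades off: the false accept rate against the false reject rate of a verifier. The match scores are constructed sample data, not measurements of any real system.

```python
# Constructed verifier match scores (0..100): same-person comparisons should
# score high and different-person comparisons low, but the two distributions
# overlap, so any single threshold produces some errors of each kind.
GENUINE = [62, 70, 74, 78, 81, 83, 85, 88, 90, 93, 95, 97]   # same person
IMPOSTOR = [12, 20, 25, 31, 38, 44, 51, 58, 64, 69, 73, 80]  # different person


def far(threshold, impostor=IMPOSTOR):
    """False Accept Rate: fraction of impostor attempts scoring at or above threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Reject Rate: fraction of genuine attempts scoring below threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Integer threshold where FAR and FRR are closest, returned with both rates.
    The common rate there is the equal error rate; lower means a more accurate system."""
    t = min(range(101), key=lambda x: abs(far(x, impostor) - frr(x, genuine)))
    return t, far(t, impostor), frr(t, genuine)


def tradeoff(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Rows of (threshold, FAR, FRR). Raising the threshold lowers FAR (security)
    at the cost of FRR (usability); a vendor's "accuracy" figure hides this knob."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]


def expected_false_accepts(threshold, impostor_attempts, impostor=IMPOSTOR):
    """Consequence of errors (risk 2): impostor attempts accepted at this threshold."""
    return far(threshold, impostor) * impostor_attempts


if __name__ == "__main__":
    for t, fa, fr in tradeoff([50, 60, 71, 80, 90]):
        print(f"threshold {t:3d}  FAR {fa:.3f}  FRR {fr:.3f}")
    print("equal error point:", equal_error_point())
```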
27. www.owasp.org
What Will Cause Biometric Backlash?
• Difficult to reset, revoke
• Exist in public domain, and elsewhere (1M+ fingerprints stolen in 2015 OPM breach1)
• May undermine privacy, make identity theft more likely2
• Persist in government and private databases, accreting information whether we like it or not3
• User acceptance or preference varies by geography, demographic
1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
28. www.owasp.org
SMS OTP Attacks
• Intel’s Dmitrienko, et al
- Circumvented SMS OTP of 4 large banks1
• Northeastern University and Technische Universität Berlin
- “SMS OTP systems cannot be considered secure anymore”2
• SMS OTP threat model
- Physical access to phone
- SIM swap attack
- Wireless interception
- Mobile phone trojans3
1Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
2,3Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
29. www.owasp.org
SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated 2FA
- 2014, discovered by Trend Micro1
- European, Japanese banks
- Online banking
1. Customer enters username, password
2. Token sent to mobile device (SMS OTP)
3. Customer enters token (OTP)
- Attackers scraped SMS OTPs off customers’ Android phones2, 3
1Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
2Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
3Source: https://www.youtube.com/watch?v=gchKFumYHWc
31. www.owasp.org
QR Code Risks1
VASCO two-factor authentication
• User captures QR code with mobile device
• User enters PIN code to log on, or validate transaction2
QR code redirects user to URL
• Even if the URL is displayed, not everyone reads
• Could link to a malicious website
1Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
2Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
32. www.owasp.org
Overreliance on Location
• GPS spoofing1
• Cellphone power meter can be turned into a GPS2
• PowerSpy gathers information about an Android phone’s geolocation by tracking its power use over time
– That data, unlike GPS or Wi-Fi location tracking, is freely available to any installed app without a requirement to ask the user’s permission3
1Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
2Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
3Source: http://www.wired.com/2015/02/powerspy-phone-tracking/
35. www.owasp.org
Account Recovery1
Apple Two-Step Authentication
• What if I lose my Recovery Key?
• Go to My Apple ID, create a new Recovery Key using your Apple ID password and one of your trusted devices.1
1Source: https://support.apple.com/en-us/HT204152
36. www.owasp.org
“Mobile is the New Adversarial Ingress Point.”1
– Lee Cocking, VP Product Strategy at GuardTime
1Source: http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices
37. www.owasp.org
What’s Wrong with Mobile Device as Authentication Device?
MetaIntelli research: sample of 38,000 mobile apps, 67% had M3 (OWASP Mobile Top 10 risk)2
1Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
2Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
38. www.owasp.org
MFA Double Standard
Consumers
• Facial and voice for mobile login2
Employees
• Symantec VIP3
1Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
2Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
3Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
40. www.owasp.org
FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
– Universal 2nd Factor (U2F)
– Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Network-resident versus device-resident biometrics
– FIDO advocates device-resident
• Problems, especially with voice1
1Source: January 2015, “Network vs Device Resident Biometrics,” ValidSoft
41. www.owasp.org
“Legacy thinking subverts the security of a well-constructed system”1
– David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2
1Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
2Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
43. www.owasp.org
OWASP IoT Top 10
A1: Insecure Web Interface
A2: Insufficient Authentication/Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security
1Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014
44. www.owasp.org
IoT Predictions
Creative Cryptography, Uneven Protocol Adaptations
• Enhanced Privacy ID (EPID®)
– "Implementing Intel EPID offers IoT designers …proven security options”1
• PKI: instead of one-to-one mapping of public and private key pairs, uses one-to-many mapping of public to private keys
• Autobahn to dirt road
– E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
– Different implementation constraints
– “Security of these … mechanisms is highly dependent on the ability of the programmers creating it.”2
1Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
2Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
45. www.owasp.org
Consider Risk-Based Authentication
(aka Context-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location, geo-fencing, geo-velocity
• Behavioral analysis1
• Analytics, machine learning, continuous authentication2
1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
2Source: Clare Nelson, August 2015
Layer multiple contextual factors. Build a risk profile.
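The following Python is an added example, not the presenter's code or any vendor's product, of what "layer multiple contextual factors, build a risk profile" looks like in practice: each factor from the list above (device registration, IP reputation, geo-fence, geo-velocity, time of day) contributes to one score that selects allow, step-up or deny. Weights, thresholds, the registered device, the bad IP and the login records are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class LoginContext:
    """One authentication attempt plus the context signals captured with it."""
    device_id: str
    ip: str
    lat: float
    lon: float
    ts: int  # epoch seconds (UTC)


# Constructed policy data for a hypothetical user; a real deployment would load
# these from a device registry, an IP-reputation feed and the user's profile.
REGISTERED_DEVICES = {"dev-abc123"}
BAD_IPS = {"203.0.113.9"}              # constructed (TEST-NET address)
HOME_FENCE = (30.27, -97.74, 100.0)    # Austin, TX: lat, lon, radius in km
MAX_PLAUSIBLE_KMH = 1000.0             # faster than this is "impossible travel"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def geo_velocity_kmh(prev: LoginContext, cur: LoginContext) -> float:
    """Speed the user would have needed to travel from the previous login to this one."""
    hours = max(cur.ts - prev.ts, 1) / 3600.0
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def risk_score(cur: LoginContext, prev: Optional[LoginContext]):
    """Layer the contextual factors: each one that fires adds its (assumed) weight."""
    score, reasons = 0, []
    if cur.device_id not in REGISTERED_DEVICES:
        score += 30
        reasons.append("unregistered device")
    if cur.ip in BAD_IPS:
        score += 40
        reasons.append("bad IP reputation")
    lat, lon, radius = HOME_FENCE
    if haversine_km(cur.lat, cur.lon, lat, lon) > radius:
        score += 20
        reasons.append("outside geo-fence")
    if prev is not None and geo_velocity_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        score += 50
        reasons.append("impossible travel")
    if (cur.ts // 3600) % 24 < 6:      # 00:00-05:59 UTC
        score += 10
        reasons.append("off-hours")
    return score, reasons


def decide(cur: LoginContext, prev: Optional[LoginContext]):
    """Map the risk profile to an action: allow, step-up (ask another factor) or deny."""
    score, reasons = risk_score(cur, prev)
    action = "deny" if score >= 70 else "step-up" if score >= 30 else "allow"
    return action, score, reasons


if __name__ == "__main__":
    last = LoginContext("dev-abc123", "198.51.100.4", 30.27, -97.74, 1_700_000_000)
    now = LoginContext("dev-zzz999", "198.51.100.77", 50.11, 8.68, last.ts + 3600)
    print(decide(now, last))  # constructed: new device in Frankfurt one hour later
```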
46. www.owasp.org
What You Can Do (1 of 2)
• Request threat models from MFA vendors
• Beware
– 2D fingerprints
– Already-hacked biometrics
– QR codes
– SMS OTP
– JavaScript requirements
– Weak account recovery
– Lack of mobile device risk analysis
– Encryption with backdoors
Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/
47. www.owasp.org
What You Can Do (2 of 2)
• Do not be swayed by latest InfoSec fashion trends
– Apple Touch ID
• Integration with VISA
• Samsung Pay
– FIDO Alliance
• Rethink the definition of MFA
– Beware of new interpretations
Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/
49. www.owasp.org
Additional References (1 of 3)
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
50. www.owasp.org
Additional References (2 of 3)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack’s unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor, CTO Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
52. www.owasp.org
"A rose by any other name would smell as sweet”1
• Adaptive authentication
• Multi-modal authentication
• Continuous authentication
• 2FA, TFA, Two-factor authentication
• Multi-factor authentication
• Strong authentication
– United States: Many interpretations, depends on context
– European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations2
• Apple: Two-step authentication
• Multi-step authentication
• SecureAuth: Adaptive, risk-based, context-based
authentication
• IDC: advanced authentication, dynamic user authentication,
multiform authentication, multiframe authentication,
standard authentication, traditional authentication
– Traditional authentication: authenticate at beginning of session
– Dynamic authentication: users may be asked to authenticate at “various points during a session, for various reasons”3
• Step-up authentication
• Re-Authentication
1Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
2Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
3Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)