Barry Caplin: 3 Factors of Fail (Wed. May 15, 2013, 2:35 PM)
Welcome to Secure360 2013
The Authentication Problem
Secure360
Wed. May 15, 2013
[email protected] @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin, Chief Information Security Officer
MN Dept of Human Services
Authentication is the Challenge

And The Challenge is…
People need to:
- Enter Buildings
- Use Systems
- Use Data

And The Challenge is…
The Right People need to:
- Enter Buildings
- Use Systems
- Use Data
Guiding Principle
- Minimum Necessary
We Usually Think Of…
It was a busy year
And Passwords Get Stolen

And Bad Choices Are Made
3 Factors of Authentication
1. Something You Know
2. Something You Have
3. Something You Are (or Do)

3 Factors of Auth FAIL
1. Something You Forgot
2. Something You Lost
3. Something You Were (or Did)
1. Something You Forgot
- P@sswOrd5
- PINs
- Combinations
- “Secret” Phrases
- Picture Identification
- Patterns

Used by…

Not Simple
- Can’t be easily guessable
- False positives
  - Grant rights to wrong person
  - Actions attributable to you!
- So not simple/guessable… But simple is memorable…
Complexity Requirements
- Make Guessing Difficult
- Common: 8 char, upper/lower, numeric, special
- Smart Users Circumvent
- Nonsense/Random great, but impossible to remember
To Make It Worse
- Expiration “best practice”: like changing your house locks every 30 days!
- Secret Questions – too simple, too guessable
  - Answers on Facebook
  - Remember… don’t have to be true!
- Help Desks: social engineering and process hacks (ask Mat Honan)
3 More Issues
- Bad Choices: NYG1@nts! meets requirements
- Shoulder Surfing: complex => slow to enter
- Writing Down: not bad if done well
To Make It Worse
- Social Engineering
- Phishing
Solutions
- Length: better than complexity! Long phrases easier to remember
  - Why do some sites have max length???
- Vaults: use ‘em! Don’t forget the main password!
- OTP (One Time Passwords): fixes many issues except delivery
Something You Lost
- a.k.a. 2-factor auth – id/pw + hard token
- Static/Dynamic
OTP Delivery
- Hard Token: time (RFC 6238) or sequence-based
  - Also Smart Cards, Key Cards
- Soft Tokens: program or app; device independence
- SMS
- Paper
Challenges
- Hard Tokens
  - Can be lost
  - Worse – often kept with laptop
  - Multiple systems = multiple tokens
- Soft Tokens – better because people don’t lose their phones…
- … Oh Wait…
Solution
- I still like this when implemented well
- Google Auth
- SMS
- Smart phones
- Paper
Something You Were
- Usually means biometrics
- Oldest form of ID
- Animals, babies, tribes/groups – senses
- Mixed reliability
Biometrics
- False Positives – bad for security
- False Negatives – bad for business

Biometrics
- Some common choices: iris/retinal scan, fingerprint, palm print/geometry
- Less common: voice, typing cadence, “bottom” print

Biometrics
- Best auth method for use in movies!
Challenges
- Logistics: registration, hardware/people, “failure to enroll” (FER), contaminants on readers
- Hygiene
- Perception (movie story)
- Back-end systems
2 Biggest Issues
- Can’t change your biometric when you need to
- Your biometric can change when it wants to
- Hard to fake (getting easier)
- Easy to steal
- Nearly impossible to change/fix
Solutions?
- Not bad if used correctly
- Local physical access
- Voice-print for automated pw reset
The 4th Factor
- Risk-based, location-based, adaptive auth
- “somewhere you are” or “something you are doing”
- Key need – “rich” user profile
- Check against profile, then: Allow, Deny, or Challenge
Biggest Issue
- Establishing profile
  - Takes time
  - Highly non-trivial
  - Needs much info and/or long/ongoing relationship
- Otherwise degenerates to 1-factor
- Newer but promising
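An added example (my code, not from the talk) of the allow/deny/challenge decision the 4th-factor slides describe: the attempt is scored against a user profile, and a profile with too little history forces a challenge so the scheme does not silently degenerate to 1-factor. The profile fields, penalty weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy constants (mine, not from the talk): how many logins a profile
# must have seen before it is trusted, and the score thresholds per outcome.
MIN_OBSERVED_LOGINS = 20
CHALLENGE_AT = 40
DENY_AT = 80


@dataclass
class UserProfile:
    """The 'rich' profile the 4th factor needs: what this user normally does."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(6, 22)   # local hours the user normally logs in
    logins_observed: int = 0            # how much history backs the profile


def risk_score(profile: UserProfile, device_id: str, country: str, hour: int) -> int:
    """Penalise each way the attempt departs from the profile."""
    score = 0
    if device_id not in profile.known_devices:
        score += 40     # unknown device ("something you have" is missing)
    if country not in profile.usual_countries:
        score += 40     # unusual "somewhere you are"
    if hour not in profile.usual_hours:
        score += 20     # unusual "something you are doing"
    return score


def decide(profile: UserProfile, device_id: str, country: str, hour: int) -> str:
    """Return 'allow', 'challenge' or 'deny'. A thin profile cannot tell the
    user from an attacker, so it always steps up to a second factor; letting
    such attempts through is how risk-based auth degenerates to 1-factor."""
    if profile.logins_observed < MIN_OBSERVED_LOGINS:
        return "challenge"
    score = risk_score(profile, device_id, country, hour)
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


# Constructed sample profiles: an established staff member and a new hire
STAFF = UserProfile(known_devices={"laptop-0417"}, usual_countries={"US"},
                    logins_observed=250)
NEW_HIRE = UserProfile(logins_observed=2)
```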
Multi-Factor (MFA)
- Take 2 bad things and combine them together! That makes sense!

Multi-Factor (MFA)
- Typically 2-factor: ID/pw + token
- Steal one, you can’t get in
- Either can be “easily” changed

Multi-Factor (MFA)
- But…
Solutions
- Typical: 1-factor – id/pw for login; badges for entry
- Occasional hard token use
- But 1-factor only safe in “controlled” environments

Challenge:
- Positively id a person
- Easy to use
User/Use
- Customer, Staff, Tech worker, Newbie
- Hardware/software: control over hw/sw
- Data classification
- Regulatory
- Threats/Risks: replay attack, availability, work-arounds
- Single/multi-use
- Easy to use?
- Then do what makes sense!
Example
- Biometrics for entrance into high-security area
  - Badges can be lost or used by anyone
  - Combine with measures like Keywatcher
- OTP: Google Auth or Yubikey
  - SmartPhones – can be lost but are often kept close and rarely left with computer
  - Good choice for online/web-based services
Example
- Online Banking: system auth -> preselected word/picture -> id/pw -> reauth for large/unusual transaction
Example
- Long passwords + vault
  - pw’s – with us for a while
  - People make poor pw choices
  - Long phrases easier to remember
  - Long random strings better
- Better – add easy-to-use soft fob
- Remote access + risk-based auth
  - We have more info about staff
The Future