
Why Some Multi-Factor Authentication Technology is Irresponsible


As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked. So can faces and other biometrics. Why, then, is biometric authentication so fashionable? Why did USAA just announce that it is rolling out voice and facial recognition for its customers, while its own employees use Symantec VIP? Did product management and marketing conduct a study that concluded customers feel safer with a fingerprint or a face scan?

This is a case of marketing triumphing over common sense. Even a sixth grader can grasp the problems with biometric authentication.

Apple's Touch ID, and VISA's integration with it, are shaping the fashionable trend faster than a Milan runway. Hopefully these atrociously short hemlines will fade soon. Apple senior vice president Dan Riccio irresponsibly claims, "Fingerprints are one of the best passwords in the world." He probably understands that it is easy to reset a password. He probably does not understand how hard it is to reset his fingerprints. Truly the inmates are running the asylum.

C1ph3r_Qu33n

March 07, 2015


Transcript

Slide 1: Disclaimer
• Content is based on information in the public domain
• Sources are cited; footnotes on most slides
Slide 2: Scope
• Multi-Factor Authentication (MFA) use case:
  – Focus on consumers and external customers
  – Ease of use (no hardware tokens)
    o Internal employees typically follow corporate guidelines
    o External customers are fickle; the competition is just a click away
• No protocols (OATH, OAuth, SAML, etc.); that is a separate talk
• United States; elsewhere, for contrast:
  – EU regulations
    o France: legal constraints on biometrics; use must be justified and authorized by the National Commission for Informatics and Liberty (CNIL) [1]
  – India: e-commerce (Snapdeal), Reserve Bank of India
    o Move from two-factor to single-factor authentication for transactions under Rs. 3,000 [2]
    o Possibly Rs. 10,000 in future
[1] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[2] Source: February 2015, http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
Slide 3: Speaker Bio
• Clare Nelson, CISSP
  – [email protected], @Safe_SaaS
• B.S. Mathematics
• 30+ years in industry
  – Encrypted TCP/IP variants for NSA
  – Product Management at DEC (HP), EMC2
  – Director Global Alliances, Dell, Novell
  – VP Business Development, MetaIntelli (Mobile Security)
• 2001 Founder, ClearMark Consulting
• 2012, 2013 Elected to Austin ISSA Board
• 2014 Co-founder, C1ph3r_Qu33ns
• 2014 USA Yoga National Champion
• Favorite tortilla chip: Sesame Blues
Slide 4
"The System of Doctor Tarr and Professor Fether" – Edgar Allan Poe
Slide 5: NIST Definition
Multi-Factor Authentication (MFA)
• National Institute of Standards and Technology (NIST)
• SP 800-63-2 (August 2013), Electronic Authentication Guideline
  1. Something you know (password)
  2. Something you have (ID badge, cryptographic key)
  3. Something you are (fingerprint, other biometric data) [1]
• What is the origin of this definition?
• NIST authors: might be Gene Spafford, or just "ancient lore" [2]
  – @TheRealSpaf: "Nope — that's even older than me!" [3]
  – 1970s? NSA? Academia?
[1] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[2] Source: February 26, 2015 email response from a NIST SP 800-63-2 author
[3] Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
Slide 6
How can you write a guide based on a definition of unknown, ancient origin?
How can you implement MFA without a current, coherent definition?
Slide 7: Updated Definitions (More Risk)
Multi-Factor Authentication (MFA) factors:
• Knowledge
• Possession
  – Mobile device identification
• Inherence
  – Biometrics: physical or behavioral
• Location
  – Geolocation
  – Geofencing
  – Geovelocity
• Time [1]
NIST: device identification, time, and geo-location could be used to challenge an identity, but "they are not considered authentication factors" [2]
[1] Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
[2] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Slide 8: FFIEC MFA Definition
• Federal Financial Institutions Examination Council (FFIEC)
• 2011 update to the 2005 document, Authentication in an Internet Banking Environment:
  – "…virtually every authentication technique can be compromised"
  – Financial institutions should no longer consider simple device identification (such as cookies, IP addresses, or geo-location information) an effective primary control
  – Complex device identification, "digital fingerprinting," incorporates a number of characteristics such as PC configuration, IP address, geo-location, and other factors
  – Implement time-of-day restrictions for funds transfers
  – Consider keystroke dynamics, biometric-based responses [1]
[1] Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
Slide 9: Behavioral Biometrics: BehavioSec
Laptop version: requires JavaScript; won't work with the Aviator browser, or if you disable JavaScript
[1] Source: http://www.behaviosec.com
Slide 10: Behavioral Biometrics: BioCatch
• Detects threats based on user interaction with online and mobile applications
• Analyzes 400+ bio-behavioral, cognitive and physiological parameters
  – How you find a missing cursor [1]
[1] Source: http://www.biocatch.com
Slide 11: Fingerprinting Web Users Through Font Metrics [1]
• Browser variations
  – Version
  – What fonts are installed
  – Other settings
• Font metric–based fingerprinting
  – Measure onscreen size of font glyphs
• Effective against Tor Browser
[1] Source: http://fc15.ifca.ai/preproceedings/paper_83.pdf
Slide 12: State of the Market
Authentication silos predominate
• 200+ MFA vendors offering fragmented, custom, often proprietary solutions
"…time to alter how authentication is done … doesn't meet today's demands … the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a 'Tower of Babel' for authentication." [1]
– Phil Dunkelberger, CEO, Nok Nok Labs
[1] Source: http://www.networkworld.com/article/2161675/security/pgp-corp--co-founder-s-startup-targets-cloud-authentication.html
Slide 13: Why 200+ MFA Vendors?
"Authentication has been the Holy Grail since the early days of the Web." [1]
"The iPhone of Authentication has yet to be invented." [2]
[1] Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
[2] Source: Clare Nelson, February 2015
Slide 14: Suboptimal Choices
Authentication factors/technology:
• Biometrics, 2D fingerprint
• Short Message Service (SMS)
  – One-Time Password (OTP)
• Quick Response (QR) codes
• JavaScript
• Weak, arcane account recovery
• Assumption that mobile devices are secure
• Encryption (without disclaimers)
  – Quantum computing may break RSA or ECC by 2030 [1]
  – Update on NSA's $80M Penetrating Hard Targets project [2]
  – Encryption backdoors: is it NSA-free and NIST-free cryptography?
  – No mysterious constants or "magic numbers" of unknown provenance [3]
[1] Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
[2] Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
[3] Source: https://www.grc.com/sqrl/sqrl.htm
Slide 15: Irrational Exuberance of Biometric Authentication Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
  – Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
  – Driven by the increase of fingerprint scanners in smartphones [1]
[Image: Samsung Pay]
[1] Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
Slide 16: Apple TouchID: Cat Demo
[1] Source: https://www.youtube.com/watch?v=q3ymzRYXezI
Slide 17: Issues with Biometrics
• Cannot be revoked or re-issued
  – Easy to reset your password, not easy to reset your fingerprints
• 2D fingerprints: proven especially vulnerable to targeted attacks
• Your biometrics are in the public domain, and elsewhere, easily accessed
• Biometric identification systems may undermine privacy by making identity theft more likely [1]
• Biometrics will likely persist in government and private databases, accreting information whether we like it or not [2]
• False positives, false negatives
• High cost
• Need to account for disabilities, injuries, other issues
• User acceptance, preference for biometric factors varies by demographic
"Fingerprints scare me" – Anonymous (2015)
[1] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[2] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Slide 18
[Image]
[1] Source: http://www.dw.de/image/0,,18154223_303,00.jpg
Slide 19: 2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned the fingerprint of German Defense Minister Ursula von der Leyen
  – From photographs [1, 2]
• 2013: Hacked Apple's Touch ID on the iPhone 5S ~24 hours after its release in Germany
  – Won the IsTouchIDHackedYet.com competition [3]
• 2006: Published research on hacking fingerprint recognition systems [4]
[1] Source: https://www.youtube.com/watch?v=vVivA0eoNGM
[2] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
[3] Source: http://istouchidhackedyet.com
[4] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Slide 20: 2013: Starbug Faking TouchID
[1] Source: http://istouchidhackedyet.com
Slide 21
[Image]
Source: http://www.wellhappypeaceful.com/wp-content/uploads/2012/06/baby.jpg
Slide 22: Riccio versus Krissler
"Fingerprints are one of the best passwords in the world." [1]
– Dan Riccio, Senior Vice President, Apple
"Don't use fingerprint recognition systems for security relevant applications!" [2]
– Jan Krissler (Starbug)
[1] Source: http://www.imore.com/how-touch-id-works
[2] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Slide 23: 3D Fingerprint [1]
No matter how advanced the biometric is, the basic threat model persists.
[1] Source: http://sonavation.com/technology/
Slide 24: Starbug's Threat Model
Biometric systems: types of attacks [1]
[1] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Slide 25: Hacker Mentality
"The hackers are breaching the architecture, not the authentication mechanism." [1]
– Garret Grajek, CSO at dinCloud
[1] Source: http://www.darkreading.com/identity-and-access-management/the-problem-with-two-factor-authentication/d/d-id/1113697
Slide 26: Biometrics: In Use, Proposed
• Fingerprints: 2D, 3D via ultrasonic waves
• Palms: palm prints and/or the whole hand (feet?)
• Signature
• Keystroke, the art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head: its shape, specific movements
• Other elements of the head, such as ears, lip prints
• Gait
• Odor
• DNA
• ECG (beta: Bionym's Nymi wristband; smartphone, laptop, car, home security)
• EEG [1]
• Smartphone/behavioral: AirSig authenticates based on the g-sensor and gyroscope, how you write your signature in the air [2]
[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
[2] Source: http://www.airsig.com
Slide 27: Biometrics: Imaginable
• Body shape recognition
• Internal structure of body parts
• Analysis of other electrical and magnetic fields created by the body
• Analysis of face and head vibrations during speaking [1]
[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
Slide 28: "Thought Auth" [1]
EEG biosensor
• MindWave™ headset [2]
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security
[1] Source: Clare Nelson, March 2015
[2] Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
Slide 29: SXSW Preview
"… biometrics cannot, and absolutely must not, be used to authenticate an identity" [1]
– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
SXSW, March 15: "Fingerprints are Usernames, Not Passwords"
[1] Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
Slide 30: SMS OTP Attacks
• Many MFA vendors use SMS OTP
  – Send a text with a One-Time Password
• 2014 paper from Northeastern University and Technische Universität Berlin
  – "SMS OTP systems cannot be considered secure anymore"
• SMS OTP threat model
  – Physical access to the phone
  – SIM swap attack
  – Wireless interception
  – Mobile phone trojans [1]
[1] Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
Slide 31: SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated two-factor authentication (2FA)
  – 2014, discovered by Trend Micro [1]
  – Targeted Swiss, Austrian, German, Swedish and other European banks, plus Japanese banks
  – Typical scenario: customer goes to the online bank
    1. Customer enters username and password
    2. Session token sent to mobile device (SMS OTP)
    3. Customer enters session token (OTP)
  – Attackers scraped SMS one-time passwords off customers' Android phones [2]
[1] Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
[2] Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
Slide 32: QR Code Risks [1]
• VASCO two-factor authentication
  – User captures a QR code with the mobile device
  – User enters a PIN code to log on, or to validate a transaction [2]
• QR codes are used by many MFA vendors
• A QR code redirects the user to a URL; even if the URL is displayed, not everyone reads it
  – Could link to a malicious website
[1] Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
[2] Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
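The check the slide implies but does not spell out, as an added example (this is not code from the talk or from any vendor named on it): an authenticator app should never act on a decoded QR payload blindly. It should parse the string and refuse anything that is not an https URL on the app's own pinned host, anything carrying embedded credentials (the `https://bank@evil.test` trick), a non-default port, or a query parameter that smuggles a second URL for a later redirect. The pinned host name and the sample payloads are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical pinned host for the example; a real app pins its own login
# host(s) at build time rather than trusting whatever the QR code names.
ALLOWED_HOSTS = {"login.example-bank.test"}


def check_qr_payload(payload: str, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a decoded QR payload.

    Accepts only https URLs on an allow-listed host, on the default port,
    without userinfo, and without query values that look like a second URL.
    """
    try:
        parts = urlsplit(payload.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (https://bank@evil.test trick)"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} is not allow-listed"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if "://" in value or value.startswith("//"):
                return False, f"query parameter {key!r} carries a URL"
    return True, "ok"


# Constructed sample payloads with the verdict each should receive.
SAMPLE_PAYLOADS = {
    "https://login.example-bank.test/qr?session=abc123": True,
    "http://login.example-bank.test/qr?session=abc123": False,       # plain http
    "https://login.example-bank.test@evil.test/qr": False,           # userinfo
    "https://login.example-bank.test.evil.test/qr": False,           # look-alike host
    "https://login.example-bank.test/qr?next=https://evil.test/p": False,  # open redirect
    "https://login.example-bank.test:8443/qr": False,                # odd port
}


def run_samples():
    """Return {payload: (ok, reason)} for every constructed sample."""
    return {payload: check_qr_payload(payload) for payload in SAMPLE_PAYLOADS}


if __name__ == "__main__":
    for payload, (ok, reason) in run_samples().items():
        print("ACCEPT" if ok else "REJECT", payload, "-", reason)
```

The allow-list is deliberately a set of exact host names rather than a suffix match: a suffix check on `example-bank.test` would wave through `login.example-bank.test.evil.test`, which is exactly the kind of link a phishing QR code would carry.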
Slide 33
"Account recovery is the Achilles heel of 2FA" [1]
– Eric Sachs, Product Management Director, Identity at Google
[1] Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
Slide 34: Account Recovery
• Recovering your account if you lost your 2FA credentials
  – "If you've lost access to your account after enabling two-factor authentication, <Vendor Name> can't help you"
• Google 2-Step Verification provides backup (recovery) codes
  – 10 codes; print a hard copy, put it in your wallet (purse)
• Apple Two-Step Verification
  – What if I lose my Recovery Key?
  – Go to My Apple ID and create a new Recovery Key using your Apple ID password and one of your trusted devices [1]
[1] Source: https://support.apple.com/en-us/HT204152
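What a sane recovery-code scheme looks like in code, as an added example (not code from Google, Apple, or the talk): codes come from a CSPRNG, are shown to the user exactly once, are stored server-side only as salted PBKDF2 hashes so that a database leak does not hand an attacker ten valid second factors, and are burned on first use. The code length, alphabet and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for the example: 10 codes of 10 characters from an alphabet
# without look-alike glyphs (no 0/O, 1/l/I), stored as salted PBKDF2 hashes.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
CODE_COUNT = 10
PBKDF2_ROUNDS = 20_000


def _normalize(code: str) -> str:
    """Accept the code however the user typed it: case, spaces, hyphens ignored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode("ascii"), salt, PBKDF2_ROUNDS)


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext_codes, stored_records).

    The plaintext list is shown to the user once (print it, put it in your
    wallet); only `stored_records` is persisted server-side.
    """
    plaintext, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = os.urandom(16)
        plaintext.append(f"{raw[:5]}-{raw[5:]}")          # grouped for readability
        records.append({"salt": salt, "hash": _hash_code(raw, salt), "used": False})
    return plaintext, records


def redeem_recovery_code(records, candidate: str) -> bool:
    """Consume one unused code. Returns True on success, False otherwise.

    Every record is hashed and compared (no early exit) so that response time
    does not reveal which slot matched; each comparison is constant-time.
    """
    if not candidate or any(c not in CODE_ALPHABET for c in _normalize(candidate)):
        return False
    matched = None
    for record in records:
        if hmac.compare_digest(_hash_code(candidate, record["salt"]), record["hash"]):
            matched = record
    if matched is None or matched["used"]:
        return False
    matched["used"] = True
    return True


def remaining_codes(records) -> int:
    """How many unused codes the user still has; warn them when this gets low."""
    return sum(1 for r in records if not r["used"])


if __name__ == "__main__":
    codes, stored = generate_recovery_codes()
    print("Show these once:", *codes, sep="\n  ")
    print("redeem first code:", redeem_recovery_code(stored, codes[0]))
    print("redeem it again:  ", redeem_recovery_code(stored, codes[0]))
    print("codes left:", remaining_codes(stored))
```

The per-code salt means two users who happen to draw the same code (astronomically unlikely at ~49 bits each, but the property is free) do not share a hash, and the "used" flag lives next to the hash so that burning a code and checking it are one record update, not two tables that can drift apart.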
Slide 35
"Mobile is the New Adversarial Ingress Point." [1]
– Lee Cocking, VP Product Strategy at GuardTime
[1] Source: http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices
  36.                Slide  36  

    What’s  Wrong  with  the  Mobile  Device  Becoming  the  Authen2ca2on  Device?   Source:  h/ps://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks     Source:  h/p://metaintelli.com/blog/2015/01/06/industry-­‐first-­‐metaintelli-­‐research-­‐discovers-­‐large-­‐number-­‐of-­‐mobile-­‐apps-­‐affected-­‐by-­‐owasp-­‐mobile-­‐top-­‐10-­‐risks/     MetaIntelli  research:  sample  of  38,000  mobile  apps,  67%  had  M32  
Slide 37: MFA Double Standard
Big Company (2015) [1]
• Consumers may use voice and facial recognition for mobile login [2]
• Employees use Symantec Validation and ID Protection (VIP) [3]
[1] Source (image): http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
[2] Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
[3] Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
Slide 38: Perfect Storm
• Fractured, crowded market: 200+ MFA vendors chasing a ~$1.8B market [1]
• Apple, VISA, Samsung, others: fingerprint-based authentication is cool, secure
• FIDO Alliance
• 2014, year of the breach
• Increased legislation
[1] Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market
Slide 39: FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
  – Universal 2nd Factor (U2F)
  – Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Network-resident versus device-resident biometrics
  – FIDO advocates device-resident
• Problems, especially with voice
  – Phone-resident malware
  – Back-door vulnerability
  – Prohibits cross-channel usage, blacklist processing [1]
Perhaps interoperability is not such a good thing: today the bad guys have many different systems to hack.
[1] Source: January 2015, "Networks vs Device Resident Biometrics," ValidSoft
Slide 40
"Legacy thinking subverts the security of a well-constructed system" [1]
– David Birch, Digital Money and Identity Consultant, author of Identity is the New Money [2]
[1] Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
[2] Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
Slide 41: What You Can Do
• Request full disclosure and threat models from MFA vendors
• Train your external customers and consumers
  – MFA is just one part of a layered defense
  – Don't have a false sense of security just because you used your 2D fingerprint to log in, especially if you are vulnerable to targeted attacks
• Implement loyalty programs or other behavioral modification techniques to entice consumers to adopt secure MFA
  – Zumigo (backed by Intel Capital and the Wells Fargo Startup Accelerator)
• Do not be swayed by the latest InfoSec fashion trends
  – Apple TouchID, integration with VISA
  – FIDO Alliance
• Beware 2D fingerprints, already-hacked biometrics, QR codes, SMS OTP, JavaScript requirements, weak account recovery, lack of mobile device risk analysis, and encryption with backdoors
• Rethink the definition of MFA; beware of new interpretations
Slide 42: Consider Context-Based Authentication
(aka Risk-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location
• Geo-fencing
• Geo-velocity
• Behavioral analysis [1]
Layer multiple contextual factors. Build a risk profile.
[1] Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
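Layering the factors on this slide into a risk profile, as an added example (not code from the talk or from the Dark Reading article it cites): each contextual signal adds to a score, and the score selects allow, step-up, or deny. Geo-velocity is the one factor that needs real arithmetic, so it is computed from the previous login's coordinates and timestamp. The weights, thresholds, geofence, reputation prefixes and the three login events are constructed for the example; a deployment would feed them from its device registration records and a reputation service.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values for the example; tune per deployment.
IMPOSSIBLE_TRAVEL_KMH = 1000.0   # faster than a scheduled airliner
STEP_UP_AT = 30                  # score at which a second factor is demanded
DENY_AT = 70                     # score at which the login is refused outright


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime        # timezone-aware
    ip: str
    device_id: str      # from device registration / fingerprinting
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km on a 6371 km sphere."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geovelocity_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to travel between two logins."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def in_geofence(ev: LoginEvent, box) -> bool:
    lat_min, lat_max, lon_min, lon_max = box
    return lat_min <= ev.lat <= lat_max and lon_min <= ev.lon <= lon_max


def risk_score(cur, prev, known_devices, bad_ip_prefixes, geofence):
    """Add up the contextual signals; return (score, reasons)."""
    score, reasons = 0, []
    if cur.device_id not in known_devices:
        score += 30
        reasons.append("unregistered device")
    if any(cur.ip.startswith(p) for p in bad_ip_prefixes):
        score += 40
        reasons.append("source IP on reputation list")
    if prev is not None and geovelocity_kmh(prev, cur) > IMPOSSIBLE_TRAVEL_KMH:
        score += 40
        reasons.append("impossible travel (geo-velocity)")
    if not in_geofence(cur, geofence):
        score += 20
        reasons.append("outside geofence")
    if 2 <= cur.ts.astimezone(timezone.utc).hour < 5:   # FFIEC-style time-of-day rule
        score += 10
        reasons.append("off-hours")
    return score, reasons


def decide(score: int) -> str:
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# Constructed sample (RFC 5737 documentation addresses, not real users or IPs):
# Alice logs in twice from Austin, then a login arrives from Berlin 30 minutes
# later on an unknown device from an address on the reputation list.
KNOWN_DEVICES = {"alice": {"dev-austin-laptop"}}
BAD_IP_PREFIXES = ("203.0.113.",)
TEXAS_BOX = (25.8, 36.5, -106.7, -93.5)   # (lat_min, lat_max, lon_min, lon_max)
T0 = datetime(2015, 3, 7, 9, 0, tzinfo=timezone.utc)
AUSTIN = LoginEvent("alice", T0, "198.51.100.10", "dev-austin-laptop", 30.27, -97.74)
AUSTIN_AGAIN = LoginEvent("alice", T0 + timedelta(minutes=30), "198.51.100.10",
                          "dev-austin-laptop", 30.28, -97.73)
BERLIN = LoginEvent("alice", T0 + timedelta(hours=1), "203.0.113.7",
                    "dev-unknown-phone", 52.52, 13.40)


def evaluate(cur: LoginEvent, prev):
    """Return (decision, score, reasons) for a login given the previous one."""
    score, reasons = risk_score(cur, prev, KNOWN_DEVICES.get(cur.user, set()),
                                BAD_IP_PREFIXES, TEXAS_BOX)
    return decide(score), score, reasons


if __name__ == "__main__":
    for cur, prev in ((AUSTIN, None), (AUSTIN_AGAIN, AUSTIN), (BERLIN, AUSTIN_AGAIN)):
        print(cur.ip, *evaluate(cur, prev))
```

Two design points worth keeping when adapting this: the reasons list is returned alongside the score so that the step-up prompt and the audit log can say why, and the geo-velocity check compares against the previous *successful* login, because comparing against a rejected attempt lets an attacker reset the baseline.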
Slide 43: Questions?
Clare Nelson, CISSP
[email protected]
@Safe_SaaS
Slide 44: Additional References
1. December 2014, Starbug (Jan Krissler) video, "Ich sehe, also bin ich … Du" ("I see, therefore I am … you"), https://www.youtube.com/watch?v=vVivA0eoNGM&feature=youtu.be
2. OWASP Mobile Top 10 Risks, M3: Insufficient Transport Layer Protection, https://www.owasp.org/index.php/Mobile_Top_10_2014-M3
3. OWASP Guide to Authentication, https://www.owasp.org/index.php/Guide_to_Authentication#What_is_two_factor_authentication.2C_really.3F
4. SANS, Two-Factor Authentication: Can You Choose the Right One?, http://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-choose-one-33093
5. Gluu blog (January 15, 2014), Achilles Heel of Two-Factor Authentication, http://www.gluu.org/blog/2fa_achilles_heel/
6. Gartner, December 1, 2014, Magic Quadrant for User Authentication
7. Forrester, December 30, 2013, Market Overview: Employee and Customer Authentication Solutions in 2013: Part 1 of 2
8. M2SYS Technology (July 24, 2014), The Impact of Biometrics in Banking, http://blog.m2sys.com/financial-services/impact-biometrics-banking/
9. Google Unveils 5-Year Roadmap for Strong Authentication, http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
Slide 45: NIST on Biometrics
• Biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for e-authentication
• Biometrics may be used in the registration process for higher levels of assurance to:
  – Later help prevent a subscriber who is registered from repudiating the registration
  – Help identify those who commit registration fraud
  – Unlock tokens [1]
[1] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Slide 46: NIST: Threat Resistance by Threat Level [1]
[Table from NIST SP 800-63-2 not reproduced in the transcript; its footnotes follow]
29 Long term authentication secrets shall be protected at this level. Short term secrets may or may not be protected.
30 Although there are techniques used to resist flood attacks, no protocol has comprehensive resistance to stop flooding.
[1] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Slide 47: Protectimus
[1] Source: www.protectimus.com
Slide 48: SecSign: Apple Watch 2FA
[1] Source: https://www.youtube.com/watch?v=Ub-hKlacN9I
Slide 49
[Image: SIM swap fraud]
[1] Source: http://www.creditconsumersassociation.org/wp-content/uploads/2013/08/sim-swap-fraud.png