Slide 1

Slide 1 text

MODERN TWO-FACTOR AUTHENTICATION

Slide 2

Slide 2 text

ABOUT DUO
• Est. 2009, founders & management from
• Backed by top-tier investors ($7m seed / Series A)
• Breakthrough DoD-sponsored security research
• 800+ organizations with users in over 80 countries

Slide 3

Slide 3 text

ABOUT DUG
Technology               | Break                          | Build
Firewalls                | A Stateful Inspection of FW-1  | OpenBSD PF
Network authentication   | krb4 dictionary attack (JtR)   | krb5 / RPCSEC_GSS
IDS/IPS                  | fragroute                      | Anzen / NFR (Check Point)
Secure network protocols | dsniff                         | OpenSSH
Network availability     | DDoS                           | Arbor Networks

Slide 4

Slide 4 text

MISSION
• To solve the biggest problems in security today: Account Takeover and Online Fraud
• By making security easy and scalable, eliminating the cost and complexity of traditional point solutions
• Democratize two-factor authentication
• For enterprise, provider, consumer web
• Leverage and secure mobile devices for account access

Slide 5

Slide 5 text

AGENDA
• A (Brief) History of Internet Security
• Modern user-targeted attacks
• Overview of two-factor authentication
• Evolution of two-factor authentication
• Summary

Slide 6

Slide 6 text

1985–1995: SALAD DAYS OF THE INTERNET
• Password guessing, cracking

Slide 8

Slide 8 text

1995–2000: BATTEN DOWN THE HATCHES
• Phishing
• Sniffing
• Password guessing, cracking

Slide 10

Slide 10 text

2000–2005: OPEN FOR BUSINESS^W ATTACK
• Phishing
• Sniffing
• Password guessing, cracking
• Malware
• Web app attacks (XSS, XSRF, SQLI)

Slide 12

Slide 12 text

2005–2012: MOBILE, VIRTUAL, INFECTED
• Phishing
• Sniffing
• Password guessing, cracking
• Malware
• Web app attacks (XSS, XSRF, SQLI)
• Botnets, RATs
• APTs

Slide 13

Slide 13 text

MODERN USER-TARGETED ATTACKS

Users are Backdoors:
1. Hackers entice users to click on contaminated websites or trick users to open e-mail attachments
2. Users open the file, installing the malware
3. The malware sends back stored logins and data typed into web pages
4. The malware checks in periodically for updates, providing a gateway to the internal network

Chart: Zeus beats Anti-Virus (Source: Trusteer, 2009)
  No Antivirus 31% | Out of Date 14% | Up to Date 55%

Chart: malware by type (Source: Panda Labs, 2010)
  Trojan 66% | Adware 18% | Virus 7% | Spyware 6% | Worm 3% | Other

Reference: PolyPack: An Automated Online Packing Service for Optimal Antivirus Evasion. Jon Oberheide, M. Bailey, & F. Jahanian.

Slide 14

Slide 14 text

MALWARE AUTOMATION AND TARGETING
• ex. SilentBanker
• 3-line modification to a configuration file
• http://PhishMe.com

Slide 15

Slide 15 text

MALWARE & CYBERCRIME SUCCESS
[Charts: Delaware FINCEN SARs; AV-Test Malware Samples]

Slide 16

Slide 16 text

MARKET FAIL
[Timeline 2005–2011, with chart: Delaware FINCEN SARs]
• 2005: Banking trojans
• April 2005: HIPAA Security Rule Deadline
• June 2005: FFIEC multifactor requirement (deadline Dec 2006)
• December 2005: RSA buys Cyota: $145M
• February 2006: ISS OEM's Arbor
• April 2006: RSA buys Passmark: $44M
• June 2006: EMC buys RSA: $2.1B
• July 2006: Entrust buys Business Signatures: $50M
• October 2006: IBM buys ISS: $1.2B
• July 2007: Google buys Postini: $625M
• July 2007: Oracle buys Bharosa: $48M
• January 2008: FTC Red Flags Rule (deadline extended 7 times, now Jan 2011)
• October 2008: SYMC buys MessageLabs: $695M
• July 2009: Thoma Bravo buys Entrust
• July 2009: McAfee buys MX Logic: $140M
• August 2009: ABA: Commercial Banking Under Attack: "Only use dedicated PC for online banking"
• October 2009: Barracuda buys Purewire
• October 2009: HIPAA HITECH Act
• November 2009: FBI Alert: Rampant ACH Fraud: "malware and work-at-home scams"
• December 2009: Cisco buys ScanSafe: $183M
• January 2010: Heartland settles w/ Visa: $60M
• January 2010: Chinese "Aurora" attacks
• January 2010: HITECH: CT Attorney General vs. Health Net
• February 2010: CVS HIPAA Fine: $2.25M
• May 2010: SYMC buys VRSN auth: $1.2B

Slide 17

Slide 17 text

BREACHED/INFECTED IN THE LAST YEAR
[Logos by sector: Gov & Defense, Media, Cyber Supply Chain, Tech, Enterprise] + countless others...

Slide 18

Slide 18 text

THE PROBLEM WITH PASSWORDS
• Stolen: sniffed, phished
• Shared: between users, sites
• Guessed: weak / default
• Cracked: John the Ripper
• Forgotten: account recovery

Slide 19

Slide 19 text

STRONG AUTHENTICATION = TWO-FACTOR
KNOW          | HAVE         | ARE          | DO
Passwords     | Token        | Face         | Behavior
ID Questions  | (Smart) Card | Iris         | Location
Secret Images | Phone        | Hand/Finger  | Reputation

Slide 20

Slide 20 text

WHAT YOU KNOW + WHAT YOU HATE
• Two factors: cost & complexity
• Driven by regulatory requirements

Slide 21

Slide 21 text

TWO-FACTOR PROBLEMS
• Deployment
• Integration
• Management
• Usability
• Security

Slide 22

Slide 22 text

PROBLEM: 2FA DEPLOYMENT
• Complex footprint across distributed environments
• Security independence?

Slide 23

Slide 23 text

TREND: AUTHENTICATION AS A SERVICE
[Diagram: Your User → Your System + Our Service]
• Easy to Deploy – no hardware or software
• Easy to Scale – on-demand infrastructure
• Easy to Secure – wholly independent

Slide 24

Slide 24 text

PROBLEM: 2FA INTEGRATION
• Interfaces optimized for machines, not humans
• Difficult/sub-standard: GSSAPI, PAM
• Outdated/limited: RADIUS (UDP?!), TACACS+, SASL, SAML (web only, federation only)
• More wonky web protocols: OpenID, BrowserID
• Missing/wrong: 2FA for mobile devices; login reduced to a bearer token, vs. transaction authz

Slide 25

Slide 25 text

TREND: OPEN SOURCE, APIS, STANDARDS
• OATH HOTP, TOTP standards
• Google Authenticator
• MailChimp's AlterEgo service
• Yubico's APIs and OSS
• Duo Security's Web APIs and OSS
• NIST 800-63 LOAs, NSTIC, etc.

Slide 26

Slide 26 text

PROBLEM: 2FA USABILITY

Slide 27

Slide 27 text

TREND: FLEXIBLE CHOICES (BYOD)
Authenticator options by phone capability (smart vs. dumb) and connectivity (online vs. offline):
       | online                           | offline
smart  | DUO PUSH (2010s, patent-pending) | SOFT TOKENS (90s)
dumb   | CALLBACK / SMS (2000s)           | HARDWARE TOKENS (80s)

Slide 29

Slide 29 text

EASY DOES IT
• Duo Push: One tap to login!
• Defeats MITM, MITB attacks
• Offline? Use One-Time Passcodes
• Supports all mobile platforms

Slide 37

Slide 37 text

TWO-FACTOR GONE MAINSTREAM
• Hacked, then got serious:
  • Blizzard
  • Paypal
  • Facebook
  • Google
  • Amazon
  • LastPass
  • Dropbox
  • ArenaNet

Slide 38

Slide 38 text

PROBLEM: 2FA MANAGEMENT
• Provisioning
• Issuance
• Training
• Reset
• Revocation

Slide 39

Slide 39 text

TREND: SELF-SERVICE ENROLLMENT
• Most users are trustworthy
• Distribute responsibility to users
  • Self-authorize transactions over trusted path
  • Granular authorization
• Trust-On-First-Use self-enrollment
  • e.g. SSH hostkeys
  • Exposure window mitigated by feedback
  • Natural transition from 1-factor login

Slide 40

Slide 40 text

TREND: WEB OR API-BASED ADMINISTRATION

Slide 42

Slide 42 text

PROBLEM: 2FA SECURITY
• Know: Intercepted
• Have: Hijacked
• Are: Forged
• Do: Mimicked

Slide 43

Slide 43 text

REAL-WORLD TWO-FACTOR FAILURES
• EMI vs. Comerica
  • RSA MITM: two factors, one channel
  • "Failure to implement monitoring"
• CloudFlare breach
  • Gmail recovery PIN sent to redirected AT&T voicemail
• EMC/RSA breach
  • Cobbler's son...

Slide 44

Slide 44 text

AN AUTHENTICATION THREAT MODEL
(Attacker positions relative to the Remote User, ordered by increasing capability)
Attacker span of control | Attacker degree of control | Attacker technique
App/Server access        | Passive/Offline            | Guess/reset
Auth DB access           | Passive/Offline            | Crack/SQLI
Network                  | Passive/Offline            | Sniff
Conversation             | Passive/Offline            | Phish/Forge
Conversation             | Active/Online              | MITM
Endpoint                 | Active/Online              | Trojan/Keylog
Endpoint                 | Real-Time                  | Sidejack/MITB
Transaction              | Persistent                 | Modify
Multiple Devices         | Coordinated                | MITMobile

Slide 45

Slide 45 text

PASSWORDS / KNOWLEDGE-BASED AUTH
• Knowledge-based authentication
• Challenges
  • Weak
  • Forgeable (hence weak recovery modes)
  • Easily shared
• Failure modes
  • Guessable / dictionary attack
  • Credential recovery / reset
  • Sniffed / stolen / relayed

Slide 46

Slide 46 text

PASSWORDS / KNOWLEDGE-BASED AUTH: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | Passwords
App/Server access        | Passive/Offline   | Guess/reset   | ✘
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✘
Network                  | Passive/Offline   | Sniff         | ✘
Conversation             | Passive/Offline   | Phish/Forge   | ✘
Conversation             | Active/Online     | MITM          | ✘
Endpoint                 | Active/Online     | Trojan/Keylog | ✘
Endpoint                 | Real-Time         | Sidejack/MITB | ✘
Transaction              | Persistent        | Modify        | ✘
Multiple Devices         | Coordinated       | MITMobile     | ✘

Slide 47

Slide 47 text

WEAK BIOMETRICS
• Convenient: Face, Finger
• Challenges
  • Enrollment & Privacy
  • Accuracy
• Failure modes
  • Forgery & Replay
    • "Gummy fingers"
    • "Your Face Is Not Your PW"
  • Untrustworthy

Slide 48

Slide 48 text

WEAK BIOMETRICS: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | Weak Biometric
App/Server access        | Passive/Offline   | Guess/reset   | ✔
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✔
Network                  | Passive/Offline   | Sniff         | ✔
Conversation             | Passive/Offline   | Phish/Forge   | ✘
Conversation             | Active/Online     | MITM          | ✘
Endpoint                 | Active/Online     | Trojan/Keylog | ✘
Endpoint                 | Real-Time         | Sidejack/MITB | ✘
Transaction              | Persistent        | Modify        | ✘
Multiple Devices         | Coordinated       | MITMobile     | ✘

Slide 49

Slide 49 text

OTP TOKEN / CARD
• Challenges
  • Easily lost
  • Multiple device burden
  • Poor usability
• Failure modes
  • MITM relay
  • Clonable: RSA breach, Cain & Abel
  • Forgeable (SecurID KDF)?
  • Dictionary attack: OPIE, S/Key

Slide 50

Slide 50 text

OTP TOKEN / CARD: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | OTP Token/Card
App/Server access        | Passive/Offline   | Guess/reset   | ✔
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✔
Network                  | Passive/Offline   | Sniff         | ✔
Conversation             | Passive/Offline   | Phish/Forge   | ✔
Conversation             | Active/Online     | MITM          | ✘
Endpoint                 | Active/Online     | Trojan/Keylog | ✘
Endpoint                 | Real-Time         | Sidejack/MITB | ✘
Transaction              | Persistent        | Modify        | ✘
Multiple Devices         | Coordinated       | MITMobile     | ✘
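
The "dictionary attack: OPIE, S/Key" failure mode on the previous slide deserves a worked illustration, because it is a weakness of the OTP scheme itself rather than of its transport. The following is an added example for this page, not code from the deck or from the OPIE/S/Key projects: an RFC 2289-style hash chain (MD5 folded to 64 bits, seed lowercased and concatenated with the passphrase, then iterated), a server that stores only the last accepted chain element, and the offline attack. Because the challenge (sequence number and seed) travels in the clear and the response is a pure function of seed, passphrase and sequence number, one sniffed exchange lets the attacker test passphrase guesses without contacting the server, and a recovered passphrase yields every remaining OTP in the chain. The passphrase, seed, chain length and word list are constructed for the example.

```python
import hashlib
from typing import Iterable, Optional


def _md5_fold(data: bytes) -> bytes:
    """One S/Key hash step: MD5, then XOR the two 8-byte halves down to 64 bits (RFC 2289 MD5 style)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_value(seed: str, passphrase: str, seq: int) -> bytes:
    """Chain element `seq`: hash seed(lowercased)+passphrase once, then re-hash `seq` more times.
    Easy to compute forward from the passphrase, infeasible to compute backward from a later element."""
    v = _md5_fold((seed.lower() + passphrase).encode())
    for _ in range(seq):
        v = _md5_fold(v)
    return v


class SkeyServer:
    """Stores only the most recently accepted chain element, never the passphrase."""

    def __init__(self, seed: str, passphrase: str, n: int = 100) -> None:
        self.seed = seed
        self.seq = n
        self.last = skey_value(seed, passphrase, n)   # computed once at enrollment

    def challenge(self) -> str:
        # Sent in the clear; sequence number and seed are not secret in S/Key.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing the presented element once must reproduce the stored one.
        if _md5_fold(response) != self.last:
            return False
        self.seq -= 1
        self.last = response
        return True


def dictionary_attack(challenge: str, sniffed_response: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline: with one sniffed challenge/response pair, every candidate passphrase is testable locally."""
    _, seq, seed = challenge.split()
    for guess in wordlist:
        if skey_value(seed, guess, int(seq)) == sniffed_response:
            return guess
    return None


# Constructed toy word list; the user's real passphrase is in it, as weak passphrases tend to be.
WORDLIST = ["password", "letmein", "correct horse battery staple", "This is a test.", "hunter2"]


def demo() -> dict:
    server = SkeyServer("TeSt", "This is a test.", n=100)
    chal = server.challenge()                           # "otp-md5 99 TeSt", observed on the wire
    legit = skey_value("TeSt", "This is a test.", 99)   # the user's answer, also observed
    accepted = server.verify(legit)
    replayed = server.verify(legit)                     # same value again: the chain has moved on
    recovered = dictionary_attack(chal, legit, WORDLIST)
    forged = skey_value("TeSt", recovered, 98) if recovered else b""
    hijacked = server.verify(forged)                    # attacker answers the next challenge himself
    return {"challenge": chal, "accepted": accepted, "replayed": replayed,
            "recovered": recovered, "hijacked": hijacked}


if __name__ == "__main__":
    print(demo())
```

Replay of a sniffed value fails, which is the property S/Key was designed for; what it never had is resistance to an offline guess against the passphrase, and a 64-bit MD5 step is cheap enough that a real word list runs in seconds.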

Slide 51

Slide 51 text

CERT / SMARTCARD / STRONG BIOMETRIC
• Challenges
  • Enrollment/Provisioning
  • Deployment
  • Credential management & Revocation
• Failures
  • CA compromise (ComodoHacker, 2011)
  • Supply chain breach (EMV readers, 2008)
  • Malware (Sykipot DoD CAC trojan, 2012)
  • Bodily harm! (Big Lebowski, 1998)

Slide 52

Slide 52 text

CERT / SMARTCARD / STRONG BIOMETRIC: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | Cert/SCard/Bio
App/Server access        | Passive/Offline   | Guess/reset   | ✔
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✔
Network                  | Passive/Offline   | Sniff         | ✔
Conversation             | Passive/Offline   | Phish/Forge   | ✔
Conversation             | Active/Online     | MITM          | ✔
Endpoint                 | Active/Online     | Trojan/Keylog | ✘
Endpoint                 | Real-Time         | Sidejack/MITB | ✘
Transaction              | Persistent        | Modify        | ✘
Multiple Devices         | Coordinated       | MITMobile     | ✘

Slide 53

Slide 53 text

PHONE CALL / SMS OTP
• e.g. Modem callback in the 80's
• Challenges
  • Online requirement
  • Used for other purposes
  • Platform security
• Failure modes
  • No cell service, no login
  • Social engineering
  • Smartphone malware

Slide 54

Slide 54 text

PHONE CALL / SMS OTP: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | Phone/SMS
App/Server access        | Passive/Offline   | Guess/reset   | ✔
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✔
Network                  | Passive/Offline   | Sniff         | ✔
Conversation             | Passive/Offline   | Phish/Forge   | ✔
Conversation             | Active/Online     | MITM          | ✔
Endpoint                 | Active/Online     | Trojan/Keylog | ✔
Endpoint                 | Real-Time         | Sidejack/MITB | ✘
Transaction              | Persistent        | Modify        | ✘
Multiple Devices         | Coordinated       | MITMobile     | ✘

Slide 55

Slide 55 text

ANOMALY DETECTION
• Challenges
  • Training
  • Deployment
  • Probabilistic accuracy
• Failure modes
  • False training leads to false negatives
  • Baseline attacks as normal
  • False positives: Bayesian base rate fallacy
  • False negatives: Authentication fail

Slide 56

Slide 56 text

ANOMALY DETECTION: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | Behavior
App/Server access        | Passive/Offline   | Guess/reset   | ✔
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✔
Network                  | Passive/Offline   | Sniff         | ✔
Conversation             | Passive/Offline   | Phish/Forge   | ✔
Conversation             | Active/Online     | MITM          | ✔
Endpoint                 | Active/Online     | Trojan/Keylog | ✔
Endpoint                 | Real-Time         | Sidejack/MITB | ✔
Transaction              | Persistent        | Modify        | ✘
Multiple Devices         | Coordinated       | MITMobile     | ✘
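
Two of the failure modes on the anomaly-detection slide are easier to believe with numbers attached. This added example (written for this page, not taken from the deck) works the Bayesian base-rate calculation for a login-risk detector and then shows "false training": a mean-plus-k-sigma baseline that flags an attacker when trained on clean sessions and stops flagging the same attacker once his sessions were part of the training window. The fraud prior (1 in 10,000 logins), the detector's 99% sensitivity and 1% false-alarm rate, the feature (failed password attempts before a successful login) and the session values are all assumed, constructed inputs.

```python
import statistics
from typing import Sequence


def posterior_attack_given_alarm(prior: float, true_positive_rate: float, false_positive_rate: float) -> float:
    """Bayes: P(attack | alarm) = P(alarm | attack) P(attack) / P(alarm)."""
    p_alarm = true_positive_rate * prior + false_positive_rate * (1 - prior)
    return true_positive_rate * prior / p_alarm


class ThresholdDetector:
    """Toy behavioral baseline: flag a session whose feature exceeds mean + k*stdev of the training set."""

    def __init__(self, training: Sequence[float], k: float = 3.0) -> None:
        self.mean = statistics.mean(training)
        self.stdev = statistics.pstdev(training)
        self.threshold = self.mean + k * self.stdev

    def is_anomalous(self, value: float) -> bool:
        return value > self.threshold


# Constructed feature: failed password attempts before a successful login, one value per session.
CLEAN_BASELINE = [1, 2, 1, 0, 2, 1, 1, 2, 0, 1]
ATTACKER_SESSION = 8      # password guessing, then success
FORGETFUL_USER = 4        # a legitimate user who mistyped a new password a few times


def demo() -> dict:
    clean = ThresholdDetector(CLEAN_BASELINE)
    # "False training": the attacker's sessions were inside the window used to learn "normal".
    poisoned = ThresholdDetector(CLEAN_BASELINE + [ATTACKER_SESSION] * 5)
    return {
        # Assumed rates: 1 in 10,000 logins is fraudulent; detector is 99% sensitive, 1% false alarms.
        # Result is roughly 0.0098: about 99 of every 100 alarms are false.
        "p_attack_given_alarm": posterior_attack_given_alarm(1e-4, 0.99, 0.01),
        "clean_threshold": clean.threshold,
        "clean_flags_attacker": clean.is_anomalous(ATTACKER_SESSION),
        "clean_flags_forgetful_user": clean.is_anomalous(FORGETFUL_USER),   # the false positive
        "poisoned_threshold": poisoned.threshold,
        "poisoned_flags_attacker": poisoned.is_anomalous(ATTACKER_SESSION),  # the false negative
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The base-rate result is why a behavioral signal alone is a poor gate for login: at realistic fraud rates a detector that looks excellent on paper still hands the help desk a queue that is almost entirely legitimate users, and the cure of loosening the threshold is exactly what the poisoned baseline does on its own.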

Slide 57

Slide 57 text

TRANSACTION VERIFICATION
• "Sign what you see" – Gartner
• User-verified behavioral policy
• Challenges
  • Online requirement
  • Platform security
• Failure modes
  • Mobile malware
  • Coercion, but potential for duress signalling

Slide 58

Slide 58 text

TRANSACTION VERIFICATION: threat matrix (✔ = factor holds up against the technique, ✘ = factor is defeated by it)
Attacker span of control | Degree of control | Technique     | Duo Push
App/Server access        | Passive/Offline   | Guess/reset   | ✔
Auth DB access           | Passive/Offline   | Crack/SQLI    | ✔
Network                  | Passive/Offline   | Sniff         | ✔
Conversation             | Passive/Offline   | Phish/Forge   | ✔
Conversation             | Active/Online     | MITM          | ✔
Endpoint                 | Active/Online     | Trojan/Keylog | ✔
Endpoint                 | Real-Time         | Sidejack/MITB | ✔
Transaction              | Persistent        | Modify        | ✔
Multiple Devices         | Coordinated       | MITMobile     | ✘
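
The difference between the OTP rows and the Duo Push rows in these matrices comes down to one design choice, "login reduced to a bearer token, vs. transaction authz" from the integration slide: an OTP proves possession but says nothing about which transaction it authorizes, so a man-in-the-browser keeps the valid OTP and swaps the transaction (the EMI vs. Comerica pattern, two factors on one channel). The following added example, written for this page and not Duo's push implementation, models both flows: a bank that accepts a transaction with a login OTP, and the same bank pushing the transaction it actually received to a separate device that displays it and signs only what it displayed ("sign what you see"). The device key, account names, amounts and the malware's rewrite are constructed; the signature is an HMAC-SHA256 over a canonical JSON encoding, an assumed format.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Per-device key shared at enrollment over a trusted path (constructed for this example).
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def canonical(tx: dict) -> bytes:
    """Stable byte encoding so device and server sign exactly the same transaction."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class Bank:
    """Relying party. Accepts a transaction either with a login OTP (a bearer token not bound
    to the transaction) or with a device signature over the transaction itself."""

    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key
        self.issued_otps = set()
        self.ledger = []

    def issue_otp(self) -> str:
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.issued_otps.add(otp)
        return otp

    def execute_with_otp(self, tx: dict, otp: str) -> bool:
        if otp not in self.issued_otps:
            return False
        self.issued_otps.discard(otp)            # one-time, but proves nothing about tx
        self.ledger.append(tx)
        return True

    def execute_signed(self, tx: dict, sig: Optional[bytes]) -> bool:
        if sig is None:
            return False                         # user tapped Deny (or never saw a prompt)
        expected = hmac.new(self.device_key, canonical(tx), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False                         # signature covers some other transaction
        self.ledger.append(tx)
        return True

    def push_for_approval(self, tx: dict, device: "Phone") -> bool:
        # The bank pushes what IT is about to execute, over a channel the browser malware does not control.
        return self.execute_signed(tx, device.show_and_approve(tx))


class Phone:
    """Hardened authenticator: displays the transaction and signs only what was displayed."""

    def __init__(self, key: bytes, intended: dict) -> None:
        self.key = key
        self.intended = intended                 # what the user meant to do

    def show_and_approve(self, shown: dict) -> Optional[bytes]:
        if shown != self.intended:               # user reads "9500 to mallory" and taps Deny
            return None
        return hmac.new(self.key, canonical(shown), hashlib.sha256).digest()


def man_in_the_browser(tx: dict) -> dict:
    """Malware rewriting the form after the user submitted it and before the bank sees it."""
    return {**tx, "to": "mallory", "amount": 9500}


USER_TX = {"from": "alice", "to": "bob", "amount": 40}


def otp_flow(bank: Bank, infected: bool) -> bool:
    otp = bank.issue_otp()                       # user types the OTP into the (possibly infected) browser
    submitted = man_in_the_browser(USER_TX) if infected else USER_TX
    return bank.execute_with_otp(submitted, otp)


def push_flow(bank: Bank, infected: bool) -> bool:
    phone = Phone(DEVICE_KEY, USER_TX)
    submitted = man_in_the_browser(USER_TX) if infected else USER_TX
    return bank.push_for_approval(submitted, phone)


def demo() -> dict:
    bank = Bank(DEVICE_KEY)
    sig_over_original = Phone(DEVICE_KEY, USER_TX).show_and_approve(USER_TX)
    return {
        "otp_clean": otp_flow(bank, False),
        "otp_mitb": otp_flow(bank, True),         # attack succeeds: OTP valid, transaction swapped
        "push_clean": push_flow(bank, False),
        "push_mitb": push_flow(bank, True),       # attack fails: the user sees the real payee
        "replay_sig_on_modified": bank.execute_signed(man_in_the_browser(USER_TX), sig_over_original),
        "ledger": bank.ledger,
    }


if __name__ == "__main__":
    print(demo())
```

What the model does not cover is the last row of the matrix: if the same malware runs on the phone (MITMobile), `show_and_approve` can be made to display one thing and sign another, which is why the next slides move on to hardening the authenticator itself.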

Slide 59

Slide 59 text

HARDENED AUTHENTICATOR
• "Trusted Path" (DoD Orange Book)
• AuthN → AuthZ
• IBM Zurich ZTIC
• Bloomberg B-Unit
• Chip & PIN
• Duo Push

Slide 60

Slide 60 text

MOBILE SECURITY IN DEPTH » xray.io
• Anti-virus/malware
• Vulnerability assessment
• Hardware-assisted security
• Device compliance & policy
• Risk-parameterized login

Slide 61

Slide 61 text

SUMMARY
• User-targeted, automated malware renders nearly all other security controls impotent
• Authentication factors can be mapped to risk
• Users can be empowered against endpoint compromise through a mobile Trusted Path
• Two-factor must be easy to deploy and use to be relevant
