Multi-Factor Authentication: Weeding Out the Snake Oil 
LASCON 2014 
David Ochel 
2014-10-24 
This work is licensed under a Creative Commons Attribution 4.0 International License.
Objectives 
•Understand what’s going on in the market of multi-factor authentication. 
•Look at solutions from a risk view… Which problems are we actually solving / trying to solve? 
Multi-Factor Authentication Criteria – LASCON 2014 
Page 2
Agenda: Less Formalism, More Examples… 
•Motivation / Introduction 
–Authentication Factors 
–Why Multi-Factor? 
•Criteria and Industry Examples 
–Security-focused criteria 
–Less risky criteria 
•…and the Snake Oil? 
INTRODUCTION 
Authentication Factors 
•Knowledge-based “know” 
–Passwords 
–Security questions (?) 
–Pattern/image recognition, … 
•Token-based “have” 
–Time-based one-time-passwords 
–Crypto-based challenge response (e.g. X.509) 
–Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably) 
•Biometrics “are” 
–Behavioral 
–Physical 
•Context-/behavioral-based 
–As in “risk-based authentication”: IP addresses, locations, date/time, etc. 
Why Do We Still Use Passwords? 
“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1] 
•Passwords 
–Highly deployable: infrastructure exists, users are accustomed, cheap, … 
–Security issues: observation, interception, replay, guessing, phishing 
–Pervasive assumption: General-purpose personal computers (laptops, PCs, …) cannot be secured/trusted 
•Issues with existing alternatives 
–Memory-based (“know”): no better than passwords? 
–Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace 
–Tokens (“have”): susceptible to theft, expensive, hard to replace 
–Contexts: unreliable proof of identity 
[1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
Current Industry Trend: Combine Multiple Factors 
•Tokens 
–Hard(er) to compromise; susceptible to physical theft 
•Passwords 
–Interceptable (malware); hard to physically steal 
•Also in the running: 
–Biometrics 
•Convenient; but often trust issues when unsupervised (liveness detection) 
–Contexts 
•Back-end risk evaluation; not technically authentication 
Authentication – A Piece of the Identity & Access Management Puzzle… 
http://forgerock.com/products/open-identity-stack/
Which threats are we trying to counter? 
•Are we protecting: 
–Individual consumer accounts? 
–Corporate users and data? 
–Machine authentication? 
•Assets 
•Adversaries 
•Vulnerabilities 
•Etc… 
CRITERIA – FROM A SECURITY POINT OF VIEW 
Are there at least two factors? 
•Password + PIN = one factor (two things you “know”) 
•Password-protected private key? 
–On disk, the key file can be copied just like a password can, so the “have” is weak… 
–…on a hardware token that never releases the key, password + token are genuinely two factors 
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
Swivel PINsafe – Human-Computed Challenge Response 
•The server shows a random “security string”; the user reads off the digits at the positions given by their PIN and types that one-time code, never the PIN itself 
•But… password + PIN still aren’t two factors? 
–When used in browser, helps against keylogging: the typed code changes with every security string (anyone who sees both string and code still learns about the PIN) 
–When the security string is sent by SMS, possession of the phone actually helps!? 
http://www.swivelsecure.com/devices/browser/
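The scheme sketched on the slide, as an added example written for this page (not Swivel’s code; the position convention, 1-based with 0 meaning the tenth character, is an assumption): the server-side challenge, the mental computation the user performs, a verifier, and the eavesdropper’s computation that shows how much of the PIN leaks from observed string/response pairs.

```python
"""Human-computed challenge-response (PINsafe-style): the user never types the PIN itself."""
import itertools
import secrets

PIN_LEN = 4
STRING_LEN = 10


def make_security_string() -> str:
    """Server-side challenge: ten random decimal digits, shown in the browser or sent by SMS.
    Issue a fresh one per attempt and discard it after use, or an observed response replays."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LEN))


def one_time_code(pin: str, security_string: str) -> str:
    """What the user computes in their head: for each PIN digit d, read the d-th character
    of the security string (assumption: positions are 1-based, and 0 selects the 10th)."""
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)


def verify(pin: str, security_string: str, response: str) -> bool:
    """Server check against the security string issued for *this* attempt only."""
    return secrets.compare_digest(one_time_code(pin, security_string), response)


def consistent_pins(observations) -> list:
    """Attacker's view: every PIN that would produce all observed (string, response) pairs.
    Exhaustive over 10**PIN_LEN candidates, which is cheap for a 4-digit PIN."""
    survivors = []
    for digits in itertools.product("0123456789", repeat=PIN_LEN):
        pin = "".join(digits)
        if all(one_time_code(pin, s) == r for s, r in observations):
            survivors.append(pin)
    return survivors


if __name__ == "__main__":
    pin = "2468"                                   # constructed user PIN
    challenge = make_security_string()
    response = one_time_code(pin, challenge)      # what the user would type
    print(challenge, response, verify(pin, challenge, response))
    # A keylogger that saw only `response` cannot reuse it: the next challenge differs.
    print(verify(pin, make_security_string(), response))
    # An observer who saw the challenge too narrows the PIN down immediately.
    print(len(consistent_pins([(challenge, response)])), "candidate PINs remain")
```

Two things a buyer should take from running this: because the response changes with every security string, a keylogger that captures only keystrokes replays nothing; but an attacker who also sees the security string (on screen, or by intercepting the SMS) recovers the PIN from a single observation whenever the string’s ten digits are distinct, and from a handful of observations otherwise. The scheme protects the PIN from the keyboard, not from the channel.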
How many communication channels? One? More? Different physical band? 
Communication channels (continued) 
•Securing smartphone apps with smartphone tokens…? 
–If the app and the token run on the same (compromised) phone, the “second channel” collapses into one 
•“plug and play” 
–Factors 
–Channels 
When to pull another factor? 
•Once per session, at login. 
•For every high risk transaction, during session. 
•“Risk-based” 
–Determined by context analysis. 
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
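The three options above as one policy function, added here as an illustration (not code from the talk or any vendor product): per-session, per-transaction and risk-based step-up over the same session, context and transaction inputs. The factor names, risk weights, threshold and freshness window are constructed values; the one rule carried over from the earlier slide is that context only raises the bar and never counts as a factor.

```python
"""When to demand the second factor: once per session, per high-risk transaction, or risk-based."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Set


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "require second factor"
    DENY = "deny"


@dataclass
class Session:
    user: str
    factors_verified: Set[str] = field(default_factory=set)  # e.g. {"password", "totp"}
    last_strong_auth: int = -1     # unix time of the last successful second-factor check
    device_known: bool = True      # device cookie / fingerprint seen before
    home_country: str = "US"


@dataclass
class Context:
    now: int
    country: str                   # geolocation of the current request
    ip_reputation: str = "clean"   # constructed signal: "clean" or "suspicious"


@dataclass
class Transaction:
    kind: str                      # "login", "view_balance", "wire_transfer", ...
    amount: float = 0.0


HIGH_RISK_KINDS = {"wire_transfer", "add_payee", "change_email"}
HIGH_VALUE = 1000.0
FRESHNESS = 300      # seconds a second-factor check stays valid for a high-risk transaction
RISK_THRESHOLD = 3   # constructed: scores at or above this demand the second factor


def risk_score(session: Session, ctx: Context, txn: Transaction) -> int:
    """Back-end risk evaluation. Context can only raise the bar; it is not an
    authentication factor and never substitutes for one."""
    score = 0
    if ctx.country != session.home_country:
        score += 2
    if not session.device_known:
        score += 2
    if ctx.ip_reputation != "clean":
        score += 3
    if txn.amount >= HIGH_VALUE:
        score += 2
    if txn.kind in HIGH_RISK_KINDS:
        score += 3
    return score


def decide(policy: str, session: Session, ctx: Context, txn: Transaction) -> Decision:
    if "password" not in session.factors_verified:
        return Decision.DENY               # no first factor: nothing to step up from
    has_second = "totp" in session.factors_verified
    fresh = has_second and ctx.now - session.last_strong_auth <= FRESHNESS
    high_risk = txn.kind in HIGH_RISK_KINDS or txn.amount >= HIGH_VALUE

    if policy == "per_session":            # second factor once, at login, then trust the session
        return Decision.ALLOW if has_second else Decision.STEP_UP
    if policy == "per_transaction":        # second factor at login and again for every risky action
        if not has_second:
            return Decision.STEP_UP
        if high_risk and not fresh:
            return Decision.STEP_UP
        return Decision.ALLOW
    if policy == "risk_based":             # second factor only when the context looks risky
        if risk_score(session, ctx, txn) >= RISK_THRESHOLD:
            return Decision.ALLOW if fresh else Decision.STEP_UP
        return Decision.ALLOW
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    alice = Session("alice", {"password", "totp"}, last_strong_auth=900)
    for policy in ("per_session", "per_transaction", "risk_based"):
        print(policy, decide(policy, alice, Context(now=2000, country="US"),
                             Transaction("wire_transfer", 5000.0)))
```

Note where the policies disagree: the per-session policy lets a session that was hijacked after login wire money freely, the per-transaction policy asks for the token again once the last check is older than the freshness window, and the risk-based policy skips the second factor on a routine login from a known device but still demands it for the transfer.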
Enrolling users / tokens 
•Personalization/provisioning of tokens 
•Enrollment in service 
•Central management of credentials 
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station- v1.0.pdf
Crypto 
•There’s crypto everywhere 
–Token challenge-response, digital signatures 
–Transportation security for authentication channels 
•Robustness/diversity 
–More than one set of algorithm types supported? 
•Trust 
–Algorithms 
–Implementations 
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
EMV-based 
•Mastercard CAP / VISA DPA 
•German Sm@art TAN 
•CrontoSign (photoTAN)… 
https://www.vasco.com/products/products.aspx 
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf 
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
CRITERIA – LESS SECURITY-RELEVANT 
$$$ 
•OpEx vs. CapEx 
–Licensing fees (per user, server, year, …?) 
–Token cost 
–… 
http://www.entrust.com/products/entrust-identityguard/
Open Source? 
•Lots of freemium solutions 
•E.g. WikID 
https://www.wikidsystems.com/learn-more/features
Integration with Identity & Access Management Solutions 
•Open Source, e.g. gluu or OpenAM 
•Commercial, e.g. SailPoint, and many more 
http://www.gluu.org/gluu-server/strong-authentication/ 
http://www.sailpoint.com/solutions/products/identityiq/access-manager
Usability 
•Efficiency 
•Ease of use 
•Availability 
•Convenience 
–Is it realistic to expect that every user carries half a dozen hardware tokens with them? 
© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/
(Security) architecture 
•Client-less vs. plug-ins, apps, … 
•Service 
–SaaS / cloud 
–In-house 
•Server side: 
–APIs 
–Logging 
–RADIUS, etc. interfaces 
Availability 
•Does it scale? 
–Authentications per second 
•Capacity to bug/security-fix 
–Reputation, history, size, … 
•SLA, redundancy, … 
•Fallback if the cloud is unavailable? 
http://www.earlychildhoodworksheets.com/nature-clipart.html
…AND THE SNAKE OIL? 
How to find snake oil? 
•Wait until it finds you, or… Google it! 
•OWASP ‘Guide to Cryptography’ suggests: 
‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide “military grade” security. If a vendor says “trust us, we have had experts look at this,” chances are they weren’t experts!’ 
https://www.owasp.org/index.php/Guide_to_Cryptography
Unbreakable, impenetrable, etc. 
from http://www.edulok.com – retrieved 2014-09-23
WWPass (aka EduLok): What might be going on? 
This is abstracted from their public online documentation… haven’t checked out the patents or anything else. 
What about “Best in Class”? 
•E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication” 
•Not exempt from marketing blah? ;-) 
http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23
Conclusions 
•Don’t trust the marketing hype! 
•Understand your exposure. 
•Understand which solutions can reduce it. 
•And then look at usability, interoperability, etc. 
Contact 
David Ochel 
Blog: http://secuilibrium.com 
Twitter: @lostgravity 

 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Dernier (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

7. Current Industry Trend: Combine Multiple Factors
•Tokens
–Hard(er) to compromise; susceptible to physical theft
•Passwords
–Interceptable (malware); hard to physically steal
•Also in the running:
–Biometrics
•Convenient; but often trust issues when unsupervised (liveness detection)
–Contexts
•Back-end risk evaluation; not technically authentication
Multi-Factor Authentication Criteria – LASCON 2014
Page 7

8. Authentication – A Piece of the Identity & Access Management Puzzle…
Multi-Factor Authentication Criteria – LASCON 2014
Page 8
http://forgerock.com/products/open-identity-stack/

9. Which threats are we trying to counter?
•Are we protecting:
–Individual consumer accounts?
–Corporate users and data?
–Machine authentication?
•Assets
•Adversaries
•Vulnerabilities
•Etc…
Page 9
Multi-Factor Authentication Criteria – LASCON 2014

10. CRITERIA – FROM A SECURITY POINT OF VIEW
Page 10
Multi-Factor Authentication Criteria – LASCON 2014

11. Are there at least two factors?
•Password + PIN = one factor
•Password-protected private key?
–…on a hardware token?
Multi-Factor Authentication Criteria – LASCON 2014
Page 11
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
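To make the "at least two factors" criterion of slide 11 concrete, here is an added Python example (written for this page, not code from the talk or from any vendor mentioned in it). It combines a knowledge factor (a password stored as a PBKDF2 hash) with a possession factor (an RFC 6238 time-based one-time password, i.e. RFC 4226 HOTP driven by a time counter). A "password + PIN" scheme would only run the `verify_password` path twice, since both secrets are typed on the same keyboard and fall to the same keylogger; the second check here depends on a secret held in a device the user carries. The account layout, the one-step clock-drift window and the replay guard are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

# Knowledge factor: password hashed with PBKDF2-HMAC-SHA256. The iteration count
# is an assumption for this example; production deployments tune it higher.
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30
TOTP_WINDOW_STEPS = 1  # accept one time step of drift either way (assumption)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes           # shared with the user's token at enrollment
    last_totp_counter: int = -1  # highest time step already accepted (replay guard)


def make_account(password: str, totp_secret: bytes) -> Account:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return Account(salt, digest, totp_secret)


def verify_password(account: Account, password: str) -> bool:
    """Knowledge factor ("know"). Constant-time comparison of the PBKDF2 digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, account.password_hash)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(now: int, step: int = TOTP_STEP_SECONDS) -> int:
    """RFC 6238 derives the HOTP counter from wall-clock time."""
    return now // step


def match_totp(account: Account, code: str, now: int) -> Optional[int]:
    """Possession factor ("have"). Returns the time step the code matched, or None.
    Steps at or below the last accepted one are refused, so a code captured in
    transit cannot be replayed within the validity window."""
    base = totp_counter(now)
    for delta in range(-TOTP_WINDOW_STEPS, TOTP_WINDOW_STEPS + 1):
        step = base + delta
        if step <= account.last_totp_counter:
            continue
        if hmac.compare_digest(hotp(account.totp_secret, step), code):
            return step
    return None


def login(account: Account, password: str, code: str, now: int) -> str:
    """Both factors are always evaluated (no hint about which one failed); the
    counter is committed only on full success, so a failed attempt with a wrong
    password does not burn the user's current code."""
    password_ok = verify_password(account, password)
    matched_step = match_totp(account, code, now)
    if password_ok and matched_step is not None:
        account.last_totp_counter = matched_step
        return "ok"
    return "fail"


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
    secret = b"12345678901234567890"
    acct = make_account("correct horse battery staple", secret)
    now = 1_000_000
    print(login(acct, "correct horse battery staple", hotp(secret, totp_counter(now)), now))
```

The replay guard is the part most often missing in home-grown TOTP verifiers: without `last_totp_counter`, a code observed over the wire stays valid for the whole window, which turns the possession factor back into something an interceptor can reuse.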
12. Swivel PINsafe – Human-Computed Challenge Response
•But… password + PIN still aren’t two factors?
–When used in a browser, helps against keylogging
–When used for SMS, actually helps!?
Multi-Factor Authentication Criteria – LASCON 2014
Page 12
http://www.swivelsecure.com/devices/browser/

13. How many communication channels?
One? More? Different physical band?
Multi-Factor Authentication Criteria – LASCON 2014
Page 13

14. Communication channels (continued)
•Securing smartphone apps with smartphone tokens…?
•“Plug and play”
–Factors
–Channels
Multi-Factor Authentication Criteria – LASCON 2014
Page 14

15. When to pull another factor?
•Once per session, at login.
•For every high-risk transaction, during the session.
•“Risk-based”
–Determined by context analysis.
Multi-Factor Authentication Criteria – LASCON 2014
Page 15
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
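Slide 15 lists three moments at which a second factor can be demanded: once at login, for every high-risk transaction, and whenever context analysis says the risk has gone up. The following added Python example (mine, not the talk's or any vendor's product logic) puts all three into one policy function, and it also encodes the caveat from slide 7 that context is back-end risk evaluation rather than authentication: a context score can raise the bar or end the session, but it never counts as a satisfied factor. The action list, score weights, thresholds and the 300-second freshness window are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # ask for the possession factor again before proceeding
    DENY = "deny"        # end the session; a fresh full login is required


@dataclass
class Context:
    ip: str
    country: str
    hour: int  # local hour of day, 0-23


@dataclass
class Session:
    user: str
    login_context: Context
    # factor name -> epoch seconds at which it was last proven
    factor_times: Dict[str, int] = field(default_factory=dict)


# Assumed policy knobs; a real deployment derives these from its own exposure.
HIGH_RISK_ACTIONS = {"wire_transfer", "change_email", "register_device"}
STEP_UP_MAX_AGE = 300   # seconds a token proof stays fresh enough for a high-risk action
STEP_UP_SCORE = 2       # context score that forces a fresh token proof
DENY_SCORE = 3          # context score that terminates the session


def context_score(login_ctx: Context, ctx: Context) -> int:
    """Back-end risk evaluation over the request context. Note what this does
    not do: it never returns a factor, only a number that raises requirements."""
    score = 0
    if ctx.ip != login_ctx.ip:
        score += 1
    if ctx.country != login_ctx.country:
        score += 3
    if not 6 <= ctx.hour <= 22:
        score += 1
    return score


def decide(session: Session, action: str, now: int, ctx: Context) -> Decision:
    """Policy for one request inside an established session."""
    # Slide 15, bullet 1: the token is required once per session, at login.
    if "token" not in session.factor_times:
        return Decision.STEP_UP
    score = context_score(session.login_context, ctx)
    if score >= DENY_SCORE:
        return Decision.DENY
    # Slide 15, bullets 2 and 3: high-risk transaction, or context says risk rose.
    if action in HIGH_RISK_ACTIONS or score >= STEP_UP_SCORE:
        if now - session.factor_times["token"] > STEP_UP_MAX_AGE:
            return Decision.STEP_UP
    return Decision.ALLOW


def record_token_proof(session: Session, now: int) -> None:
    """Called after the token challenge succeeded (the challenge itself is
    outside this example); refreshes the possession factor's timestamp."""
    session.factor_times["token"] = now


if __name__ == "__main__":
    home = Context("203.0.113.5", "US", 10)  # constructed sample context
    s = Session("alice", home, {"password": 1000, "token": 1000})
    print(decide(s, "wire_transfer", 5000, home))   # token proof is 4000 s old -> STEP_UP
    record_token_proof(s, 5000)
    print(decide(s, "wire_transfer", 5010, home))   # fresh proof -> ALLOW
```

The shape worth keeping from this sketch is that `decide` only ever reads factor timestamps; the one place that writes them is the handler for a successful token proof. If a context check could write `factor_times`, the "contexts: unreliable proof of identity" problem from slide 6 would be built into the policy.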
16. Enrolling users / tokens
•Personalization/provisioning of tokens
•Enrollment in service
•Central management of credentials
Multi-Factor Authentication Criteria – LASCON 2014
Page 16
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf

17. Crypto
•There’s crypto everywhere
–Token challenge-response, digital signatures
–Transport security for authentication channels
•Robustness/diversity
–More than one set of algorithm types supported?
•Trust
–Algorithms
–Implementations
Multi-Factor Authentication Criteria – LASCON 2014
Page 17
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
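Slide 17 raises two evaluation questions that are easy to state and easy to get wrong in a product: is the token challenge-response actually single-use, and does the design support more than one algorithm family so that one can be retired? The added Python example below (written for this page; it is not the talk's material or any vendor's protocol) shows a minimal HMAC-based challenge-response between a verifier and a token with an algorithm registry. The algorithm names, the retired list and the message layout are assumptions; the point is that the challenge is consumed on first use, that the algorithm is pinned by the verifier and bound into the MAC input so a response cannot be re-labelled, and that a retired algorithm is refused before any challenge is issued.

```python
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

# Assumed algorithm registry: two MAC families deployed side by side so either can be
# withdrawn without re-issuing every token. Anything not listed is rejected outright.
MAC_ALGORITHMS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha512": hashlib.sha512,
}
RETIRED_ALGORITHMS = {"hmac-sha1"}  # still known to the code, no longer accepted (assumption)


def compute_response(secret: bytes, alg: str, token_id: str, nonce: bytes) -> bytes:
    """The algorithm name and the token identity are bound into the MAC input, so a
    response computed under one algorithm cannot be presented as one under another."""
    msg = b"|".join([alg.encode(), token_id.encode(), nonce])
    return hmac.new(secret, msg, MAC_ALGORITHMS[alg]).digest()


class Token:
    """The possession-side device: holds a secret that never leaves it and only
    answers with the algorithms it was provisioned for."""

    def __init__(self, token_id: str, secret: bytes, supported: Set[str]):
        self.token_id = token_id
        self._secret = secret
        self.supported = supported

    def respond(self, nonce: bytes, alg: str) -> bytes:
        if alg not in self.supported:
            raise ValueError(f"token does not support {alg}")
        return compute_response(self._secret, alg, self.token_id, nonce)


class Verifier:
    """The server side: issues single-use challenges and checks the responses."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._pending: Dict[str, Tuple[bytes, str]] = {}  # token_id -> (nonce, alg)

    def challenge(self, token_id: str, alg: str = "hmac-sha256") -> Tuple[bytes, str]:
        if token_id not in self._secrets:
            raise KeyError(f"unknown token {token_id}")
        if alg in RETIRED_ALGORITHMS or alg not in MAC_ALGORITHMS:
            raise ValueError(f"{alg} is not an accepted algorithm")
        nonce = os.urandom(16)
        self._pending[token_id] = (nonce, alg)
        return nonce, alg

    def verify(self, token_id: str, alg: str, response: bytes) -> bool:
        # The challenge is consumed whether or not the response matches, so a
        # captured response is worthless once the first attempt has been made.
        pending = self._pending.pop(token_id, None)
        if pending is None:
            return False
        nonce, expected_alg = pending
        if alg != expected_alg:
            return False  # the algorithm was changed in transit or by the token
        expected = compute_response(self._secrets[token_id], alg, token_id, nonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for the example, not a real key
    verifier = Verifier({"tok-1": secret})
    token = Token("tok-1", secret, {"hmac-sha256", "hmac-sha512"})
    nonce, alg = verifier.challenge("tok-1", "hmac-sha512")
    print(verifier.verify("tok-1", alg, token.respond(nonce, alg)))   # True
    print(verifier.verify("tok-1", alg, token.respond(nonce, alg)))   # False: challenge already used
```

When reviewing a product against this slide, the questions this sketch answers are the ones to ask the vendor: what is the nonce source, what happens to a challenge after a failed response, and how is the algorithm identifier authenticated rather than merely transmitted.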
18. EMV-based
•Mastercard CAP / VISA DPA
•German Sm@art TAN
•CrontoSign (photoTAN)…
Multi-Factor Authentication Criteria – LASCON 2014
Page 18
https://www.vasco.com/products/products.aspx
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf

19. CRITERIA – LESS SECURITY-RELEVANT
Page 19
Multi-Factor Authentication Criteria – LASCON 2014

20. $$$
•OpEx vs. CapEx
–Licensing fees (per user, server, year, …?)
–Token cost
–…
Multi-Factor Authentication Criteria – LASCON 2014
Page 20
http://www.entrust.com/products/entrust-identityguard/

21. Open Source?
•Lots of freemium solutions
•E.g. WiKID
Multi-Factor Authentication Criteria – LASCON 2014
Page 21
https://www.wikidsystems.com/learn-more/features

22. Integration with Identity & Access Management Solutions
•Open Source, e.g. Gluu or OpenAM
•Commercial, e.g. SailPoint, and many more
Multi-Factor Authentication Criteria – LASCON 2014
Page 22
http://www.gluu.org/gluu-server/strong-authentication/
http://www.sailpoint.com/solutions/products/identityiq/access-manager

23. Usability
•Efficiency
•Ease of use
•Availability
•Convenience
–Is it realistic to expect that every user carries half a dozen hardware tokens with them?
Multi-Factor Authentication Criteria – LASCON 2014
Page 23
© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/

24. (Security) architecture
•Client-less vs. plug-ins, apps, …
•Service
–SaaS / cloud
–In-house
•Server side:
–APIs
–Logging
–RADIUS, etc. interfaces
Multi-Factor Authentication Criteria – LASCON 2014
Page 24

25. Availability
•Does it scale?
–Authentications per second
•Capacity to bug/security-fix
–Reputation, history, size, …
•SLA, redundancy, …
•Fallback if the cloud is unavailable?
Multi-Factor Authentication Criteria – LASCON 2014
Page 25
http://www.earlychildhoodworksheets.com/nature-clipart.html

26. …AND THE SNAKE OIL?
Page 26
Multi-Factor Authentication Criteria – LASCON 2014

27. How to find snake oil?
•Wait until it finds you, or… Google it!
•OWASP ‘Guide to Cryptography’ suggests:
‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide "military grade" security. If a vendor says "trust us, we have had experts look at this,” chances are they weren't experts!’
Multi-Factor Authentication Criteria – LASCON 2014
Page 27
https://www.owasp.org/index.php/Guide_to_Cryptography

29. Unbreakable, impenetrable, etc.
Multi-Factor Authentication Criteria – LASCON 2014
Page 29
from http://www.edulok.com – retrieved 2014-09-23

30. WWPass (aka EduLok): What might be going on?
This is abstracted from their public online documentation… haven’t checked out the patents or anything else.
Multi-Factor Authentication Criteria – LASCON 2014
Page 30

31. What about “Best in Class”?
•E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication”
•Not exempt from marketing blah? ;-)
Multi-Factor Authentication Criteria – LASCON 2014
Page 31
http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23

32. Conclusions
•Don’t trust the marketing hype!
•Understand your exposure.
•Understand which solutions can reduce it.
•And then look at usability, interoperability, etc.
Multi-Factor Authentication Criteria – LASCON 2014
Page 36

33. Contact
David Ochel
Blog: http://secuilibrium.com
Twitter: @lostgravity
Multi-Factor Authentication Criteria – LASCON 2014
Page 37