Two-Factor Authentication and Swivel
Abstract
This document looks at why the username and password are no
longer sufficient for authentication and how the Swivel Secure
authentication platform can provide a strong, cost-effective
authentication solution that is easy to use and to manage.
2012
White Paper Heading 2
Contents
Introduction 3
Single-Factor Authentication 4
Threats against Usernames and Passwords 4
Malware Attack 5
Guess the Password 5
Steal the Password 5
Shoulder Surfing 5
Phishing 5
Dual-Factor Authentication 6
Attacks against Dual Factor Authentication 6
Steal the Token 6
Phishing 6
Dual-Factor Authentication and Swivel 6
Tokenless 7
One-Time Code Extraction 7
Attacks against Swivel 8
Stealing the token 8
Phishing 8
Conclusion 9
Introduction
The increasing use of remote access and web-based commerce has
increased the need for convenient, cost-effective, yet strong authentication
models. Relying on a single factor of authentication, i.e. username and
password, is no longer appropriate for many applications.
This has led to the increasing use of multi-factor authentication; whereby
authentication requires the user to know something (e.g. a password) and
possess something (e.g. some form of authentication token).
Swivel’s approach to two-factor authentication has the advantage that the
user does not need a dedicated authentication token. Combined with PINsafe,
our patented one-time code extraction protocol, this lets Swivel provide a
strong, cost-effective authentication solution that is easy to use and to
manage.
Single-Factor Authentication
When a user authenticates they need to present credentials to the
authentication server. A credential may be based on:
- Something they know, e.g. a password
- Something they have, e.g. a security string provided by a token
- Something they are, e.g. a fingerprint or retina scan.
Each one of these is a factor of authentication.
In the early days of authentication (and in many systems still today)
authentication is based upon just a single factor of authentication,
specifically a combination of a username and a password (UNP). There is an
increasing awareness that this is not sufficient for many systems. This
realisation is showing itself not only in the increasing number of
organizations that are moving to multi-factor authentication but also in
more regulations and legislation that are mandating multi-factor
authentication.
There are three driving forces behind this: firstly the increasing value of
the systems being protected by authentication systems, secondly the
increasing availability and variety of tools that can be used effectively
against simple UNP authentication, and thirdly the increase in cybercrime.
Threats against Usernames and Passwords
One of the weaknesses of UNP is the fact that the password is static; i.e. it
does not change from one authentication attempt to the next.
Administrators may insist that passwords are changed every 3 months, or
even every month, however that still gives an attacker a significant amount
of time to aim at a stationary target.
Another issue with passwords is that users and helpdesk administrators
want them to be easy to remember but IT managers and security managers
want them to be difficult to guess. These requirements tend to work
against one another. It is much easier to remember words than it is a series
of random characters, but it is much easier to guess a word than a series of
random characters.
In order to help themselves remember more complex passwords, users are
more inclined to re-use the same password for different applications and
interfaces.
One final weakness of UNP as an authentication model stems from the fact
that username and passwords have been around for so long. This means
there are many software-based attacks out there that are, thanks to the
internet, widely available.
So what are the threats against username and password? The following list
is not meant to be exhaustive; it focuses on technical attacks against the
client rather than attacks against the server or social-engineering-based
attacks such as con-tricks, blackmail etc.
Malware Attack
The attacker deploys malicious code on the target’s computer, for example a
key logger that records the user’s keystrokes. By examining the logged
keystrokes the password can be determined: search the log for a username
and the password is likely to follow. Some software attacks are more
sophisticated and only start logging after specific actions, e.g.
accessing a banking URL. The static nature of passwords means that this
form of attack can be very effective.
Guess the Password
There is a range of guessing attacks against passwords, which differ in how
much or how little information the attacker has about the target.
At one extreme there is a brute force attack, whereby an attacker just
guesses different possibilities until they succeed; not very effective, but
usable if the attacker can gain access to the file of encrypted passwords.
Slightly more targeted is a dictionary attack, where rather than just guess
random values, the attacker restricts the attack to words or phrases that
are likely, as most people choose passwords that are words. Finally, if the
attacker knows personal information about the target, they may try their
favourite sports teams or their children’s names as the password. The need
to make passwords memorable makes this kind of attack an option.
Steal the Password
One way of satisfying the IT security manager’s insistence on a complicated
password is to write it down somewhere, e.g. in an envelope in the desk
drawer. While this form of attack requires physical access, it is
surprisingly common practice for people to write passwords down unencrypted.
Shoulder Surfing
To find out what someone’s password is you just watch them type it in.
This is another attack that requires physical access, but as passwords are
static you have plenty of opportunities to watch the user type in their
password and discern the whole thing. This form of attack has become more
widely recognised since the introduction of Chip and PIN technology, with
people being asked to hide their fingers as they type in their PIN.
Phishing
It is particularly difficult to defend against phishing attacks, partly because
it is so easy to mount such an attack. You can get all the corporate imagery
you need from the real website to build a mocked-up site, then mass-mail a
mock email to any valid email address. The user goes to the mock site and
enters their username and password. The attacker then has the password
that they need and can do what they will with it.
Dual-Factor Authentication
Adding another factor of authentication adds another task for the attacker
to complete before their attack is successful. The basic model is that the
token provides the user with a one-time code that they must enter in order
to authenticate; the security string is dynamic in that it is different for each
authentication. We can see that there are many and varied ways of gaining
one factor, the password, but having succeeded in that what does an
attacker need to do in addition to succeed in defeating two-factor
authentication systems?
Attacks against Dual Factor Authentication
There would appear to be two obvious approaches:
Steal the Token
An attacker may be lucky in that the token may be kept in the same drawer
as the user’s password! But clearly an attack that combines a software
attack to determine the password with physically obtaining the token could
succeed. The first element is straightforward, the second less so; however,
in an e-commerce B2C scenario with many tokens being physically
distributed, there may be vulnerabilities that could be exploited.
Phishing
Phishing can still have some success even against dual-factor
authentication, as the attacker obtains the user’s password and one-time
code and can therefore use those credentials to fraudulently authenticate
as the user. Unlike the phishing attack against single factor, this does not
allow the attacker to steal the user’s identity, as the user still has the
token. This means the attacker cannot re-authenticate without re-phishing
the required one-time code, so a web application that requires repeated
authentication provides a good defence against phishing attacks; for
example, a banking website that requires authentication for every monetary
transaction.
Dual-Factor Authentication and Swivel
The Swivel authentication platform is a dual-factor authentication solution
with subtle but important differences. As with many dual-factor
authentication systems, Swivel sends the user a security string that they
need in order to authenticate, but the security string is sent to the user’s
mobile phone, either as a voice call, an SMS or via a mobile app; therefore
there is no need for dedicated security tokens.
The received security string is not entered by the user; it is combined by
the user with a PIN to extract the one-time code which is then entered.
The advantages of these differences are described below.
Tokenless
The fact that Swivel does not require a dedicated security token (it uses
the mobile phone as a token) has a number of advantages.
There is nothing that needs to be physically distributed; therefore you are
not at the mercy of postal systems etc. to provision users. Users can be
provisioned instantly.
Just as importantly there is nothing to physically reclaim once a user no
longer requires access. This is particularly relevant where you have a
population of users that has a high churn rate such as an academic
institution.
People treat their mobile phone as something vital; they need it for
business but also to keep in contact with their friends and families when
they are at work. They are less likely to leave it behind; or leave it in a
pocket of a garment destined for the laundry. They are also more likely to
notice when they have lost it or it has been stolen.
As Swivel reuses an existing device as a security token there is no
additional cost. If someone loses or damages their mobile phone, the
replacement is borne by the telecoms budget, not the security budget!
One-Time Code Extraction
The use of the Swivel one-time code extraction protocol means that both
factors of authentication can be combined into a single credential. This
means:
The user only needs a 4-digit one-time code to authenticate (Swivel can be
configured to use PINs of 4 to 10 digits, and it can also be used in
conjunction with a password).
As the PIN is never entered, the attacks described earlier, such as key
loggers, cannot be used to ascertain one of the two factors of
authentication.
So the use of the Swivel dual-factor solution makes some of the attacks
discussed before even harder. There is no physical token to distribute, and
the loss of a mobile phone is likely to be noticed and reported sooner than
the loss of a security token. In the event that an attacker gains access to
a mobile phone, security is still not compromised, as the attacker still
needs the PIN, and the PIN cannot be ascertained by key-logging attacks as
it is never entered by the user.
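To make the extraction step concrete, here is an added Python model of the server-side check (example code, not Swivel’s own). The paper only says the user "combines" the security string with a PIN; the positional rule used here is an assumption: a 10-digit security string in which each PIN digit selects the digit at that position. The model also shows why the PIN never crosses the wire and why a captured one-time code is useless once its security string has been consumed.

```python
"""PINsafe-style one-time code (OTC) extraction, modelled server-side.

Added illustration, not Swivel's own code. Assumed rule (not stated in the
paper): the security string is 10 random digits and each PIN digit n selects
the digit at position n (1-based), with PIN digit 0 selecting position 10.
PIN length is 4 to 10 digits, as the paper states.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SECURITY_STRING_LEN = 10


def generate_security_string() -> str:
    """Server side: a fresh random 10-digit string, sent to the user's phone
    by SMS, voice call or mobile app."""
    return "".join(str(secrets.randbelow(10)) for _ in range(SECURITY_STRING_LEN))


def extract_otc(security_string: str, pin: str) -> str:
    """The step the user performs in their head: PIN digit -> position.
    The PIN itself is never typed in; only the extracted code is."""
    if len(security_string) != SECURITY_STRING_LEN or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    if not (4 <= len(pin) <= 10) or not pin.isdigit():
        raise ValueError("PIN must be 4 to 10 digits")
    # Position 1..9 -> index 0..8; PIN digit 0 -> position 10 -> index 9 (assumed rule).
    return "".join(security_string[(int(d) - 1) % SECURITY_STRING_LEN] for d in pin)


@dataclass
class PinsafeVerifier:
    """Server-side state. The PIN stays on the server; each security string is
    consumed on first use, so an OTC captured by a key logger or a phishing
    page cannot be replayed for a second authentication."""
    pins: dict = field(default_factory=dict)         # username -> PIN (hypothetical store)
    outstanding: dict = field(default_factory=dict)  # username -> unused security string

    def issue(self, username: str) -> str:
        """Start an authentication: generate and remember a security string."""
        if username not in self.pins:
            raise KeyError(f"unknown user {username!r}")
        s = generate_security_string()
        self.outstanding[username] = s
        return s

    def verify(self, username: str, otc: str) -> bool:
        """Check the submitted OTC against the single outstanding string.
        The string is removed whether or not the check succeeds."""
        s = self.outstanding.pop(username, None)
        if s is None:
            return False  # nothing issued, or already used: possible replay
        expected = extract_otc(s, self.pins[username])
        return hmac.compare_digest(expected.encode(), otc.encode())


def demo() -> bool:
    """One login followed by a replay of the same code, for a constructed user."""
    v = PinsafeVerifier(pins={"alice": "2580"})  # constructed sample PIN
    s = v.issue("alice")
    first = v.verify("alice", extract_otc(s, "2580"))
    replay = v.verify("alice", extract_otc(s, "2580"))
    return first and not replay


if __name__ == "__main__":
    print("login accepted and replay rejected:", demo())
```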
Attacks against Swivel
Stealing the token
In the Swivel case this attack still leaves the attacker with the problem
of the PIN; as the PIN is never entered, it cannot be obtained via
key-logging type attacks.
Phishing
No authentication product is immune from attack. Some forms of phishing
attack may have some success against Swivel; it is very difficult to stop
users entering credentials into a mock website, as discussed before. Once
entered, these valid credentials can be used by the attacker; as before,
this does not allow the attacker to steal the account, as they cannot
re-authenticate without the mobile phone.
A mock web site can send a user a false security string and by examining
the returned one-time code ascertain the user’s PIN. However this requires
knowledge of the target’s mobile phone number and the means to send an
SMS. Once the PIN is known, physical access to the mobile phone is still
required.
Conclusion
Two-factor authentication is a much stronger form of authentication than
single-factor. Swivel’s implementation of two-factor authentication, with its
unique one-time code extraction protocol and its use of the mobile phone
as a security token, provides a number of advantages, including increased
strength of authentication and decreased running costs.
Bi guardotp
 
Attachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromiseAttachment 1 – mitigation measures for two factor authentication compromise
Attachment 1 – mitigation measures for two factor authentication compromise
 
Ams 2 fa april 2013
Ams 2 fa april 2013Ams 2 fa april 2013
Ams 2 fa april 2013
 
10695 sidtfa sb_0210
10695 sidtfa sb_021010695 sidtfa sb_0210
10695 sidtfa sb_0210
 

Dernier

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

Two-Factor Authentication and Swivel Secure Platform

Two-Factor Authentication and Swivel

Abstract

This document looks at why the username and password are no longer sufficient for authentication and how the Swivel Secure authentication platform can provide a strong, cost-effective authentication solution that is easy to use and to manage.

2012
Contents

• Introduction
• Single-Factor Authentication
  • Threats against Usernames and Passwords
    • Malware Attack
    • Guess the Password
    • Steal the Password
    • Shoulder Surfing
    • Phishing
• Dual-Factor Authentication
  • Attacks against Dual Factor Authentication
    • Steal the Token
    • Phishing
  • Dual-Factor Authentication and Swivel
    • Tokenless
    • One-Time Code Extraction
• Attacks against Swivel
  • Stealing the token
  • Phishing
• Conclusion
Introduction

The increasing use of remote access and web-based commerce has increased the need for convenient, cost-effective, yet strong authentication models. Relying on a single factor of authentication, i.e. username and password, is no longer appropriate for many applications. This has led to the increasing use of multi-factor authentication, whereby authentication requires the user to know something (e.g. a password) and possess something (e.g. some form of authentication token).

Swivel's approach to two-factor authentication has the advantage that the user does not need a dedicated authentication token. Add to this PINsafe, our patented one-time code extraction protocol, and Swivel can provide a strong, cost-effective authentication solution that is easy to use and to manage.
Single-Factor Authentication

When a user authenticates they need to present credentials to the authentication server. A credential may be based on:

• Something they know, e.g. a password
• Something they have, e.g. a security string provided by a token
• Something they are, e.g. a fingerprint or retina scan.

Each one of these is a factor of authentication. In the early days of authentication (and in many systems still today) authentication is based upon just a single factor of authentication, specifically a combination of a username and a password (UNP). There is an increasing awareness that this is not sufficient for many systems. This realisation is showing itself not only in the increasing number of organisations that are moving to multi-factor authentication but also in more regulations and legislation that are mandating multi-factor authentication. Three driving forces are behind this: firstly the increasing value of the systems being protected by authentication systems, secondly the increasing availability and variety of tools that can be used effectively against simple UNP authentication, and thirdly the increase in cybercrime.

Threats against Usernames and Passwords

One of the weaknesses of UNP is the fact that the password is static, i.e. it does not change from one authentication attempt to the next. Administrators may insist that passwords are changed every 3 months, or even every month; however, that still gives an attacker a significant amount of time to aim at a stationary target.

Another issue with passwords is that users and helpdesk administrators want them to be easy to remember, but IT managers and security managers want them to be difficult to guess. These requirements tend to work against one another. It is much easier to remember words than a series of random characters, but it is also much easier to guess a word than a series of random characters. In order to help themselves remember more complex passwords, users are more inclined to re-use the same password for different applications and interfaces.

One final weakness of UNP as an authentication model stems from the fact that usernames and passwords have been around for so long. This means there are many software-based attacks out there that are, thanks to the internet, widely available.

So what are the threats against username and password? The following list is not meant to be exhaustive; it focuses on technical attacks against the client rather than attacks against the server or social-engineering based attacks such as con-tricks, blackmail etc.

Malware Attack

Deploy malicious code on the target's computer, for example a key logger that records a user's keystrokes. By looking at the details of the keys pressed, the password can be determined: search the log for a username and the password is likely to follow. Some software attacks are more sophisticated and look for specific actions before starting to log, e.g. accessing a banking URL. The static nature of passwords means that this form of attack can be very effective.

Guess the Password

There is a range of guessing attacks against passwords, based on how much or how little information the attacker has about the target. At one extreme there is a brute force attack, whereby an attacker just guesses different possibilities until they succeed; not very effective, but it can be used if the attacker can gain access to the file of encrypted passwords. Slightly more targeted is a dictionary attack, where rather than just guessing random values the attacker restricts the attack to words or phrases that are likely, as most people choose passwords that are words. Finally, if the attacker knows personal information about the target, they may try their favourite sports team or their children's names as the password. The need to make passwords memorable makes this kind of attack an option.

Steal the Password

One way of satisfying the IT security manager's insistence on a complicated password is to write it down somewhere; in an envelope in the desk drawer etc. Whereas this form of attack requires physical access, it is surprisingly common practice for people to write passwords down unencrypted.

Shoulder Surfing

To find out what someone's password is you just watch them type it in. This is another attack that requires physical access, but as passwords are static you have plenty of attempts at watching the user type in their password to discern the whole thing. This form of attack has become more recognised since the use of Chip and PIN technology, with people being asked to hide their fingers as they type in their PIN.

Phishing

It is particularly difficult to defend against phishing attacks, partly because it is so easy to mount such an attack. You can get all the corporate imagery you need from the real website to build a mocked-up site, then you can mass-email a mock email to any valid email address. The user goes to the mock site and enters their username and password. The attacker then has the password that they need and can do what they will with it.
Dual-Factor Authentication

Adding another factor of authentication adds another task for the attacker to complete before their attack is successful. The basic model is that the token provides the user with a one-time code that they must enter in order to authenticate; the security string is dynamic in that it is different for each authentication. We have seen that there are many and varied ways of gaining one factor, the password, but having succeeded in that, what does an attacker need to do in addition to defeat a two-factor authentication system?

Attacks against Dual Factor Authentication

There would appear to be two obvious approaches:

Steal the Token

An attacker may be lucky in that the token may be kept in the same drawer as the user's password! But clearly an attack that combines a software attack determining the password with physically obtaining the token could be successful. The first element is straightforward, the second one less so; however, in an e-commerce B2C scenario with many tokens being physically distributed, there may be vulnerabilities that could be exploited.

Phishing

Phishing can still have some success even against dual factor authentication, as the attacker obtains the user's password and one-time code and can therefore use those credentials to fraudulently authenticate as the user. Unlike the phishing attack for single factor, this does not allow the attacker to steal the user's identity, as the user still has the token. This means the attacker cannot re-authenticate without re-phishing the required one-time code, so a web application that requires repeated authentication provides a good defence against phishing attacks; for example, a banking website that requires authentication for every monetary transaction.

Dual-Factor Authentication and Swivel

The Swivel authentication platform is a dual factor authentication solution with subtle but important differences. As with many dual factor authentication systems, Swivel sends the user a security string that the user needs in order to authenticate, but the security string is sent to the user's mobile phone, either in the form of a voice call, an SMS or via a mobile app; therefore there is no need for dedicated security tokens. The received security string is not entered by the user; it is combined by the user with a PIN to extract the one-time code, which is then entered. The advantages of these differences are described below.

Tokenless

The fact that Swivel does not require a dedicated security token (it uses the mobile phone as a token) has a number of advantages. There is nothing that needs to be physically distributed; therefore you are not at the mercy of postal systems etc. to provision users. Users can be provisioned instantly. Just as importantly, there is nothing to physically reclaim once a user no longer requires access. This is particularly relevant where you have a population of users with a high churn rate, such as an academic institution.

People treat their mobile phone as something vital; they need it for business but also to keep in contact with their friends and families when they are at work. They are less likely to leave it behind, or leave it in a pocket of a garment destined for the laundry. They are also more likely to notice when they have lost it or it has been stolen.

As Swivel reuses an existing device as a security token there is no additional cost. If someone loses or damages their mobile phone, the replacement is borne by the telecoms budget, not the security budget!

One-Time Code Extraction

The use of the Swivel one-time code extraction protocol means that both factors of authentication can be combined into a single credential. This means:

• The user only needs a 4 digit one-time code to authenticate (Swivel can be configured to use PINs of 4 to 10 digits, and it can also be used in conjunction with a password).
• As the PIN is never entered, the attacks described earlier, such as key loggers, cannot be used to ascertain one of the two factors of authentication.

So the use of the Swivel dual factor solution makes some of the attacks discussed before even harder. There is no physical token to distribute, and the loss of a mobile phone is likely to be noticed and reported sooner than that of a security token. In the event that an attacker gains access to a mobile phone, security is still not compromised, as the attacker still needs the PIN, and the PIN cannot be ascertained by key-logging attacks as it is never entered by the user.

Attacks against Swivel

Stealing the token

In the Swivel case this attack still leaves the attacker with the problem of the PIN; as the PIN is never entered, it cannot be obtained via key-logging type attacks.

Phishing

No authentication product is immune from attack. Forms of phishing attack may have some success against Swivel; it is very difficult to stop users entering credentials onto a mock web site, as discussed before. Once entered, these valid credentials can be used by the attacker; as before, this does not allow the attacker to steal the account, as they cannot re-authenticate without the mobile phone. A mock web site can send a user a false security string and, by examining the returned one-time code, ascertain the user's PIN. However, this requires knowledge of the target's mobile phone number and the means to send an SMS. Once the PIN is known, physical access to the mobile phone is still required.
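To make the one-time code extraction and its single-use property concrete, here is an added Python model; it is not Swivel's or PINsafe's code. The positional extraction rule (each PIN digit selects one position in a 10-digit security string that is a permutation of 0 to 9) and the 120-second validity window are assumptions for illustration, since the paper only states that the user combines the received string with a PIN. The verifier discards each security string on first use, which is why a phished one-time code cannot be replayed, and the string itself never passes through the keyboard.

```python
"""
Added illustration of tokenless one-time-code (OTC) extraction in the style
the paper describes. This is NOT Swivel's code. ASSUMPTIONS for illustration:
the security string is a random permutation of the digits 0-9, each PIN digit
selects one position in it (1-9 for the first nine places, 0 for the tenth),
and an issued string is valid for 120 seconds and for a single login attempt.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

DIGITS = "0123456789"


def generate_security_string() -> str:
    """Server side: a fresh, unpredictable 10-digit string for one login.
    Assumed form: a permutation of 0-9, shuffled with a CSPRNG (Fisher-Yates);
    random.shuffle is not suitable for security material."""
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def extract_otc(security_string: str, pin: str) -> str:
    """User side (assumed positional rule): read the security string at the
    positions named by the PIN digits. The PIN itself is never typed or sent."""
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 10):
        raise ValueError("PIN must be 4 to 10 digits")  # range stated in the paper
    positions = [(int(d) - 1) % 10 for d in pin]  # '1' -> index 0 ... '0' -> index 9
    return "".join(security_string[p] for p in positions)


class OtcVerifier:
    """Server side: issues one security string per login attempt (delivered
    out of band: SMS, voice call or app) and accepts its OTC exactly once."""

    def __init__(self, pins: Dict[str, str], ttl_seconds: float = 120.0):
        # user -> PIN. A real deployment protects this store at rest; the PIN
        # must be recoverable server-side because the expected OTC derives from it.
        self._pins = pins
        self._pending: Dict[str, Tuple[str, float]] = {}  # user -> (string, issued_at)
        self._ttl = ttl_seconds

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Start a login attempt; returns the string to deliver to the phone."""
        s = generate_security_string()
        self._pending[user] = (s, time.time() if now is None else now)
        return s

    def verify(self, user: str, otc: str, now: Optional[float] = None) -> bool:
        """Check the OTC typed at the keyboard. The pending string is removed
        before comparison, so a phished or keylogged OTC cannot be replayed."""
        now = time.time() if now is None else now
        pending = self._pending.pop(user, None)
        pin = self._pins.get(user)
        if pending is None or pin is None:
            return False
        security_string, issued_at = pending
        if now - issued_at > self._ttl:
            return False  # stale string: the user must request a new one
        if not (otc.isascii() and otc.isdigit()):
            return False
        expected = extract_otc(security_string, pin)
        return secrets.compare_digest(expected, otc)  # constant-time comparison


def login_round_trip(user: str, pin: str, now: float = 0.0) -> Tuple[bool, bool]:
    """One honest login followed by a replay of the same OTC. Returns
    (first_attempt_accepted, replay_accepted); expected (True, False)."""
    verifier = OtcVerifier({user: pin})
    string_on_phone = verifier.issue(user, now=now)      # out-of-band channel
    typed_otc = extract_otc(string_on_phone, pin)        # only this crosses the keyboard
    first = verifier.verify(user, typed_otc, now=now + 5)
    replay = verifier.verify(user, typed_otc, now=now + 6)
    return first, replay


if __name__ == "__main__":
    print("honest login, then replay:", login_round_trip("alice", "2468"))
```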
Conclusion

Two-factor authentication is a much stronger form of authentication than single-factor. Swivel's implementation of two-factor authentication, with its unique one-time code extraction protocol and its use of the mobile phone as a security token, provides a number of advantages, including increased strength of authentication and decreased running costs.