lascon 2014: multi-factor authentication -- weeding out the snake oil

Post on 02-Jul-2015


DESCRIPTION

My presentation given at LASCON 2014.

TRANSCRIPT

Multi-Factor Authentication: Weeding Out the Snake Oil

LASCON 2014

David Ochel

2014-10-24

This work is licensed under a Creative Commons Attribution 4.0 International License.

Objectives

• Understand what’s going on in the market of multi-factor authentication.

• Look at solutions from a risk view… Which problems are we actually solving / trying to solve?

Multi-Factor Authentication Criteria – LASCON 2014 Page 2

Agenda: Less Formalism, More Examples…

• Motivation / Introduction

– Authentication Factors

– Why Multi-Factor?

• Criteria and Industry Examples

– Security-focused criteria

– Less risky criteria

• …and the Snake Oil?


INTRODUCTION


Authentication Factors

• Knowledge-based “know”

– Passwords

– Security questions (?)

– Pattern/image recognition, …

• Token-based “have”

– Time-based one-time-passwords

– Crypto-based challenge response (e.g. X.509)

– Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably)

• Biometrics “are”

– Behavioral

– Physical

• Context-/behavioral-based

– As in “risk-based authentication”: IP addresses, locations, date/time, etc.


Why Do We Still Use Passwords?

“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1]

• Passwords

– Highly deployable: infrastructure exists, users are accustomed, cheap, …

– Security issues: observation, interception, replay, guessing, phishing

– Pervasive assumption: General-purpose personal computers (laptops, PCs, …) cannot be secured/trusted

• Issues with existing alternatives

– Memory-based (“know”): no better than passwords?

– Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace

– Tokens (“have”): susceptible to theft, expensive, hard to replace

– Contexts: unreliable proof of identity


[1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html

Current Industry Trend: Combine Multiple Factors

• Tokens

– Hard(er) to compromise; susceptible to physical theft

• Passwords

– Interceptable (malware); hard to physically steal

• Also in the running:

– Biometrics: convenient; but often trust issues when unsupervised (liveness detection)

– Contexts: back-end risk evaluation; not technically authentication


Authentication – A Piece of the Identity & Access Management Puzzle…


http://forgerock.com/products/open-identity-stack/

Which threats are we trying to counter?

• Are we protecting:

– Individual consumer accounts?

– Corporate users and data?

– Machine authentication?

• Assets

• Adversaries

• Vulnerabilities

• Etc…


CRITERIA – FROM A SECURITY POINT OF VIEW


Are there at least two factors?

• Password + PIN = one factor

• Password-protected private key?

– …on a hardware token?


http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com

Swivel PIN Safe – Human-Computed Challenge Response

• But… password + PIN still aren’t two factors?

– When used in browser, helps against keylogging

– When used for SMS, actually helps!?


http://www.swivelsecure.com/devices/browser/

How many communication channels? One? More? Different physical band?


Communication channels (continued)

• Securing smartphone apps with smartphone tokens…?

• “plug and play”

– Factors

– Channels


Crypto

• There’s crypto everywhere

– Token challenge-response, digital signatures

– Transportation security for authentication channels

• Robustness/diversity

– More than one set of algorithm types supported?

• Trust

– Algorithms

– Implementations


https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/

EMV-based


• Mastercard CAP / VISA DPA

• German Sm@art TAN

• CrontoSign (photoTAN)…

https://www.vasco.com/products/products.aspx

https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf

https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf

CRITERIA – LESS SECURITY-RELEVANT


$$$

• OpEx vs. CapEx

– Licensing fees (per user, server, year, …?)

– Token cost

– …


http://www.entrust.com/products/entrust-identityguard/

Open Source?

• Lots of freemium solutions

• E.g. WikID


https://www.wikidsystems.com/learn-more/features

Usability

• Efficiency

• Ease of use

• Availability

• Convenience

– Is it realistic to expect that every user carries half a dozen hardware tokens with them?


© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/

(Security) architecture

• Client-less vs. plug-ins, apps, …

• Service

– SaaS / cloud

– In-house

• Server side:

– APIs

– Logging

– RADIUS, etc. interfaces


Availability

• Does it scale?

– Authentications per second

• Capacity to bug/security-fix

– Reputation, history, size, …

• SLA, redundancy, …

• Fallback if the cloud is unavailable?


http://www.earlychildhoodworksheets.com/nature-clipart.html

…AND THE SNAKE OIL?


How to find snake oil?

• Wait until it finds you, or… Google it!

• OWASP ‘Guide to Cryptography’ suggests:

‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide “military grade” security. If a vendor says “trust us, we have had experts look at this,” chances are they weren’t experts!’


https://www.owasp.org/index.php/Guide_to_Cryptography


Unbreakable, impenetrable, etc.


from http://www.edulok.com – retrieved 2014-09-23

WWPass (aka EduLok): What might be going on?

This is abstracted from their public online documentation… haven’t checked out the patents or anything else.


What about “Best in Class”?

• E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication”

• Not exempt from marketing blah? ;-)


http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23

Conclusions

• Don’t trust the marketing hype!

• Understand your exposure.

• Understand which solutions can reduce it.

• And then look at usability, interoperability, etc.


Contact

David Ochel

Blog: http://secuilibrium.com

Twitter: @lostgravity
