lascon 2014: multi-factor authentication -- weeding out the snake oil
Description: My presentation given at LASCON 2014.

Transcript
Multi-Factor Authentication: Weeding Out the Snake Oil
LASCON 2014
David Ochel
2014-10-24
This work is licensed under a Creative Commons Attribution 4.0 International License.
Objectives
• Understand what’s going on in the market of multi-factor authentication.
• Look at solutions from a risk view… Which problems are we actually solving / trying to solve?
Multi-Factor Authentication Criteria – LASCON 2014 Page 2
Agenda: Less Formalism, More Examples…
• Motivation / Introduction
– Authentication Factors
– Why Multi-Factor?
• Criteria and Industry Examples
– Security-focused criteria
– Less risky criteria
• …and the Snake Oil?
INTRODUCTION
Authentication Factors
• Knowledge-based “know”
– Passwords
– Security questions (?)
– Pattern/image recognition, …
• Token-based “have”
– Time-based one-time-passwords
– Crypto-based challenge response (e.g. X.509)
– Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably)
• Biometrics “are”
– Behavioral
– Physical
• Context-/behavioral-based
– As in “risk-based authentication”: IP addresses, locations, date/time, etc.
Why Do We Still Use Passwords?
“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1]
• Passwords
– Highly deployable: infrastructure exists, users are accustomed, cheap, …
– Security issues: observation, interception, replay, guessing, phishing
– Pervasive assumption: general-purpose personal computers (laptops, PCs, …) cannot be secured/trusted
• Issues with existing alternatives
– Memory-based (“know”): no better than passwords?
– Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace
– Tokens (“have”): susceptible to theft, expensive, hard to replace
– Contexts: unreliable proof of identity
[1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
Current Industry Trend: Combine Multiple Factors
• Tokens
– Hard(er) to compromise; susceptible to physical theft
• Passwords
– Interceptable (malware); hard to physically steal
• Also in the running:
– Biometrics
• Convenient; but often trust issues when unsupervised (liveness detection)
– Contexts
• Back-end risk evaluation; not technically authentication
Authentication – A Piece of the Identity & Access Management Puzzle…
http://forgerock.com/products/open-identity-stack/
Which threats are we trying to counter?
• Are we protecting:
– Individual consumer accounts?
– Corporate users and data?
– Machine authentication?
• Assets
• Adversaries
• Vulnerabilities
• Etc…
CRITERIA – FROM A SECURITY POINT OF VIEW
Are there at least two factors?
• Password + PIN = one factor
• Password-protected private key?
– …on a hardware token?
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
Swivel PIN Safe – Human-Computed Challenge Response
• But… password + PIN still aren’t two factors?
– When used in browser, helps against keylogging
– When used for SMS, actually helps!?
http://www.swivelsecure.com/devices/browser/
How many communication channels? One? More? Different physical band?
Communication channels (continued)
• Securing smartphone apps with smartphone tokens…?
• “plug and play”
– Factors
– Channels
When to pull another factor?
• Once per session, at login.
• For every high risk transaction, during session.
• “Risk-based”
– Determined by context analysis.
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
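As an added example (not from the slides), the following Python puts two of the criteria above into code: counting factor categories rather than credentials, so that password + PIN from the “Are there at least two factors?” slide still comes out as one factor, and the three step-up policies from “When to pull another factor?”. The credential names, the `Session` fields and the policy names are constructed for illustration, not taken from any product.

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    KNOW = "knowledge"   # passwords, PINs, security questions
    HAVE = "token"       # TOTP, challenge-response tokens, smart cards
    ARE = "biometric"    # physical or behavioral biometrics

# Constructed mapping of credential types to their factor category.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,        # knowledge, same category as a password
    "totp": Factor.HAVE,
    "fingerprint": Factor.ARE,
}

def distinct_factors(credentials):
    """Count categories, not credentials: password + PIN yields one factor."""
    return {CREDENTIAL_FACTOR[c] for c in credentials}

def is_multi_factor(credentials):
    return len(distinct_factors(credentials)) >= 2

@dataclass
class Session:
    factors_verified: set = field(default_factory=set)  # Factor members proven so far
    known_ip: bool = True       # context signals from back-end risk evaluation
    usual_hours: bool = True

def step_up_required(session, transaction_risk, policy="risk"):
    """Policies from the 'When to pull another factor?' slide:
    'login' = once per session; 'transaction' = every high-risk transaction;
    'risk' = only when context is anomalous or the transaction is high risk."""
    already_strong = len(session.factors_verified) >= 2
    if policy == "login":
        return not already_strong
    if policy == "transaction":
        return transaction_risk == "high"
    anomalous = not (session.known_ip and session.usual_hours)
    return (transaction_risk == "high" or anomalous) and not already_strong

def next_factor_to_request(session, transaction_risk, policy="risk"):
    """Category to challenge for, or None. Never re-asks a proven category,
    since a second 'know' credential would not raise the factor count."""
    if not step_up_required(session, transaction_risk, policy):
        return None
    for factor in (Factor.HAVE, Factor.ARE, Factor.KNOW):
        if factor not in session.factors_verified:
            return factor
    return None
```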
Enrolling users / tokens
• Personalization/provisioning of tokens
• Enrollment in service
• Central management of credentials
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf
Crypto
• There’s crypto everywhere
– Token challenge-response, digital signatures
– Transportation security for authentication channels
• Robustness/diversity
– More than one set of algorithm types supported?
• Trust
– Algorithms
– Implementations
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
EMV-based
• Mastercard CAP / VISA DPA
• German Sm@art TAN
• CrontoSign (photoTAN)…
https://www.vasco.com/products/products.aspx
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
CRITERIA – LESS SECURITY-RELEVANT
$$$
• OpEx vs. CapEx
– Licensing fees (per user, server, year, …?)
– Token cost
– …
http://www.entrust.com/products/entrust-identityguard/
Open Source?
• Lots of freemium solutions
• E.g. WikID
https://www.wikidsystems.com/learn-more/features
Integration with Identity & Access Management Solutions
• Open Source, e.g. gluu or OpenAM
• Commercial, e.g. SailPoint, and many more
http://www.gluu.org/gluu-server/strong-authentication/
http://www.sailpoint.com/solutions/products/identityiq/access-manager
Usability
• Efficiency
• Ease of use
• Availability
• Convenience
– Is it realistic to expect that every user carries half a dozen hardware tokens with them?
© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/
(Security) architecture
• Client-less vs. plug-ins, apps, …
• Service
– SaaS / cloud
– In-house
• Server side:
– APIs
– Logging
– RADIUS, etc. interfaces
Availability
• Does it scale?
– Authentications per second
• Capacity to bug/security-fix
– Reputation, history, size, …
• SLA, redundancy, …
• Fallback if the cloud is unavailable?
http://www.earlychildhoodworksheets.com/nature-clipart.html
…AND THE SNAKE OIL?
How to find snake oil?
• Wait until it finds you, or… Google it!
• OWASP ‘Guide to Cryptography’ suggests:
‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide “military grade” security. If a vendor says “trust us, we have had experts look at this,” chances are they weren’t experts!’
https://www.owasp.org/index.php/Guide_to_Cryptography
Unbreakable, impenetrable, etc.
from http://www.edulok.com – retrieved 2014-09-23
WWPass (aka EduLok): What might be going on?
This is abstracted from their public online documentation… haven’t checked out the patents or anything else.
What about “Best in Class”?
• E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication”
• Not exempt from marketing blah? ;-)
http://www.safenet-inc.com/multi-factor-authentication/ – retrieved 2014-09-23
Conclusions
• Don’t trust the marketing hype!
• Understand your exposure.
• Understand which solutions can reduce it.
• And then look at usability, interoperability, etc.
Contact
David Ochel
Blog: http://secuilibrium.com
Twitter: @lostgravity