User Security for e-Post Applications
Dr Chandana Gamage
University of Moratuwa
What is the process of securing a web
application?
What is the most common method of end user
security?
Password!
(user name and password combination)
What is the weakest method for end user
security?
Why do we keep using the weakest form of security as the most widely used
form of security?
Many reasons …
Historical reasons
Ease of use reasons
Ease of deployment reasons
What are the alternatives for strengthening the
security of end users?
Change from the paradigm of
“something you know” to a
“something you have” or
“something you are”
What is practical for end users of web applications?
Something you have?
A physical token
Mag strip card
Smart card with chip
A physical token based end user security scheme
could be impractical
At present, it needs specialized hardware (a card reader) at the user's end
This could change in the future
Something you are?
A biometric
Fingerprint scan
Iris scan
Retina scan
A biometric based end user security scheme could be impractical
At present, it needs specialized hardware (a scanner) at the user's end
This could change in the future
What are the other alternatives?
Direct Two Factor Security Schemes
Combine
“Something you know”with
“Something you have”
ATM card with PIN
Combine
“Something you know”with
“Something you are”
Thumb print with Employee ID
The practical problems that make direct two factor
security schemes impractical still persist: each one
needs the same specialized hardware at the user's end...
Are there any more alternatives?
Indirect Two Factor Security Schemes
The key idea is to use
Two Channels of
Communication
The First Channel
Web Application
Accessed through the computing device and Internet
The Second Channel
Indirect Communication
Email, SMS, Post
How does it work?
e-Post user enters the User ID
Receives a randomly generated number
in an SMS, and enters it to complete the login
Prerequisites
Register the mobile phone number with e-Post Service
Can be done at the time of registering for service
e-Post user enters the User ID
Enters the next unused random number
from a list of numbers received
through Post
Prerequisites
Receive the list of numbers periodically
Users registered for the service receive it through post
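The two indirect schemes above (a random number sent by SMS, and a numbered list of one-time numbers sent by post) follow the same server-side pattern, shown here as an added example that is not part of the original slides or of any e-Post system. The SMS gateway, the in-memory stores, the user names and the phone number are hypothetical, constructed stand-ins; what the example shows is the part the slides leave implicit: the server stores only a hash of each number, an SMS code expires and is single use, guesses are limited, and each posted number works exactly once.

```python
"""Indirect two-factor login: the user ID arrives on the first channel (the
web request); a one-time number reaches the user on a second channel (SMS
or a printed list sent by post).  Added example with hypothetical stores."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # SMS number is valid for five minutes
OTP_DIGITS = 6
MAX_ATTEMPTS = 3        # a 6-digit number is guessable: the attempt limit is the defence


def _code_hash(user_id, code):
    """The server keeps a hash bound to the user, never the number itself."""
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class SecondChannelAuth:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone_number, text): hypothetical SMS gateway
        self.now = now             # injectable clock so expiry can be exercised offline
        self.phones = {}           # user_id -> mobile number registered at sign-up
        self.pending = {}          # user_id -> {"hash", "expires", "attempts"}
        self.tan_hashes = {}       # user_id -> {index: hash} for the posted list
        self.tan_used = {}         # user_id -> set of list indices already spent

    # Prerequisite: mobile number registered with the service.
    def register_phone(self, user_id, phone):
        self.phones[user_id] = phone

    # Variant 1: random number delivered by SMS.
    def start_sms_login(self, user_id):
        """User enters the user ID; the server generates and sends the number."""
        phone = self.phones.get(user_id)
        if phone is None:
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user_id] = {
            "hash": _code_hash(user_id, code),
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, f"Your e-Post login number is {code}")
        return True

    def finish_sms_login(self, user_id, code):
        """User types the number received on the second channel."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user_id]          # expired or exhausted: start over
            return False
        if hmac.compare_digest(entry["hash"], _code_hash(user_id, code)):
            del self.pending[user_id]          # single use: a replay fails
            return True
        entry["attempts"] += 1
        return False

    # Variant 2: list of numbers sent by post.
    def issue_tan_list(self, user_id, count=20):
        """Generate the printed list; returns the plaintext entries for the
        letter, while the server retains only their hashes."""
        codes = [secrets.token_hex(4) for _ in range(count)]      # 8 hex chars each
        self.tan_hashes[user_id] = {
            i + 1: _code_hash(user_id, c) for i, c in enumerate(codes)
        }
        self.tan_used[user_id] = set()
        return codes

    def tan_login(self, user_id, index, code):
        """User enters the user ID plus one numbered entry from the list."""
        expected = self.tan_hashes.get(user_id, {}).get(index)
        if expected is None or index in self.tan_used[user_id]:
            return False
        if not hmac.compare_digest(expected, _code_hash(user_id, code)):
            return False
        self.tan_used[user_id].add(index)      # each entry works exactly once
        return True


if __name__ == "__main__":
    auth = SecondChannelAuth(send_sms=lambda phone, text: print(f"SMS to {phone}: {text}"))
    auth.register_phone("alice", "+94 00 000 0000")   # constructed sample data
    auth.start_sms_login("alice")
    letter = auth.issue_tan_list("bob", count=5)
    print("posted list for bob:", letter)
    print("bob, entry 3:", auth.tan_login("bob", 3, letter[2]))
    print("bob, entry 3 again:", auth.tan_login("bob", 3, letter[2]))
```

The design choice worth noting is that a stolen copy of the server's tables yields only salted hashes of numbers that are either already spent or about to expire, which is what makes the "no stored secrets" claim of these schemes defensible; the short SMS number gets its strength from the expiry and the attempt limit, not from its length.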
Important Lesson #1
No secret password that a user needs to remember
Important Lesson #2
No special hardware or software required
Important Lesson #3
Must be usable
Anytime
Anywhere
Important Lesson #4
No single solution fits all users!
Important Lesson #5
Must be intuitive to use
No learning curve
No training
Important Lesson #6
Must be difficult for users to make mistakes
Important Lesson #7
Must be secure against hacking
No long-lived stored secrets (such as passwords) to steal!
Important Lesson #8
Must be secure against phishing
No easy way to trick the user!
Important Lesson #9
Must be fast
No complicated processing at the user (front end) or at the service (back end)
Important Lesson #10
Important Lesson #11
Important Lesson #12
...
Thank You
[email protected]