Why Two-Factor Authentication Isn't Enough
TRANSCRIPT
SecureAuth
Ryan Rowcliffe, Director, Solution [email protected]
Damon Tepe, Director, Product [email protected]
November 16, 2016
Copyright SecureAuth Corporation 2016
Webinar Housekeeping
+ All attendee audio lines are muted
+ Submit questions via Q&A panel at any time
+ Questions will be answered during Q&A at the end of the presentation
+ Slides and recording will be sent later this week
+ Contact us at [email protected]
Single Factor… NOT Enough
+ 63% of reported 2015 breaches involve the use of compromised credentials (Verizon DBIR 2016)
+ Attackers will find the weakest link & move laterally
+ Frequent PW changes/complex PWs = poor security practices & rising costs
+ PW re-use is common and creates vulnerabilities
+ Poor user experience
44% of assets are protected by username/password or nothing at all
1 - Wakefield Survey, Sept 2016
2 - http://www.darkreading.com/risk/average-cost-of-data-breaches-rises-past-$4-million-ponemon-says/d/d-id/1325921
POLLING QUESTION
+ What percentage of your assets/resources are protected with 2-factor authentication today?
A) More than 90%
B) 75% - 90%
C) 50% - 75%
D) 25% - 50%
E) Less than 25%
All answers are anonymous – we only see the accumulated results
The Next Step… 2FA & SSO
+ Single Sign-On (SSO) reduces the number of log-ins & increases user productivity but…
+ 99% of IT decision makers feel that 2-factor authentication is the best way to protect
+ Then why only cover 56% of assets?
+ Anonymity networks (e.g. Tor) pose a threat (1)
Why not deploy 2FA more?
Resistance from company executives (42%)
Worry about disrupting users (42%)
Lack of resources to support (40%)
Steep user learning curve (30%)
Fear improvements wouldn't work (26%)
1. The Trouble with Tor – Matthew Prince - https://blog.cloudflare.com/the-trouble-with-tor
POLLING QUESTION
+ Do you feel 2-Factor Authentication is the best way to protect assets/resources?
A) Yes
B) No
All answers are anonymous – we only see the accumulated results
Calculating Business Value
Passwords Can Be Expensive
5000 User Organization
+ 7500 Password Reset Calls/year
+ $40/call
= $300,000 spent annually on PW Resets
Removing Disruptions Has Benefits
5000 User Organization
Save 3 minutes/day (240 x 3 mins = 12 hr/yr)
$40/hr x 12 hr/yr = $480/yr
$480/yr x 5000 employees = $2,400,000 in saved labor costs/productivity gains
www2.secureauth.com/Password_Calculator
www2.secureauth.com/SSO_Calculator
Popular 2FA Methods Have Flaws
+ Knowledge based questions & answers
+ One-time passcodes (OTPs), delivered via SMS/Text or email
+ Push-to-accept
+ Hard Tokens
How Easily Can An Attacker Get Past Security?
Video: https://youtu.be/lc7scxvKQOo
Quick Summary
+ Username & password doesn't protect
+ Self-service tools save costs
+ SSO is great if properly protected
+ User experience is important
+ Some popular 2FA methods have flaws
There is a better way…
SecureAuth Uniquely Positioned
Raise Confidence in Authenticating Identities & Provide a Good and Positive User Experience
• Recognizes people
• Makes it easy
• Is part of a community
• Adjusts over time
Best Possible Security (for Employees, Partners and Customers)
1. Adaptive Authentication: risk checks without users knowing
2. Multi-Factor Authentication: 25+ methods to choose from, including SMS OTP, Telephony OTP, Email OTP, Fingerprint Biometric and Push-to-Accept
3. Continuous Authentication: post-authentication continual monitoring
4. Flexible Workflows, for example:
   + Admins MUST MFA every time
   + On campus logons don't require MFA
   + Deny ANY user posing a serious threat/risk
5. Data Visualization & Sharing: dashboard, SIEM integration, faster intrusion detection & remediation
Pre-Authentication Risk Analysis (Adaptive Authentication)
+ Device Recognition: Do we recognize this device? Is it associated with a user we know?
+ Threat Service: real-time threat intelligence; IP address interrogation
+ Directory Lookup: group membership and attribute checking
+ Geo-Location: Is the request coming from a known location? Do we have employees, partners or customers here?
+ Geo-Velocity: Has an improbable travel event taken place?
+ Geo-Fencing: Is the access request coming from within or outside a geographic barrier?
+ Phone Number Fraud Prevention: reduce the number of OTPs, block device class, identify "porting" status, block by carrier
+ Behavioral Biometrics: typing sequences & mouse movements, unique to each user on each device
+ Identity Governance: Who should/does have access rights? High access rights = greater risk/vulnerability
+ User & Entity Behavior Analytics: track normal behavior, looking for anomalies
Best Possible User Experience
+ Multi-Layered Risk Analysis: only require an MFA step if risk is present. More pre-authentication risk checks than any other vendor (the "bullet proof vest"). Possible outcomes: Allow, MFA Step, Redirect, Deny.
+ Single Sign-On: the convenience of removing log-in across multiple systems. Library of over 8000 apps; all federation protocols supported; support for custom branding. Covers On-Prem Apps, Homegrown Apps, SaaS Apps, VPN and Data Stores.
+ User Self-Service: allow users to help themselves without a Help Desk call: password resets, account unlocking, enrollment, user personal info.
Matt Articulates HIS User's Experience
"The end users love the new system. When they're on premise, they don't even have to be prompted for their credentials; however, if they take that same device off network, they're automatically prompted for credentials. It's really a nice solution and a lot of the time people don't even realize they are using it."
- Matt Johnson, Manager, Server Engineering, Houston Methodist Hospital
www.secureauth.com/resources/case-study-houston-methodist
Adaptive Authentication: example scenarios
Scenarios shown: Normal Day, Travel Day, Lost/New Laptop, Stolen Credentials, Stolen Laptop
Risk checks applied to each scenario: Device Recognition, Threat Service, Directory Lookup, Geo-Location, Geo-Velocity, Geo-Fencing, Phone Number Fraud Prevention, Behavioral Biometrics, Identity Governance, User & Entity Behavior Analytics
Each scenario is rated Low, Medium or High risk and mapped to one outcome: Allow, MFA Step, Redirect or Deny.
(Slide graphic: the per-scenario risk ratings and outcomes are not recoverable from the extracted text.)
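As an added example, not SecureAuth's code and not part of the deck, the following Python policy engine turns the pre-authentication checks listed above into a Low/Medium/High risk level and applies the deck's workflow rules (admins always get an MFA step, low-risk logons from a known device pass without a prompt, any attempt posing a serious threat is denied). The signal names, weights, thresholds and scenario inputs are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple
ALLOW, MFA_STEP, DENY = "Allow", "MFA Step", "Deny"

@dataclass
class LoginContext:
    """Constructed pre-authentication signals for one login attempt."""
    is_admin: bool            # Directory Lookup / Identity Governance
    device_known: bool        # Device Recognition
    inside_geofence: bool     # Geo-Fencing (on campus / corporate network)
    known_location: bool      # Geo-Location
    improbable_travel: bool   # Geo-Velocity
    ip_on_threat_list: bool   # Threat Service
    behavior_anomaly: bool    # Behavioral Biometrics / UEBA

def risk_signals(ctx: LoginContext) -> List[Tuple[str, int]]:
    """Return the checks that fired, each with a constructed weight."""
    checks = [
        ("device_unrecognized", 2, not ctx.device_known),
        ("outside_geofence", 1, not ctx.inside_geofence),
        ("unknown_location", 1, not ctx.known_location),
        ("improbable_travel", 2, ctx.improbable_travel),
        ("threat_intel_hit", 3, ctx.ip_on_threat_list),
        ("behavior_anomaly", 2, ctx.behavior_anomaly),
        ("high_access_rights", 1, ctx.is_admin),
    ]
    return [(name, w) for name, w, fired in checks if fired]

def risk_level(score: int) -> str:
    """Constructed thresholds: 0-1 Low, 2-4 Medium, 5+ High."""
    return "Low" if score <= 1 else "Medium" if score <= 4 else "High"

def decide(ctx: LoginContext) -> Tuple[str, str]:
    """Apply the deck's workflow rules to the computed risk level."""
    level = risk_level(sum(w for _, w in risk_signals(ctx)))
    if level == "High":
        return DENY, level       # deny ANY user posing a serious threat
    if ctx.is_admin or level == "Medium":
        return MFA_STEP, level   # admins MUST MFA every time; step up on risk
    return ALLOW, level          # low risk, e.g. known device on campus: no prompt

# Constructed scenarios mirroring the deck's columns; field order as in LoginContext.
SCENARIOS = {
    "Normal Day": LoginContext(False, True, True, True, False, False, False),
    "Travel Day": LoginContext(False, True, False, False, False, False, False),
    "Lost/New Laptop": LoginContext(False, False, True, True, False, False, False),
    "Stolen Credentials": LoginContext(False, False, False, False, True, True, False),
    "Admin Normal Day": LoginContext(True, True, True, True, False, False, False),
}
```

Calling `decide(SCENARIOS["Travel Day"])` returns `("MFA Step", "Medium")` because the unfamiliar location and the geofence miss add up to a medium score, while the stolen-credentials case is denied outright once the threat-intelligence hit and improbable travel push it to High.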
The New Adaptive
Visit www.secureauth.com
The intellectual content within this document is the property of SecureAuth and must not be shared without prior consent.