Keynote Session: Kill The Password

Post on 07-Jan-2017


Transcript of Keynote Session: Kill The Password


SACON 2016

Kill The Password: new era of authentication

2012: “…the age of password has come to an end… we must find something new…”

How many of you keep the same password for all your accounts ?

55% of net users use the same password for most, if not all, websites. When will they learn?

Account counts of the breaches shown on the slide: 427 million, 117 million, 38 million, 500 million, 600 thousand, 4 million, 1 million, 70 million.

Password based attacks

• Dictionary
• Brute-force
• MiTM

How strong is your password?

How many of you visit forget password page regularly?


Password Patterns – Connect the dots…


Common habits

Source - http://www.androidauthority.com/lock-pattern-predictable-636267/

• Average pattern score is 13.6
• 44% of people usually start their patterns from the top-left corner dot.
• 77% of users started their patterns in one of the corners.
• Most users used only 5 nodes, and a significant amount only used 4.
• Over 10% of lock patterns were made in the shape of a letter (often representing the first initial of the person, or a loved one).
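To put numbers on how much these habits shrink the keyspace, the following added example (not part of the talk) enumerates valid 3x3 unlock patterns under the usual Android rule that a stroke may only pass over a node that is already part of the pattern, then counts the subset that matches the habits above: a corner start and only 4 or 5 nodes. The grid numbering, the rule implementation and the "habit" filter are the example's own assumptions.

```python
import math
from typing import Dict, Iterable, List, Optional, Set

# 3x3 lock grid, nodes numbered 0..8 left-to-right, top-to-bottom:
#   0 1 2
#   3 4 5
#   6 7 8
CORNERS = (0, 2, 6, 8)


def midpoint_node(a: int, b: int) -> Optional[int]:
    """Node lying exactly between a and b, or None if the stroke crosses no node."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def _extend(path: List[int], visited: Set[int], min_len: int, max_len: int,
            counts: Dict[int, int]) -> None:
    # Depth-first walk; every path of length min_len..max_len is one valid pattern.
    if len(path) >= min_len:
        counts[len(path)] = counts.get(len(path), 0) + 1
    if len(path) == max_len:
        return
    last = path[-1]
    for nxt in range(9):
        if nxt in visited:
            continue
        mid = midpoint_node(last, nxt)
        if mid is not None and mid not in visited:
            continue  # the stroke would select the unvisited middle node first
        visited.add(nxt)
        path.append(nxt)
        _extend(path, visited, min_len, max_len, counts)
        path.pop()
        visited.discard(nxt)


def count_patterns(start_nodes: Iterable[int], min_len: int = 4,
                   max_len: int = 9) -> Dict[int, int]:
    """Number of valid patterns per length, restricted to the given start nodes."""
    counts: Dict[int, int] = {}
    for start in start_nodes:
        _extend([start], {start}, min_len, max_len, counts)
    return counts


def keyspace_bits(counts: Dict[int, int]) -> float:
    return math.log2(sum(counts.values()))


if __name__ == "__main__":
    full = count_patterns(range(9))
    habit = count_patterns(CORNERS, min_len=4, max_len=5)
    print(f"all valid patterns: {sum(full.values())} (~{keyspace_bits(full):.1f} bits)")
    print(f"corner start, 4-5 nodes: {sum(habit.values())} (~{keyspace_bits(habit):.1f} bits)")
```

The full space is already small (under 19 bits), and the habitual subset is a few thousand patterns, which is why rate limiting and lockout after a handful of wrong attempts matter far more for screen locks than the nominal pattern count suggests.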


Humans are LAZY and PREDICTABLE!


“Hello. It’s me!”.

http://www.slideshare.net/iovationpdx/authentithings-the-pitfalls-and-promises-of-authentication-in-the-iot

Biometrics are ready now! (…for authentication, not identification)

• Alibaba: Face
• VoicePin: Voice
• Apple: Fingerprint
• Mastercard: Face
• Google: Fingerprint


What’s common

• A record of a person's unique characteristic is captured and kept in a database
• Later on, a new record is captured and compared with the previous record in the database.


Three stages of usage

• Identification
• Authentication
• Authorization

Two-part process

• Enrollment
• Enforcement
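The enrollment/enforcement flow and the authentication-versus-identification distinction can be made concrete with a toy matcher. The following is an added example, not code from the talk: templates are 256-bit strings compared by Hamming distance (iris-code style), "alice" and the other users are constructed, the match threshold of 80 bits and the 20-bit capture noise are assumptions, and the false-match probabilities are computed for random templates only. It shows why a 1:1 check against one claimed identity is on much safer ground than a 1:N search across a whole database.

```python
import math
import random
from typing import Dict, Optional, Tuple

TEMPLATE_BITS = 256  # constructed: size of a toy bit-string template (iris-code style)


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def capture(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh sensor reading: the true template with `flips` random bit errors."""
    sample = template
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        sample ^= 1 << pos
    return sample


class BiometricStore:
    """Enrollment keeps one template per user; enforcement compares a new capture against it."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold  # max Hamming distance still accepted as a match
        self.templates: Dict[str, int] = {}

    def enroll(self, user: str, template: int) -> None:
        self.templates[user] = template

    def verify(self, claimed_user: str, sample: int) -> bool:
        """1:1 authentication: compare only against the claimed identity's record."""
        t = self.templates.get(claimed_user)
        return t is not None and hamming(t, sample) <= self.threshold

    def identify(self, sample: int) -> Optional[str]:
        """1:N identification: search every record, return the closest within threshold."""
        best: Optional[Tuple[str, int]] = None
        for user, t in self.templates.items():
            d = hamming(t, sample)
            if d <= self.threshold and (best is None or d < best[1]):
                best = (user, d)
        return best[0] if best else None


def single_false_match_prob(threshold: int, bits: int = TEMPLATE_BITS) -> float:
    """P(one random impostor template lands within `threshold` bits): Binomial(bits, 1/2) tail."""
    return sum(math.comb(bits, k) for k in range(threshold + 1)) / 2 ** bits


def population_false_match_prob(threshold: int, n: int) -> float:
    """P(at least one of n enrolled impostors matches): the 1:N penalty."""
    p = single_false_match_prob(threshold)
    return -math.expm1(n * math.log1p(-p))  # 1 - (1-p)^n, stable for tiny p


def build_demo(population: int = 1000, seed: int = 2016) -> Tuple[BiometricStore, int]:
    """Constructed population: 'alice' plus random users; returns the store and a probe of alice."""
    rng = random.Random(seed)
    store = BiometricStore(threshold=80)
    alice = rng.getrandbits(TEMPLATE_BITS)
    store.enroll("alice", alice)
    for i in range(population - 1):
        store.enroll(f"user{i}", rng.getrandbits(TEMPLATE_BITS))
    probe = capture(alice, flips=20, rng=rng)
    return store, probe


if __name__ == "__main__":
    store, probe = build_demo()
    print("verify alice:", store.verify("alice", probe))
    print("verify user0:", store.verify("user0", probe))
    print("identify:", store.identify(probe))
    for n in (1, 10_000, 1_000_000):
        print(f"false match prob with {n} enrolled: {population_false_match_prob(80, n):.2e}")
```

Real systems do not store raw templates like this; the point here is the arithmetic: the per-comparison false-match probability is fixed by the threshold, so a 1:N search multiplies it by the population size, and a threshold that is comfortable for login becomes a false-match problem at nationwide scale.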




Signals listed on the slide: biometrics, IP address, jailbroken or rooted, geo location, associations, security risk.

http://www.slideshare.net/iovationpdx/authentithings-the-pitfalls-and-promises-of-authentication-in-the-iot

The problems behind biometrics today

Security or convenience?

Privacy, accessibility, usability

Fragmentation: too many authentication mechanisms to use. No one is prevailing.


Future?

Improvements in recognition algorithms

New biometric factors (iris, veins)

Face, voice, fingerprint will become dominant (iris?)

Rise of biometric-enabled IoT

Prediction for the next 5-10 years

No major changes in the biometric panorama (from a business perspective)

Efforts at minimum, security at maximum

Secure Open Standard Simple


Due diligence

• Users
• Enterprises
• Developers


Users

• Make your password hard to guess
• Go as long and complex as you can
• Consider using a password manager
• One account, one password

Source: SOPHOS YouTube video – how to pick a proper password


Enterprises

• Provide unique focus on authentication testing
• Strong password validation
• Role-based access validation
• Assess password recovery etc.


Developers

• Least privilege based integration
• More in-depth analysis before integration to identify the right library/frameworks etc.
• Extensive customization to remove unwanted features/APIs

Tamaghna Basu (tamaghna.basu@gmail.com)

Hacker, speaker, trainer, developer

Thank you