3 factors of fail sec360 5-15-13

Post on 15-Jan-2015

Description

Password weakness has been in the news again lately. But we have known for some time that passwords alone are not a good authentication or access control mechanism. Strong and practical authentication is very challenging. There are “strong” schemes, but they often don’t work well for users. Security practitioners are familiar with the 3 factors of authentication: something you know, something you have, and something you are. Each of these has fundamental flaws. I like to think of them as: something you forgot, something you lost, and something you were! We will take a look at the current state of authentication, examine weaknesses in authentication factors, introduce the fourth factor of authentication and consider some solutions.

Transcript of 3 factors of fail sec360 5-15-13

BARRY CAPLIN

3 FACTORS OF FAIL

WED. MAY 15, 2013, 2:35P

WELCOME TO SECURE360 2013

Don’t forget to pick up your Certificate of Attendance at the end of each day.

Please complete the Session Survey front and back, and leave it on your seat.

Are you tweeting? #Sec360

The Authentication Problem

Secure360

Wed. May 15, 2013

barry.caplin@state.mn.us

bc@bjb.org @bcaplin

http://about.me/barrycaplin

http://securityandcoffee.blogspot.com

Barry Caplin

Chief Information Security Officer

MN Dept of Human Services


Authentication is the Challenge

And The Challenge is…

People need to:
Enter Buildings
Use Systems
Use Data

And The Challenge is…

The Right People need to:
Enter Buildings
Use Systems
Use Data

Guiding Principle

Minimum Necessary

We Usually Think Of…

It was a busy year

And Passwords Get Stolen

And Bad Choices Are Made

3 Factors of Authentication

1. Something You Know
2. Something You Have
3. Something You Are (or Do)

3 Factors of Auth FAIL

1. Something You Forgot
2. Something You Lost
3. Something You Were (or Did)

1. Something You Forgot

P@sswOrd5
PINs
Combinations
“Secret” Phrases
Picture Identification
Patterns

Used by…

Not Simple

Can’t be easily guessable
False positives: grant rights to the wrong person, and their actions are attributable to you!

So not simple/guessable…
But simple is memorable…

Complexity Requirements

Make Guessing Difficult
Common: 8 char, upper/lower, numeric, special
Smart Users Circumvent
Nonsense/Random great
But impossible to remember

To Make It Worse

Expiration
“best practice”
Like changing your house locks every 30 days!
Secret Questions – too simple, too guessable
Answers on Facebook
Remember… don’t have to be true!
Help Desks
Social engineering and process hacks (ask Mat Honan)

3 More Issues

Bad Choices
NYG1@nts! meets requirements
Shoulder Surfing
Complex => slow to enter
Writing Down
Not bad if done well

To Make It Worse

Social Engineering
Phishing

Solutions

Length
Better than Complexity!
Long phrases easier to remember
Why do some sites have max length???
Vaults
Use ‘em!
Don’t forget the main password!
OTP (One Time Passwords)
Fixes many issues except delivery
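The three password slides above (complexity rules, “NYG1@nts! meets requirements”, and length beating complexity) can be put side by side in code. The following is an added example, not code from the talk: it evaluates a candidate against the common 8-char/4-class rule and against a length-first rule, estimates the guessing keyspace from the character classes actually used, and undoes the usual leetspeak substitutions to show why a dictionary word dressed up with symbols still passes a complexity check. The policy numbers, the wordlist and the site maximum length are constructed assumptions.

```python
import math
import re
import string

# Assumed policy parameters, not from the talk: the common corporate rule
# (8+ chars, all four classes), a length-first rule, and the kind of
# arbitrary maximum length some sites impose.
MIN_COMPLEX_LEN = 8
MIN_PHRASE_LEN = 16
SITE_MAX_LEN = 16

# Hypothetical tiny wordlist standing in for a real cracking dictionary.
WORDLIST = {"giants", "password", "welcome", "summer", "dragon"}

# Leetspeak substitutions that cracking tools undo automatically.
LEET = str.maketrans({"1": "i", "@": "a", "0": "o", "3": "e",
                      "$": "s", "5": "s", "4": "a", "7": "t"})


def classes_present(pw: str) -> dict:
    """Which character classes the candidate actually uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
        "space": any(c.isspace() for c in pw),
    }


def meets_complexity(pw: str) -> bool:
    """Classic rule: 8+ chars with lower, upper, digit and special."""
    cls = classes_present(pw)
    return (len(pw) >= MIN_COMPLEX_LEN
            and cls["lower"] and cls["upper"] and cls["digit"] and cls["special"])


def meets_length(pw: str) -> bool:
    """Length-first rule: 16+ chars, no class requirements."""
    return len(pw) >= MIN_PHRASE_LEN


def keyspace_bits(pw: str) -> float:
    """Upper bound on guessing work, log2(alphabet ** len), with the alphabet
    being the union of classes present. A dictionary word with substitutions
    sits far below this bound, which is exactly the problem."""
    sizes = {"lower": 26, "upper": 26, "digit": 10,
             "special": len(string.punctuation), "space": 1}
    alphabet = sum(sizes[k] for k, present in classes_present(pw).items() if present)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def dictionary_based(pw: str) -> bool:
    """Undo leetspeak, drop punctuation and case, then look for a wordlist
    entry: 'NYG1@nts!' becomes 'nygiants', which contains 'giants'."""
    base = re.sub(r"[^a-z]", "", pw.translate(LEET).lower())
    return any(word in base for word in WORDLIST)


def evaluate(pw: str) -> dict:
    """Side-by-side verdict of both policies for one candidate."""
    return {
        "complexity": meets_complexity(pw),
        "length": meets_length(pw),
        "fits_site_max": len(pw) <= SITE_MAX_LEN,
        "dictionary_based": dictionary_based(pw),
        "keyspace_bits": round(keyspace_bits(pw)),
    }


if __name__ == "__main__":
    for candidate in ("NYG1@nts!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

The 28-character phrase fails the complexity rule and would be rejected by a 16-character site maximum, yet its keyspace bound is more than twice that of the 9-character symbol-laden word, which a wordlist with leetspeak reversal catches outright.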

Something You Lost

a.k.a. 2-factor auth – id/pw + hard token
Static/Dynamic

OTP Delivery

Hard Token
Time (RFC 6238) or Sequence-based (RFC 4226)
Also Smart Cards, Key Cards
Soft Tokens
Program or App
Device independence
SMS
Paper

Challenges

Hard Tokens
Can be lost
Worse – often kept with laptop
Multiple systems = multiple tokens
Soft Tokens – better because people don’t lose their phones…
… Oh Wait…

Solution

I still like this when implemented well
Google Auth
SMS
Smart phones
Paper

Something You Were

Usually means biometrics
Oldest form of ID
Animals, babies, tribes/groups – senses
Mixed reliability

Biometrics

False Positives – bad for security
False Negatives – bad for business
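The false-positive/false-negative trade-off on this slide is a threshold decision, and it helps to see it as numbers. The block below is an added example, not from the talk or any biometric product: it takes constructed matcher scores for genuine and impostor comparisons, sweeps the accept threshold, and reports the false accept rate (FAR, the security failure) and false reject rate (FRR, the business failure) at each point, plus the threshold where they cross and the threshold you would pick if you demanded zero false accepts. The score lists are made up for illustration.

```python
# Constructed matcher scores in [0, 1] for a hypothetical biometric system:
# higher means "looks more like the enrolled template".
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.93]   # same person
IMPOSTOR = [0.12, 0.33, 0.45, 0.27, 0.61, 0.18, 0.52, 0.39, 0.70, 0.22]  # other people
THRESHOLDS = [i / 100 for i in range(0, 101, 5)]


def rates_at(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR: impostor comparisons scoring at or above the threshold (accepted).
    FRR: genuine comparisons scoring below it (rejected)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for each candidate threshold."""
    return [(t, *rates_at(t, genuine, impostor)) for t in thresholds]


def equal_error_threshold(thresholds=THRESHOLDS, genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest: the usual single-number
    comparison point for matchers, not necessarily the operating point."""
    return min(thresholds,
               key=lambda t: abs(rates_at(t, genuine, impostor)[0]
                                 - rates_at(t, genuine, impostor)[1]))


def threshold_for_max_far(max_far, thresholds=THRESHOLDS,
                          genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps FAR at or below the security budget, and
    the FRR (helpdesk cost) that choice buys. None if no threshold qualifies."""
    for t in thresholds:
        far, frr = rates_at(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:.2f}  FAR {far:.1f}  FRR {frr:.1f}")
    print("EER threshold:", equal_error_threshold())
    print("zero-FAR operating point:", threshold_for_max_far(0.0))
```

With these scores the rates cross at 0.70 (10% each way); insisting on no false accepts pushes the threshold to 0.75 and rejects one legitimate user in five, which is the logistics and perception cost the next slides describe.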

Biometrics

Some common choices
Iris/retinal scan, fingerprint, palm print/geometry
Less common
Voice, typing cadence, “bottom” print

Biometrics

Best auth method for use in movies!

Challenges

Logistics
Registration, hardware/people, “failure to enroll” (FER), contaminants on readers
Hygiene
Perception (movie story)
Back-end systems

2 Biggest Issues

Can’t change your biometric when you need to
Your biometric can change when it wants to

Hard to fake (getting easier)
Easy to steal
Nearly impossible to change/fix

Solutions?

Not bad if used correctly
Local physical access
Voice-print for automated pw reset

The 4th Factor

Risk-based, location-based, adaptive auth
“somewhere you are” or “something you are doing”
Key need – “rich” user profile
Check against profile, then:
Allow
Deny
Challenge

Biggest Issue

Establishing profile
Takes time
Highly non-trivial
Needs much info and/or long/ongoing relationship
Otherwise degenerates to 1-factor
Newer but promising
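The two slides above describe the 4th factor as “check against profile, then allow / deny / challenge”, with the warning that a thin profile degenerates to 1-factor. The block below is an added example, not code from the talk or from any adaptive-auth product: a deliberately small profile (devices, countries and hours seen on past successful logins), a risk score for a new attempt after the password has already been checked, and a decision function whose safe default for a profile with too little history is to challenge rather than allow. The attribute set, weights and thresholds are constructed assumptions; a real profile would carry far more signals.

```python
from dataclasses import dataclass, field

# Assumed tuning, not from the talk.
MIN_HISTORY = 20   # successful logins needed before the profile is trusted
DENY_AT = 80       # risk score at which the attempt is refused outright
CHALLENGE_AT = 40  # risk score at which a second factor is demanded


@dataclass
class Attempt:
    """A login attempt that has already passed the first factor (id/pw)."""
    device_id: str
    country: str
    hour_utc: int


@dataclass
class Profile:
    """The 'rich' profile: what has been seen on successful logins so far."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    logins: int = 0

    def record_success(self, a: Attempt) -> None:
        """Only fully authenticated logins feed the profile; otherwise an
        attacker could teach the system that their device is normal."""
        self.devices.add(a.device_id)
        self.countries.add(a.country)
        self.hours.add(a.hour_utc)
        self.logins += 1


def risk_score(profile: Profile, a: Attempt):
    """Additive score with reasons, so a challenge can be explained later."""
    score, reasons = 0, []
    if a.device_id not in profile.devices:
        score += 40
        reasons.append("unknown device")
    if a.country not in profile.countries:
        score += 40
        reasons.append("unusual country")
    if a.hour_utc not in profile.hours:
        score += 15
        reasons.append("unusual hour")
    return score, reasons


def decide(profile: Profile, a: Attempt):
    """Allow, challenge or deny an attempt that already passed id/pw."""
    if profile.logins < MIN_HISTORY:
        # A thin profile cannot separate normal from abnormal. Allowing here
        # would silently degenerate to 1-factor, so step up instead.
        return "challenge", ["profile too thin"]
    score, reasons = risk_score(profile, a)
    if score >= DENY_AT:
        return "deny", reasons
    if score >= CHALLENGE_AT:
        return "challenge", reasons
    return "allow", reasons


def build_sample_profile() -> Profile:
    """Constructed history: 25 logins from one laptop, from the US, during
    the working afternoon (UTC hours 14 to 17)."""
    p = Profile()
    for day in range(25):
        p.record_success(Attempt("laptop-7", "US", 14 + day % 4))
    return p


def demo() -> dict:
    """Decisions for a usual login, a new device, a new device abroad at
    3am, and a brand-new user with no history."""
    p = build_sample_profile()
    return {
        "usual": decide(p, Attempt("laptop-7", "US", 15))[0],
        "new_device": decide(p, Attempt("phone-2", "US", 15))[0],
        "new_device_abroad_3am": decide(p, Attempt("kiosk-9", "RO", 3))[0],
        "thin_profile": decide(Profile(), Attempt("laptop-7", "US", 15))[0],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The new-user case is the one the “Biggest Issue” slide is about: until enough history exists the scorer has nothing to compare against, and the only honest answers are “challenge every time” (costly) or “allow” (which is just a password).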

Multi-Factor (MFA)

Take 2 bad things and combine them together!
That makes sense!

Multi-Factor (MFA)

Typically 2-factor
ID/pw + token
Steal one, you can’t get in
Either can be “easily” changed

Multi-Factor (MFA)

But…

Solutions

Typical
1-factor – id/pw for login; badges for entry
Occasional hard token use
But 1-factor only safe in “controlled” environments

Challenge:
Positively id a person
Easy to use

User/Use
Customer
Staff
Tech worker
Newbie
Hardware/software
Control over hw/sw
Data classification
Regulatory
Threats/Risks
Replay attack
Availability
Work-arounds
Single/multi-use
Easy to use?
Then do what makes sense!

Example

Biometrics for entrance into high-security area
Badges can be lost or used by anyone
Combine with measures like Keywatcher

OTP
Google Auth or Yubikey
SmartPhones – can be lost but are often kept close and rarely left with computer
Good choice for online/web-based services

Example

Online Banking
System auth ->
Preselected word/picture ->
Id/pw ->
Reauth for large/unusual transaction

Example

Long passwords + vault
pw’s – with us for a while
People make poor pw choices
Long phrases easier to remember
Long random strings better
Better – Add easy-to-use soft fob
Remote access + risk-based auth
We have more info about staff

The Future