Chris Calderon February 2016 MIS 534 Information Security Management.

Page 1: Goodbye to Passwords

Chris Calderon – February 2016

MIS 534 Information Security Management

Page 2: Contents

* Problems with passwords
* Security risks
* Authentication methods
* The future - FIDO
* Questions/Comments

* “Anyone who’s ever clicked on a ‘forgot your password?’ on a website or in an app – read: every single one of us – thinks there’s gotta be a better way. There is.” (CIO.com – Aug 2015)

Page 3: Problems with passwords

* Too many, too long
* Users don’t remember them
* Users lack faith in passwords
* Infrastructure to manage passwords

* “Only 30% of users are confident that their passwords will protect the security of their online accounts.” (Telesign Consumer Account Security Report – June 2015)

* Source: Telesign Consumer Account Security Report – June 2015; N = 2,020 respondents, US & UK

Page 4: Security Risks

* Weak passwords, lack of policies
* Using the same password on multiple accounts – the domino effect: one breached site exposes every account that reuses that password
* Frequency of password changes
* Password sharing
* Shoulder surfing
* Password storage

* “You don't need mad hacking skills to crack Password1, Hello123 and password – 86% of hackers surveyed at Black Hat said they weren't worried about being busted at any rate.” (Network World.com – Aug 2014)

* Source: Network World.com – Aug 2014
* Figure: Top 10 corporate environment passwords

Page 5: Authentication Methods

* ID & password authentication
* Biometric authentication devices and systems
* Enterprise single sign-on (SSO)
* Public Key Infrastructure (PKI) and digital certificates
* Security tokens and smart cards
* 2FA & multi-factor authentication: the factors are knowledge, possession, inherence, location and time

* “With the approach used by Google, Apple, and Microsoft, two-step verification combines the first two of these factors—something known only by the user, which is the account password, and something that only the user possesses, such as the smartphone or land line telephone.” (SecSign Technologies – Nov 2014)

* Source: SecSign Technologies – Nov 2014; 2FA: two-factor authentication
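The possession factor on the smartphone in the quote above is usually a time-based one-time password (RFC 6238 TOTP, the scheme behind authenticator apps). The following is an added example, not code from the slides or from any of the vendors named: it implements HOTP/TOTP with Go's standard library and a server-side check that tolerates one step of clock drift, compares in constant time, and refuses to accept a step that has already been consumed. The secret is the RFC 6238 test-vector key, used here only as constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"strconv"
	"time"
)

const timeStep = 30 // seconds per TOTP step (the usual authenticator-app default)

// hotp computes an RFC 4226 HMAC-based one-time password for one counter value.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
	// whose top bit is cleared before reducing to the requested number of digits.
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	s := strconv.FormatUint(uint64(code), 10)
	for len(s) < digits {
		s = "0" + s // keep leading zeros: "07081804" is a valid 8-digit code
	}
	return s
}

// totp maps Unix time onto the HOTP counter as in RFC 6238.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/timeStep), digits)
}

// verifyTOTP is the server side. It accepts the code for the current step and
// one step either side to tolerate clock drift, compares in constant time, and
// refuses any step at or below lastUsedStep so a captured code cannot be
// replayed. It returns whether the code was accepted and the step consumed
// (unchanged on failure) so the caller can persist it for the next login.
func verifyTOTP(secret []byte, submitted string, unixTime int64, digits int, lastUsedStep int64) (bool, int64) {
	if len(submitted) != digits {
		return false, lastUsedStep
	}
	step := unixTime / timeStep
	for delta := int64(-1); delta <= 1; delta++ {
		candidate := step + delta
		if candidate <= lastUsedStep {
			continue
		}
		expected := hotp(secret, uint64(candidate), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, candidate
		}
	}
	return false, lastUsedStep
}

func main() {
	// Constructed demo secret: the RFC 6238 test-vector key, not a real credential.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now, 6)
	ok, step := verifyTOTP(secret, code, now, 6, -1)
	fmt.Printf("code %s at step %d accepted: %v\n", code, step, ok)
	ok, _ = verifyTOTP(secret, code, now, 6, step)
	fmt.Printf("same code presented again accepted: %v\n", ok)
}
```

The drift window and the last-used-step record are the two server-side details most often left out: without the first, users with a slightly wrong phone clock are locked out; without the second, a code shoulder-surfed or phished within its 30-second life still works once.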

Page 6: The future

* Fast Identity Online (FIDO) Alliance: non-profit founded in July 2012 and publicly announced in February 2013
* FIDO members: Google, Samsung, Microsoft, Bank of America, Amex, MasterCard, Visa, etc.
* FIDO protocol standards

* “The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user's device that calculates cryptographic strings to be sent to a login server.” (TechTarget.com – May 2014)
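The “cryptographic strings” in the quote are a public-key challenge-response: the server stores only a public key, issues a random challenge, and the device signs it with a private key that never leaves it. The following is an added illustration of that exchange and is not FIDO's own code or wire format (the real protocols add attestation, counters and a specific message encoding). It assumes Ed25519 signatures and a SHA-256 binding of the challenge to the origin; the origin names and the user “alice” are constructed sample data. It shows why the scheme resists phishing and replay: keys are scoped per origin, so a look-alike domain has nothing to sign with, and every challenge is single-use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device: one private key per
// relying-party origin, never exported. The map is a stand-in for the secure
// storage a real authenticator uses.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register mints a fresh key pair scoped to one origin and returns only the
// public half, which is all the server ever stores.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// signedData is the message both sides sign/verify. The origin is bound in
// (length-prefixed so the fields cannot be confused), so a signature obtained
// on one site cannot be relayed to another.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate signs the challenge with the key for the origin the browser is
// actually connected to. A phishing domain has no key, so nothing is signed
// and no secret leaves the device.
func (a *Authenticator) Authenticate(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for origin " + origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// RelyingParty stands in for the login server: public keys only, plus one
// random single-use challenge per login attempt.
type RelyingParty struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// Challenge issues 32 fresh random bytes and remembers them for this user.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the assertion against the stored public key and the pending
// challenge, then discards the challenge whatever the outcome (no replay).
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, known := rp.users[user]
	challenge, havePending := rp.pending[user]
	delete(rp.pending, user)
	if !known || !havePending || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.origin, challenge), sig)
}

func main() {
	const origin = "https://bank.example" // constructed sample origin
	device, rp := NewAuthenticator(), NewRelyingParty(origin)
	pub, err := device.Register(origin)
	if err != nil {
		panic(err)
	}
	rp.Enroll("alice", pub)
	c, _ := rp.Challenge("alice")
	sig, _ := device.Authenticate(origin, c)
	fmt.Println("login verifies:", rp.Verify("alice", sig))
	fmt.Println("same assertion replayed:", rp.Verify("alice", sig))
	_, err = device.Authenticate("https://bank-example.login.test", c)
	fmt.Println("phishing origin:", err)
}
```

Contrast this with the password flow on the earlier slides: here a breach of the server yields only public keys, and a user tricked onto a look-alike domain has no secret to type in.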

Page 7: Questions/Comments

Page 8: References

* http://www.cio.com/article/2960634/security/why-it-s-time-to-say-goodbye-to-passwords.html

* http://lifehacker.com/5785420/the-only-secure-password-is-the-one-you-cant-remember

* https://www.telesign.com/resources/research-and-reports/telesign-consumer-account-security-report/

* https://www.telesign.com/wp-content/uploads/2015/06/TeleSign-Consumer-Account-Security-Report-2015-FINAL.pdf

* http://bankinnovation.net/2015/10/saying-goodbye-to-passwords/

* http://searchsecurity.techtarget.com/definition/single-factor-authentication-SFA

* http://searchsecurity.techtarget.com/feature/The-fundamentals-of-MFA-The-business-case-for-multifactor-authentication

* https://www.secsign.com/two-factor-authentication-vs-two-step-verification/

* http://www.scmagazine.com/is-the-password-dead-not-just-yet/article/421648/

* http://www.scmagazine.com/google-testing-password-free-logins/article/461472/

* http://searchsecurity.techtarget.com/feature/Password-free-authentication-Figuring-out-FIDO

* https://fidoalliance.org/

* https://app.box.com/s/cde21pmtcqaygdqfr7o1