Electronic Authentication More Than Just A Password

Electronic Authentication More Than Just a Password Nicholas Davis Information Security Cardinal Stritch Interview Session May 20, 2009


Page 1: Electronic Authentication More Than Just A Password

Electronic Authentication: More Than Just a Password

Nicholas Davis, Information Security

Cardinal Stritch Interview Session, May 20, 2009

Page 2

Session Overview

• What electronic authentication is and why it is important

• Definitions

• Different types of authentication factors (username/password)

• Benefits and drawbacks of various authentication technologies

• “Strong Authentication”

• Question and Answer Session

Page 3

Presentation Style

• Blue = Topic

• Black = Informational Details

• Red = Discussion

• Audience participation is encouraged. Anytime you see red, you can begin to think about the discussion topic at hand

Page 4

Authentication Defined

Authentication is the process of providing proof to a person or system that you are indeed who you claim to be.

Can you think of some examples?

Electronic authentication is similar in that it provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment.

Can you think of some examples?

Page 5

Authentication Factors

• Three types of electronic authentication factors:

• Something you know – username/password

• Something you have – one-time password device

• Something you are – voiceprint or retinal scan

• Let’s examine these in detail!

Page 6

Username and Password – Something That You Know

• Sometimes has rules associated with it, such as length, or has an expiration date.

• Can you think of some other password rules?

• Why do you think password rules are enforced?

Page 7

Username and Password - Benefits

• Most widely used electronic authentication mechanism in the world. People understand how to use it.

• Low fixed cost to implement and virtually no variable cost

• Fairly good for low assurance applications

• No physical device required

Page 8

Username and Password - Drawbacks

• Can be easily shared on purpose

• Can be easily stolen via shoulder surfing, a keyboard logger, or a packet sniffer

• Can be guessed

• Can be hard to remember

• Stored password hashes, once stolen, are easy to crack offline

Page 9

Make Your Passwords Strong

• Be as long as possible (never shorter than 6 characters).

• Include mixed-case letters, if possible.

• Include digits and punctuation marks, if possible.

• Not be based on any personal information.

• Not be based on any dictionary word, in any language.

• Expire on a regular basis and may not be reused.

• May not contain any portion of your name, birthday, address or other publicly available information.

Note that the 6-character floor and the periodic-expiration rule reflect 2009 practice; current NIST SP 800-63B guidance sets the minimum at 8 characters, screens new passwords against lists of known-compromised values, and drops forced expiration unless a compromise is suspected.
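The two preceding slides (the drawbacks: guessable and easy to crack once the store is stolen; and the strength rules) worked as one added Python example. This is not code from the presentation. The dictionary, the user's personal details and the password history are constructed stand-ins, and the unsalted SHA-256 store models a leaked password database (a real system should store a salted, slow hash such as bcrypt, scrypt or Argon2). The checker applies the slide's rules, and the guessing loop shows why a rule-violating password such as Summer2009! falls to a handful of dictionary mutations while a random one does not.

```python
import hashlib
import string

# Constructed stand-ins: a tiny dictionary, one user's public details,
# and the hashes of that user's previous passwords (the reuse history).
DICTIONARY = {"password", "welcome", "summer", "cardinal", "letmein", "dragon"}
PERSONAL = {"name": "Nicholas Davis", "birthday": "1975-04-12", "city": "Milwaukee"}
MIN_LENGTH = 6  # the slide's floor; NIST SP 800-63B now says 8


def sha256_hex(text):
    # Unsalted fast hash, deliberately weak: it models a leaked password store.
    # Real systems should store salted, slow hashes (bcrypt, scrypt, Argon2).
    return hashlib.sha256(text.encode()).hexdigest()


def personal_fragments(personal, min_len=3):
    """Lower-cased pieces of public info (name parts, birth year, city) that must not appear."""
    frags = set()
    for value in personal.values():
        for part in value.replace("-", " ").split():
            if len(part) >= min_len:
                frags.add(part.lower())
    return frags


def base_word(pw):
    """Strip leading/trailing digits and punctuation: 'Summer2009!' -> 'summer'."""
    return pw.lower().strip(string.digits + string.punctuation)


def check_password(pw, personal, history):
    """Apply the slide's rules; return the list of rules the password violates."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mixed case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if base_word(pw) in DICTIONARY:
        problems.append("based on a dictionary word")
    if any(frag in low for frag in personal_fragments(personal)):
        problems.append("contains personal information")
    if sha256_hex(pw) in history:
        problems.append("reused a previous password")
    return problems


def candidates(words):
    """Dictionary words plus the mutations people actually use: capitalise, add a suffix."""
    for w in sorted(words):
        for base in (w, w.capitalize()):
            yield base
            for suffix in ("1", "1!", "123", "2009", "!", "2009!"):
                yield base + suffix


def crack(target_hash, words):
    """Offline guessing against a stolen hash: returns the password if a candidate matches."""
    for cand in candidates(words):
        if sha256_hex(cand) == target_hash:
            return cand
    return None


if __name__ == "__main__":
    history = {sha256_hex("Cardinal1!")}  # constructed: the user's last password
    for pw in ("Summer2009!", "Davis1975", "Cardinal1!", "k7#Qz!wRv2pL"):
        print(pw, "->", check_password(pw, PERSONAL, history) or "passes all rules")
        print("   recovered from its hash by guessing:", crack(sha256_hex(pw), DICTIONARY))
```

The guessing loop tries only a few dozen candidates; a real attacker with a leaked store runs billions of mutated dictionary words per second against fast unsalted hashes, which is why the dictionary-word and personal-information rules matter more than any single special character.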

Page 10

One Time Password (OTP) Devices – Something That You Have

• Have an assigned serial number which is tied to my userid

• Device generates a new password every 30 seconds

• Server on other end knows what to expect from the device assigned to me, at any point in time

Page 11

One Time Password Device - Benefits

• Difficult to share

• Constantly changing password means a code that is shoulder surfed or sniffed is useless once its 30-second window has passed

• Coolness factor!

• Let’s try to circumvent the technology!

• What would happen if I generated a one time pass code, wrote it down and then tried to use it later?
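The device-and-server exchange from the two preceding OTP slides, worked as an added Python example; this is not the presentation's code nor any vendor's token firmware. It implements the RFC 4226/6238 algorithm that 30-second tokens use. The seed (taken from the RFC 6238 test vector), the serial number and the clock values are constructed. The server keeps the highest time step it has already accepted for each serial, which is what answers the "write it down and use it later" question: a code is refused once its window has passed, and a code captured in-window cannot be replayed after the legitimate use.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed (the RFC 6238 test-vector key). A real token's seed is
# provisioned at manufacture and stored server-side against the serial number.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, at_time // step)


class TokenServer:
    """Server side: knows each serial's seed, tolerates a little clock drift,
    and refuses to accept a code from a window at or before the last one used."""

    def __init__(self, seeds_by_serial, drift_steps=1):
        self.seeds = dict(seeds_by_serial)
        self.drift = drift_steps
        self.last_step_used = {}  # serial -> highest time step already consumed

    def verify(self, serial, code, now):
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        for candidate in range(current - self.drift, current + self.drift + 1):
            # Constant-time compare so the check leaks nothing about the expected code.
            if hmac.compare_digest(hotp(seed, candidate), code):
                if candidate <= self.last_step_used.get(serial, -1):
                    return False  # replay: this window was already consumed
                self.last_step_used[serial] = candidate
                return True
        return False  # no window in the drift range produces this code


if __name__ == "__main__":
    server = TokenServer({"SN0001": DEMO_SECRET})  # constructed serial number
    now = int(time.time())
    code = totp(DEMO_SECRET, now)  # what the display on the device shows right now
    print("fresh code accepted:      ", server.verify("SN0001", code, now))
    print("same code replayed:       ", server.verify("SN0001", code, now))
    print("written down, used later: ", server.verify("SN0001", code, now + 300))
```

The drift window of one step either side is what lets a code typed just as the display rolls over still succeed; widening it buys more tolerance of a slow token clock at the price of a longer replay window, which is why the per-serial last-used step is tracked as well.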

Page 12

One Time Passwords - Drawbacks

• Cost!

• Rank very low on the washability index

• Uncomfortable

• Expiration

• Battery Life

• Can be forgotten at home

Page 13

Biometrics – Something That You Are

• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint

Page 14

Biometrics Benefits

• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device

• Absolute uniqueness of authentication factor

• Coolness factor

Page 15

Biometrics Drawbacks

• Cost

• Complexity of administration

• Highly invasive

• Not always reliable – false negatives

• Not foolproof

• The Gummi Bear thief! (gelatin copies of a fingerprint have fooled commercial scanners)

Page 16

Single Factor vs. Multifactor vs. Dual Factor

• Single Factor – Using one method to authenticate.

• Dual Factor – Using two different types of authentication mechanism to authenticate.

• Multifactor – Using multiple forms of the same factor (password + identifying an image that only you would know).

• Some people claim multi factor is just a way around industry regulations. A good test is to ask: could I memorize both of these?

(Note: in standard usage, including NIST SP 800-63, “multi-factor” means two or more different factor types, which is what this slide calls dual factor; the password-plus-image scheme described here is usually called multi-step or layered single-factor authentication. The memorization test still applies.)

Page 17

Key Concepts

• Current online password based authentication techniques are weak at best: Most rely on multiple single factors

• Password Credentials are easily stolen from consumers, and rarely change

• Lack of consistency in authentication processes confuses consumers

Page 18

Summary

• There are three types of authentication technologies:

– Something you know

– Something you have

– Something you are

• Password is the weakest

• Biometrics is the strongest

Page 19

Audience Discussion and Q&A

• Describe which types of authentication technologies are incorporated into your ATM card

• How do you feel about the use of biometrics?

• Name a situation in which you think biometrics should be used for authentication
