Electronic Authentication
More Than Just a Password
Nicholas Davis
Information Security
Cardinal Stritch Interview Session
May 20, 2009
Session Overview
• What electronic authentication is and why it is important
• Definitions
• Different types of authentication factors (username/password)
• Benefits and drawbacks of various authentication technologies
• “Strong Authentication”
• Question and Answer Session
Presentation Style
• Blue = Topic
• Black = Informational Details
• Red = Discussion
• Audience participation is encouraged. Anytime you see red, you can begin to think about the discussion topic at hand
Authentication Defined
Authentication is the process of providing proof to a person or system that you are indeed who you claim to be.
Can you think of some examples?
Electronic authentication is similar in that it provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment.
Can you think of some examples?
Authentication Factors
• Three types of electronic authentication
• Something you know – username/password
• Something you have – One time password device
• Something you are – Voiceprint or retinal scan
• Let’s examine these in detail!
Username and Password
Something that you know
• Sometimes has rules associated with it, such as length, or has an expiration date.
• Can you think of some other password rules?
• Why do you think password rules are enforced?
Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world. People understand how to use it.
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required
Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via Shoulder Surfing, Keyboard Logger, Packet Sniffer
• Can be guessed
• Can be hard to remember
• Password code is easy to hack
Make Your Passwords Strong
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused
• May not contain any portion of your name, birthday, address or other publicly available information
One Time Password (OTP) Devices
Something That You Have
• Have an assigned serial number which is tied to my userid
• Device generates a new password every 30 seconds
• Server on other end knows what to expect from the device assigned to me, at any point in time
One Time Password Device - Benefits
• Difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!
• Let’s try to circumvent the technology!
• What would happen if I generated a one time pass code, wrote it down and then tried to use it later?
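A sketch of the server-side check behind the two OTP slides above, added here as an example and not taken from the presentation. It assumes the device runs the open TOTP algorithm (RFC 6238), which the slides do not state; the userid, serial and secret are constructed. It answers the written-down-code question: a code is refused once its 30-second window (plus an assumed one-step drift allowance) has passed, and a code that was already accepted is refused on reuse.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as on the slide
DIGITS = 6   # assumed display length; the slide does not give one

def otp_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (assumed algorithm): HMAC-SHA1 over the time-step counter."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class OtpServer:
    """Server side: knows each device's secret, so it can compute the expected code."""

    def __init__(self, drift_steps: int = 1):
        self.devices = {}        # userid -> (serial, secret)
        self.last_step = {}      # userid -> newest time step already accepted
        self.drift_steps = drift_steps   # tolerated clock drift, in 30 s steps

    def enroll(self, userid: str, serial: str, secret: bytes) -> None:
        self.devices[userid] = (serial, secret)

    def verify(self, userid: str, code: str, now: int) -> bool:
        if userid not in self.devices:
            return False
        secret = self.devices[userid][1]
        current = now // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if hmac.compare_digest(otp_at(secret, step * STEP), code):
                if step <= self.last_step.get(userid, -1):
                    return False             # code from an already-used step: replay
                self.last_step[userid] = step
                return True
        return False                         # outside the window: stale or wrong

def demo() -> dict:
    secret = b"12345678901234567890"         # constructed: RFC 6238 test key
    server = OtpServer()
    server.enroll("user1", "SERIAL-PLACEHOLDER", secret)   # hypothetical names
    old = otp_at(secret, 1111111109)         # code written down...
    stale = server.verify("user1", old, 1111111109 + 300)  # ...used 5 minutes later
    new = otp_at(secret, 1111111111)
    fresh = server.verify("user1", new, 1111111116)
    replayed = server.verify("user1", new, 1111111121)
    return {"stale": stale, "fresh": fresh, "replayed": replayed}
```

The drift allowance is the trade-off to watch: each extra step the server tolerates lengthens the time a captured code stays usable, which is why the accepted step is recorded and never accepted twice.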
One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery Life
• Can be forgotten at home
Biometrics
Something That You Are
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor
Biometrics Drawbacks
• Cost
• Complexity of Administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• The Gummi Bear thief!
Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate
• Multifactor – Using multiple forms of the same factor. (Password + identifying an image that only you would know)
• Some people claim multi factor is just a way around industry regulations. Good test is to ask, could I memorize both of these?
Key Concepts
• Current online password based authentication techniques are weak at best: Most rely on multiple single factors
• Password Credentials are easily stolen from consumers, and rarely change
• Lack of consistency in authentication processes confuses consumers
Summary
• There are three types of authentication technologies:
– Something you know
– Something you have
– Something you are
Password is the weakest
Biometrics is the strongest
Audience Discussion and Q&A
• Describe which types of authentication technologies are incorporated into your ATM card
• How do you feel about the use of biometrics?
• Name a situation in which you think biometrics should be used for authentication