15_PHO

SACON 2016

Kill The Password: new era of authentication

2012”…the age of password

has come to an end…

...we must find something new...”

How many of you keep the same password for all your accounts ?

55% of net users use the same password for most, if not all, websites. When will they learn?

427 million accounts 117 million accounts 38 million accounts

500 million accounts

600 thousand accounts

4 million accounts

1 million accounts70 million accounts

Password based attacks• Dictionary• Brute-force• MiTM

How strong is your password?

How many of you visit forget password page regularly?

14

Password Patterns – Connect the dots…

15

Password Patterns – Connect the dots…

Source - https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-Marte-L0ge-I-will-Tell-you-your-Lock-Pattern-UPDATED.pdf

16

Common habits

Source - http://www.androidauthority.com/lock-pattern-predictable-636267/

• Average pattern score is 13.6• 44% of people usually start their

patterns from the top-left corner dot.

• 77% of users started their patterns in one of the corners.

• Most users used only 5 nodes, and a significant amount only used 4.

• Over 10% of lock patters were made in the shape of a letter (often representing the first initial of the person, or a loved one).

15_PHO

Humans are LAZY and PREDICTABLE!

35

“Hello. It’s me!”.

http://www.slideshare.net/iovationpdx/authentithings-the-pitfalls-and-promises-of-authentication-in-the-iot

Biometrics are ready now!(…for authentication, not identification)

AlibabaFace

VoicePinVoice

AppleFingerprint

Mastercard

Face

GoogleFingerprint

20

What’s common• A record of a person's unique characteristic is

captured and kept in a database• Later on, a new record is captured and

compared with the previous record in the database.

21

Three stages of usage• Identification• Authentication• Authorization

Two-part process• Enrollment• Enforcement

64

“Hello. It’s me!”.

http://www.slideshare.net/iovationpdx/authentithings-the-pitfalls-and-promises-of-authentication-in-the-iot

66

BIOMETRICS

IP ADDRESS

JAILBROKEN OR ROOTED

GEO LOCATION

ASSOCIATIONS

SECURITY RISK

http://www.slideshare.net/iovationpdx/authentithings-the-pitfalls-and-promises-of-authentication-in-the-iot

The problems behind biometrics today

Security or convenience?

Privacy Accessibility Usability

FRAGMENTATIONtoo many authentication

mechanisms to use.

No one is prevailing

15_PHO

Future?

Improvements in recognition algorithms

New biometric factors (iris, veins)

Face, voice, fingerprint will become dominant (iris?)

Raise of biometric-enabled IOT

Prediction for the next 5-10 years

No major changes in the biometric panorama(from a business perspective)

Efforts at minimum, security at maximum

Secure Open Standard Simple

29

Due diligence• Users• Enterprises• Developers

30

Users• Make your password hard to guess• Go as long and complex as you can• Consider using a password manager• One account, one password

Source: SOPHOS youtube video – how to pick a proper passwords

31

Enterprises• Provide unique focus on authentication

testing• Strong password validation• Role-based access validation• Assess password recovery etc.

32

Developers• Least privilege based integration• More in-depth analysis before integration to

identify the right library/frameworks etc. • Extensive customization to remove unwanted

features/APIs

Tamaghna Basutamaghna.basu@gmail.c

omHacker, speaker, trainer, developer

Thank you

34

References• http://

searchsecurity.techtarget.com/definition/biometric-verification • https://

www.dragonresearchgroup.org/insight/sshpwauth-cloud.html • https://nakedsecurity.sophos.com/2013/04/23/users-sa

me-password-most-websites/ • https://www.skyhighnetworks.com/cloud-security-blog/y

ou-wont-believe-the-20-most-popular-cloud-service-passwords/