LASCON 2015

www.owasp.org
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible
Clare Nelson, CISSP, [email protected], @Safe_SaaS, October 22, 2015, Austin, TX

Upload: clare-nelson-cissp-cipp-e

Post on 22-Jan-2018


TRANSCRIPT

Page 1: LASCON 2015

The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible

Clare Nelson, CISSP, [email protected], @Safe_SaaS, October 22, 2015, Austin, TX

Page 2: LASCON 2015

Clare Nelson, CISSP
Independent: not an analyst, not with a vendor

• Scar tissue
  – Encrypted TCP/IP variants for NSA
  – Product Management at DEC (HP), EMC2
  – Director Global Alliances at Dell, Novell (IAM)
  – VP Business Development, MetaIntelli (Mobile Security)
  – CEO ClearMark, MFA Technology and Architecture
• 2001 CEO ClearMark Consulting
• 2014 Co-founder C1ph3r_Qu33ns
• 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: OWASP AppSec USA, HackFormers, BSides, LASCON; clients including Fortune 500 financial services, Identity Management
• B.S. Mathematics

Page 3: LASCON 2015

Scope
• External customers, consumers
  – Not internal employees, no hardware tokens
  – IoT preview
• No authentication protocols: OAuth, OpenID, UMA, SCIM, SAML
• United States
  – EU regulations
    o France: legal constraints for biometrics
      § Need authorization from National Commission for Informatics and Liberty (CNIL) [1]
  – India: e-commerce Snapdeal, Reserve Bank of India
    o Move from two-factor to single-factor authentication for transactions less than Rs. 3,000 [2]

[1] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[2] Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms

Page 4: LASCON 2015

NIST Definition [1]

Origin of definition?
• NIST: might be Gene Spafford, or "ancient lore" [2]
  – @TheRealSpaf: "Nope — that's even older than me!" [3]
  – 1970s? NSA? Academia?

[1] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[2] Source: February 26, 2015 email response from a NIST SP 800-63-2 author
[3] Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)

Page 5: LASCON 2015

How can one write a guide based on a definition of unknown, ancient origin? How can you implement MFA without a current, coherent definition?

Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg

Page 6: LASCON 2015

NIST versus New Definitions

Multi-Factor Authentication (MFA) Factors:
• Knowledge
• Possession
  – Mobile device identification
• Inherence
  – Biometrics: physical or behavioral
• Location
  – Geolocation
  – Geofencing
  – Geovelocity
• Time [1]

NIST: Device identification, time, and geo-location could be used to challenge an identity; but "they are not considered authentication factors" [2]

[1] Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
[2] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

Page 7: LASCON 2015

Authentication in an Internet Banking Environment
• OUT: Simple device identification
• IN: Complex device identification, "digital fingerprinting"
  – Use PC configuration, IP address, geo-location, other factors
  – Implement time of day restrictions for funds transfers
  – Consider keystroke dynamics, biometric-based responses [1]

"…virtually every authentication technique can be compromised"

[1] Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf

Page 8: LASCON 2015

Why 200+ MFA Vendors?

Authentication has been the Holy Grail since the early days of the Web. [1]

The iPhone of Authentication has yet to be invented. [2]

[1] Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
[2] Source: Clare Nelson, February 2015.

Page 9: LASCON 2015

Suboptimal Choices

Authentication Factors/Technology
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS)
   – One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript (behavioral biometrics)
5. Overreliance on GPS, insufficient geolocation data
6. Weak, arcane account recovery
7. Assumption mobile devices are secure
8. Encryption (without disclaimers)
   – Quantum computing may break RSA or ECC by 2030 [1]
     • Update on NSA's $80M Penetrating Hard Targets project [2]
   – Encryption backdoors: is it NSA-free and NIST-free cryptography?
   – No mysterious constants or "magic numbers" of unknown provenance [3]

[1] Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
[2] Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
[3] Source: https://www.grc.com/sqrl/sqrl.htm

Page 10: LASCON 2015

Irrational Exuberance of Biometric Adoption

Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually
  – Up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority
  – Driven by increase of fingerprint scanners in smartphones [1]

Samsung Pay

[1] Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/

Page 11: LASCON 2015

Apple Touch ID: Cat Demo

[1] Source: https://www.youtube.com/watch?v=q3ymzRYXezI

Page 12: LASCON 2015

[1] Source: http://www.dw.de/image/0,,18154223_303,00.jpg

Page 13: LASCON 2015

2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned fingerprint of German Defense Minister, Ursula von der Leyen
  – From photographs [1, 2]
• 2013: Hacked Apple's Touch ID on iPhone 5S ~24 hours after release in Germany
  – Won IsTouchIDHackedYet.com competition [3]
• 2006: Published research on hacking fingerprint recognition systems [4]

[1] Source: https://www.youtube.com/watch?v=vVivA0eoNGM
[2] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
[3] Source: http://istouchidhackedyet.com
[4] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf

Page 14: LASCON 2015

Starbug Faking Touch ID

[1] Source: http://istouchidhackedyet.com

Page 15: LASCON 2015

Android: Remote Fingerprint Theft at Scale [1]

"…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a 'large scale.'" [2]

Diagram layers: Hardware / User Space / Kernel Space

[1] Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
[2] Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/

Page 16: LASCON 2015

Krissler versus Riccio

"Don't use fingerprint recognition systems for security relevant applications!" [1]
  – Jan Krissler (Starbug)

"Fingerprints are one of the best passwords in the world." [2]
  – Dan Riccio, SVP, Apple

[1] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
[2] Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-ni-believed-legendary-fight-3181991

Page 17: LASCON 2015

Behavioral Biometrics [1]

Issues
• Requires JavaScript
• Learning curve
• Privacy, constant monitoring
• Injury to hand
• "Highly intoxicated"

[1] Source: http://www.behaviosec.com

Page 18: LASCON 2015

Behavioral Biometrics: Invisible Challenge
• Analyze hundreds of bio-behavioral, cognitive and physiological parameters
  – Invisible challenge
  – No user interaction for step-up authentication
  – How you find the missing cursor [1]

[1] Source: http://www.biocatch.com

Page 19: LASCON 2015

Biometrics: In Use, Proposed
• Fingerprints 2D, 3D via ultrasonic waves
• Palms, their prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head: its shape, specific movements
• Ears, lip prints
• Gait, odor, DNA
• ECG (Bionym's Nymi wristband, smartphone, laptop, car, home security)
• EEG [1]
• Methods: pills, tattoos
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air [2]

[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
[2] Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html

Page 20: LASCON 2015

"Thought Auth" [1]

EEG Biosensor
• MindWave™ headset [2]
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security [3]

[1] Source: Clare Nelson, March 2015
[2] Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
[3] Source: http://www.technewsworld.com/story/77762.html

Page 21: LASCON 2015

3D Fingerprint [1]

No matter how advanced the biometric is, the same basic threat model persists.

[1] Source: http://sonavation.com/technology/

Page 22: LASCON 2015

How do you stump an MFA vendor?

Ask for a threat model.

Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html

Page 23: LASCON 2015

"… biometrics cannot, and absolutely must not, be used to authenticate an identity" [1]
  – Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical

"Fingerprints are Usernames, Not Passwords"

[1] Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

Page 24: LASCON 2015

@drfuture on Biometrics

Hidden Risks
• Biometric reliability and the perception of it
• Lack of discussion of the consequences of errors
• Biometric data's irreversibility and the implications
• Our biometrics can be grabbed without our consent
• Our behavior can rat us out, sometimes incorrectly
• Giving our biometric and behavioral data may be (de facto) mandatory
• Biometric data thieves and aggregators [1]

Diagram: accuracy of a biometric system (axis label: Threshold)

[1] Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system

Page 25: LASCON 2015

What Will Cause Biometric Backlash?
1. Difficult to reset, revoke
2. Exist in public domain, and elsewhere (56M+ fingerprints stolen in 2015 OPM breach [1])
3. May undermine privacy, make identity theft more likely [2]
4. Persist in government and private databases, accreting information whether we like it or not [3]
5. Hygiene (e.g., Bank of America hand geometry scanner for safe deposit box room entry)
6. User acceptance or preference varies by geography, demographic

[1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
[2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php

Page 26: LASCON 2015

SMS OTP Attacks
• Intel's Dmitrienko, et al.: circumvented SMS OTP of 4 large banks [1]
• Northeastern University and Technische Universität Berlin: "SMS OTP systems cannot be considered secure anymore" [2]
• SMS OTP threat model
  – Physical access to phone
  – SIM swap attack
  – Wireless interception
  – Mobile phone trojans [3]

[1] Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
[2, 3] Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf

Page 27: LASCON 2015

SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated 2FA
  – 2014, discovered by Trend Micro [1]
  – European, Japanese banks
  – Online banking
1. Customer enters username, password
2. Token sent to mobile device (SMS OTP)
3. Customer enters token (OTP)
   – Attackers scraped SMS OTPs off customers' Android phones [2, 3]

[1] Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
[2] Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
[3] Source: https://www.youtube.com/watch?v=gchKFumYHWc

Page 28: LASCON 2015

SMS OTP Attacks

Banking trojans deploy mobile malware, allow attackers to steal SMS OTP [1]

[1] Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
Diagram Source: https://devcentral.f5.com/articles/malware-analysis-report-cridex-cross-device-online-banking-trojan

Page 29: LASCON 2015

QR Code Risks [1]

Example: two-factor authentication
• User captures QR code with mobile device
• User enters PIN code to log on, or validate transaction [2]

QR code redirects user to URL
• Even if the URL is displayed, not everyone reads it
• Could link to a malicious website

[1] Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
[2] Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx

Page 30: LASCON 2015

Geolocation
• Are latitude and longitude sufficient?
• Digital Authentication Technologies: Contextual Location Fingerprint™ [1]
  – Not based on geo-location
• Issues in buildings
• Error rates
• GPS spoofing [2]
• Cellphone power meter can be turned into a GPS [3]
• PowerSpy: Android phone's geolocation by tracking its power use over time
  – Unlike GPS or Wi-Fi location tracking, available to any installed app without user's permission [4]

[1] Source: http://www.dathq.com/OurStrategy.aspx
[2] Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
[3] Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
[4] Source: http://www.wired.com/2015/02/powerspy-phone-tracking/

Page 31: LASCON 2015

Account recovery is the Achilles heel of 2FA [1]
  – Eric Sachs, Product Management Director, Identity at Google

[1] Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/

Page 32: LASCON 2015

Account Recovery [1]

[1] Source: https://support.google.com/accounts/answer/1187538?hl=en

Page 33: LASCON 2015

What's Wrong with Mobile Device as Authentication Device?

MetaIntelli research: sample of 38,000 mobile apps, 67% had M3 (OWASP Mobile Top 10) [2]

[1] Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
[2] Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/

Page 34: LASCON 2015

MFA Double Standard [1]

Consumers
• Facial and voice for mobile login [2]

Employees
• Symantec VIP [3]

[1] Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
[2] Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
[3] Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice

Page 35: LASCON 2015

Perfect Storm
• Crowded market
  – 200+ MFA vendors
  – ~$1.8B market [1]
• Apple, VISA, Samsung
  – 2D fingerprint authentication is cool, secure
• Breaches
• Legislation
• FIDO Alliance

[1] Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market

Page 36: LASCON 2015

FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
  – Universal 2nd Factor (U2F)
  – Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Store secrets on device (Android phone), versus hardened server
• Network-resident versus device-resident biometrics
  – FIDO advocates device-resident
• Problems, especially with voice [1]

[1] Source: January 2015, "Network vs Device Resident Biometrics," ValidSoft

Page 37: LASCON 2015

"Legacy thinking subverts the security of a well-constructed system" [1]
  – David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money [2]

[1] Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
[2] Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122

Page 38: LASCON 2015

Internet of Things (IoT) [1]

[1] Source: http://www.slideshare.net/IoTBruce/iot-meets-big-data-the-opportunities-and-challenges-by-syed-hoda-of-parstream

Page 39: LASCON 2015

OWASP IoT Top 10 [1]

A1: Insecure Web Interface
A2: Insufficient Authentication, Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concern
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insecure Security Configurability
A9: Insecure Software / Firmware
A10: Poor Physical Security

[1] Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014

Page 40: LASCON 2015

IoT Predictions: Creative Cryptography, Uneven Protocol Adoptions
• Enhanced Privacy ID (EPID®)
  – "Implementing Intel EPID offers IoT designers …proven security options" [1]
  – PKI: instead of one-to-one mapping of public and private key pairs, uses one-to-many mapping of public to private keys
• Autobahn to dirt road
  – E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
  – Different implementation constraints
  – "Security of these … mechanisms is highly dependent on the ability of the programmers creating it." [2]

[1] Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
[2] Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015

Page 41: LASCON 2015

Consider Risk-Based Authentication (aka Context-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location, geo-fencing, geo-velocity
• Behavioral analysis [1]
• Analytics, machine learning, continuous authentication [2]

Layer multiple contextual factors. Build a risk profile.

[1] Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
[2] Source: Clare Nelson, August 2015
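Added example (not from the talk or any vendor): a small risk scorer that layers the contextual signals this slide lists (device registration, source IP reputation, geo-velocity against the last login, time of day) into one risk profile and maps it to allow / step-up / deny. All users, device IDs, IP addresses, coordinates, quiet hours and weights are constructed for illustration.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0         # faster than this between two logins is "impossible travel"
OFF_HOURS_UTC = set(range(0, 6))  # assumed quiet hours for the account, 00:00-05:59 UTC

@dataclass
class Login:
    user: str
    device_id: str
    ip: str
    lat: float
    lon: float
    at: datetime

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    last_login: Optional[Login] = None

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def geovelocity_kmh(prev, cur):
    """Speed the user would have needed between the two logins (inf on zero elapsed time)."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.at - prev.at).total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if dist > 0 else 0.0
    return dist / hours

def score_login(login, profile, bad_ips):
    """Layer the contextual signals into one 0-100 risk score; weights are illustrative."""
    score, reasons = 0, []
    if login.device_id not in profile.known_devices:        # device registration / fingerprint
        score += 30
        reasons.append("unregistered device")
    if login.ip in bad_ips:                                  # source IP reputation
        score += 40
        reasons.append("bad IP reputation")
    if profile.last_login is not None:                       # geo-velocity against last login
        v = geovelocity_kmh(profile.last_login, login)
        if v > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append("impossible travel (%.0f km/h)" % v)
    if login.at.astimezone(timezone.utc).hour in OFF_HOURS_UTC:   # time of day
        score += 10
        reasons.append("off-hours login")
    return min(score, 100), reasons

def decide(score):
    """Map the score to an action: allow, step-up (demand another factor), or deny."""
    if score < 25:
        return "allow"
    return "step-up" if score < 60 else "deny"

# Constructed sample: Alice last logged in from Austin on her registered device.
BAD_IPS = {"203.0.113.7"}   # documentation (TEST-NET-3) address standing in for a listed IP
T0 = datetime(2015, 10, 22, 15, 0, tzinfo=timezone.utc)
ALICE = UserProfile(known_devices={"dev-A1"},
                    last_login=Login("alice", "dev-A1", "198.51.100.10", 30.2672, -97.7431, T0))

def demo():
    """Score a routine login and a suspicious one; returns {name: (score, decision, reasons)}."""
    routine = Login("alice", "dev-A1", "198.51.100.10", 30.2672, -97.7431, T0.replace(hour=17))
    # New device, listed IP, and Berlin one hour after Austin: three signals stack up.
    suspicious = Login("alice", "dev-ZZ", "203.0.113.7", 52.5200, 13.4050, T0.replace(hour=16))
    results = {}
    for name, lg in (("routine", routine), ("suspicious", suspicious)):
        s, why = score_login(lg, ALICE, BAD_IPS)
        results[name] = (s, decide(s), why)
    return results
```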

Page 42: LASCON 2015

What You Can Do (1 of 2)
• Request threat models from MFA vendors
• Beware
  – 2D fingerprints
  – Already-hacked biometrics
  – QR codes
  – SMS OTP
  – JavaScript requirements
  – Overreliance on geolocation
  – Weak account recovery
  – Lack of mobile device risk analysis
  – Encryption with backdoors

Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/

Page 43: LASCON 2015

What You Can Do (2 of 2)
• Do not be swayed by latest InfoSec fashion trends
  – Apple Touch ID
    • Integration with VISA
    • Samsung Pay
  – FIDO Alliance
• Rethink MFA definition
  – Beware of odd interpretations
• Authentication as a continuous process
  – Not just login and transactions
  – Cross-channel risk
• Depending on risk and use case, chain or combine
  – MFA + (location, time, device ID) + context-based analytics

Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/

Page 44: LASCON 2015

Questions?

Clare Nelson, CISSP, [email protected], @Safe_SaaS, October 22, 2015, Austin, TX

Page 45: LASCON 2015

Questions?

Clare Nelson, CISSP
@Safe_SaaS
[email protected]

Page 46: LASCON 2015

Additional References (1 of 3)
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE, Medium
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)

Page 47: LASCON 2015

Additional References (2 of 3)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack's unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al.; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor, CTO Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)

Page 48: LASCON 2015

Additional References (3 of 3)
• Steves, Michelle, et al.; NISTIR Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There's No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)

Page 49: LASCON 2015

"A rose by any other name would smell as sweet" [1]

• Adaptive authentication
• Multi-modal authentication
• Continuous authentication
• 2FA, TFA, Two-factor authentication
• Multi-factor authentication
• Strong authentication
  – United States: many interpretations, depends on context
  – European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations [2]
• Apple: Two-step authentication
• Multi-step authentication
• SecureAuth: Adaptive, risk-based, context-based authentication
• IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication
  – Traditional authentication: authenticate at beginning of session
  – Dynamic authentication: users may be asked to authenticate at "various points during a session, for various reasons" [3]
• Step-up authentication
• Re-Authentication
• Out-of-Band Authentication

[1] Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
[2] Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
[3] Source: IDC Technology Spotlight, sponsored by SecureAuth; Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)

Page 50: LASCON 2015

Advice for Startups
• For startup internal employees:
  – www.gluu.org, 100% open source and open standards
  – Many offer free service for a small team
    • Apersona free up to 5 users: http://www.apersona.com/#!pricing/c1c8c
    • Duo free up to 10 users: https://www.duosecurity.com/
• Build authentication into your products
  – Originally cars did not have seat belts. In the future, authentication will be designed in.