LASCON 2015
TRANSCRIPT
www.owasp.org
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible
Clare Nelson, CISSP, [email protected], @Safe_SaaS, October 22, 2015, Austin, TX
Clare Nelson, CISSP. Independent: not an analyst, not with a vendor
• Scar tissue
– Encrypted TCP/IP variants for NSA
– Product Management at DEC (HP), EMC²
– Director Global Alliances at Dell, Novell (IAM)
– VP Business Development, MetaIntelli (Mobile Security)
– CEO ClearMark, MFA Technology and Architecture
• 2001: CEO ClearMark Consulting
• 2014: Co-founder C1ph3r_Qu33ns
• 2015 April: ISSA Journal, Multi-Factor Authentication: What to Look For
• Talks: OWASP AppSec USA, HackFormers, BSides, LASCON; clients including Fortune 500 financial services, Identity Management
• B.S. Mathematics
Scope
• External customers, consumers
– Not internal employees, no hardware tokens
– IoT preview
• No authentication protocols: OAuth, OpenID, UMA, SCIM, SAML
• United States
– EU regulations
  o France: legal constraints for biometrics
    § Need authorization from the National Commission for Informatics and Liberty (CNIL) [1]
– India: e-commerce Snapdeal, Reserve Bank of India
  o Move from two-factor to single-factor authentication for transactions less than Rs. 3,000 [2]
[1] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[2] Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms
NIST Definition [1]
Origin of the definition?
• NIST: might be Gene Spafford, or "ancient lore" [2]
– @TheRealSpaf: "Nope — that's even older than me!" [3]
– 1970s? NSA? Academia?
[1] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[2] Source: February 26, 2015 email response from a NIST SP 800-63-2 author
[3] Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
How can one write a guide based on a definition of unknown, ancient origin? How can you implement MFA without a current, coherent definition?
Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker-Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
NIST versus New Definitions
Multi-Factor Authentication (MFA) factors as vendors and the trade press now use the term:
• Knowledge
• Possession
– Mobile device identification
• Inherence
– Biometrics: physical or behavioral
• Location
– Geolocation
– Geofencing
– Geovelocity
• Time [1]
NIST SP 800-63-2 recognizes only the first three (something you know, have, or are). Device identification, time, and geo-location could be used to challenge an identity, but "they are not considered authentication factors" [2]
[1] Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA
[2] Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Authentication in an Internet Banking Environment (FFIEC supplement, 2011)
• OUT: simple device identification
• IN: complex device identification, "digital fingerprinting" using PC configuration, IP address, geo-location, other factors
– Implement time-of-day restrictions for funds transfers
– Consider keystroke dynamics, biometric-based responses [1]
"…virtually every authentication technique can be compromised" [1]
[1] Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf
Why 200+ MFA Vendors?
Authentication has been the Holy Grail since the early days of the Web. [1]
The iPhone of Authentication has yet to be invented. [2]
[1] Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/
[2] Source: Clare Nelson, February 2015
Suboptimal Choices
Authentication factors/technology:
1. Biometrics, 2D fingerprint
2. Short Message Service (SMS) One-Time Password (OTP)
3. Quick Response (QR) codes
4. JavaScript (behavioral biometrics)
5. Overreliance on GPS, insufficient geolocation data
6. Weak, arcane account recovery
7. Assumption that mobile devices are secure
8. Encryption (without disclaimers)
– Quantum computing may break RSA or ECC by 2030 [1]
  • Update on NSA's $80M Penetrating Hard Targets project [2]
– Encryption backdoors: is it NSA-free and NIST-free cryptography?
– No mysterious constants or "magic numbers" of unknown provenance [3]
[1] Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer
[2] Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html
[3] Source: https://www.grc.com/sqrl/sqrl.htm
Irrational Exuberance of Biometric Adoption
Juniper Research:
• By 2019, 770 million apps that use biometric authentication will be downloaded annually, up from 6 million in 2015
• Fingerprint authentication will account for an overwhelming majority, driven by the increase of fingerprint scanners in smartphones [1]
Samsung Pay
[1] Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
Apple Touch ID: Cat Demo [1]
[1] Source: https://www.youtube.com/watch?v=q3ymzRYXezI
Image: http://www.dw.de/image/0,,18154223_303,00.jpg
2D Fingerprint Hacks
• Starbug, aka Jan Krissler
• 2014: Cloned the fingerprint of German Defense Minister Ursula von der Leyen from photographs [1][2]
• 2013: Hacked Apple's Touch ID on the iPhone 5S ~24 hours after release in Germany; won the IsTouchIDHackedYet.com competition [3]
• 2006: Published research on hacking fingerprint recognition systems [4]
[1] Source: https://www.youtube.com/watch?v=vVivA0eoNGM
[2] Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/
[3] Source: http://istouchidhackedyet.com
[4] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
Starbug Faking Touch ID [1]
[1] Source: http://istouchidhackedyet.com
Android: Remote Fingerprint Theft at Scale [1]
"…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a 'large scale.'" [2]
(Diagram: Hardware / Kernel Space / User Space)
[1] Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And-Leaking-wp.pdf
[2] Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/
Krissler versus Riccio
"Don't use fingerprint recognition systems for security relevant applications!" [1]
– Jan Krissler (Starbug)
"Fingerprints are one of the best passwords in the world." [2]
– Dan Riccio, SVP, Apple
[1] Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
[2] Source: http://www.imore.com/how-touch-id-works
Photo: http://www.mirror.co.uk/news/world-news/revealed-ni-believed-legendary-fight-3181991
Behavioral Biometrics [1]
Issues
• Requires JavaScript
• Learning curve
• Privacy, constant monitoring
• Injury to hand
• "Highly intoxicated"
[1] Source: http://www.behaviosec.com
Behavioral Biometrics: Invisible Challenge
• Analyze hundreds of bio-behavioral, cognitive and physiological parameters
– Invisible challenge
– No user interaction for step-up authentication
– How you find a missing cursor [1]
[1] Source: http://www.biocatch.com
Biometrics: In Use, Proposed
• Fingerprints: 2D, 3D via ultrasonic waves
• Palms: prints and/or the whole hand (feet?)
• Signature
• Keystroke, art of typing, mouse, touch pad
• Voice
• Iris, retina, features of eye movements
• Face, head: its shape, specific movements
• Ears, lip prints
• Gait, odor, DNA
• ECG (Bionym's Nymi wristband: smartphone, laptop, car, home security)
• EEG [1]
• Methods: pills, tattoos
• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air [2]
[1] Source: http://www.optel.pl/article/future%20of%20biometrics.pdf
[2] Source: http://www.airsig.com
Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
"Thought Auth" [1]
EEG Biosensor
• MindWave™ headset [2]
• Measures brainwave signals
• EEG monitor
• International Conference on Financial Cryptography and Data Security [3]
[1] Source: Clare Nelson, March 2015
[2] Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/
[3] Source: http://www.technewsworld.com/story/77762.html
3D Fingerprint [1]
[1] Source: http://sonavation.com/technology/
No matter how advanced the biometric is, the same basic threat model persists.
How do you stump an MFA vendor?
Ask for a threat model.
Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
"Fingerprints are Usernames, Not Passwords"
"… biometrics cannot, and absolutely must not, be used to authenticate an identity" [1]
– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical
[1] Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html
@drfuture on Biometrics [1]
Hidden Risks
• Biometric reliability and the perception of it
• Lack of discussion of the consequences of errors
• Biometric data's irreversibility and the implications
• Our biometrics can be grabbed without our consent
• Our behavior can rat us out, sometimes incorrectly
• Giving our biometric and behavioral data may be (de facto) mandatory
• Biometric data thieves and aggregators [1]
(Diagram: false accept rate and false reject rate versus match threshold)
[1] Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them.pdf
Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric-system
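The threshold diagram on this slide is where "reliability and the perception of it" and "the consequences of errors" meet: every matcher picks one operating point on a curve, and the single accuracy number a vendor quotes hides what that point costs. The following is an added example, not code from the talk or from any vendor. The two score distributions, the thresholds and the daily attempt volumes are constructed assumptions; a deployment would use logged genuine and impostor scores from its own matcher in their place.

```python
"""Biometric error rates at a match threshold: the FAR/FRR trade-off.

Added example, not from the talk or any vendor. The two score
distributions, the thresholds and the daily attempt counts are constructed
assumptions; a deployment would use logged scores from its own matcher.
"""
from statistics import NormalDist

# Constructed assumption: the matcher returns a similarity score in [0, 1].
# Genuine comparisons (same person) score high, impostor comparisons score
# low, and the two overlap, so no threshold is free of both error types.
GENUINE = NormalDist(mu=0.78, sigma=0.08)
IMPOSTOR = NormalDist(mu=0.45, sigma=0.10)


def analytic_rates(threshold):
    """Exact error rates of the model at a threshold.
    FAR: impostor scored >= threshold and was accepted by mistake.
    FRR: genuine scored  <  threshold and was rejected by mistake."""
    far = 1.0 - IMPOSTOR.cdf(threshold)
    frr = GENUINE.cdf(threshold)
    return far, frr


def empirical_rates(genuine_scores, impostor_scores, threshold):
    """The same two rates measured on observed scores."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def sample_scores(n_genuine=2000, n_impostor=20000, seed=7):
    """Constructed samples standing in for a matcher's logged comparisons."""
    return (GENUINE.samples(n_genuine, seed=seed),
            IMPOSTOR.samples(n_impostor, seed=seed + 1))


def equal_error_threshold(steps=1000):
    """Threshold where FAR and FRR cross: the EER operating point that
    datasheets usually quote as 'accuracy'."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        far, frr = analytic_rates(t)
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
    return best_t


def threshold_for_far(target_far, steps=10000):
    """Lowest threshold whose FAR is at or below the target: tune for
    security first, then read off what it costs legitimate users."""
    for i in range(steps + 1):
        t = i / steps
        if analytic_rates(t)[0] <= target_far:
            return t
    return 1.0


def daily_consequences(threshold, genuine_attempts, impostor_attempts):
    """Errors at scale: expected impostors wrongly accepted and legitimate
    users wrongly rejected per day for the given attempt volumes."""
    far, frr = analytic_rates(threshold)
    return far * impostor_attempts, frr * genuine_attempts


if __name__ == "__main__":
    eer_t = equal_error_threshold()
    print("EER threshold %.3f -> FAR %.4f FRR %.4f" % (eer_t, *analytic_rates(eer_t)))
    strict_t = threshold_for_far(0.001)
    print("FAR <= 0.1%% needs threshold %.4f -> FRR %.3f"
          % (strict_t, analytic_rates(strict_t)[1]))
    g, i = sample_scores()
    print("measured at EER threshold:", empirical_rates(g, i, eer_t))
    print("per day at EER threshold:", daily_consequences(eer_t, 100_000, 1_000))
```

With these assumed distributions the equal-error point sits near a 3% error rate each way; pushing FAR down to 0.1% moves the threshold up until roughly four in ten legitimate attempts are rejected. That is the conversation a threat model forces and a marketing sheet avoids: the threshold is a policy choice, and the vendor should be able to say which side of the curve they put you on and what it means per day at your attempt volume.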
What Will Cause Biometric Backlash?
1. Difficult to reset, revoke
2. Exist in the public domain, and elsewhere (5.6M+ fingerprints stolen in the 2015 OPM breach [1])
3. May undermine privacy, make identity theft more likely [2]
4. Persist in government and private databases, accreting information whether we like it or not [3]
5. Hygiene (e.g., Bank of America hand geometry scanner for safe deposit box room entry)
6. User acceptance or preference varies by geography, demographic
[1] Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html
[2] Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl
[3] Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/
Photo: http://www.rineypackard.com/facial-recognition.php
SMS OTP Attacks
• Intel's Dmitrienko et al. circumvented the SMS OTP of 4 large banks [1]
• Northeastern University and Technische Universität Berlin: "SMS OTP systems cannot be considered secure anymore" [2]
• SMS OTP threat model [3]
– Physical access to the phone
– SIM swap attack
– Wireless interception
– Mobile phone trojans
[1] Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
[2][3] Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
SMS OTP Attack: Banking Example
• Operation Emmental
• Defeated 2FA
– 2014, discovered by Trend Micro [1]
– European, Japanese banks
– Online banking
1. Customer enters username, password
2. Token sent to mobile device (SMS OTP)
3. Customer enters token (OTP)
– Attackers scraped the SMS OTPs off customers' Android phones [2][3]
[1] Source: http://blog.trendmicro.com/finding-holes-operation-emmental/
[2] Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
[3] Source: https://www.youtube.com/watch?v=gchKFumYHWc
SMS OTP Attacks
Banking trojans deploy mobile malware, allowing attackers to steal SMS OTPs [1]
[1] Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf
Diagram Source: https://devcentral.f5.com/articles/malware-analysis-report-cridex-cross-device-online-banking-trojan
QR Code Risks [1]
Example: two-factor authentication
• User captures the QR code with a mobile device
• User enters a PIN code to log on, or to validate a transaction [2]
QR code redirects the user to a URL
• Even if the URL is displayed, not everyone reads it
• Could link to a malicious website
[1] Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html
[2] Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
Geolocation
• Are latitude and longitude sufficient?
• Digital Authentication Technologies: Contextual Location Fingerprint™ [1]
– Not based on geo-location
• Issues in buildings
• Error rates
• GPS spoofing [2]
• A cellphone power meter can be turned into a GPS [3]
• PowerSpy: an Android phone's geolocation by tracking its power use over time
– Unlike GPS or Wi-Fi location tracking, available to any installed app without the user's permission [4]
[1] Source: http://www.dathq.com/OurStrategy.aspx
[2] Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea
[3] Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract
[4] Source: http://www.wired.com/2015/02/powerspy-phone-tracking/
"Account recovery is the Achilles heel of 2FA" [1]
– Eric Sachs, Product Management Director, Identity at Google
[1] Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/
Account Recovery [1]
[1] Source: https://support.google.com/accounts/answer/1187538?hl=en
What's Wrong with the Mobile Device as an Authentication Device?
MetaIntelli research: in a sample of 38,000 mobile apps, 67% had M3 (OWASP Mobile Top 10 2014: Insufficient Transport Layer Protection)
Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/
MFA Double Standard [1]
Consumers
• Facial and voice recognition for mobile login [2]
Employees
• Symantec VIP [3]
[1] Image: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg
[2] Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html
[3] Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice
Perfect Storm
• Crowded market: 200+ MFA vendors, ~$1.8B market [1]
• Apple, VISA, Samsung: 2D fingerprint authentication is "cool, secure"
• Breaches
• Legislation
• FIDO Alliance
[1] Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market
FIDO Alliance
• Fast ID Online (FIDO) Alliance
• Proponent of interoperability
– Universal 2nd Factor (U2F)
– Universal Authentication Framework (UAF)
• Triumph of marketing over technology
• Stores secrets on the device (Android phone), versus a hardened server
• Network-resident versus device-resident biometrics
– FIDO advocates device-resident
• Problems, especially with voice [1]
[1] Source: January 2015, "Network vs Device Resident Biometrics," ValidSoft
"Legacy thinking subverts the security of a well-constructed system" [1]
– David Birch, Digital Money and Identity Consultant, author of Identity is the New Money [2]
[1] Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382
[2] Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
Internet of Things (IoT) [1]
[1] Source: http://www.slideshare.net/IoTBruce/iot-meets-big-data-the-opportunities-and-challenges-by-syed-hoda-of-parstream
OWASP IoT Top 10 [1]
A1: Insecure Web Interface
A2: Insufficient Authentication/Authorization
A3: Insecure Network Services
A4: Lack of Transport Encryption
A5: Privacy Concerns
A6: Insecure Cloud Interface
A7: Insecure Mobile Interface
A8: Insufficient Security Configurability
A9: Insecure Software/Firmware
A10: Poor Physical Security
[1] Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014
IoT Predictions: Creative Cryptography, Uneven Protocol Adoption
• Enhanced Privacy ID (EPID®)
– "Implementing Intel EPID offers IoT designers …proven security options" [1]
– PKI: instead of a one-to-one mapping of public and private key pairs, uses a one-to-many mapping of one public key to many private keys
• Autobahn to dirt road
– E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA
– Different implementation constraints
– "Security of these … mechanisms is highly dependent on the ability of the programmers creating it." [2]
[1] Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more-secure-iot-applications-300130062.html
[2] Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
Consider Risk-Based Authentication (aka Context-Based Authentication, Adaptive Authentication)
• Device registration and fingerprinting
• Source IP reputation data
• Identity store lookup
• Geo-location, geo-fencing, geo-velocity
• Behavioral analysis [1]
• Analytics, machine learning, continuous authentication [2]
[1] Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911
[2] Source: Clare Nelson, August 2015
Layer multiple contextual factors. Build a risk profile.
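One way to layer the contextual signals listed on this slide over the password-plus-SMS-OTP flow from the Operation Emmental slide, as an added example that is not code from the talk, from Trend Micro, or from any vendor. The bank, users, device attributes, IP addresses, coordinates, score weights and thresholds are all constructed assumptions. The same code shows why the OTP check alone was defeated: a correctly implemented single-use, time-limited OTP still only proves that someone knows the code, and the trojan made sure the attacker did. The context layer catches what the OTP cannot: an unregistered device, a bad-reputation IP, and an impossible-travel geovelocity between the victim's last session and the attacker's.

```python
"""Risk-based (context-based) authentication layered over password + SMS OTP.

Added example, not code from the talk, Trend Micro or any vendor. It replays
the Operation Emmental pattern: the attacker holds the phished password and
the OTP a trojan forwarded from the victim's phone, but logs in from an
unregistered device in another country. Users, devices, IPs, coordinates,
weights and thresholds are constructed assumptions.
"""
import hashlib
import hmac
import math
import secrets
import time

KNOWN_BAD_IPS = {"203.0.113.7"}   # constructed blocklist (TEST-NET address)


def fingerprint(attrs):
    """Complex device identification: hash of the stable client attributes
    (user agent, screen, time zone, ...) the bank saw at enrollment."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class Bank:
    OTP_TTL = 300           # seconds an SMS OTP stays valid
    MAX_SPEED_KMH = 900.0   # faster than this between logins: impossible travel
    STEP_UP = 40            # risk score at or above which the transfer is refused

    def __init__(self):
        self.users = {}     # name -> {pw, devices, last_seen}
        self.pending = {}   # name -> (otp, issued_at)

    def register(self, name, password, device_attrs, location):
        self.users[name] = {"pw": hashlib.sha256(password.encode()).hexdigest(),
                            "devices": {fingerprint(device_attrs)},
                            "last_seen": (location, time.time())}

    def issue_otp(self, name):
        """Step 2 of the flow: the 6-digit code the SMS gateway would deliver
        to the enrolled phone (returned here so the demo can use it)."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[name] = (otp, time.time())
        return otp

    def verify_otp(self, name, otp):
        """Single-use and time-limited. It cannot check WHO typed the code."""
        issued = self.pending.pop(name, None)
        if issued is None:
            return False
        code, at = issued
        return hmac.compare_digest(code, otp) and time.time() - at <= self.OTP_TTL

    def risk_score(self, name, ctx):
        """Layer the contextual signals into one score (weights are assumptions)."""
        u = self.users[name]
        score, reasons = 0, []
        if fingerprint(ctx["device"]) not in u["devices"]:
            score, reasons = score + 30, reasons + ["unregistered device"]
        if ctx["ip"] in KNOWN_BAD_IPS:
            score, reasons = score + 40, reasons + ["bad IP reputation"]
        last_loc, last_t = u["last_seen"]
        hours = max((ctx["time"] - last_t) / 3600.0, 1e-6)
        speed = haversine_km(last_loc, ctx["location"]) / hours   # geo-velocity
        if speed > self.MAX_SPEED_KMH:
            score, reasons = score + 30, reasons + [f"impossible travel {speed:.0f} km/h"]
        return score, reasons

    def transfer(self, name, password, otp, ctx, risk_based=True):
        """Steps 1 and 3 of the flow, then the context layer. Returns (allowed, reasons)."""
        u = self.users.get(name)
        pw = hashlib.sha256(password.encode()).hexdigest()
        if u is None or not hmac.compare_digest(u["pw"], pw):
            return False, ["bad password"]
        if not self.verify_otp(name, otp):
            return False, ["bad, replayed or expired OTP"]
        reasons = []
        if risk_based:
            score, reasons = self.risk_score(name, ctx)
            if score >= self.STEP_UP:
                return False, reasons + ["step-up required"]
        u["last_seen"] = (ctx["location"], ctx["time"])
        return True, reasons


def emmental_scenario():
    """Returns (legit_ok, attack_ok_with_otp_only, attack_ok_with_context, reasons)."""
    bank = Bank()
    austin = (30.27, -97.74)
    alice_pc = {"ua": "Firefox/41", "screen": "1920x1080", "tz": "America/Chicago"}
    bank.register("alice", "correct horse", alice_pc, austin)
    # Alice transfers money from her enrolled PC; the OTP reaches her phone.
    legit_ok, _ = bank.transfer("alice", "correct horse", bank.issue_otp("alice"),
        {"device": alice_pc, "ip": "198.51.100.23", "location": austin, "time": time.time()})
    # Ten minutes later the attacker logs in with Alice's phished password; the
    # bank texts Alice's phone and the trojan there forwards the OTP to the attacker.
    attacker_ctx = {"device": {"ua": "Chrome/45", "screen": "1366x768", "tz": "Europe/Kiev"},
                    "ip": "203.0.113.7", "location": (50.45, 30.52), "time": time.time() + 600}
    ctx_ok, reasons = bank.transfer("alice", "correct horse", bank.issue_otp("alice"), attacker_ctx)
    otp_only_ok, _ = bank.transfer("alice", "correct horse", bank.issue_otp("alice"),
                                   attacker_ctx, risk_based=False)
    return legit_ok, otp_only_ok, ctx_ok, reasons


if __name__ == "__main__":
    print(emmental_scenario())
```

Run as a script it prints `(True, True, False, [...])`: the legitimate transfer passes, the attacker's transfer passes the password and OTP checks alone, and the same request is refused once the context layer scores it. The weights are the part a real deployment has to argue about; the structure is the point of the slide, namely that no single factor is trusted to carry the decision.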
What You Can Do (1 of 2)
• Request threat models from MFA vendors
• Beware
– 2D fingerprints
– Already-hacked biometrics
– QR codes
– SMS OTP
– JavaScript requirements
– Overreliance on geolocation
– Weak account recovery
– Lack of mobile device risk analysis
– Encryption with backdoors
Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/
What You Can Do (2 of 2)
• Do not be swayed by the latest InfoSec fashion trends
– Apple Touch ID
  • Integration with VISA
  • Samsung Pay
– FIDO Alliance
• Rethink the MFA definition
– Beware of odd interpretations
• Authentication as a continuous process
– Not just login and transactions
– Cross-channel risk
• Depending on risk and use case, chain or combine: MFA + (location, time, device ID) + context-based analytics
Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/
Questions?
Clare Nelson, CISSP, [email protected], @Safe_SaaS, October 22, 2015, Austin, TX
Additional References (1 of 3)
• Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015)
• Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints, http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner-flaw/ (April 2015)
• IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
• Six technologies that are taking on the password, UN/HACKABLE (Medium)
• Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy-abbie-barbir.html (2014)
• Nelson, Clare; Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journal, http://www.bluetoad.com/publication/?i=252353 (April 2015)
Additional References (2 of 3)
• Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To-Avoid-Them-wp.pdf (August 2015)
• Pagliery, Jose; OPM hack's unprecedented haul: 1.1 million fingerprints, http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015)
• Bonneau, Joseph, et al.; Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015)
• White, Conor, CTO, Daon; Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013)
• Gioria, Sébastien; OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
Additional References (3 of 3)
• Steves, Michelle, et al.; NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014)
• Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device-fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhokz2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015)
• Perrot, Didier; There's No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
"A rose by any other name would smell as sweet" [1]
• Adaptive authentication
• Multi-modal authentication
• Continuous authentication
• 2FA, TFA, two-factor authentication
• Multi-factor authentication
• Strong authentication
– United States: many interpretations, depends on context
– European Central Bank (ECB): strong authentication, or strong customer authentication, is a set of specific recommendations [2]
• Apple: two-step authentication
• Multi-step authentication
• SecureAuth: adaptive, risk-based, context-based authentication
• IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication [3]
– Traditional authentication: authenticate at the beginning of a session
– Dynamic authentication: users may be asked to authenticate at "various points during a session, for various reasons" [3]
• Step-up authentication
• Re-authentication
• Out-of-band authentication
[1] Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html
[2] Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html
[3] Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014)
Advice for Startups
• For startup internal employees:
– www.gluu.org, 100% open source and open standards
– Many vendors offer a free service for a small team
  • Apersona, free up to 5 users: http://www.apersona.com/#!pricing/c1c8c
  • Duo, free up to 10 users: https://www.duosecurity.com/
• Build authentication into your products
– Originally cars did not have seat belts. In the future, authentication will be designed in.