the inmates are running the asylum: why some multi-factor authentication technology is irresponsible


Upload: clare-nelson-cissp

Post on 14-Jul-2015


TRANSCRIPT

Page 1: The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Technology is Irresponsible

Slide 0

The Inmates Are Running the Asylum:

Why Some Multi-Factor Authentication Technology

is Irresponsible

Clare Nelson, CISSP

[email protected]

@Safe_SaaS

Bsides Austin, March 13, 2015

Slide 1

Speaker Bio

• Clare Nelson, CISSP

– [email protected], @Safe_SaaS

• B.S. Mathematics

• 30+ years in industry

– Encrypted TCP/IP variants for NSA

– Product Management at DEC (HP), EMC2

– Director Global Alliances at Dell, Novell

– VP Business Development, MetaIntelli (Mobile Security)

• 2001 Founder ClearMark Consulting

• 2012, 2013 Elected to Austin ISSA Board

• 2014 Co-founder C1ph3r_Qu33ns

• 2014 USA Yoga National Champion

• Favorite tortilla chip: Sesame Blues


Slide 2

• Based on information in public domain

• Sources are cited, footnotes on most slides

Slide 3

Scope

• Multi-Factor Authentication (MFA) use case:

– Focus on consumers and external customers

• No protocols (OAuth, OpenID Connect, SAML, etc.), that is a separate talk

• United States focus

– EU regulations

o France: legal constraints for biometric, must be justified and authorized by the National Commission for Informatics and Liberty (CNIL)1

– India: e-commerce Snapdeal, Reserve Bank of India

o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002

1 Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdf

2 Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for-low-value-deals/articleshow/46251251.cms

Slide 4

“The System of Doctor Tarr and Professor Fether”

– Edgar Allan Poe


Slide 5

NIST Definition

Multi-Factor Authentication (MFA)

• National Institute of Standards and Technology (NIST)

• SP 800-63-2 (August 2013), Electronic Authentication Guideline

1. Something you know (password)

2. Something you have (ID badge, cryptographic key)

3. Something you are (fingerprint, other biometric data)1

• What is the origin of this definition?

• NIST authors: might be Gene Spafford, or just “ancient lore”2

– @TheRealSpaf: “Nope — that's even older than me!”3

– 1970s? NSA? Academia?

1 Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

2 Source: February 26, 2015 email response from a NIST SP 800-63-2 author

3 Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)


Slide 6

How can you write a guide based on a definition of unknown, ancient origin?

How can you implement MFA without a current, coherent definition?

Slide 7

Updated Definitions (More Risk)

Multi-Factor Authentication (MFA) Factors:

• Knowledge

• Possession

– Mobile device identification

• Inherence

– Biometrics: Physical or Behavioral

• Location

– Geolocation

– Geofencing

– Geovelocity

• Time1

NIST: Device identification, time, and geo-location could be used to challenge an identity; but “they are not considered authentication factors”2

1 Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

2 Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

Slide 8

FFIEC MFA Definition

• Federal Financial Institutions Examination Council (FFIEC)

• 2011 update to 2005 document, Authentication in an Internet Banking Environment:

– “…virtually every authentication technique can be compromised”

– Financial institutions should no longer consider simple device identification (such as cookies, IP addresses, or geo-location information)

– Complex device identification, “digital fingerprinting,” incorporates a number of characteristics such as PC configuration, IP address, geo-location, and other factors

– Implement time of day restrictions for funds transfers

– Consider keystroke dynamics, biometric-based responses1

1 Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf

Slide 9

State of the Market

Authentication silos predominate

• 200+ MFA vendors offering fragmented, custom, often proprietary solutions

“…time to alter how authentication is done …it doesn't meet today’s demands ….the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a ‘Tower of Babel’ for authentication.”1

– Phil Dunkelberger, CEO Nok Nok Labs

1 Source: http://www.networkworld.com/article/2161675/security/pgp-corp--co-founder-s-startup-targets-cloud-authentication.html


Slide 10

Why 200+ MFA Vendors?

Authentication has been the Holy Grail since the early days of the Web.1

The iPhone of Authentication has yet to be invented.2

1 Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/

2 Source: Clare Nelson, February 2015.

Slide 11

Suboptimal Choices

Authentication Factors/Technology

1. Biometrics, 2D fingerprint

2. Short Message Service (SMS)

– One-Time Password (OTP)

3. Quick Response (QR) codes

4. JavaScript

5. Weak, arcane, account recovery

6. Assumption mobile devices are secure

7. Encryption (without disclaimers)

– Quantum computing may break RSA or ECC by 20301

• Update on NSA’s $80M Penetrating Hard Targets project2

– Encryption backdoors, is it NSA-free and NIST-free cryptography?

– “No mysterious constants or ‘magic numbers’ of unknown provenance”3

1 Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer

2 Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could-crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html

3 Source: https://www.grc.com/sqrl/sqrl.htm

Slide 12

Irrational Exuberance of Biometric Authentication Adoption

Juniper Research:

• By 2019, 770 million apps that use biometric authentication will be downloaded annually

- Up from 6 million in 2015

• Fingerprint authentication will account for an overwhelming majority

- Driven by increase of fingerprint scanners in smartphones1

1 Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/

Samsung Pay

Slide 13

Apple TouchID: Cat Demo

1 Source: https://www.youtube.com/watch?v=q3ymzRYXezI

Slide 14

Issues with Biometrics

• Cannot be revoked or re-issued

- Easy to reset your password, not easy to reset your fingerprints

• 2D Fingerprints

- Proven especially vulnerable to targeted attacks

• Your biometrics are in public domain, and elsewhere, easily accessed

• Biometric identification systems may undermine privacy by making identity theft more likely1

• Biometrics will likely persist in government and private databases, accreting information whether we like it or not2

• False positives, false negatives

• High cost

• Need to account for disabilities, injuries, other issues

• User acceptance, preference for biometric factors varies by demographic

1 Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdf

2 Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/

“Fingerprints scare me” - Anonymous (2015)

Slide 15

1 Source: http://www.dw.de/image/0,,18154223_303,00.jpg

Slide 16

2D Fingerprint Hacks

• Starbug, aka Jan Krissler

• 2014: Cloned fingerprint of German Defense Minister, Ursula Von der Leyen

– From photographs1,2

• 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany

– Won IsTouchIDHackedYet.com competition3

• 2006: Published research on hacking fingerprint recognition systems4

1 Source: https://www.youtube.com/watch?v=vVivA0eoNGM

2 Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/

3 Source: http://istouchidhackedyet.com

4 Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf


Slide 17

2013: Starbug Faking TouchID

1Source: http://istouchidhackedyet.com

Slide 18

Source: http://www.wellhappypeaceful.com/wp-content/uploads/2012/06/baby.jpg

Slide 19

Riccio versus Krissler

“Fingerprints are one of the best passwords in the world.”1

– Dan Riccio, Senior Vice President, Apple

“Don't use fingerprint recognition systems for security relevant applications!”2

– Jan Krissler (Starbug)

1 Source: http://www.imore.com/how-touch-id-works

2 Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf

Slide 20

Starbug’s Threat Model

Biometrics Systems: Types of Attacks1

1 Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf


Slide 21

3D Fingerprint1

1Source: http://sonavation.com/technology/

No matter how advanced the biometric is, the basic threat model persists.


Slide 22

Behavioral Biometrics: BehavioSec

1Source: http://www.behaviosec.com

Laptop: requires JavaScript, won’t work with Aviator browser, or if you disable JavaScript


Slide 23

Behavioral Biometrics: BioCatch

• Detects threats based on user interaction with online and mobile applications

• Analyzes 400+ bio-behavioral, cognitive and physiological parameters

– For example, how you find a missing cursor1

1Source: http://www.biocatch.com


Slide 24

Fingerprinting Web Users Through Font Metrics1

• Browser variations

– Version

– What fonts are installed

– Other settings

• Font metric–based fingerprinting

– Measure onscreen size of font glyphs

• Effective against Tor Browser

1 Source: http://fc15.ifca.ai/preproceedings/paper_83.pdf


Slide 25

Biometrics: In Use, Proposed

• Fingerprints 2D, 3D via ultrasonic waves

• Palms, its prints and/or the whole hand (feet?)

• Signature

• Keystroke, art of typing, mouse, touch pad

• Voice

• Iris, retina, features of eye movements

• Face, head – its shape, specific movements

• Other elements of head, such as ears, lip prints

• Gait

• Odor

• DNA

• ECG (Beta: Bionym’s Nymi wristband, smartphone, laptop, car, home security)

• EEG1

• Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2

1 Source: http://www.optel.pl/article/future%20of%20biometrics.pdf

2 Source: http://www.airsig.com


Slide 26

“Thought Auth”1

EEG Biosensor

• MindWave™ headset2

• Measures brainwave signals

• EEG monitor

• International Conference on Financial Cryptography and Data Security

1 Source: Clare Nelson, March 2015

2 Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/

Slide 27

SXSW Preview

SXSW: March 15: “Fingerprints are Usernames, Not Passwords”

“… biometrics cannot, and absolutely must not, be used to authenticate an identity”1

– Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical

1 Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

Slide 28

SMS OTP Attacks

• Many MFA vendors use SMS OTP

- Send text with One-Time Password

• 2014 paper from Northeastern University and Technische Universität Berlin

- “SMS OTP systems cannot be considered secure anymore”

• SMS OTP threat model

- Physical access to phone

- SIM swap attack

- Wireless interception

- Mobile phone trojans1

1 Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf

Slide 29

SMS OTP Attack: Banking Example

• Operation Emmental

• Defeated two-factor authentication (2FA)

- 2014, discovered by Trend Micro1

- Targeted Swiss, Austrian, German, Swedish and other European banks, plus Japanese banks

- Typical scenario: customer goes to online bank

1. Customer enters username and password

2. Session token sent to mobile device (SMS OTP)

3. Customer enters session token (OTP)

- Attackers scraped SMS one-time passwords off customers’ Android phones2

1 Source: http://blog.trendmicro.com/finding-holes-operation-emmental/

2 Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf


Slide 30

QR Code Risks1

• VASCO two-factor authentication

– User captures QR code with mobile device

– User enters PIN code to log on, or validate transaction2

• QR codes used by many MFA vendors

• A QR code redirects the user to a URL; even when the URL is displayed, not everyone reads it before accepting

– Could link to a malicious website

1 Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html

2 Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx

Slide 31

“Account recovery is the Achilles heel of 2FA”1

– Eric Sachs, Product Management Director, Identity at Google

1 Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/

Slide 32

Account Recovery

• Recovering your account if you lost your 2FA credentials

– If you've lost access to your account after enabling two-factor authentication, <Vendor Name> can't help you

• Google Authenticator provides recovery codes

– 10 codes, print hard copy, put in your wallet (purse)

• Apple Two-Step Authentication

– What if I lose my Recovery Key?

– Go to My Apple ID, create a new Recovery Key using your Apple ID password and one of your trusted devices1

1 Source: https://support.apple.com/en-us/HT204152
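Added example (not code from the talk, from Google or from Apple): one way a service can implement the printed recovery-code pattern this slide describes, so that a user who loses the second factor can get back in without the "vendor can't help you" dead end and without a weak recovery path. The server stores only a salted slow hash of each code, compares in constant time, and marks a code used after one redemption. The function and class names, the code alphabet and the PBKDF2 work factor are assumptions of this example.

```python
"""Single-use recovery codes for a 2FA-protected account (added example)."""
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (0/O, 1/l/I): an assumption of
# this example, chosen because the codes are meant to be printed and typed.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 20_000  # assumed work factor, kept modest for a demo


def generate_recovery_codes(count=10, length=10):
    """Return `count` random codes, formatted as xxxxx-xxxxx for a printout."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        half = length // 2
        codes.append(f"{raw[:half]}-{raw[half:]}")
    return codes


def normalize(code):
    """Accept what a user typed from paper: drop dashes/spaces, lowercase."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code, salt):
    """Slow salted hash so a leaked store cannot be brute-forced cheaply;
    a 10-character code has far less entropy than a strong password."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Server-side record per code: salt, hash and a used flag. No plaintext kept."""

    def __init__(self, codes):
        self.entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self.entries.append({"salt": salt, "hash": hash_code(code, salt), "used": False})

    def redeem(self, candidate):
        """Consume one unused code if `candidate` matches it; otherwise return False."""
        for entry in self.entries:
            if entry["used"]:
                continue  # single use: a replayed code never matches again
            digest = hash_code(candidate, entry["salt"])
            if hmac.compare_digest(digest, entry["hash"]):
                entry["used"] = True
                return True
        return False

    def remaining(self):
        return sum(1 for e in self.entries if not e["used"])


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Print and keep these codes:", *codes, sep="\n  ")
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))   # True
    print("replay:", store.redeem(codes[0]))      # False
    print("remaining:", store.remaining())        # 9
```

Redemption should additionally be rate-limited and logged, and the batch should be regenerated whenever the second factor is re-enrolled; both are left out here to keep the pattern itself visible.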

Slide 33

“Mobile is the New Adversarial Ingress Point.”1

– Lee Cocking, VP Product Strategy at GuardTime

1 Source: http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices

Slide 34

What’s Wrong with the Mobile Device Becoming the Authentication Device?

MetaIntelli research: sample of 38,000 mobile apps, 67% had M3 (OWASP Mobile Top 10 risk M3, Insufficient Transport Layer Protection)1,2

1 Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks

2 Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of-mobile-apps-affected-by-owasp-mobile-top-10-risks/

Slide 35

MFA Double Standard1

Big Company (2015)

• Consumers may use facial and voice recognition for mobile login2

• Employees use Symantec Validation and ID Protection (VIP)3

1 Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg

2 Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice-recognition-1072509-1.html

3 Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice


Slide 36

Perfect Storm

• Fractured, crowded market, 200+ MFA vendors chasing ~$1.8B market1

• Apple, VISA, Samsung, others: fingerprint-based authentication is cool, secure

• FIDO Alliance

• 2014, year of the breach

• Increased legislation

1Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time-password-otp-market

Slide 37

FIDO Alliance

• Fast ID Online (FIDO) Alliance

• Proponent of interoperability

– Universal 2nd Factor (U2F)

– Universal Authentication Framework (UAF)

• Triumph of marketing over technology

• Network-resident versus device-resident biometrics

– FIDO advocates device-resident

• Problems, especially with voice

– Phone-resident malware

– Back-door vulnerability

– Prohibits cross-channel usage, black list processing1

1 Source: January 2015, “Networks vs Device Resident Biometrics,” ValidSoft

Perhaps interoperability is a good thing. Bad guys have many different systems to hack.


Slide 38

“Legacy thinking subverts the security of a well-constructed system”1

– David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2

1 Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382

2 Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122


Slide 39

Consider Context-Based Authentication (aka Risk-Based Authentication, Adaptive Authentication)1

• Device registration and fingerprinting

• Source IP reputation data

• Identity store lookup

• Geo-location

• Geo-fencing

• Geo-velocity

• Behavioral analysis

1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor-authentication-with-context/a/d-id/1317911

Layer multiple contextual factors. Build a risk profile.
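Added example, not code from the talk or from any vendor: a small scorer that layers the contextual factors listed on this slide (device registration, source IP reputation, geo-location, geo-fencing, geo-velocity) into one risk profile and maps it to allow, step-up or deny. It also applies the NIST caveat from Slide 7: none of these signals is treated as an authentication factor on its own; a high score only triggers a challenge or a denial. The weights, thresholds, reference lists (KNOWN_DEVICES, BAD_IPS, GEO_FENCE), function names and the constructed login events are all assumptions of this example.

```python
"""Context-based (risk-based) authentication scorer (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginEvent:
    user: str
    device_id: str
    ip: str
    country: str
    lat: float
    lon: float
    ts: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def geo_velocity_kmh(prev, cur):
    """Speed the user would have needed to travel between two logins."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return float("inf")  # same instant or out-of-order timestamps
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


MAX_PLAUSIBLE_KMH = 1000.0  # assumed: roughly airliner speed; faster is impossible travel

# Constructed reference data for the example (placeholder documentation-range IPs).
KNOWN_DEVICES = {"alice": {"dev-1"}}
BAD_IPS = {"203.0.113.9"}
GEO_FENCE = {"alice": {"US"}}  # countries alice normally logs in from


def score_login(cur, prev):
    """Return (score, reasons) for a login attempt given the user's previous login."""
    score, reasons = 0, []
    if cur.device_id not in KNOWN_DEVICES.get(cur.user, set()):
        score += 30
        reasons.append("unregistered device")
    if cur.ip in BAD_IPS:
        score += 40
        reasons.append("source IP has bad reputation")
    if cur.country not in GEO_FENCE.get(cur.user, set()):
        score += 20
        reasons.append("outside geo-fence")
    if prev is not None:
        v = geo_velocity_kmh(prev, cur)
        if v > MAX_PLAUSIBLE_KMH:
            score += 50
            reasons.append(f"geo-velocity {v:.0f} km/h exceeds plausible travel")
    return score, reasons


def decide(score):
    """Map the layered score to an action; a challenge, never a silent pass."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step-up"  # require an additional factor
    return "allow"


def evaluate_sample():
    """Score two constructed logins against a baseline login from Austin."""
    t0 = datetime(2015, 3, 13, 9, 0, tzinfo=timezone.utc)
    baseline = LoginEvent("alice", "dev-1", "198.51.100.4", "US", 30.27, -97.74, t0)
    benign = LoginEvent("alice", "dev-1", "198.51.100.4", "US", 30.27, -97.74,
                        datetime(2015, 3, 13, 10, 0, tzinfo=timezone.utc))
    suspicious = LoginEvent("alice", "dev-9", "203.0.113.9", "GB", 51.51, -0.13,
                            datetime(2015, 3, 13, 12, 0, tzinfo=timezone.utc))
    results = {}
    for name, ev in (("benign", benign), ("suspicious", suspicious)):
        score, reasons = score_login(ev, baseline)
        results[name] = (decide(score), score, reasons)
    return results


if __name__ == "__main__":
    for name, (decision, score, reasons) in evaluate_sample().items():
        print(f"{name}: {decision} (score {score}) {reasons}")
```

The London login three hours after an Austin login trips every signal, so it is denied outright; a login that only changes device would score 30 and get a step-up challenge instead, which is the layering the slide asks for.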

Slide 40

What You Can Do

1. Request threat models from MFA vendors

2. Beware 2D fingerprints, already-hacked biometrics, QR codes, SMS OTP, JavaScript requirements, weak account recovery, lack of mobile device risk analysis, and encryption with backdoors

3. Do not be swayed by latest InfoSec fashion trends

– Apple TouchID, integration with VISA; Samsung Pay

– FIDO Alliance

4. Rethink the definition of MFA, beware of new interpretations


Slide 41

Questions?

Clare Nelson, [email protected]

@Safe_SaaS


Slide 42

Backup Slides

Slide 43

Additional References

1. 2014 December, Starbug (Jan Krissler) video, Ich sehe, also bin ich … Du, https://www.youtube.com/watch?v=vVivA0eoNGM&feature=youtu.be

2. OWASP Mobile Top 10 Risks, Insufficient Transport Layer Protection, https://www.owasp.org/index.php/Mobile_Top_10_2014-M3

3. OWASP Guide to Authentication, https://www.owasp.org/index.php/Guide_to_Authentication#What_is_two_factor_authentication.2C_really.3F

4. SANS, Two-Factor Authentication: Can You Choose the Right One? http://www.sans.org/reading-room/whitepapers/authentication/two-factor-authentication-choose-one-33093

5. Gluu blog, (January 15, 2014), Achilles Heel of Two-Factor Authentication, http://www.gluu.org/blog/2fa_achilles_heel/

6. Gartner, December 1, 2014, Magic Quadrant for User Authentication.

7. Forrester, December 30, 2013, Market Overview: Employee and Customer Authentication Solutions in 2013: Part 1 of 2

8. M2SYS Technology (July 24, 2014), The Impact of Biometrics in Banking, http://blog.m2sys.com/financial-services/impact-biometrics-banking/

9. Google Unveils 5-Year Roadmap for Strong Authentication, http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/

Slide 44

NIST on Biometrics

• Biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for e-authentication

• Biometrics may be used in the registration process for higher levels of assurance to:

– Later help prevent a subscriber who is registered from repudiating the registration

– Help identify those who commit registration fraud

– Unlock tokens1

1 Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

Slide 45

NIST: Threat Resistance by Threat Level1

1 Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

[Table reproduced from NIST SP 800-63-2; only its two table footnotes survived the transcript:]

29 Long term authentication secrets shall be protected at this level. Short term secrets may or may not be protected.

30 Although there are techniques used to resist flood attacks, no protocol has comprehensive resistance to stop flooding.


Slide 46

SecSign: Apple Watch 2FA

1Source: https://www.youtube.com/watch?v=Ub-hKlacN9I

Slide 47

1 Source: http://www.creditconsumersassociation.org/wp-content/uploads/2013/08/sim-swap-fraud.png


Slide 48

Hacker Mentality

1Source: http://www.darkreading.com/identity-and-access-management/the-problem-with-two-factor-authentication/d/d-id/1113697

“The hackers are breaching the architecture, not the authentication mechanism.”1

– Garret Grajek, CSO at dinCloud


Slide 49

Biometrics: Imaginable

• Body shape recognition

• Internal structure of body parts

• Analysis of other electrical and magnetic fields created by body

• Analysis of face and head vibrations during speaking1

1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf