two factor authentication presentation mcit
![Page 1: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/1.jpg)
Something you know and something you have.
Two Factor Authentication
Submitted By: Saba Hameed CT-025
![Page 2: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/2.jpg)
Agenda
Authentication
Authentication Factors
Two Factor Authentication (2FA)
Business Need for 2FA
2FA Using OTP Hard Tokens
2FA Using Mobile Tokens
Security Analysis
Conclusion & Recommendations
![Page 3: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/3.jpg)
Authentication
Authentication is the process of verifying the identity of a user.
The most common technique to authenticate a user is a username and password.
![Page 4: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/4.jpg)
Authentication Factors
Something you know
Something you have
Something you are
![Page 5: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/5.jpg)
Threats to Passwords
Social engineering
Phishing
Brute force attacks
Shoulder surfing
Keystroke logging
Eavesdropping
Dictionary attacks
![Page 6: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/6.jpg)
Two factor Authentication
It is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.
![Page 7: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/7.jpg)
Business Benefits
Customer Confidence
Regulations & Best Practices: EFT Act 2007, PCI DSS, NIST
Threat Prevention: Phishing, packet replay and man-in-the-middle attacks
Fraud Prevention
![Page 8: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/8.jpg)
Tokens
Hard Token: USB Token, Smart Card
Soft Token: Mobile Token
OTP is a second layer of security to verify your identity.
![Page 9: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/9.jpg)
Types of OTP
Software – OTP
A one-time password (OTP) generated by the company and sent to your mobile phone or PC.
Hardware – OTP
An OTP generated by a security device/token. You press the button on the security device/token to obtain the OTP.
Event Based OTP
Here the moving factor is triggered by an event (a counter that advances on each use).
Time Based OTP
Here the moving factor is time.
![Page 10: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/10.jpg)
2FA Using Hard Token
Courtesy: RSA SecurID
![Page 11: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/11.jpg)
Security Analysis
Benefits
It is secure against packet replay attacks.
It prevents phishing.
Threats
The user needs to carry the device everywhere, and there is a risk that it may get stolen or lost.
Cost is very high.
Vulnerable to active attacks and man-in-the-middle attacks.
![Page 12: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/12.jpg)
2FA Using Mobile Tokens
It makes use of:
Application installed on the user's mobile
IMEI
Time stamp
Seed
Algorithm used: Time-based One-Time Password (TOTP) algorithm / HMAC-SHA-1
![Page 13: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/13.jpg)
How it works
User Registration on Server
Registration data sent from the Mobile Application to the Auth Server:
Seed
PIN
IMEI number
Time stamp difference
![Page 14: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/14.jpg)
How it works
OTP Generation
Mobile Application: Seed + Time -> Algorithm -> 159759
Authentication Server: Seed + Time -> Algorithm -> 159759
Same seed and same time give the same OTP on both sides.
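The generation shown above, as an added worked example (this is not code from the presentation or from any of its references): TOTP per RFC 6238 with HMAC-SHA-1, a 30-second step and 6 digits, plus the server-side check with a small clock-drift window and a replay guard. The shared seed is the RFC 6238 Appendix B test seed, used here as a constructed demo value rather than a real secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # time step in seconds (RFC 6238 default)
DIGITS = 6   # length of the displayed OTP


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the moving factor is the number of whole time steps
    since the Unix epoch, so phone and server derive it from their own clocks."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, last_counter: int,
                window: int = 1, step: int = STEP, digits: int = DIGITS):
    """Server-side check. Returns (accepted, counter_to_store).
    - tolerates +/-window steps of clock drift between phone and server
    - refuses any counter <= last_counter, so an intercepted code cannot be replayed
    - compares in constant time to avoid a timing side channel"""
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(seed, counter, digits), submitted):
            return True, counter
    return False, last_counter


# Constructed demo seed: the RFC 6238 Appendix B test seed (ASCII "12345678901234567890").
SEED = b"12345678901234567890"


def demo():
    t = 1234567890                              # a fixed "current" Unix time
    phone_code = totp(SEED, t)                  # what the mobile application displays
    ok, used = verify_totp(SEED, phone_code, t + 10, last_counter=0)   # server clock 10 s ahead
    replayed, _ = verify_totp(SEED, phone_code, t + 10, last_counter=used)
    return phone_code, ok, replayed


if __name__ == "__main__":
    code, ok, replayed = demo()
    print(f"OTP {code}: first use accepted={ok}, replay accepted={replayed}")
```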
![Page 15: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/15.jpg)
How it works
Login session
![Page 16: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/16.jpg)
Security Analysis
Benefits
A relatively cheaper and more flexible means of OTP.
Users just need to carry their mobiles with them; no extra device is needed.
Threats
Still vulnerable to active attacks, man-in-the-middle attacks and man-in-the-browser attacks.
![Page 17: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/17.jpg)
Solution?
1. Challenge Response Mechanism
For fund transfer transactions, the server generates a code and sends it to the user. The user enters the code on the Internet banking site in order to commit the transaction.
Challenges:
High cost required
Hardware required
![Page 18: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/18.jpg)
Solution?
2. SMS with Transaction Details
![Page 19: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/19.jpg)
Security Analysis
Threat: The mobile is now a single point of failure. The OTP is generated/received on the mobile, and the transaction verification code is also received via SMS on the same mobile. If an attacker has possession of the user's mobile, he can do everything.
My Recommendation: A different medium must be used for receiving the OTP and for receiving the transaction verification code.
![Page 20: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/20.jpg)
Conclusions
| Method | Threats | Effective against man-in-the-browser attack? |
|---|---|---|
| Static passwords | Can be lost and easily obtained; brute force attacks possible | No |
| Biometric | | No |
| OTP hard tokens | User has to carry the token | No |
| OTP soft/mobile token | Man-in-the-middle attacks | No |
| OTP with signature (challenge response) | Secure against man-in-the-middle attacks | Yes, but inconvenient |
| OTP with SMS transaction detail | Secure against phishing, packet replay, MIM and MITM | Yes!! |
![Page 21: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/21.jpg)
My Recommendations
Users should check that the website has https in the URL, so that the password is encrypted in transmission.
The OTP and PIN should be hashed before sending.
Mutual authentication should be established between the client and the server before the session starts, to assure the user that the server can be trusted.
Use a split key technique for authentication.
![Page 22: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/22.jpg)
References
Mohamed Hamdy Eldefrawy, Khaled Alghathbar, Muhammad Khurram Khan, “OTP-Based Two-Factor Authentication Using Mobile Phones”
Roland M. van Rijswijk – SURFnet bv, Utrecht, The Netherlands, “tiqr: a novel take on two factor authentication”
Fadi Aloul, Syed Zahidi, “Two Factor Authentication Using Mobile Phones”
Costin Andrei Soare, “Internet Banking Two-Factor Authentication using Smartphones”
![Page 23: Two factor authentication presentation mcit](https://reader033.vdocuments.mx/reader033/viewer/2022061219/54b8debe4a795950148b4616/html5/thumbnails/23.jpg)
Q & A Session