lascon 2014: multi-factor authentication -- weeding out the snake oil

Multi-Factor Authentication: Weeding Out the Snake Oil LASCON 2014 David Ochel 2014-10-24 This work is licensed under a Creative Commons Attribution 4.0 International License .


DESCRIPTION

My presentation given at LASCON 2014.

TRANSCRIPT

Page 1: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Multi-Factor Authentication: Weeding Out the Snake Oil

LASCON 2014

David Ochel

2014-10-24

This work is licensed under a Creative Commons Attribution 4.0 International License.

Page 2: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Objectives

• Understand what’s going on in the market of multi-factor authentication.

• Look at solutions from a risk view… Which problems are we actually solving / trying to solve?

Multi-Factor Authentication Criteria – LASCON 2014 Page 2

Page 3: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Agenda: Less Formalism, More Examples…

• Motivation / Introduction

– Authentication Factors

– Why Multi-Factor?

• Criteria and Industry Examples

– Security-focused criteria

– Less risky criteria

• …and the Snake Oil?


Page 4: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

INTRODUCTION


Page 5: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Authentication Factors

• Knowledge-based “know”

– Passwords

– Security questions (?)

– Pattern/image recognition, …

• Token-based “have”

– Time-based one-time-passwords

– Crypto-based challenge response (e.g. X.509)

– Various form factors: smart cards, RFID, USB, LED dongles, phones, smartphones (arguably)

• Biometrics “are”

– Behavioral

– Physical

• Context-/behavioral-based

– As in “risk-based authentication”: IP addresses, locations, date/time, etc.


Page 6: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Why Do We Still Use Passwords?

“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1]

• Passwords

– Highly deployable: infrastructure exists, users are accustomed, cheap, …

– Security issues: observation, interception, replay, guessing, phishing

– Pervasive assumption: general-purpose personal computers (laptops, PCs, …) cannot be secured/trusted

• Issues with existing alternatives

– Memory-based (“know”): no better than passwords?

– Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace

– Tokens (“have”): susceptible to theft, expensive, hard to replace

– Contexts: unreliable proof of identity

[1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html

Page 7: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Current Industry Trend: Combine Multiple Factors

• Tokens

– Hard(er) to compromise; susceptible to physical theft

• Passwords

– Interceptable (malware); hard to physically steal

• Also in the running:

– Biometrics: convenient; but often trust issues when unsupervised (liveness detection)

– Contexts: back-end risk evaluation; not technically authentication

Page 8: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Authentication – A Piece of the Identity & Access Management Puzzle…


http://forgerock.com/products/open-identity-stack/

Page 9: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Which threats are we trying to counter?

• Are we protecting:

– Individual consumer accounts?

– Corporate users and data?

– Machine authentication?

• Assets

• Adversaries

• Vulnerabilities

• Etc…

Page 10: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

CRITERIA – FROM A SECURITY POINT OF VIEW


Page 11: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Are there at least two factors?

• Password + PIN = one factor

• Password-protected private key?

– …on a hardware token?


http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com

Page 12: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Swivel PIN Safe – Human-Computed Challenge Response

• But… password + PIN still aren’t two factors?

– When used in browser, helps against keylogging

– When used for SMS, actually helps!?

http://www.swivelsecure.com/devices/browser/
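An added illustration of the human-computed challenge-response idea on this slide, written for this page and not taken from the slides or from Swivel's code: as publicly described, the server shows a random 10-digit security string and the user answers with the digits at the positions named by their PIN. The scheme details, the sample user and the name PinSafeVerifier are my assumptions.

```python
import hmac
import secrets

# Added illustration of a PINsafe-style "security string" scheme as described
# publicly; names and details here are my assumptions, not Swivel's code.

STRING_LEN = 10  # positions 1..9 for PIN digits 1..9, position 10 for '0'

def new_security_string() -> str:
    """Server side: a fresh random 10-digit string for each login attempt."""
    return "".join(str(secrets.randbelow(10)) for _ in range(STRING_LEN))

def expected_response(pin: str, security_string: str) -> str:
    """What the user works out in their head: for every PIN digit d, read the
    digit at position d (1-based) of the security string; '0' means position 10."""
    return "".join(security_string[(int(d) - 1) % STRING_LEN] for d in pin)

class PinSafeVerifier:
    """Keeps one outstanding security string per user, so a response is only
    ever checked against the string it was issued for and is consumed on use."""

    def __init__(self, pins):
        self._pins = dict(pins)   # user -> PIN; constructed sample data from caller
        self._outstanding = {}    # user -> security string awaiting a response

    def challenge(self, user, security_string=None):
        """Issue a string; the optional argument only makes tests reproducible."""
        s = security_string or new_security_string()
        self._outstanding[user] = s
        return s

    def verify(self, user, response):
        s = self._outstanding.pop(user, None)   # one shot: consumed even on failure
        if s is None or user not in self._pins:
            return False
        expected = expected_response(self._pins[user], s)
        return hmac.compare_digest(expected.encode(), response.encode())

if __name__ == "__main__":
    v = PinSafeVerifier({"alice": "2468"})       # constructed sample user
    s = v.challenge("alice")
    r = expected_response("2468", s)             # what Alice types this time
    print(s, r, v.verify("alice", r))            # True
    print(v.verify("alice", r))                  # False: string already consumed
```

The typed digits change with every string, so a keylogged response is worthless once its string is consumed, yet the only secret being proven is still the PIN: one factor.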

Page 13: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

How many communication channels? One? More? Different physical band?


Page 14: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Communication channels (continued)

• Securing smartphone apps with smartphone tokens…?

• “plug and play”

– Factors

– Channels


Page 17: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Crypto

• There’s crypto everywhere

– Token challenge-response, digital signatures

– Transportation security for authentication channels

• Robustness/diversity

– More than one set of algorithm types supported?

• Trust

– Algorithms

– Implementations

https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/

Page 18: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

EMV-based

• Mastercard CAP / VISA DPA

• German Sm@art TAN

• CrontoSign (photoTAN)…

https://www.vasco.com/products/products.aspx
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf

Page 19: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

CRITERIA – LESS SECURITY-RELEVANT


Page 20: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

$$$

• OpEx vs. CapEx

– Licensing fees (per user, server, year, …?)

– Token cost

– …


http://www.entrust.com/products/entrust-identityguard/

Page 21: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Open Source?

• Lots of freemium solutions

• E.g. WikID


https://www.wikidsystems.com/learn-more/features

Page 23: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Usability

• Efficiency

• Ease of use

• Availability

• Convenience

– Is it realistic to expect that every user carries half a dozen hardware tokens with them?


© Edwin Sarmiento, https://www.flickr.com/photos/bassplayerdoc/6245647402/

Page 24: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

(Security) architecture

• Client-less vs. plug-ins, apps, …

• Service

– SaaS / cloud

– In-house

• Server side:

– APIs

– Logging

– RADIUS, etc. interfaces

Page 25: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Availability

• Does it scale?

– Authentications per second

• Capacity to bug/security-fix

– Reputation, history, size, …

• SLA, redundancy, …

• Fallback if the cloud is unavailable?

http://www.earlychildhoodworksheets.com/nature-clipart.html

Page 26: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

…AND THE SNAKE OIL?


Page 27: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

How to find snake oil?

• Wait until it finds you, or… Google it!

• OWASP ‘Guide to Cryptography’ suggests:

‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide "military grade" security. If a vendor says "trust us, we have had experts look at this,” chances are they weren't experts!’


https://www.owasp.org/index.php/Guide_to_Cryptography

Page 28: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil


Page 29: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Unbreakable, impenetrable, etc.


from http://www.edulok.com – retrieved 2014-09-23

Page 30: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

WWPass (aka EduLok): What might be going on?

This is abstracted from their public online documentation… haven’t checked out the patents or anything else.

Page 31: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

What about “Best in Class”?

• E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication”

• Not exempt from marketing blah? ;-)


http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23

Page 32: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Conclusions

• Don’t trust the marketing hype!

• Understand your exposure.

• Understand which solutions can reduce it.

• And then look at usability, interoperability, etc.


Page 33: LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil

Contact

David Ochel

Blog: http://secuilibrium.com

Twitter: @lostgravity
