Multi-factor Authentication Methods Taxonomy: Some Thoughts

Abbie Barbir, Ph.D
Co-chair OASIS Trust Elevation TC
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el
Authentication Strength
• (Entity) authentication: a process used to achieve sufficient confidence in the binding
  between the entity and the presented identity.
• What is authentication strength (or trust in the authentication step)?
   – It measures how difficult it is for an impostor to masquerade as the legitimate user.
   – Authentication strength is often more formally expressed as a "level of assurance" (LoA)
     (ITU-T X.1254 and ISO/IEC 29115, both based on NIST SP 800-63).
• Two-factor authentication (TFA, T-FA or 2FA) is commonly used for any approach that requires
  the presentation of two factors, whether from the same or from different categories.
• Multi-factor authentication (MFA) requires two or more factors drawn from different categories.
• Analysis
   – The overall objective is to elevate trust in the authentication step.
   – Established terms such as "2FA" are no longer precise enough to guide technology decisions.
   – Choosing the method or methods appropriate for securing the enterprise, and comparing
     different vendors' products and services on a like-for-like basis, requires a more granular
     taxonomy.

How to Determine the "Best" Authentication Method
Use needs and constraints to determine:
• Authentication strength
   • indicated by the level of risk
• Total cost of ownership
   • constrained by budget
• Ease of use
   • universally desirable
• Other constraints
   • consistency and control of the endpoint are important

Source: Gartner

Elevating Trust in Authentication Strength Level
• The strength of authentication can be increased by adding factors, from the same or from
  different categories, that do not share the same vulnerabilities.
• There are five categories of authentication methods:
   • who you are,
   • what you know,
   • what you have,
   • what you typically do, and
   • the context.
• "What you typically do" consists of behavioural habits that are independent of physical
  biometric attributes.
• Context includes, but is not limited to, location, time, party, prior relationship, social
  relationship and source.
• Authentication assurance, and its elevation, can be expressed within the four classic ITU-T
  X.1254 levels of assurance (ISO/IEC 29115, NIST SP 800-63).
• Adding factors from different categories increases strength only if the overall set of
  vulnerabilities is reduced.

Authentication Categories

Who You Are (biometric)
• Physical biometric: immutable and unique
   • Facial recognition
   • Iris scan
   • Retinal scan
   • Fingerprint / palm scan
   • Voice
   • Liveness factors include pulse, CAPTCHA, etc.
• Behavioural biometric: based on a person's physical behavioural activity patterns
   • Keyboard signature
   • Voice

What You Know
• User name and password (UN/PW), a passphrase, a PIN
• Very often used alone or in combination with KBA methods
• Knowledge-based authentication (KBA)
   • Static KBA
   • Dynamic KBA

What You Have
• One-time password (OTP)
• Smart card
• X.509 and PKI
• Rarely used alone; used in combination with UN/PW and a PIN

What You Do
• Browsing patterns
• Time of access
• Type of device
• Used in combination with other methods

Context
• Location; time of access
• Subscriber identity module (SIM)
• Frequency of access
• Source and endpoint identity attributes
• Used in combination with other methods

"What you do" and context attributes are mostly used to provide secondary attributes.

How to Evaluate Authentication Strength
1. Two aspects to consider
• The method's resistance to attack
   – how difficult is it for an attacker to directly compromise or undermine the authentication
     method (without the user's knowing collusion)?
• The method's resistance to wilful misuse
   – how difficult is it for a user to deliberately allow others to share their account?
2. Authentication strength
• Measures how hard it is for another person to masquerade as the legitimate user.
   – Authentication may be undermined by two kinds of attacks:
   – Masquerade attacks, in which an attacker is (by some means) able to corroborate a falsely
     claimed digital identity and thus log in as a legitimate user.
   – Session hijacking attacks, such as a man-in-the-browser attack, which take control of or
     parasitize an already-authenticated session after a legitimate user's claimed digital identity
     has been corroborated.

Session hijacking attacks bypass authentication and can therefore succeed no matter how strong
the authentication method is. There is always a need for fraud detection, misuse monitoring
and other compensating controls in order to elevate trust.

Source: Gartner

How to Evaluate Authentication Strength
• Combining two or more authentication methods can potentially increase authentication
  strength compared with using either one alone.
   – For example, passwords are vulnerable to keylogging;
   – adding a second, partial password entered via a drop-down menu may reduce vulnerability
     to this attack.
• Point of caution
   – Each type of authentication attribute has a set of intrinsic vulnerabilities, many of which
     overlap with those of other attributes.
   – A combination of two attributes of the same type tends to share many of those
     vulnerabilities.
   – It is a big mistake to assume that strong authentication always results from combining
     multiple authentication attributes/factors.

Only by combining attributes of different kinds (that is, different factors) with different
(non-overlapping) sets of vulnerabilities is there a significant increase in resistance to attack
and, thus, in authentication strength.

Source: OASIS, ITU, NIST, Gartner

How to Evaluate Authentication Strength
• Not every MFA method is stronger than an authentication method based on a single
  factor/attribute.
• For example, a single biometric method based on heartbeat can be stronger than a password
  plus an OTP.
• Against some types of attack, a 2FA method may be no stronger than one of its components used
  alone.
   – For example, a real-time ("fly-") phishing attack that captures an OTP and immediately uses
     it will be equally successful whether or not the OTP token was PIN-protected.
• Some issues to consider
   • How unique is the credential?
   • What is the level of trust in the binding of the credential to the entity?

Source: NIST, Gartner

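The two slides above argue that strength comes from combining factors whose vulnerabilities do not overlap, and that a PIN-protected OTP token is no better than an unprotected one against real-time phishing. The following Python model, added here as an illustration and not part of the original deck, makes that argument computable: every factor carries an assumed set of attack classes that defeat it on its own, and a combination is defeated only by an attack class that defeats all of its members, so the combination's residual set is the intersection of its members' sets. The factor names, attack classes and per-factor assignments are the editor's assumptions, not values from NIST, ITU-T or Gartner.

```python
"""Authentication strength as non-overlapping vulnerability sets.

Added example, not code from the original slides. Each factor is tagged with
the attack classes that defeat it on its own. An attacker defeats a combination
only by defeating every factor in it, so the residual vulnerability set of a
combination is the INTERSECTION of its members' sets. The attack-class labels
and the per-factor assignments are illustrative assumptions, not a standard.
Session hijacking is deliberately absent: it bypasses authentication entirely.
"""
from __future__ import annotations

# Constructed attack-class labels (the names echo the threat list on slide 10).
GUESSING = "online guessing"
KEYLOG = "keylogging"
PHISH_STORED = "phishing (credential stored for later use)"
PHISH_REALTIME = "real-time phishing relay"
MITM = "man-in-the-middle"
THEFT = "device theft"
DB_LEAK = "verifier database leak"
SPOOF = "biometric spoofing"

# Assumed vulnerability set per factor: (category, attack classes that defeat it alone).
FACTORS: dict[str, tuple[str, frozenset[str]]] = {
    "password": ("know", frozenset({GUESSING, KEYLOG, PHISH_STORED, PHISH_REALTIME, MITM, DB_LEAK})),
    "pin": ("know", frozenset({GUESSING, KEYLOG, PHISH_STORED, PHISH_REALTIME, MITM})),
    "totp_device": ("have", frozenset({PHISH_REALTIME, MITM, THEFT})),
    # Origin-bound signed challenge: nothing relayable leaves the device, so only theft remains.
    "signed_challenge": ("have", frozenset({THEFT})),
    "fingerprint": ("are", frozenset({SPOOF})),
}


def residual_vulnerabilities(*names: str) -> frozenset[str]:
    """Attack classes that defeat every named factor at once (set intersection)."""
    result = FACTORS[names[0]][1]
    for name in names[1:]:
        result &= FACTORS[name][1]
    return result


def categories(*names: str) -> set[str]:
    """Distinct factor categories present in the combination."""
    return {FACTORS[n][0] for n in names}


def stronger_than_each_component(*names: str) -> bool:
    """True only if the combination's residual set is a PROPER subset of every
    component's own set, i.e. each factor added removed at least one attack class."""
    residual = residual_vulnerabilities(*names)
    return all(residual < FACTORS[n][1] for n in names)


def report(*names: str) -> str:
    """One human-readable line per combination."""
    residual = sorted(residual_vulnerabilities(*names))
    verdict = ", ".join(residual) if residual else "no single-class attack suffices"
    return f"{' + '.join(names)} [{', '.join(sorted(categories(*names)))}] -> {verdict}"


if __name__ == "__main__":
    for combo in [("password", "pin"), ("password", "totp_device"),
                  ("pin", "totp_device"), ("password", "signed_challenge")]:
        print(report(*combo))
```

Run it and the password + PIN row shows no improvement over the PIN alone (same-category factors, shared vulnerabilities); password + TOTP shrinks the set but still contains the real-time relay; PIN + TOTP removes device theft yet is exactly as exposed to the relay as the bare token; and only a factor whose response cannot be relayed empties the set. Counting factors would have rated all of these two-factor combinations equally.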
Evaluating Authentication Strength "Take Away"
• Counting factors is not enough to evaluate authentication strength.

Source: Gartner

Authentication Process Threats
• Online guessing
• Phishing
• Pharming
• Eavesdropping
• Replay
• Session hijack
• Man-in-the-middle

Threat Resistance per Assurance Level

Source: ITU-T, NIST

Example: Calculating Overall Authentication Assurance Level (LoA 3)
• The overall authentication assurance level is the weakest link among the assurance levels of
  the individual components.
• For instance, to achieve an overall assurance level of 3:
   – The registration and identity proofing process shall, at a minimum, use Level 3 processes
     or higher.
   – The token (or combination of tokens) used shall have an assurance level of 3 or higher.
   – The binding between the identity proofing and the token(s), if proofing is done separately
     from token issuance, shall be established at Level 3.
   – The authentication protocols used shall have a Level 3 assurance level or higher.
   – The token and credential management processes shall use a Level 3 assurance level or higher.
   – Authentication assertions (if used) shall have a Level 3 assurance level or higher.

Tokens
• A token is something that the Claimant possesses and controls (typically a cryptographic
  module or password) that is used to authenticate the Claimant's identity.
• Single-factor token
   • A token that uses one of the three factors to achieve authentication.
      • For example, a password is something you know.
      • No additional factor is required to activate the token, so it is considered single-factor.
• Multi-factor token
   • A token that uses two or more factors to achieve authentication.
      • For example, a private key on a smart card that is activated via a PIN is a multi-factor
        token.
      • The smart card is something you have, and something you know (the PIN) is required to
        activate the token.

Tokens "Token Style"
1. Memorized Secret Token
   – A secret shared between the Subscriber and the CSP.
2. Pre-registered Knowledge Token
   – A series of responses to a set of prompts or challenges.
3. Look-up Secret Token
   – A physical or electronic token that stores a set of secrets shared between the Claimant and
     the CSP. The token authenticator is the secret(s) identified by the prompt. Look-up secret
     tokens are something you have.
4. Out-of-Band Token
   – A physical token that is uniquely addressable and can receive a Verifier-selected secret for
     one-time use. The device is possessed and controlled by the Claimant and supports private
     communication over a channel that is separate from the primary channel for e-authentication.
5. Single-factor (SF) One-Time Password (OTP) Device
   – A hardware device that supports the spontaneous generation of one-time passwords.

Tokens "Token Style"
6. Single-factor (SF) Cryptographic Device
   – A hardware device that performs cryptographic operations on input provided to the device.
     This device does not require activation through a second factor of authentication.
7. Multi-factor (MF) Software Cryptographic Token
   – A cryptographic key is stored on disk or some other "soft" media and requires activation
     through a second factor of authentication.
8. Multi-factor (MF) One-Time Password (OTP) Device
   – A hardware device that generates one-time passwords for use in authentication and which
     requires activation through a second factor of authentication.
9. Multi-factor (MF) Cryptographic Device
   – A hardware device that contains a protected cryptographic key that requires activation through
     a second authentication factor. Authentication is accomplished by proving possession of the
     device and control of the key. The token authenticator is highly dependent on the specific
     cryptographic device and protocol, but it is generally some type of signed message. For
     example, in TLS there is a "certificate verify" message. The MF cryptographic device is
     something you have, and it may be activated by either something you know or something you
     are.

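The token styles above separate an OTP device (an authenticator that is a relayable one-time code) from a cryptographic device whose authenticator is a signed message. The following Python example, added here and not code from the slides or from NIST SP 800-63, implements HOTP and TOTP per RFC 4226 and RFC 6238 with a verifier that tolerates one neighbouring time step, and shows a real-time phishing relay of the OTP being accepted inside that window (with or without a PIN on the token, since the victim has already unlocked it). It contrasts that with a challenge response bound to the origin the device is actually connected to, which the same relay cannot forward. The "signature" is an HMAC over a per-device key held by the verifier, a symmetric stand-in for the asymmetric signature a real device would produce; the device key, origins and challenge are constructed values, and the secret is the public RFC test-vector secret.

```python
"""Relayability of an OTP versus an origin-bound signed challenge.

Added example, not code from the original slides or from NIST. HOTP and TOTP
follow RFC 4226 and RFC 6238 (HMAC-SHA1, dynamic truncation). The MF
cryptographic device's "signed message" is modelled with an HMAC over a
per-device key registered at the verifier; this symmetric stand-in for a real
asymmetric signature is an assumption made so the example runs stand-alone.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (a published value, not a real key).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the time-step index as the counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Verifier accepts the current step and +/- `skew` neighbouring steps (common tolerance)."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def otp_relay_succeeds(secret: bytes, user_time: int, relay_delay: int) -> bool:
    """Real-time phishing: the proxy harvests the code the victim types at `user_time`
    and submits it to the real verifier `relay_delay` seconds later. Whether the token
    needed a PIN to display the code changes nothing: the victim already unlocked it."""
    harvested = totp(secret, user_time)
    return verify_totp(secret, harvested, user_time + relay_delay)


def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Device authenticator: MAC over the verifier's challenge AND the origin the
    device is actually connected to (taken from the transport, not from page content)."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def verify_signed_challenge(device_key: bytes, challenge: bytes,
                            expected_origin: str, signature: bytes) -> bool:
    """Verifier recomputes over its own origin; a response bound elsewhere fails."""
    return hmac.compare_digest(sign_challenge(device_key, challenge, expected_origin), signature)


def signature_relay_succeeds(device_key: bytes, challenge: bytes,
                             real_origin: str, phishing_origin: str) -> bool:
    """Proxy forwards the real verifier's challenge to the victim on the phishing origin,
    then forwards the device's response. The response is bound to the wrong origin."""
    forwarded = sign_challenge(device_key, challenge, phishing_origin)
    return verify_signed_challenge(device_key, challenge, real_origin, forwarded)


if __name__ == "__main__":
    key = b"per-device-key-registered-at-enrolment"   # constructed
    print("OTP relayed 10 s later accepted:   ", otp_relay_succeeds(RFC_SECRET, 1_000_000, 10))
    print("OTP relayed 120 s later accepted:  ", otp_relay_succeeds(RFC_SECRET, 1_000_000, 120))
    print("Signed challenge relayed accepted: ",
          signature_relay_succeeds(key, b"nonce-123", "https://bank.example",
                                   "https://bank-login.example"))
```

The OTP relay fails only once the attacker is slower than the verifier's step plus skew; a proxy that forwards keystrokes as they are typed is never that slow. The origin-bound response fails regardless of timing, because the origin the device saw is part of what it signed. Both tokens are "something you have"; only the second resists this threat, which is the slide's point that factor counting does not measure strength.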
Token Threats

Source: NIST, ITU-T

Token Threat Mitigation Strategies

NIST: Assurance Levels for Multi-Token E-Authentication Schemes
