6. Valencia 2014 – Chema Alonso
Exposure surface
• Services are up 24 x 7 x 365
• We only use our identities for a brief period of time
• Accounts should be able to be switched off
8. 2FA “classics”
• User needs to enter a code
• SMS roll-out
• Coordinate card is static
• Hardware tokens are expensive
• User does not like entering a code
9. People like taking a siesta (with the TV remote in hand)
12. At the airport
Anna has just started a new job and she is on a business trip. As usual, she checks the weather, prepares her suitcase and defines her online security levels using Latch.
13. Taking a cab
To make her trip easier she decides to pay for everything with one service. On her way to the office at her destination she switches the service on, so she can pay the taxi fare. Once done, she switches her account off again, minimizing its exposure to improper use.
14. An alert from the service she used!
During the stopover someone tried to break into her service account. Fortunately the account was blocked by Latch, as Anna had easily requested from the app: the attack was under control and no misuse ever took place.
16. Latching an account
Diagram: Latch Server, My Site and the Latch app. User settings on My Site: Login: XXXX, Pass: YYYY, Latch: ULatch (the unique latch id).
1. Generate pairing code
2. Temporary pairing token
4. AppID + temporary pairing token
5. OK + unique Latch ID
6. Latch appears in the app
17. Login on a website
Diagram: Latch Server; Latch app showing Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, …; My Bank users DB: Login: XXXX, Pass: YYYY, Latch: Latch1; login page: Login: AAAA, Pass: BBBB.
1. Client sends login/password
2. Web checks credentials against its users DB (check user/pass)
3. Asks about Latch1 status
4. Latch1 is OFF
5. Login error
6. Someone tried to get access to the Latch1 id
20. Login with OTP
Diagram: Latch Server; Latch app showing Latch1: OFF, Latch2: ON, Latch3: OTP, Latch4: OFF, …; My Bank users DB: Login: XXXX, Pass: YYYY, Latch: Latch1; login page: Login: AAAA, Pass: BBBB.
1. Client sends login/password
2. Web checks credentials against its users DB (check user/pass)
3. Asks about Latch1 status
4. Latch Server generates OTP
5. Latch1 is ON (OTP)
6. OTP?
7. Use this (OTP)
8. User enters OTP
25. Latched operations
Diagram: Latch Server; Latch app showing Latch1: ON, Op1: OFF, Op2: ON, Op3: OTP, Latch2: OFF, …; My Bank: Login: XXXX, Pass: YYYY, Latch: Latch1, Int_Trans: Op1; online banking form: Send money: 1231124343.
1. Client orders an international transaction
3. Asks Latch1:Op1 status
4. Latch1:Op1 is OFF
5. Denied
6. Someone tried to perform a Latch1:Op1 operation
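The decision logic of slides 17, 20 and 25 in one place, as an added example that is not Latch's own SDK or server code: the site checks its users DB first and only then asks a mocked Latch Server for the status of the user's latch (or of one latched operation); OFF produces an error plus an alert for the app, OTP produces a server-generated code the user has to enter. The records (XXXX/YYYY, Latch1, Op1) are constructed sample data.

```python
import secrets
from enum import Enum

class Status(Enum):
    OFF = "off"   # locked: attempts are refused and reported to the app
    ON = "on"     # open: the site's own password check is enough
    OTP = "otp"   # open, but a one-time code shown in the app is required

# Constructed sample data, not real Latch records. The site keeps only the
# latch id beside its credentials; the Latch Server keeps only latch state.
USERS_DB = {"XXXX": {"password": "YYYY", "latch": "Latch1",
                     "ops": {"int_trans": "Op1"}}}
LATCH_SERVER = {"Latch1": {"status": Status.ON,
                           "ops": {"Op1": Status.OFF, "Op2": Status.ON,
                                   "Op3": Status.OTP}}}
APP_NOTIFICATIONS = []   # what the user's Latch app would display
PENDING_OTPS = {}        # latch id -> code the server generated

def check_status(latch_id, op=None):
    """Steps 3-4 of the slides: the site asks the Latch Server for a status."""
    entry = LATCH_SERVER[latch_id]
    status = entry["ops"][op] if op else entry["status"]
    target = f"{latch_id}:{op}" if op else latch_id
    if status is Status.OFF:
        APP_NOTIFICATIONS.append(f"Someone tried to use {target}")
    elif status is Status.OTP:
        PENDING_OTPS[latch_id] = f"{secrets.randbelow(10**6):06d}"
        APP_NOTIFICATIONS.append(f"Use this OTP for {target}: {PENDING_OTPS[latch_id]}")
    return status

def login(user, password):
    """Steps 1-2: the site validates credentials itself, then consults the latch."""
    record = USERS_DB.get(user)
    if record is None or record["password"] != password:
        return "login error"   # a bad password never reaches the Latch Server
    status = check_status(record["latch"])
    return {Status.OFF: "login error", Status.ON: "ok", Status.OTP: "otp required"}[status]

def submit_otp(user, code):
    """Step 8 of the OTP flow; any attempt, right or wrong, consumes the pending code."""
    return "ok" if PENDING_OTPS.pop(USERS_DB[user]["latch"], None) == code else "login error"

def operation(user, name):
    """A latched operation: the same decision, keyed by Latch1:Op1 rather than Latch1."""
    record = USERS_DB[user]
    status = check_status(record["latch"], record["ops"][name])
    return {Status.OFF: "denied", Status.ON: "ok", Status.OTP: "otp required"}[status]
```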
26. Supervision
Diagram: a user with Login: User, Pass: Pass, Latch: Latch, Op1: Unlock, Op2: OTP; supervision flow: Why? / Answer / OTP.
27. Latch
• Users: control all digital identities from one single point. ON/OFF.
• Developers: integrate plugins and develop solutions with SDKs to adapt Latch technology to their needs.
– SDKs: PHP, Java, .NET, C, Ruby, Python & WebService API
– Plugins: WordPress, PrestaShop, RedMine, Cpanel, Moodle, OpenVPN, SSH, Drupal, DotNetNuke, Joomla!, …
• Corporates:
– Deploy 2FAuth
– Opt-in/mandatory
– Detect identity theft
– Granularity
– Reduce fraud
– Parental control
– 4 eyes verification
• Tools:
– Control dashboard
– Usage statistics
– Internal appliance (beta)
28. Monitoring Switch
• With one latch
– As much granularity as needed
– Two statuses
– OTP
– User confs
• Schedule
• AutoLock
• Possible to react to the status
If Lock then {}
Else {}
Goto fail;
Goto fail:
30. Windows pGina
http://unstableequilibrium.com/2014/02/07/using-pgina-and-latch-to-protect-your-windows-login/
36. About Latch
• Privacy:
– AppIDs know the UniqueLatches but not the UserLatches.
– Latch Server knows latches and AppIDs, but not the users/passwords.
• Robustness:
– If the Latch server is compromised, the security of the protected site remains intact.
– No sensitive data is stored on Latch Server.