The end of passwords... as we know it. We talk about password alternatives, or 2-factor authentication and some trends that we are starting to see in regard to authentication.

1. Codebits 2011
The End Of Passwords...
11/11/11

2. Summary
Summary:
•
Mo&va&on
•
Today’s
scenario
•
Two-­‐Factor
Authen&ca&on
-­‐
Biometrics
-­‐
So>ware
Tokens
-­‐
Hardware
Tokens
•
Trends
SAPO
Websecurity
Team 2

3. Motivation > Lots of accounts compromised
SAPO
Websecurity
Team 3

4. Motivation > Lots of accounts compromised
SAPO
Websecurity
Team 4

5. Motivation > People Reuse Passwords
•
Password
Sharing:
73%
of
users
share
passwords
that
are
used
for
online
banking
with
at
least
one
non-­‐financial
website.
•
Username
/
Password
Sharing:
42%
of
users
share
both
their
username
and
password
with
at
least
one
non-­‐financial
website
Study
on
4M
PCs in
Reusing
Login
Creden.als,
Security
Advisor,
February
2010,
Trusteer
Inc.
SAPO
Websecurity
Team 5

6. Today
Typical
choice
of
passwords
on
the
Web:
• Weak
password
and
reused
in
different
sites
• Strong
password
but
reused
in
different
sites
• Weak
password
but
different
from
other
sites
• Strong
password
for
criIcal
sites,
Weak
password
for
other
sites
• Strong
or
weak
password
and
basic
derivaIons
on
other
sites
SAPO
Websecurity
Team 6

7. Today
Can
we
memorize
hundreds
of
strong
passwords?
SAPO
Websecurity
Team 7

8. Today
No
way!
SAPO
Websecurity
Team 8

9. Today
So
what
can
we
do?
SAPO
Websecurity
Team 9

10. Alternatives > Password Managers
Password
Managers
Use
a
password
manager
to
manage
all
your
passwords
instead
of
trying
to
memorize
them
all
Types:
•
Local
•
Stateless
•
Remote
Pros:
• easy
to
use
• prac&cal
• enable
you
to
use
strong
and
different
passwords
across
sites
Cons:
• If
a
hacker
breaks
your
password
manager,
ALL
your
passwords
are
compromised!
SAPO
Websecurity
Team 10

11. Passwords
But
Passwords
per
se
are
not
a
secure
authenIcaIon
mechanism
A
password
is
a
piece
of
informaIon,
that
can
be
shared,
leaked
or
stolen.
Someone
with
your
password
=
you
SAPO
Websecurity
Team 11

12. Alternatives
What
is
the
alternaIve?
MulL-­‐Factor
AuthenLcaLon
Any
combinaIon
of
these:
•
Something
you
know
•
Something
you
have
•
Something
you
are
SAPO
Websecurity
Team 12

13. Two-Factor Auth
The
most
popular
combinaIon
is
the
2-­‐factor
authenIcaIon:
“something
you
know”
and
“something
you
have”
SAPO
Websecurity
Team 13

14. Two-Factor Auth
...
but
the
second
(physical)
factor
cannot
be
stolen?
SAPO
Websecurity
Team 14

15. Two-Factor Auth
...sure,
but
it
is
about
scale.
SAPO
Websecurity
Team 15

16. Two-Factor Authentication
Two-­‐Factor
AuthenLcaLon
SAPO
Websecurity
Team 16

17. Two-Factor Auth > Examples
Some
Examples
•
Biometrics
•
Smart
cards
•
SMS
•
So>ware
OTP
Tokens:
-­‐
Google
AuthenIcator
-­‐
Verisign
VIP
•
Hardware
OTP
Tokens:
-­‐
Yubikey
-­‐
CryptoCard
-­‐
RSA
SecureID
Pros:
• More
secure
than
single-­‐
factor:)
Cons:
• Not
very
convenient
• May
provide
a
false
sense
of
security
• Typically
a
closed
market
(most
vendors
rip
you
off!)
SAPO
Websecurity
Team 17

18. Two-Factor Auth > Biometrics
Biometrics
Verifies
a
unique
personal
aYribute
or
behavior.
Divided
into
two
categories:
physiological
(iris,
re&na,
fingerprint)
or
behavioral
(signature,
keystroke,
voice
dynamics)
Pros:
• effec&ve
and
accurate
method
of
iden&fica&on
Cons:
• Cannot
be
re-­‐issued!
• Expensive
($$$$$)
• Privacy
concerns
• Physical
and
Behavioral
aYributes
can
change
• Not
suitable
for
all
scenarios
• Can
be
dangerous!
(If
thief
cuts
your
finger
off)
SAPO
Websecurity
Team 18

19. Two-Factor Auth > Biometrics
Biometrics
Usage:
• Could
be
used
for
Internet
banking,
to
confirm
the
authen&city
of
a
high-­‐value
transac&on
• Can
be
used
for
authen&ca&on
in
computers,
other
systems
or
applica&ons
SAPO
Websecurity
Team 19

20. Two-Factor Auth > Smart Cards
Smart
Cards
A
smart
card
has
the
capability
of
processing
informa&on
because
it
has
a
microprocessor
and
integrated
circuits
incorporated
into
the
card
itself.
Two-­‐factor
=
PIN
+
Smart
Card
Types
=
contact
and
contactless
Pros:
• Good
security
offered,
the
secret
never
leaves
the
smartcard
Cons:
• Not
very
convenient
• You
may
need
to
install
drivers
before
using
• May
provide
a
false
sense
of
security
SAPO
Websecurity
Team 20

21. Two-Factor Auth > Smart Cards
Smart
Cards
Usage:
• Some
sites
allow
you
to
use
SSL
Client
cer&ficates
as
a
mean
of
authen&ca&on.
Cer&ficates
can
be
stored
in
a
Smart
Card.
• Some
sites
allow
you
to
authen&cate
through
the
smart
card
(some
government
sites
using
the
ci&zen
card)
• You
can
use
a
smart
card
to
sign
email,
documents,
authen&cate
to
WiFi
networks
and
SSH,
use
them
with
PAM,
and
more...
SAPO
Websecurity
Team 21

22. Two-Factor Auth > Smart Cards
SMS
Some
sites
can
send
a
text
message
as
a
2nd
factor
of
authen&ca&on
Pros:
• Easy
to
implement
• No
need
to
carry[/buy]
extra
devices
(your
mobile
phone
is
always
with
you)
Cons:
• It’s
probably
the
weakest
2nd-­‐factor
(easy
to
fake
and
intercept)
SAPO
Websecurity
Team 22

23. Two-Factor Auth > Google Authenticator
One
Time
Passwords
(OATH)
It
can
be
HOTP
(event-­‐based)
or
TOTP
(&me-­‐based).
Pros:
• It’s
an
Open
Standard
• You
can
use
it
in
your
own
systems
(using
a
PAM
Module
or
integra&ng
it
with
RADIUS)
• You
have
mul&ple
implementa&ons
that
work
on
a
panoply
of
devices
(e.g.
smartphone,
yubikey,
hardware
tokens)
Cons:
• Concerns
related
to
security
of
the
device
(in
so>ware
implementa&ons)
• Your
baYery
may
die
when
you
most
need
an
OTP
(in
case
of
a
smartphone)
• You
lose
some
&me
to
generate/enter
an
OTP
SAPO
Websecurity
Team 23

24. Two-Factor Auth > Yubikey > What is it?
What
is
it?
• The
Yubikey
is
a
small
USB
token
which
acts
as
a
regular
keyboard.
It
can
generate
StaIc
Passwords
and
One
Time
Passwords.
SAPO
Websecurity
Team 24

25. Two-Factor Auth > Yubikey > How does it work?
StaLc
Passwords
• The
Yubikey
can
be
provisioned
with
a
staIc
password
with
up
to
64
chars.
This
password
can
be
used
with
applicaIons/services
that
do
not
support
OTPs.
You
should
use
an
addiIonal
password!
One
Time
Passwords
• Two
different
One
Time
Password
standards
are
supported:
event-­‐based
HOTP
and
Yubikey-­‐style
OTPs.
• HOTP
is
a
be^er
known
standard,
but
it
is
more
limited
due
to
usability
concerns
(smaller
OTP,
sync
issues,
etc.).
• The
Yubikey
OTP
standard
leverages
the
fact
that
the
Yubikey
inputs
the
OTPs
for
you.
Two
slots
• Short-­‐press
for
slot
1;
Long-­‐press
for
slot
2
(3
secs);
Drivers
• Any
OS
with
USB-­‐keyboard
support.
It
even
works
during
boot
(useful
for,
e.g.,
whole-­‐disk
encrypIon
soluIons
such
as
PGP-­‐WDE
and
TrueCrypt).
SAPO
Websecurity
Team 25

26. Two-Factor Auth > Yubikey > Where does it work?
Lastpass
(h^p://www.lastpass.com)
SAPO
Websecurity
Team 26

27. Two-Factor Auth > Yubikey > Where does it work?
Yubico
OpenID
(h^p://openid.yubico.com)
SAPO
Websecurity
Team 27

28. Yubikey > Where does it work?
FastMail
(h^p://www.fastmail.fm)
SAPO
Websecurity
Team 28

29. Two-Factor Auth > Yubikey > Where does it work?
Laptop
(h^p://127.0.0.1)
One
Time
Password Sta&c
Password
SAPO
Websecurity
Team 29

30. Yubikey > Where could it work?
Architecture
SAPO
Websecurity
Team 30

31. Two-Factor Auth > Yubikey > Details
Inner
workings
(Protocol
spec
is
Open)
SAPO
Websecurity
Team 31

32. Two-Factor Auth > Yubikey > Security Threats
Protocol
a^acks
• Generated
OTPs
consist
of
unique
128
bit
blocks
encrypted
with
a
shared
AES
key
between
Token
and
Server.
Protocol
security
depends
on
the
security
strength
of
the
AES
algorithm.
SAPO
Websecurity
Team 32

33. Two-Factor Auth > Yubikey > Security Threats
Server
a^acks
• Central
authenIcaIon
servers
store
symmetric
keys
for
all
Tokens.
If
successfully
a^acked,
this
can
be
catastrophic.
Yubico
miIgates
this
with
tamper-­‐proof
HSMs.
• A
DoS
a^ack
on
the
server
will
result
in
users
not
being
able
to
log
in.
SAPO
Websecurity
Team 33

34. Two-Factor Auth > Yubikey > Security Threats
User
a^acks
• Social
engineering;
• Phishing;
• “Borrowing”
the
Token.
SAPO
Websecurity
Team 34

35. Two-Factor Auth > Yubikey > Security Threats
Host
a^acks
• Soeware
key
extracIon
(very
hard
to
exploit);
• Man-­‐in-­‐the-­‐browser.
SAPO
Websecurity
Team 35

36. Two-Factor Auth > Yubikey > Security Threats
Hardware
a^acks
• Hardware
key
extracIon
and
Token
duplicaIon.
SAPO
Websecurity
Team 36

37. Two-Factor Auth > Yubikey > Advantages
Convenient
• No
drivers
necessary
• Types
the
key
for
you
Open
• Open
standard
and
infrastructure
• Soeware
released
under
permissive
license
• Extensible
(PIN
opIon)
• No
license
required
per
token
Affordable
• Around
10€
if
purchased
in
larger
quanIIes
Secure
• Provides
an
addiIonal
authenIcaIon
factor
• OTP
generaIon
requires
manual
intervenIon
SAPO
Websecurity
Team 37

38. Two-Factor Auth > NFC/RFID
NFC/RFID
We
can
use
the
technology
for
many
purposes,
including
authen&ca&on
Pros:
• Could
be
very
convenient
• No
need
to
carry[/buy]
extra
devices
(your
mobile
phone
is
always
with
you)
Cons:
• The
security
aspects
are
s&ll
being
discussed.
(Mifare
1K
and
DESFire
tags
can
be
cloned)
• In
reality,
there
are
no
standard
mechanisms
on
devices
to
use
NFC
authen&ca&on.
SAPO
Websecurity
Team 38

39. Trends > PoC
SAPO
Websecurity
Team 39

40. Future
Trends
SAPO
Websecurity
Team 40

41. Trends
Two-­‐factor
AuthenLcaLon
is
gecng
Popular:
SAPO
Websecurity
Team 41

42. Future
QR
Codes
Some
interesLng
ideas
are
brewing...
SAPO
Websecurity
Team 42

43. Trends > BMWʼs NFC PoC
SAPO
Websecurity
Team 43

44. Links
Smart
Cards
• OpenSC
Project
-­‐
h^p://www.opensc-­‐project.org
Yubikeys
• Yubico
-­‐
h^p://www.yubico.com
Time-­‐based
and
event-­‐based
OTPs
• Google
AuthenIcator
-­‐
h^p://code.google.com/p/google-­‐authenIcator/
NFC
• libnfc-­‐
h^p://www.libnfc.org/documentaIon/introducIon
QR
Codes
• Iqr
-­‐
hYps://&qr.org/
Biometrics
• BioAPI
Consor&um
-­‐
hYp://www.bioapi.org/
SAPO
Websecurity
Team 44

45. The End
QuesLons?
Nuno
Loureiro
<nuno@co.sapo.pt> João
Poupino
<joao.poupino@co.sapo.pt>
SAPO
Websecurity
Team 45