
Passwordless auth

  • 1. “Change is the only constant” A World Beyond Passwords Lesha Bhansali
  • 2. What are passwords and how are they used? 430 BC: Roman Military, “Watchwords” were used to prove membership. 1944: US Army, World War II, “Challenge-Response” used to prove membership. 1960: MIT, CTSS, used to keep track of identities for time logging. 1990-2017: Password is a word or string of characters used for user authentication to prove identity.
  • 3. What are the Problems with Passwords? $3 T annual cost of cybercrime to global economy; $4 M is the average total cost of a data breach; $22 cost per password reset call. Conflicting password policies; Password Managers; Frequent password resets. Costly. Complex. Vulnerable. Advanced password cracking tools; Social engineering and phishing attacks. 6 unique passwords are used to guard 24 accounts, which results in re-use; Most commonly used password can be cracked in seconds; 47% of people use passwords more than 5 years old. Inconvenient. No. of accounts/user constantly increasing (esp. w/ IoT); Should be unique, fresh for each account. Increases Breaches. 81% of breaches caused due to hacked passwords; Password reuse allows easy pivoting to other accounts. Sources: https://roboform-blog.siber.com/2015/03/06/password-security-survey-results-part https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf-1/ https://www.avatier.com/blog/the-true-cost-of-password-resets/ https://assets.entrepreneur.com/static/1433198293-password-info.jpg?_ga=1.132545162.589846021.1467731180 http://info.idagent.com/blog/
  • 4. Who is using Passwords today? 3885 M, 51.7% of total population; 2789 M social media users; 4917 M mobile users.
  • 5. Evolution of Authentication Methods (diagram): Single-Factor Authentication; Two-Factor/Multi-Factor Authentication. Factors shown: Passwords (Something you know), Hardware (Something you have), Biometrics (Something you are).
  • 6. #passwordless: We need something which is more consistent, secure and user friendly.
  • 7. Alternate Methods of Authentication. Something you have: Hard Tokens, Phone-as-a-token, Security Keys, Wearables, Device Fingerprinting. Something you are: Retina, Iris, Vein, Heartbeat, Fingerprint, Facial, DNA. Something you do: Typing, Signature, Keystrokes, Gesture, Voice. Risk Based Authentication: Requests for more information based on risk and user, the action and data; Geo location, IP address.
  • 8. Multi-Factor + Intelligence Driven Authentication. Risk Based Authentication on Data and User; No. of Factors Determined based on Risk. Adjust risk levels, data for advanced analytics and no. of factors for authentication based on use case and business priorities.
  • 9. Barriers to #passwordless Adoption. Passwords are ubiquitous; Low adoption of Multi-Factor Auth; Authentication; Biometrics and hardware compatibility; Hardware token cost and maintenance; Implementation; Enterprise challenges (usability and security); Websites still use classic password authentication.
  • 10. Roadmap to Adoption. Gather behavioral data and adopt advanced analytics; User Experience; Trust and Accountability; Leverage smartphones and include sensors for face, iris, and fingerprint recognition; Integrate wearables with heartbeat and vein technologies; Get users to use SSO; Use Phone/Security Keys + Biometrics + Risk based Auth = Passwordless.
  • 11. Market Trends. Behavioral biometrics are poised to grow; Two-factor authentication continues to grow; Companies predict they will get rid of passwords in less than 5 years; A combination of multiple authentications needs to be used; Single sign-on is being adopted by users.
  • 12. Who is using what? Voice: Wells Fargo, HSBC (Nuance), Citigroup. Face Recognition: Mastercard, Apple, Microsoft, Amazon, Uber, US Government. Blockchain: IBM, Accenture, New York Fund. Iris Scan: Vivo X5Pro. OTP Hardware Token: PayPal. Single Sign On: Majority of consumer websites, social media apps via Facebook, Google+, LinkedIn, Twitter, Microsoft, GitHub. Security Key: FIDO Alliance along with Facebook, Microsoft, Google, Salesforce, CERN, GitHub, Dropbox, Novartis. Finger Print: Apple, Motorola, Microsoft, Banks, Electronic Visa and Passport, Fujitsu (Hand), Samsung, Bank of America, Chase. Retina Scan: Fujitsu, Vodafone, Wells Fargo, Citigroup.
  • 13. Technology to watch out for: Blockchain for managing digital identities (diagram): You; Amazon; Chase; Gmail; Outlook; Facebook; Microsoft.
  • 14. Ideal Passwordless Authentication Solution: High Trust and Accountability; Good User Experience; Low Implementation and Maintenance Cost; Adaptability to Context.
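
Slides 7 and 8 describe risk-based authentication, where geo location, IP address, the action and the data decide how many factors are requested. The sketch below is an added example, not part of the deck; the signal weights, thresholds, field names, factor labels and sample data are all assumptions.

```python
"""Risk-based step-up authentication: a constructed sketch.

Weights, thresholds and factor labels are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed weight per risk signal; the total is capped at 100.
W_NEW_COUNTRY = 35
W_UNTRUSTED_IP = 15
W_UNKNOWN_DEVICE = 20
ACTION_RISK = {"read": 0, "transfer": 30, "change_credentials": 40}
UNKNOWN_ACTION_RISK = 40  # unlisted actions are scored as the most sensitive

# Factors in the order they are added as risk rises (slide 7 categories).
FACTOR_LADDER = ("something_you_have", "something_you_are", "something_you_do")
DENY_THRESHOLD = 90  # at or above this score, no number of factors is enough


@dataclass(frozen=True)
class UserProfile:
    usual_countries: frozenset
    trusted_networks: tuple  # CIDR strings


@dataclass(frozen=True)
class LoginContext:
    ip: str
    country: str
    device_known: bool
    action: str


def ip_is_trusted(ip_text, networks):
    """True only if the address parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: fail closed
    return any(ip in ipaddress.ip_network(n) for n in networks)


def risk_score(ctx, profile):
    """Sum the weights of every signal that deviates from the user's profile."""
    score = ACTION_RISK.get(ctx.action, UNKNOWN_ACTION_RISK)
    if ctx.country not in profile.usual_countries:
        score += W_NEW_COUNTRY
    if not ip_is_trusted(ctx.ip, profile.trusted_networks):
        score += W_UNTRUSTED_IP
    if not ctx.device_known:
        score += W_UNKNOWN_DEVICE
    return min(score, 100)


def required_factors(score):
    """Return the factors to request, or None to deny the attempt outright."""
    if score >= DENY_THRESHOLD:
        return None
    if score < 30:
        return FACTOR_LADDER[:1]
    if score < 60:
        return FACTOR_LADDER[:2]
    return FACTOR_LADDER[:3]


def decide(ctx, profile):
    """Score one attempt and map the score to a factor requirement."""
    score = risk_score(ctx, profile)
    return score, required_factors(score)


# Constructed sample data (documentation address ranges, made-up profile).
PROFILE = UserProfile(frozenset({"US"}), ("203.0.113.0/24",))
SAMPLES = (
    LoginContext("203.0.113.10", "US", True, "read"),
    LoginContext("198.51.100.7", "US", True, "transfer"),
    LoginContext("198.51.100.7", "BR", False, "read"),
    LoginContext("198.51.100.7", "BR", False, "change_credentials"),
)

if __name__ == "__main__":
    for ctx in SAMPLES:
        score, factors = decide(ctx, PROFILE)
        print(ctx.action, ctx.country, score, factors or "DENY")
```

The first factor requested is a possession factor rather than a password, matching the deck's "Phone/Security Keys + Biometrics + Risk based Auth" formula.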

Editor's notes

  1. Digital transformation is a cornerstone of most enterprise strategies today, with user experience at the heart of the design philosophy driving that transformation. But most user experiences—for customers, business partners, frontline employees, and executives—begin with a transaction that’s both annoying and, in terms of security, one of the weakest links. In fact, weak or stolen passwords are a root cause of more than three-quarters of corporate cyberattacks, and as every reader likely knows, corporate cyber breaches often cost many millions of dollars. Shoring up password vulnerability would likely significantly lower corporate cyber risk—not to mention boost user productivity, add the goodwill of grateful customers, and reduce the system administration expense of routinely managing employees’ forgotten passwords and lockouts.
  2. Let’s understand the history: what passwords are and what they are used for. Understand where we are today before going into how to solve them. https://www.cl.cam.ac.uk/~fms27/papers/2012-BonneauHerOorSta-password--oakland.pdf
  3. Making our digital lives too easy to crack. Passwords were created in the early 1960s, and have not changed much in form or function since then. As a result, they have become the way for hackers to wreak havoc for companies and their consumers, stealing millions of pieces of data from just one set of login credentials. Complex, but the funny part is that the complexity helps neither with security nor with usability. Mark Zuckerberg's Pinterest password was dadada. World Economic Forum.
     Sources: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ https://roboform-blog.siber.com/2015/03/06/password-security-survey-results-part https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf-1/ https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN https://www.avatier.com/blog/the-true-cost-of-password-resets/ http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html https://assets.entrepreneur.com/static/1433198293-password-info.jpg?_ga=1.132545162.589846021.1467731180 http://info.idagent.com/blog/63-of-data-breaches-result-from-weak-or-stolen-passwords https://www.betterbuys.com/estimating-password-cracking-times/ https://www.buzzfeed.com/josephbernstein/survey-says-people-have-way-too-many-passwords-to-remember?utm_term=.qiKK0Oe6PJ#.eimNMKe9zn
     I'll put some facts in here. 81% of data breaches are caused by hacked passwords (Verizon 2016). Only 24% of people always log out of websites when they are done using them. More than 50% of users often let their browsers remember passwords. 42% wrote down their passwords. 23% always use the same password. 74% log into 6 or more sites, but only 41% use 6 or more unique passwords. Conflicts with password policies. Powerful supercomputers make it easier for hackers. Password cracking tools are easily available. Social media and social engineering make it even easier. Average cost per password reset call: $22. Operational and management costs. 24 accounts on average per user, and increasing every day. 383 companies in 12 countries. $4 million is the average total cost of a data breach. 29% increase in total cost of data breach since 2013. $158 is the average cost per lost or stolen record. 15% increase in per capita cost since 2013. Password manager OneLogin hit by a data breach in June 2017. Tough passwords do not solve the problem. 6 unique passwords are used to guard 24 accounts. If one account is compromised, it is easy to compromise others. Password managers, if compromised, lead to a single point of failure. Most commonly used passwords can be cracked in seconds. 47% of people use passwords more than 5 years old. Users forgetting passwords makes it costly. Multiple password-based attacks are increasing. Now required to be more complex. Now required to be unique, fresh. Increasing in number (esp. w/ IoT). Results in re-use. Key loggers. Shoulder surfing. Man-in-the-middle. Phishing. Database breach. Human memory vs. computational power. One password to reset them all: email.
  4. Passwordless authentication, then, is becoming an increasingly relevant option for login. Users are connected to more devices and have more accounts than ever, which means that the passwordless approach is only growing more convenient for users. Sometimes it's also the case that you have to save the user from themselves — and for that, passwordless is a clear winner. The technology landscape has changed drastically with IoT. Now that we have looked at what passwords are, let’s see who is using them and how: what the world looks like today, with people using the internet to authenticate themselves to various accounts. These numbers are increasing every day. It is important to know these numbers before we understand the problems with passwords. There are over 4 b people almost about how they are
  5. March 2011 breach of RSA SecurID tokens. Telecom-based technologies, such as text messaging (SMS), have specific dependencies on the security of the mobile provider, which is chosen by the user. A service using SMS can be vulnerable to any number of telecom providers’ practices regarding reassignment of phone numbers or security of messages. Malware on users’ phones that intercepts SMS messages and sends them to an attacker is also becoming more common. People are using magic links to clean up the password mess. Biometrics are now in use for authentication and not just identification. Low-risk account: you still use only passwords today. Cryptocurrency hardware wallet Ledger Nano S. Password is the main foundation. Just passwords is high risk; more security for 2 factor (yellow); and most secure. Google Authenticator. Real-world examples of each, along with why multiple layers got added and the challenges in terms of security and usability of each one. New methods only add to passwords without making passwords go away. MFA has major usability and adoption challenges. Switching from password authentication to 2 factor authentication is relatively easy, as it adds just a simple step to the process.
     - Major companies such as Apple, Google and Facebook have already implemented it, acquainting their users with this new technology and increasing adoption.
     - As 2FA gains more traction in terms of implementation, vulnerabilities will be eliminated and the number of companies implementing it will increase.
     - MFA is much safer than 2FA, which still relies heavily on passwords for authentication.
     - Considering the level of security it brings, the usability is superior to 2FA.
     - Legislation is an important factor that contributes to the increase of the MFA market, as it is becoming a legal requirement for data security.
     - Governments are allocating high sums of money for cybersecurity products' development.
     Why this might not happen:
     - Cyber security awareness is still low among companies and employees.
     - Organisations have limited budgets, skills and resources for increasing cybersecurity, which slows down adoption.
  6. Passwordless authentication, then, is becoming an increasingly relevant option for login. Users are connected to more devices and have more accounts than ever, which means that the passwordless approach is only growing more convenient for users. Sometimes it's also the case that you have to save the user from themselves — and for that, passwordless is a clear winner.
  7. Steal, malware. Heartbeat: I just came after going to the gym. FP and FN. Location and geolocation. FaceID: fool facial with wearing goggles. Facial recognition has quickly become the most used deployment of biometric tech, which explains why firms such as Facebook and Google have invested in it. Voice: replay attack; error rates need work, although new designs are much better. Behavioral biometrics: two parts, one is identifying a bot versus a human and the other is identifying a specific human. A big worry for security is that systems can be gamed by bots and, eventually, more developed AI. One answer to this is behavioural biometrics, which studies a wide range of behavioural parameters and detects real human beings as well as individual ones. Behavioural biometrics also goes beyond physical characteristics to look at human activity in context. Problems are surveillance. Now well established - the US military has been using iris scans in the field for a decade or more - while ID card systems and passport systems around the world also use human eye patterns as an identifier. Considered accurate but sometimes confused with retinal scanning, which is based on the pattern of retinal blood vessels. Problems: some believe the human eye changes over time. Retina: checks for internal blood vessels. The ultimate identifier – DNA – is impossible to spoof, but comes with some major issues. Although DNA can be easily extracted, analysing it is incredibly hard to do in real time. If not done correctly, it can also be inaccurate. There are also worries about losing such a critical piece of data that can’t be reset or revoked. Which of these gate keepers to Nowadays, thanks to AI and other advanced technologies, people’s typing patterns and habits can be used to identify them.
Besides the number of words per minute, there are other unique characteristics at play, such as “hold-time” for each key, right-handed or left-handed approach, and “rapid-fire sequences,” when the user types common letter combinations, such as “the” or “ing”. So, in keystroke dynamics, it doesn’t matter which password you typed – it’s how you typed it. Researchers say that the beauty of the method is not only in its use for initial authentication. It can be used continuously. So even if someone was able to impersonate the user during an email login sequence, the system can identify and block the bad guy later, if he tries to compose a new message, and his keystroke dynamics will not match those of the account owner. So, with the growing use of AI and machine learning, we may very well see the rise of keystroke dynamics and other advanced authentication methods, which minimize the possibility of identity theft and help users stay safe online. Risk based authentication can also be used during the session to prompt for additional authentication when the customer performs a certain high risk transaction, such as a money transfer or an address change. Risk based authentication is very beneficial to the customer because additional steps are only required if something is out of the ordinary, such as the login attempt is from a new machine.
  8. Gyroscope, accelerometer, Force Touch, screen coordinates, timings of taps, mouse movement coordinates, TCP/IP settings, clock settings, browser type. Incorporate identity analytics both during runtime (MFA and SSO) and admin time (identity governance). Users expect companies to take care of their authentication.
  9. The majority of users hold businesses accountable for security. The majority of the population using the internet are millennials who are used to instant gratification, hence the challenge is to make solutions really easy. Cars unlocked using phones. People are so used to passwords that it is drilled into their heads that passwords are the ultimate source of protection; it is the most familiar login method and has been around for 50 years. 2FA has been around for quite a while now, but it wasn’t noticed by users as such: a different authentication system. The interest in this type of authentication is increasing quite abruptly, as the Google searches for the term “Two factor authentication” are on the rise, especially in the second half of 2016. Although widespread, SMS-based 2FA is now considered insecure, because the messages are sent through various insecure systems and there is a risk of them being intercepted by undesired parties.
  10. Smartphones will eventually include sensors for face, iris, and fingerprint recognition—a rarity now. The cost isn’t that high for the hardware, he reasons, and perhaps you’d use them in different combinations for different transactions—the user might decide which they want to use, or for a big purchase on the phone a merchant might want you to use all three. Google and Amazon have already started with Alexa and Google Home. Not just descriptive and decisional but also prescriptive and predictive, like Fitbit, Apple Watch, Nymi. Devices might require a biometric confirmation just to use them. (Android phones can already pull this off, and given Apple’s recent purchase of mobile-biometrics firm AuthenTec, it seems a safe bet that this is coming to iOS as well.) Those devices will then help to identify you: your computer or a remote website you’re trying to access will confirm a particular device. Already, then, you’ve verified something you are and something you have.
  11. Gartner Massive immensely absolutely
  12. https://www.techworld.com/picture-gallery/security/10-biometric-technologies-that-will-kill-passwords-from-fingerprints-iris-scans-selfies-3637418/ http://webcusp.com/list-of-all-eye-scanner-iris-retina-recognition-smartphones/
  13. A growing chorus of entrepreneurs and technologists are betting on moving the way our digital identities are managed, from companies, banks and governments to a decentralized ledger or blockchain where the user gets full control. Evernym is a startup that is working towards making this happen. Even though this technology has been around for decades, it has been difficult to implement for consumer applications, but the growing popularity of cryptocurrency has inspired fresh commercial interest. It relies on public key cryptography, which is a pair of keys, one public and one private, used to authenticate users and verify their encrypted transactions. Bitcoin users are represented by strings of characters using their public key on the blockchain; the wallet applications they use to hold and exchange bitcoins are essentially managed systems for their private keys. Just like how they hold bitcoins, they can hold personal identification information. Using a smartphone app or some other device, a person could use a wallet-like application to manage and access credentials. There is no clear conclusion on how it plans to get rid of passwords, but it definitely challenges the way our identities are managed. The same kind that
  14. Password considerations really depend on the service / end users that need to be protected: the risk level of the exposure to confidentiality (of the data or service), ensuring the integrity of the data (if users can alter the data), and as an end result you need to worry about the availability to ensure security parameters to not impact authorized users from access the serv Enterprise
  15. In progress. Login is initiated when the user enters a Clef-backed service’s login page, after which a waveform image is displayed on the screen. Users only have to hold up their phone to capture the image with their handset’s camera, and leave the rest to the Clef mobile app, which digitally signs the waveform image’s contents with the phone’s private key and sends it back to the server. Account access is granted after the server verifies the signature with its public key. The use of public/private key combination is a reliable method that mitigates the threat of man-in-the-middle attacks, one of the banes of password-based logins. It also eliminates the threat of identity theft in case of server breaches by not storing any critical user information on the server side. Clef is currently powering more than 100,000 sites, and is fast becoming a favorite among Bitcoin distribution firms. British tech startup MIRACL offers the M-Pin crypto application, a PIN and software token authentication protocol, as a substitute for traditional passwords. M-Pin involves a user-selected 4-n length PIN and a related software token to create a unique key that runs a zero knowledge proof authentication protocol against its server. M-Pin stores no passwords or other shared secrets on the server, which according to Brian Spector, the company’s CEO, “will make password smash n’ grab attacks a thing of the past.” Instead, it stores a key, which is split in two parts and stored on two servers, one belonging to the application server and the other to MIRACL, a measure that further complicates identity theft. “No personal information is stored on servers,” Spector says. MIRACL offers M-Pin in two flavors, a JavaScript code snippet and library that is embedded within websites, or a mobile version that allows users to control browser access to their accounts through a mobile app.
When registering with M-Pin-enabled services, users select a PIN and associate either their desktop browser or a mobile device with their account, in which the second factor token is stored. Afterwards, accounts can only be logged into with the device that contains the token. M-Pin has already been slated as the authentication technology to power a government-led project that will provide driving license renewal and tax form filling services to millions of UK citizens.
  16. In progress. Improvements. The breakthrough in Mobile BankID is the compromise – or in fact, the lack of compromise – between convenience, security and user control. BehavioSec. BankID. Reduces reliance on complex passwords. Single gesture to log on. Works with the same devices people use every day. Use the same authentication with different services. Fast and convenient. Based on public key cryptography. Keys stay on device. No server-side shared secrets to steal. Protects against phishing, man-in-the-middle and replay attacks. STRONGER SECURITY. Biometrics, if used, never leave device. No link-ability between services or accounts. No 3rd party in the protocol.
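
Note 7 describes keystroke dynamics (per-key hold time, timing of common letter sequences) used continuously during a session, with an extra authentication prompt when something is out of the ordinary. The sketch below is an added example, not part of the original deck: the scaled Manhattan distance, the threshold of 2.0, the two constants and all timing data are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

MIN_STD_MS = 5.0   # assumed floor so a very consistent typist is not locked out
MIN_SHARED = 4     # assumed minimum of comparable features before trusting a score

def synth(text, hold_ms, gap_ms):
    """Constructed sample data: (key, press_ms, release_ms) with fixed hold and gap."""
    events, t = [], 0
    for ch in text:
        events.append((ch, t, t + hold_ms))
        t += hold_ms + gap_ms
    return events

def features(events):
    """Mean hold time per key and mean flight time per two-key sequence."""
    raw = {}
    for i, (key, down, up) in enumerate(events):
        raw.setdefault(("hold", key), []).append(up - down)
        if i + 1 < len(events):
            next_key, next_down, _ = events[i + 1]
            raw.setdefault(("flight", key + next_key), []).append(next_down - up)
    return {name: mean(vals) for name, vals in raw.items()}

def enroll(samples):
    """Profile of (mean, std) per feature, built from the account owner's samples."""
    seen = {}
    for sample in samples:
        for name, value in features(sample).items():
            seen.setdefault(name, []).append(value)
    return {n: (mean(v), max(pstdev(v), MIN_STD_MS))
            for n, v in seen.items() if len(v) >= 2}

def deviation(profile, events):
    """Scaled Manhattan distance over shared features, or None if too few."""
    sample = features(events)
    shared = [n for n in sample if n in profile]
    if len(shared) < MIN_SHARED:
        return None
    return mean(abs(sample[n] - profile[n][0]) / profile[n][1] for n in shared)

def decide(profile, events, threshold=2.0):
    """'allow' keeps the session going; 'step_up' asks for another factor."""
    score = deviation(profile, events)
    if score is None or score > threshold:
        return "step_up"   # no evidence, or rhythm does not match the owner
    return "allow"

PROFILE = enroll([synth("the thing", 90, 60), synth("the thing", 100, 70),
                  synth("the thing", 95, 65)])
OWNER_LATER = synth("thing", 97, 62)    # same person composing a message
IMPOSTOR = synth("thing", 150, 20)      # correct text, different rhythm

if __name__ == "__main__":
    for label, sample in (("owner", OWNER_LATER), ("impostor", IMPOSTOR)):
        print(label, deviation(PROFILE, sample), decide(PROFILE, sample))
```

A sample with too few features in common with the profile returns `step_up` rather than `allow`, so missing evidence never counts as a match.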