Every chain has its weak link. In any Information Security model it’s us, the users. So how do we strengthen a key area? In this session, we review common challenges and learn the strategies for bridging the gap in a secure but user-friendly way.
Presenter: Reinier van der Drift, Product Manager
4. Some questions about authentication
• What is authentication? Identity verification.
• What is the authentication method most used? Passwords.
• What is the main cause of cybercrime? Password abuse.
Jeremy Grant, Senior Executive Advisor, Identity Management, NIST (National Institute of Standards and Technology, US)
5. The user problem
• Human memory is not equipped to memorize more than 8 characters
• Too many passwords (and password changes)
• Compliance is a burden for the user (password reset every 1-3 months)
• Internal users tend to trust each other and share passwords easily
• The user wants it easy and gets it difficult
7. The Nexus of Forces
The Nexus of Forces is the convergence and mutual reinforcement of social, mobility, cloud and information patterns that drive new business scenarios.
• Rapidly changing enterprise IT environment through virtualization of server and workstation platforms
• Moving IT to the cloud and offering disruptive PaaS, IaaS and SaaS services
• Revolutionary penetration of mobile devices such as smartphones and tablets (BYOD)
• Immense popularity of social media such as Facebook, Twitter, Google and LinkedIn
User authentication is a vital component of this emerging Nexus of Forces economy.
8. Growing and Converging Markets in the Nexus of Forces
The total IT security market: $155B in 2019.
1. Multi-factor Authentication: global MFA market of $10.8B by 2020, with a CAGR of 19.7%
2. Security Incident & Event Management: $4.54B in 2019 at a CAGR of 12.0%
3. Governance, Risk & Compliance: $30B total market; software $2-$6B, CAGR of 9.4% to 2018
4. Identity Access Management: market grows from $9.6B to $18.3B by 2019 with a CAGR of 14.6% (includes eSSO/wSSO, provisioning etc.)
9. Major MFA trends
• Broader acceptance of MFA (multi-factor authentication):
  • User passwords replaced or enhanced by OTP/SMS authentication
  • The FIDO initiative has broad industry support
• Mobile, smart and IoT devices are more vulnerable than traditional devices
• The bad guys are getting smarter
• Security practices struggle to keep pace with the rapid adoption of cloud computing
• Authentication methods continue to diversify:
  • push messaging to the mobile device
  • embedded biometric sensors
  • Bluetooth Smart-based authentication
  • contactless and NFC-based methods
• FIDO tokens provide MFA with end-to-end security
• Enterprises and consumers have an unprecedented choice of secure authentication solutions
11. Authentication Basics
Authentication: simple and strong
• Simple authentication: 1 factor
• Strong authentication: 2 or more factors
Examples:
• Simple: user name and password
• Strong: cards + PIN (banks); PKI card + PIN (government); token + password (RSA); cards + biometrics (match on card)
There is no such thing as a ‘one-fits-all’ (strong) authentication solution.
12. Business Drivers
• Improve compliance
• Increase information security
• Increase user convenience
• Lower IT costs (help desk calls) and centralise tooling
• No rip and replace (re-use existing hardware)
13. Authentication today (point solutions)
Examples of methods:
• Hardware tokens (RADIUS, USB)
• Smartphones (OOB, OATH)
• Phones (voice, SMS)
• Access cards (RFID, MIFARE, NFC)
• Smart/PKI cards
• Biometrics
• 2/3-factor combinations
• Social login
• Federated authentication
• Passwords/PIN codes/Q&A
• FIDO and more
Examples of activities:
• Remote access
• Access to workstations/user devices
• Access to networks/servers
• Access to applications:
  – generic applications
  – single sign-on
  – business applications
• Access to cloud/web:
  – web sites
  – web applications
• Business authentication:
  – execution of transactions
  – signing of transactions
  – business data (storage)
• and more
17. Future-proof Authentication Framework: Advanced Authentication USPs
• Password replacement
• Escape from vendor lock-in
• Low-cost 2-factor authentication on a smartphone
• Mix and match multiple authentication methods
• Integrated authentication solution for remote, on-premise and web access
• Re-use available access cards for strong authentication
• Integration with IAM, SSO and SIEM
• Re-authenticate users in business processes (execution, signing)
• Linked accounts
18. Proximity and Smart Cards
Smartcards
Smartcards differ from proximity cards by using chips rather than antennas. These chips vary in storage size and processing power, but all contain secure information (usually certificates). When a smart card is powered by inserting it into the reader, the certificate is verified (often together with a PIN) for sign-in, digital signature or other operations. Smartcards have the advantage of a secured container but require a high-maintenance, high-priced card management system.
Cards are widely used in hospitals, government offices and businesses. They are often used for “physical” access to restricted and sensitive areas. The same cards can likely be used for “logical” network access.
Proximity Cards
These work by requiring a tap of the card on a card reader. The reader activates a small antenna inside the card and reads the transmitted code. This code is sent to the authentication system for verification (often with an accompanying PIN). The greatest advantage of proximity cards is ease of use. The biggest disadvantage is that they are not secured and will transmit their clear-text code to any reader.
19. Biometrics
How it works
Regardless of the manner in which fingerprints are captured, they result in a pattern that is analyzed to identify unique characteristics at coordinates. These coordinates are recorded and processed through an algorithm to derive a value. The value is then used for comparison in future login attempts.
Advantages and Disadvantages
on the first try, no matter who you are or what the weather is doing. more inclusive and more reliable than other fingerprint sensors, which are vulnerable to a variety of conditions including the presence of topical contaminants, moisture, and bright ambient light. Simply stated, our sensors work where other technologies fail.
Fingerprint readers are generally a secure, convenient and reliable authentication solution that will exceed your expectations. They securely authenticate a user and can be integrated to enable step-up and transaction-level access management.
20. Soft and Hard Tokens
Hardware Tokens
Hard tokens registered with the RADIUS server generate a number for entry into the login form and verification. Hard tokens are expensive, hard to manage and distribute, and these solutions can have a lot of components, but they are very popular (especially in finance).
Software Tokens
Soft tokens are generated by software at the endpoint with a registered seed. This is less secure than hardware tokens because the seed can be reused. Soft tokens are popular because they provide the functionality with no devices to buy, ship, replace or renew.
Hardware and software tokens are widely used in addition to or in place of a password. They provide a key authentication code generated at fixed intervals using a built-in clock and a unique random key (or "seed"). Hard tokens come in many formats (with number pads, biometrics, etc.) and soft token generators can run on any platform.
(Diagram: token, network, RADIUS server, network)
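The "code generated at fixed intervals from a clock and a seed" described on this slide is the OATH TOTP scheme (RFC 6238 on top of the HOTP construction of RFC 4226). The following Python is an added example written for this page, not code from the presentation or from any vendor's product. It uses the RFC test secret as a constructed demo seed, generates codes the way a token does, and shows the server-side check a RADIUS back end performs: a small drift window plus a "last accepted counter" so that an already-used or replayed code is refused.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the 20-byte ASCII test secret from RFC 4226 / RFC 6238.
# A real token's seed is a random secret shared only by the token and the server.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, which is what the token's built-in clock supplies."""
    return hotp(seed, int(at_time // step), digits)


def verify_totp(seed: bytes, candidate: str, at_time: float, step: int = 30,
                window: int = 1, last_used=None):
    """Server-side check. Tolerates `window` steps of clock drift on either side
    and refuses any counter at or below `last_used`, so a code that was already
    accepted (or captured and replayed) cannot be accepted again.
    Returns the matching counter (to be stored as the new `last_used`), or None."""
    base = int(at_time // step)
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_used is not None and counter <= last_used:
            continue
        # constant-time comparison: do not leak how many digits matched
        if hmac.compare_digest(hotp(seed, counter, len(candidate)), candidate):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SEED, now)
    print("current code:", code, "accepted at counter:", verify_totp(DEMO_SEED, code, now))
```

Two points the slide makes follow directly from the code. First, the whole scheme rests on the seed: anyone holding a copy of a soft token's seed file produces exactly the same codes, which is why the slide rates soft tokens below hardware tokens; the server's replay check catches a re-used code but cannot tell a cloned seed from the genuine one. Second, the drift window and the stored `last_used` counter are the operational knobs: a wider window eases clock skew at the cost of more accepted codes per login, and the counter must be persisted per user or the replay protection is lost.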
21. Flash / Thumb Drive Support
Flash Drive Authentication
This method allows a user to enroll and use a commercially available flash drive (plus a PIN code) for authentication, much as a smart card would be used. (In this comparison the flash drive acts as both the reader and the card.) An encrypted file (FlashPinBspLogon.dat) is placed on the flash drive during the enrollment process. When used for authentication, the PIN decrypts the file and its validity is checked. This is one of the easiest universal authentication method options available. With today’s mobile users there are many advantages to using an inexpensive, easy-to-replace device. The major disadvantage is that flash drives can be easily misplaced and may not be available when needed.
Flash/thumb drives are convenient, cheap and readily available. They can be used to securely authenticate a user, as a backup to a primary authentication method that might not be available for any number of reasons, and they can be integrated to enable step-up and transaction-level access management.
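The slide describes the mechanism only in outline: an encrypted file is written to the drive at enrollment, and at login the PIN unlocks it and the result is checked for validity. The Python below is an added example written for this page to make that flow concrete; it is not the product's implementation, and the file layout, the stdlib-only HMAC-in-counter-mode stream cipher (a stand-in for whatever cipher the product uses; a real deployment would use AES-GCM) and the server-side record are all assumptions. What it does show is the design a practitioner should expect from "PIN unlocks the file": the short PIN is stretched with PBKDF2 and a per-device salt, the file carries an integrity tag so a wrong PIN or a modified file fails cleanly instead of yielding garbage, and the server checks a hash of the recovered secret rather than trusting the drive.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical layout of the enrollment file: salt(16) | nonce(16) | ciphertext(32) | tag(32)
SALT_LEN, NONCE_LEN, SECRET_LEN, TAG_LEN = 16, 16, 32, 32
PBKDF2_ROUNDS = 100_000


def derive_keys(pin: str, salt: bytes):
    """Stretch the short PIN into an encryption key and a MAC key (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo stream cipher: HMAC-SHA256 over nonce||block-index, used as a keystream."""
    blocks = (length + 31) // 32
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range(blocks))
    return stream[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(pin: str):
    """Enrollment: create a random device secret, seal it under the PIN and
    return (bytes to write to the flash drive, record the server keeps)."""
    device_secret = os.urandom(SECRET_LEN)
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(pin, salt)
    ciphertext = xor(device_secret, keystream(enc_key, nonce, SECRET_LEN))
    # encrypt-then-MAC over everything the client will later trust
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    server_record = hashlib.sha256(device_secret).hexdigest()
    return salt + nonce + ciphertext + tag, server_record


def unlock(token_file: bytes, pin: str):
    """Client side: recover the device secret, or None if the PIN is wrong,
    the file was altered, or it is not even the right size."""
    if len(token_file) != SALT_LEN + NONCE_LEN + SECRET_LEN + TAG_LEN:
        return None
    salt = token_file[:SALT_LEN]
    nonce = token_file[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = token_file[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = token_file[-TAG_LEN:]
    enc_key, mac_key = derive_keys(pin, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ciphertext, keystream(enc_key, nonce, SECRET_LEN))


def authenticate(token_file: bytes, pin: str, server_record: str) -> bool:
    """Validity check: the recovered secret must hash to the enrolled server record."""
    secret = unlock(token_file, pin)
    if secret is None:
        return False
    return hmac.compare_digest(hashlib.sha256(secret).hexdigest(), server_record)


if __name__ == "__main__":
    token_file, record = enroll("4821")   # constructed demo PIN
    print("correct PIN:", authenticate(token_file, "4821", record))
    print("wrong PIN:  ", authenticate(token_file, "0000", record))
```

The slide's stated disadvantage, a lost drive, is also where this design matters: because the file is sealed under a stretched PIN with an integrity tag, whoever finds the drive holds only a ciphertext and must guess the PIN offline, which is why the PBKDF2 iteration count (and a PIN lockout or revocation of the server record) is the knob a defender tunes, and why the server should hold only a hash of the device secret rather than the secret itself.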
24. High Tech Manufacturing
• Customer challenge
  • Needed stronger authentication across a wide range of users
  • Diverse authentication requirements
  • Increase security; inconsistent policies
  • FIDO-compliant tokens in Windows infrastructure
• Micro Focus solution
  • Leveraged past investments, enabled future options
  • Simplified deployment
  • One framework for integration and policy management
  • Solution across Windows and Mac clients
25. International Manufacturing
• Customer challenge
  • Improve secure access to reduce risk
  • Reduce attack surface through virtual clients
  • Needed one solution for all authentication types
• Micro Focus solution
  • Leveraged existing fingerprint readers on laptops
  • 2-factor authentication for Citrix access
  • Solution expanded across the business
26. Healthcare
• Customer challenge
  • Comply with patient privacy regulations
  • Inefficient and repeated authentication cost clinician productivity
• Micro Focus solution
  • Leveraged existing card readers
  • Integrated with remote access system
  • Provided tap ‘n go (PIN only required once)