1. The document discusses the misuse of stolen credentials and the need to go beyond standard two-factor authentication. 2. It provides examples of how two-factor authentication can fail, such as through SMS interception, social engineering of knowledge-based authentication questions, and users wrongly accepting authentication requests. 3. The document promotes an adaptive authentication approach using multiple layers of risk analysis and a wide range of authentication methods to strengthen security with minimal user impact.

1. Prevent the Misuse of Stolen Credentials
James Romer – Chief Security Architect EMEA
Beyond Two-Factor: Secure
Access Control for O365

2. • All attendee audio lines are muted
• Submit questions via Q&A panel at any time
• Questions will be answered during Q&A at the end of the presentation
• Slides and recording will be sent later this week
• Contact us at webinars@secureauth.com
Webinar Housekeeping

3. Security Professional

4. Third-Party Research
• Verizon Data Breach Investigations Report
• Dedicated a section to credentials
• M-Trends 2016 Report
• Observation #1 -- Credentials, in general
• Password Complexity enforcement
• Single Factor Authentication to publicly exposed applications
1. The Trouble with Tor – Mathew Prince
https://blog.cloudflare.com/the-trouble-with-tor
2. 2016 Data Breach Investigations Report by Verizon
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
3. Mandiant M-Trends 2016
https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf

5. Standard 2-Factor

6. 2 Factor #FAIL – Disclaimer
• The following 2 Factor Fail Slides are examples of where and how that
second factor has failed or been compromised. This does not mean to
illustrate the removal of the use of second factor authentication
methods. We recommend evaluating the security need of the identity
being protected by the second factor authentication method.
• We are in danger of running towards a broken methodology

7. 2 Factor #FAIL – Hard Tokens
• Hard Tokens Anyone?
• Provisioning and management nightmare
• User experience
• How about crafty users ?

8. 2 Factor #FAIL – SMS
• SS7 – Thank You Karsten Nohl
• Social Engineering
• Mobile Phone Providers are a weak link
• DRAFT NIST Special Publication 800-63B
• Must not send to VOIP based numbers
• Deprecated SMS as an Out-of-Band Authentication

9. 2 Factor #FAIL – KBQ-KBA
• Social Engineering
• Some are based on Public Record
• Users tend to forget answers
• Security Practices guide users to leverage incorrect answers

10. 2 Factor #FAIL – Simple Push-to-Accept
• Human Behavior --- Implementation
• Wrongly accept authentication requests
Dave Kennedy DEFCON 22 -- Destroying Education and Awareness
https://www.youtube.com/watch?v=vcA6dLl5Sa4&feature=youtu.be&t=30m38s

11. User Experience / Security
Not all users are created
equal, but everyone hates
additional auth. steps
Getting beyond the old school,
multi-step/interruption processes
Clean authentication experience
enhances user adoption
Balancing security needs with user
preferences – don’t have
compromise
Users choose how they want to
authenticate
Flexible authentication workflows
for different user groups
Best Possible
User Experience
SECURITY
HAPPY
USERS
MFA Step
Deny
Redirect
Allow
Go PASSWORDLESS –
Even less disruption for users
Multi-Layered Risk Analysis
Only require a MFA step
if risk present
Single Sign-On
Convenience of removing log-in
across multiple systems
User Self-Service
Allow user to help themselves
without a Help Desk call
On-Prem Apps
Homegrown Apps
SaaS Apps
VPN
Data Stores
• Password Resets
• Account Unlocking
• Enrollment
• User Personal Info
• Library of over 8000+ apps
• All Federation protocols supported
• Support custom branding

12. • Enough Doom and
Gloom! – The
Solution?
• Recognizes people
• Makes it easy
• Is part of a
community
• Adjusts over time

13. Pre-Authentication Risk Analysis
Adaptive Authentication
• Layered Risk Analysis
= Stronger Security
• No User Experience
Impact
• Only present MFA
when needed
• No other vendor has
as many “layers”
Device Recognition
Threat Service
Directory Lookup
Geo-Location
Geo-Velocity
Geo-Fencing
Fraud Detection
Identity Governance
Behavior Analytics
Behavioral Biometrics

14. Pre-Authentication Risk Analysis
Adaptive Authentication
Device Recognition
Threat Service
Directory Lookup
Geo-Location
Geo-Velocity
Geo-Fencing
Fraud Prevention
Identity Governance
Behavior Analytics
Behavioral Biometrics
Do we recognize this device?
Associated with a user we know?
Real-time Threat Intelligence
IP Address Interrogation
Group membership and
attribute checking
Request coming from a known location?
Do we have employees, partners or
customers here?
Has an improbable travel
event taken place?
Who should/does have access rights?
High Access Rights = greater risk/vulnerability
Track normal behavior
Looking for anomalies
Typing Sequences & Mouse Movements
Unique to each user on each device
Access request coming from within
or outside a geographic barrier
Reduce # of OTPs, Block device class,
Identify “porting” status, Block by carrier

15. Phone Number Fraud Prevention
Secure Phone-based Authentications & Comply with NIST Standards
OTP Spam
Prevention
Regulate number
of OTPs allowed
Number been ported
without consent?
Block by global
carrier networks
Block by phone
number class
A component of SecureAuth Adaptive Authentication
Block Recently
Ported Numbers
Block by
Number Class
Block By Carrier
Network

16. Protecting the Identity and the 2fA Method
ThreatService
GeoLocation
GeoVelocity
DeviceRecognition
BehaviorBiometrics
DirectoryOrAttributeChecking
UBA
GeoFencing
SecondFactorMethod

17. O365 Support
• SecureAuth and O365
• Certified Microsoft Integrator : https://azure.microsoft.com/en-
us/documentation/articles/active-directory-aadconnect-federation-
compatibility/#secureauth-idp-720
• Rich/Thick Client support for Outlook, Lync, Skype for Business, Web based
access and Mobile app access for the office suite
• Intelligent and Adaptive access control for the organization

18. Demo
• SecureAuth and O365
• Browser access from an untrusted device
• Browser access from a trusted device
• Browser access from an anonymous source

19. Become Proactive!
• Now that we have all this information on our Identities what else can we
do with it?
• Take automated actions
• Provide the most appropriate 2fA option
• Apply continuous authentication measures
• Lock the User account / Reset Password
• Report Automated Action to SIEM
• Send Notification to Administrators
• Send Notification to User
• Allow the valid Identity to self remediate with Service Service tools

20. In Summary – 2fA Is Not Enough
Profound difference between
being “compliant” & actually
being “secure”
Antiquated 2FA doesn’t provide
adequate access controls
• KBAs - socially engineered
• Tokens & devices can be
compromised
• OTPs via SMS/Text can be
intercepted
• Push-to-accept known to
routinely be falsely accepted
Old school approaches & methods
carry an increasing IT burden and
cost to manage
Compliance/2FA
NOT Enough
30+ MFA Methods
Choice and Flexibility
Multi-Layered Risk Analysis
Strengthen security with
minimal disruption to users
+
• Fingerprint Biometric
• Symbol-to-Accept
• SecureAuth App (w/
Fraud Detection)
• 25+ more methods…
+
Infinite Workflows
Different auth workflows for
groups, individuals, and/or apps
SIEM
Security Info & Event Mgmt
UBA
User Behavior Analytics
Dashboard
Visualize Access Control Data
Data Sharing
Correlate Access Control Data with Your Security Operations Center (SOC)

21. We use ADFS – Do we need to replace it?
• SecureAuth as a claims provider trust
• Take advantage of best of breed 20+ authentication techniques
• Utilise 10 layers of pre-authentication risk checking – bring authentication
intelligence into ADFS
• Compliment ADFS with all common SSO standards
• Deploy adaptive authentication without impacting the users
• SecureAuth authentication adapter
• Installs into ADFS to provide adaptive authentication
• Take advantage of best of breed authentication techniques

22. Question &
Answer

23. THANK YOU
Copyright SecureAuth Corporation 2017