Passwords weakness has been in the news again lately. But we have known for some time that passwords alone are not a good authentication or access control mechanism. Strong and practical authentication is very challenging. There are “strong” schemes, but they often don’t work well for users. Security practitioners are familiar with the 3 factors of authentication: something you know; something you have, and; something you are. Each of these have fundamental flaws. I like to think of them as: something you forgot; something you lost, and; something you were! We will take a look at the current state of authentication, examine weaknesses in authentication factors, introduce the fourth factor of authentication and consider some solutions.

1. 3 Factors of Fail
Barry Caplin
Like what you hear? Tweet it using:
#WebTracks

2. Welcome to UMSA WebTracks
Questions during webinar
Post webinar survey
Are you tweeting? #WebTracks
Like what you hear? Tweet it
using: #WebTracks

3. 3 Factors of Fail
The Authentication Problem
UMSA WebTracks
Wed. Apr. 9, 2015
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Officer
Fairview Health Services

4. Celebrating a decade
of guiding security
professionals.
@Secure360 or www.Secure360.org
Secure360!
May 12-13, 2015
Be There!

5. http://about.me/barrycaplin
securityandcoffee.blogspot.com
@bcaplin

6. Who is Fairview?
A partnership of North Memorial and Fairview

8. Authentication isAuthentication is thethe ChallengeChallenge

9. And The Challenge is…And The Challenge is…
People need to:
•Enter Buildings
•Use Systems
•Use Data

10. And The Challenge is…And The Challenge is…
The Right People need to:
•Enter Buildings
•Use Systems
•Use Data

11. Guiding PrincipleGuiding Principle
Minimum Necessary

12. We Usually Think Of…We Usually Think Of…
SS

13. And Passwords Get StolenAnd Passwords Get Stolen

14. And Bad Choices Are MadeAnd Bad Choices Are Made

15. Luckily, Passwords are Dead!Luckily, Passwords are Dead!

16. 3 Factors of3 Factors of
AuthenticationAuthentication
1. Something You Know
2. Something You Have
3. Something You Are (or Do)

17. 3 Factors of Auth FAIL3 Factors of Auth FAIL
1. Something You Forgot
2. Something You Lost
3. Something You Were (or Did)

18. 1. Something You Forgot1. Something You Forgot
• P@sswOrd5
• PINs
• Combinations
• “Secret” Phrases
• Picture Identification
• Patterns

19. Used by…Used by…

20. Not SimpleNot Simple
• Can’t be easily guessable
• False positives
−Grant rights to wrong person
−Actions attributable to you!
So not simple/guessable…
But simple is memorable…

21. ComplexityComplexity
RequirementsRequirements
• Make Guessing Hard
−Common: 8 char,
upper/lower, numeric,
special
• Smart Users Circumvent
• Nonsense/Random great
−But impossible to remember

22. To Make It WorseTo Make It Worse
• Expiration
−“best practice”
−Like changing your house locks every 30 days!
• Secret Questions – too simple, too guessable
−Answers on Facebook
−Remember… don’ t have to be true!
• Help Desks
−social engineering and process hacks (ask Mat
Honan)

23. 3 More Issues3 More Issues
• Bad Choices
−NYG1@nts! meets
requirements
• Shoulder Surfing
−Complex => slow to
enter
• Writing Down
−Not bad if done well

24. To Make It WorseTo Make It Worse
• Social Engineering
• Phishing

26. These are Legit

27. SolutionsSolutions
• Length
− Better than Complexity!
− Long phrases easier to remember
− Why do some sites have max length???
• Vaults
− Use ‘em!
− Don’t forget the main password!
• OTP (One Time Passwords)
− Fixes many issues except delivery

28. Something You LostSomething You Lost
• Hard/Soft token
• Static/Dynamic

29. OTP DeliveryOTP Delivery
• Hard Token
−Time (RFC 6238) or Sequence-based
−Also Smart Cards, Key Cards
• Soft Tokens
−Program or App
−Device independence
• SMS
• Paper

30. ChallengesChallenges
• Hard Tokens
−Can be lost
−Worse – often kept with laptop
−Multiple systems = multiple tokens
• Soft Tokens – better because people don’t
lose their phones…
• … Oh Wait…

31. SolutionSolution
• I still like this when implemented well
−Google Auth
−SMS
−Smart phones
−Paper

32. Something You WereSomething You Were
• Usually means biometrics
• Oldest form of ID
• Animals, babies, tribes/groups
– senses
• Mixed reliability

33. BiometricsBiometrics
• False Positives – bad for security
• False Negatives – bad for business

34. BiometricsBiometrics
Some common choices
•Iris/retinal scan, fingerprint, palm print/geometry
Less common
•Voice, typing cadence, “bottom” print

35. BiometricsBiometrics
• Best auth method for use in movies!

36. ChallengesChallenges
• Logistics
• Registration, hardware/people, “failure to
enroll” (FER), contaminants on readers
• Hygiene
• Perception (movie story)
• Back-end systems

37. 2 Biggest Issues2 Biggest Issues
• Can’t change your biometric when you need
to
• Your biometric can change when it wants to
−Hard to fake (getting easier)
−Easy to steal
−Nearly impossible to change/fix

38. Solutions?Solutions?
• Not bad if used correctly
• Local physical access
• Voice-print for automated pw reset

39. The 4The 4thth
FactorFactor
• Risk-based, location-based, adaptive auth
• “somewhere you are” or “something you are
doing”
• Key need – “rich” user profile
• Check against profile, then:
−Allow
−Deny
−Challenge

40. Biggest IssueBiggest Issue
• Establishing profile
−Takes time
−Highly non-trivial
−Needs much info and/or long/ongoing relationship
• Otherwise degenerates to 1-factor
• Promising

41. Multi-Factor (MFA)Multi-Factor (MFA)
•Take 2 bad things and combine them
together!
•That makes sense!

42. Multi-Factor (MFA)Multi-Factor (MFA)
• Typically 2-factor
−ID/pw + token
−Steal one, you can’t get in
−Either can be “easily” changed

43. Multi-Factor (MFA)Multi-Factor (MFA)
• But…

44. Solutions!

45. SolutionsSolutions
• Typical
− 1-factor – id/pw for login ; badges for entry
− Occasional hard token use
− But 1-factor only safe in “controlled” environments
• Challenge:
− Positively id a person
− Easy to use

47. User/UseUser/Use
• Customer
• Staff
• Tech worker
• Clinical
• Newbie
• Hardware/software
• Control over hw/sw
• Data classification
• Regulatory
• Threats/Risks
• Replay attack
• Availability
• Work-arounds
• Single/multi-use
• Easy to use?
Then do what makes
sense!

48. ExampleExample
• Biometrics for entrance into high-security area
• Badges can be lost or used by anyone
− Combine with measures like Keywatcher
• OTP
− Google Auth or Yubikey
− SmartPhones – can be lost but often kept close and
rarely left with computer
− Good choice for online/web-based services

49. ExampleExample
Online Banking
•System auth ->
−Preselected word/picture ->
 Id/pw ->
Challenge or Reauth for large/unusual
transaction

50. ExampleExample
• Long passwords + vault
−pw’s – with us for a while
−People make poor pw choices
−Long phrases easier to remember
−Long random strings better
• Better – Add easy-to-use soft fob
• Remote access + risk-based auth
−We have more info about staff

51. The FutureThe Future
Nymi

52. Wearing My Heart On
My Sleeve…
Literally!
Secure360
Tues. May 12, 2015
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Official
Fairview Health Services

53. CISOs are from Mars
CIOs are from Venus
Secure360
Tues. May 12, 2015 1:30P
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
VP, Chief Information Security Official
Fairview Health Services

54. @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com

55. Thank you for attending
Don’t forget to complete your post
webinar survey
Barry will stay on for additional
questions until 1:30pm
Like what you hear? Tweet it
using: #WebTracks