This document discusses multi-factor authentication and provides criteria for evaluating different multi-factor authentication solutions. It begins with an introduction to the different authentication factors and why multi-factor authentication is used. It then outlines security-focused criteria such as the number of authentication factors, the communication channels used, and the cryptographic standards supported. Less security-critical criteria covered include cost, usability, and integration capabilities. The document cautions against "snake oil" solutions that make unrealistic claims and stresses understanding your security needs and a solution's actual capabilities rather than just its marketing.
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
1. Multi-Factor Authentication: Weeding Out the Snake Oil
LASCON 2014
David Ochel
2014-10-24
This work is licensed under a Creative Commons Attribution 4.0 International License.
2. Objectives
•Understand what’s going on in the market of multi-factor authentication.
•Look at solutions from a risk view… Which problems are we actually solving / trying to solve?
Multi-Factor Authentication Criteria – LASCON 2014
Page 2
3. Agenda: Less Formalism, More Examples…
•Motivation / Introduction
–Authentication Factors
–Why Multi-Factor?
•Criteria and Industry Examples
–Security-focused criteria
–Less risky criteria
•…and the Snake Oil?
6. Why Do We Still Use Passwords?
“The continued domination of passwords over all other methods of end-user authentication is a major embarrassment to security researchers.” [1]
•Passwords
–Highly deployable: infrastructure exists, users are accustomed, cheap, …
–Security issues: observation, interception, replay, guessing, phishing
–Pervasive assumption: General-purpose personal computers (laptops, PCs, …) cannot be secured/trusted
•Issues with existing alternatives
–Memory-based (“know”): no better than passwords?
–Biometrics (“are”): privacy, liveness detection on unsupervised devices, hard to replace
–Tokens (“have”): susceptible to theft, expensive, hard to replace
–Contexts: unreliable proof of identity
[1] http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html
7. Current Industry Trend: Combine Multiple Factors
•Tokens
–Hard(er) to compromise; susceptible to physical theft
•Passwords
–Interceptable (malware); hard to physically steal
•Also in the running:
–Biometrics
•Convenient; but often trust issues when unsupervised (liveness detection)
–Contexts
•Back-end risk evaluation; not technically authentication
8. Authentication – A Piece of the Identity & Access Management Puzzle…
http://forgerock.com/products/open-identity-stack/
9. Which threats are we trying to counter?
•Are we protecting:
–Individual consumer accounts?
–Corporate users and data?
–Machine authentication?
•Assets
•Adversaries
•Vulnerabilities
•Etc…
10. CRITERIA – FROM A SECURITY POINT OF VIEW
11. Are there at least two factors?
•Password + PIN = one factor (both are “know”)
•Password-protected private key?
–…on a hardware token?
http://blog.mailchimp.com/introducing-alterego-1-5-factor-authentication-for-web-apps/, https://alteregoapp.com
12. Swivel PIN Safe – Human-Computed Challenge Response
•But… password + PIN still aren’t two factors?
–When used in browser, helps against keylogging
–When used for SMS, actually helps!?
http://www.swivelsecure.com/devices/browser/
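The human-computed challenge-response above, worked through as an added example (this is not Swivel's code). The protocol is an assumption based on the public description of PINsafe: the server sends a fresh ten-digit "security string" for each login; the user holds a four-digit PIN and answers with the digit found at each PIN position (1 = first digit, 0 = tenth), so the PIN itself is never typed. The example also shows the limit of the scheme: it is still a single "know" factor, and an attacker who sees both the string and the typed one-time code (keylogger plus screen capture) recovers the PIN after a few sessions.

```python
"""
Human-computed challenge-response in the style of Swivel PINsafe.

Added example, not Swivel's code. The protocol is an assumption based on the
public description of PINsafe: the server sends a fresh ten-digit "security
string" for each login; the user holds a four-digit PIN and answers with the
digit found at each PIN position (1 = first digit, 0 = tenth). The PIN itself
is never typed.
"""
import hmac
import secrets


def new_security_string() -> str:
    """Server side: a fresh ten-digit string for one login attempt."""
    return "".join(str(secrets.randbelow(10)) for _ in range(10))


def compute_otc(pin: str, security_string: str) -> str:
    """What the user does in their head: for each PIN digit d, read position d
    of the security string (a PIN digit of 0 means position 10)."""
    otc = []
    for d in pin:
        position = 10 if d == "0" else int(d)
        otc.append(security_string[position - 1])
    return "".join(otc)


class PinsafeServer:
    """Minimal verifier: remembers one outstanding challenge per user."""

    def __init__(self, pins: dict) -> None:
        self._pins = pins      # user -> PIN; a real system would not keep this in the clear
        self._pending = {}     # user -> security string awaiting an answer

    def start_login(self, user: str, security_string=None) -> str:
        # security_string is injectable only so behaviour can be checked deterministically
        s = security_string or new_security_string()
        self._pending[user] = s
        return s

    def verify(self, user: str, otc: str) -> bool:
        s = self._pending.pop(user, None)   # one-shot: a challenge is never reused
        if s is None or user not in self._pins:
            return False
        expected = compute_otc(self._pins[user], s)
        return hmac.compare_digest(expected, otc)


def pin_candidates(security_string: str, otc: str) -> list:
    """Attacker view: with both the string and the typed OTC observed, each OTC
    digit leaves only the PIN digits whose position holds that value."""
    candidates = []
    for typed in otc:
        digits = {"0" if i == 9 else str(i + 1)
                  for i, c in enumerate(security_string) if c == typed}
        candidates.append(digits)
    return candidates


def intersect_observations(observations) -> list:
    """Intersect the candidate sets over several (string, otc) observations;
    a couple of sessions usually pins every PIN digit down."""
    result = None
    for s, otc in observations:
        sets = pin_candidates(s, otc)
        result = sets if result is None else [a & b for a, b in zip(result, sets)]
    return result
```

A keylogger alone only captures one-time codes that fail against the next challenge, which is the property the slide credits. It does not make the scheme a second factor, and it does not survive an attacker who also sees the security string.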
13. How many communication channels? One? More? Different physical band?
14. Communication channels (continued)
•Securing smartphone apps with smartphone tokens…?
•“plug and play”
–Factors
–Channels
15. When to pull another factor?
•Once per session, at login.
•For every high risk transaction, during session.
•“Risk-based”
–Determined by context analysis.
http://www.safenet-inc.com/multi-factor-authentication/context-based-authentication/
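The three step-up policies listed on this slide, encoded as an added example (not from SafeNet or any other product). "login" collects the second factor once per session, "transaction" asks again for every high-risk transaction, and "risk" lets a context score decide. The risk signals, weights and threshold are assumptions chosen for illustration.

```python
"""
Step-up policy: when is another factor pulled?

Added example, not from any product. The signals, weights and threshold are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

HIGH_RISK_KINDS = {"transfer", "add_payee", "change_email"}
STEP_UP_THRESHOLD = 50      # assumption: tune against real fraud data


@dataclass
class UserProfile:
    known_devices: set
    usual_country: str


@dataclass
class Session:
    user: str
    device_id: str
    ip_country: str
    factors_proven: set = field(default_factory=set)   # e.g. {"password", "token"}


@dataclass
class Transaction:
    kind: str                 # "view", "transfer", ...
    amount_cents: int = 0


def risk_score(session: Session, tx: Transaction, profile: UserProfile) -> int:
    """Context analysis: a score, not an authentication. Context proves nothing
    about who is at the keyboard; it only decides how much proof to demand."""
    score = 0
    if session.device_id not in profile.known_devices:
        score += 40
    if session.ip_country != profile.usual_country:
        score += 30
    if tx.kind in HIGH_RISK_KINDS:
        score += 20
    if tx.amount_cents >= 100_000:
        score += 20
    return score


def decide(policy: str, session: Session, tx: Transaction, profile: UserProfile) -> str:
    """Return "allow" or "step_up" for one transaction under the chosen policy."""
    if policy == "login":
        # One second factor per session, collected at login: never asked again.
        return "allow" if "token" in session.factors_proven else "step_up"
    if policy == "transaction":
        # Re-prove the second factor for every high-risk transaction, whatever
        # was proven at login.
        return "step_up" if tx.kind in HIGH_RISK_KINDS else "allow"
    if policy == "risk":
        if risk_score(session, tx, profile) < STEP_UP_THRESHOLD:
            return "allow"
        # High score: a factor proven at login does not cover it; ask for a
        # fresh proof tied to this transaction.
        return "step_up"
    raise ValueError(f"unknown policy {policy!r}")
```

Note what the pure "risk" policy does with a large transfer from a known device in the usual country: with these weights it scores 40 and passes without a step-up, which is exactly the convenience-for-security trade such a policy makes. Deployments that care about high-value transactions combine it with the "transaction" rule rather than relying on context alone.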
16. Enrolling users / tokens
•Personalization/provisioning of tokens
•Enrollment in service
•Central management of credentials
https://www.yubico.com/wp-content/uploads/2012/10/Yubikey-Programming-Station-v1.0.pdf
17. Crypto
•There’s crypto everywhere
–Token challenge-response, digital signatures
–Transportation security for authentication channels
•Robustness/diversity
–More than one set of algorithm types supported?
•Trust
–Algorithms
–Implementations
https://www.securityinnovation.com/products/encryption-libraries/ntru-crypto/
18. EMV-based
•Mastercard CAP / VISA DPA
•German Sm@art TAN
•CrontoSign (photoTAN)…
https://www.vasco.com/products/products.aspx
https://www.vasco.com/Images/DP%20760_DS201309-v1b.pdf
https://www.vasco.com/Images/DP%20836_DS201401_v4.pdf
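An added illustration for the "Crypto" slide (token challenge-response, algorithm diversity) and the EMV-based devices on this slide: a transaction-bound challenge-response in the spirit of CAP/DPA "sign" mode, Sm@rt TAN and photoTAN, where the token's response covers the transaction details the user sees, so a man-in-the-browser that alters payee or amount in transit produces a response that fails to verify. This is not the EMV CAP algorithm and not any vendor's code: those schemes derive a cryptogram from a card-held key, whereas here an HMAC over a canonical encoding of the transaction stands in for the cryptogram. The accepted and deprecated algorithm sets are an assumed deployment policy, included to show what "more than one algorithm type supported" has to look like in practice (a negotiable, revocable list rather than a single hard-coded primitive).

```python
"""
Transaction-bound challenge-response with algorithm agility.

Added illustration, not the EMV CAP / Sm@rt TAN / photoTAN algorithm and not
any vendor's code. HMAC over a canonical transaction encoding stands in for
the card cryptogram; ACCEPTED and DEPRECATED are an assumed deployment policy.
"""
import hashlib
import hmac
import secrets

ACCEPTED = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}
DEPRECATED = {"hmac-md5", "hmac-sha1"}   # assumption: old tokens may offer these; refused here


def canonical(tx: dict) -> bytes:
    """Length-prefixed fields in fixed order, so re-splitting the data
    ("12"+"345" versus "123"+"45") cannot produce the same bytes."""
    fields = [tx["payee"], str(tx["amount_cents"]), tx["currency"]]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def token_response(key: bytes, algo: str, nonce: bytes, tx: dict, digits: int = 8) -> str:
    """Token side: the user keys payee and amount into the device (or checks
    them on its display), and it shows a short decimal response over
    nonce + transaction."""
    if algo not in ACCEPTED:
        raise ValueError(f"algorithm {algo!r} not supported by this token")
    mac = hmac.new(key, nonce + canonical(tx), ACCEPTED[algo]).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class Server:
    def __init__(self, token_keys: dict) -> None:
        self.keys = token_keys      # user -> per-token key (kept in an HSM in real deployments)
        self.pending = {}           # user -> (nonce, algo) of the outstanding challenge

    def accepts(self, algo: str) -> bool:
        """Policy check: an algorithm must be both known and not deprecated."""
        return algo in ACCEPTED and algo not in DEPRECATED

    def challenge(self, user: str, algo: str = "hmac-sha256", nonce=None) -> bytes:
        if not self.accepts(algo):
            raise ValueError(f"algorithm {algo!r} not accepted")
        nonce = nonce or secrets.token_bytes(8)   # injectable only for testing
        self.pending[user] = (nonce, algo)
        return nonce

    def verify(self, user: str, tx_received: dict, response: str) -> bool:
        """Verify over the transaction the server actually received. If a
        man-in-the-browser changed payee or amount in transit, the token signed
        different bytes and the MAC will not match."""
        item = self.pending.pop(user, None)     # one-shot nonce: no replay
        if item is None or user not in self.keys:
            return False
        nonce, algo = item
        expected = token_response(self.keys[user], algo, nonce, tx_received)
        return hmac.compare_digest(expected, response)
```

The property worth testing in any such product is the negative case: submit a response computed over one set of transaction details with a request carrying different details and confirm it is rejected. A device whose response does not depend on the details is an OTP generator, not a transaction signer.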
21. Open Source?
•Lots of freemium solutions
•E.g. WikID
https://www.wikidsystems.com/learn-more/features
22. Integration with Identity & Access Management Solutions
•Open Source, e.g. gluu or OpenAM
•Commercial, e.g. SailPoint, and many more
http://www.gluu.org/gluu-server/strong-authentication/
http://www.sailpoint.com/solutions/products/identityiq/access-manager
25. Availability
•Does it scale?
–Authentications per second
•Capacity to ship bug and security fixes
–Reputation, history, size, …
•SLA, redundancy, …
•Fallback if the cloud is unavailable?
27. How to find snake oil?
•Wait until it finds you, or… Google it!
•OWASP ‘Guide to Cryptography’ suggests:
‘A good understanding of crypto is required to be able to discern between solid products and snake oil. The inherent complexity of crypto makes it easy to fall for fantastic claims from vendors about their product. Typically, these are “a breakthrough in cryptography” or “unbreakable” or provide "military grade" security. If a vendor says "trust us, we have had experts look at this,” chances are they weren't experts!’
https://www.owasp.org/index.php/Guide_to_Cryptography
29. Unbreakable, impenetrable, etc.
from http://www.edulok.com – retrieved 2014-09-23
30. WWPass (aka EduLok): What might be going on?
This is abstracted from their public online documentation… haven’t checked out the patents or anything else.
31. What about “Best in Class”?
•E.g., SafeNet – “a consistent leader in the Magic Quadrant for User Authentication”
•Not exempt from marketing blah? ;-)
http://www.safenet-inc.com/multi-factor-authentication/ - retrieved 2014-09-23
32. Conclusions
•Don’t trust the marketing hype!
•Understand your exposure.
•Understand which solutions can reduce it.
•And then look at usability, interoperability, etc.