CIS June 2015: Putting control back in the user's hands (David Pollington)

Cloud Identity Summit, June 2015. Slides uploaded by cloudidsummit on 29 July 2015.

TRANSCRIPT

Fragility of passwords

Jeff Atwood, http://blog.codinghorror.com/your-password-is-too-damn-short/

“No matter what you tell them, users will always choose simple passwords.”

“No matter what you tell them, users will re-use the same password over and over on multiple devices, apps, and websites. If you are lucky they might use a couple of passwords instead of the same one.”

Why is this a problem?

§ Password vaults are a honeypot for attackers

§ High speed offline attacks using GPU arrays can easily crack the hashed passwords retrieved from these data breaches:

  9 characters    2 minutes
  10 characters   2 hours
  11 characters   6 days

§ Solution? ‘Stop requiring passwords altogether’; ‘The best password is one you don't have to store’

‘Cost of data breaches increasing to average of $3.8 million’, Reuters

‘Data breaches will cost the world economy more than $2tn (£1.3bn) by 2019 as hackers continue to exploit traditional IT infrastructure’, Juniper Research

‘This kind of leak happens all the time. And it will continue to happen forever’

Hardware tokens tip the balance too far…

1. Costly to deploy

2. Inconvenient for the user:
   § Poor user experience (copying the code across from the token)
   § Necessity of carrying a different token per service

…and more flexible authentication models now needed

§ Primary login
§ Step-up authentication
§ Federated identity
§ Authorisation
§ Auditable trail
§ Transactional authentication
§ Trustworthiness: need for the user to be vouchsafed by a trusted entity
§ Digital signing
§ Non-repudiation

Getting the balance right between convenience vs security will become vital

§ Better customer engagement through lowering friction
§ Fraud management & reduction
§ Trust in digital identities
§ Efficiency gains (outsourcing)
§ New business models (federated logins)

[Diagram: the balance between Security and Convenience]

Mobile phones have become omnipresent

§ Mobile phones implicitly provide a single factor of authentication - something you have
§ Provide peace of mind that your account cannot be accessed without you receiving a notification on your mobile phone
§ Out-of-band, hence mitigating against many of the current vulnerabilities

Early attempts to leverage the mobile phone have seen slow uptake due to poor usability

Solution: authenticators intrinsic to the mobile phone & network

[Diagram: locally-verified authenticator options on the phone. Something I Know; or Something I Have (“Click OK”); or Something I Have + Something I Know; or Something I Have + Something I Am. “Click OK” + Something I Have + Something I Am combined with Risk-based authentication.]

Knowledge based authenticators (KBA)

§ SIM applet
§ JavaCard applet
§ Hardware secure element
§ Smartphone app
§ Binding via MSISDN/IMSI/IMEI token

[Diagram, smartphone app: the User enters a PIN on the Mobile phone; the app returns an Authentication response to the Authentication server]

Bind app to user via locally verified secret

Bind app to device to mitigate against cloning

Bind app to AuthN server through signed response to mitigate against MITM/replay attacks

Biometric authenticators

My Voice is My Password; Iris scan; Fingerprint

DOCOMO has been working to integrate FIDO-enabled biometric authentication technologies into its smartphones since last year. Four smartphones in DOCOMO's 2015 summer lineup—Galaxy S6 edge SC-04G, Galaxy S6 SC-05G, ARROWS NX F-04G and AQUOS ZETA SH-03G—offer biometric authentication capability.

Adoption dependent on a common solution…

§ Common framework
§ Built on standards
§ Worldwide reach

Who are the GSMA?

The GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world's mobile operators, as well as more than 230 companies in the broader mobile ecosystem.

What is Mobile Connect?

• Easy to use (leverages the device the user already has with them; common authentication method across services)
• Pluggable approach to support a wide variety of market requirements & device types
• Can deliver the full spectrum of assurance levels (NIST SP 800-63 and ISO/IEC 29115)
• Anonymous but secure (no personal data is shared without user consent)
• Adds trust into digital transactions (e.g. by confirming location, user identity, usage etc. where consented)
• Provision of network session data for risk-based authentication and mitigating fraud
• Common northbound service API to SPs for requesting authentication/authorisation

[Diagram labels: Account registration; KYC verification]

Synergistic fit using FIDO for the first mile of Mobile Connect

[Diagram]
First mile: Mobile phone with FIDO client <-> AuthN server (MNO), via the FIDO UAF protocol; or SIM applet <-> AuthN server (MNO), via the SIM applet protocol.
Second mile: Tablet/desktop -> Service access request -> Service Provider -> Authentication request -> Identity GW (MNO).

White Paper: Mobile Connect and FIDO UAF integration (co-developed between GSMA, MNOs and FIDO members)
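The three bindings listed under the smartphone-app authenticator (app to user via a locally verified secret, app to device against cloning, app to AuthN server via a signed response against MITM/replay) and the first-mile challenge/response between phone and operator AuthN server in the diagram above can be modelled in a few dozen lines. The Python below is an added illustration and is not code from the presentation, the GSMA, an MNO or FIDO: it uses HMAC-SHA256 with a device-bound key in place of the FIDO UAF asymmetric signature so that it runs on the standard library alone, and the user id, device id, PIN and 60-second challenge lifetime are constructed values.

```python
# Added illustration (not the presentation's, GSMA's or FIDO's code): a phone
# authenticator bound to the user (PIN verified locally), to the device (a key
# that never leaves the phone) and to the AuthN server (a MAC over a server
# nonce). HMAC-SHA256 stands in for the FIDO UAF signature; all ids are constructed.
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60   # seconds a challenge stays valid (constructed value)
PBKDF2_ROUNDS = 50_000


def response_tag(device_key, user_id, device_id, nonce):
    """Authenticator response: a MAC over user, device and server nonce."""
    msg = b"|".join(s.encode() for s in (user_id, device_id, nonce))
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class AuthnServer:
    """Operator-side AuthN server: registers devices, issues nonces, verifies responses."""

    def __init__(self):
        self.registrations = {}  # user_id -> (device_id, device_key)
        self.pending = {}        # nonce -> (user_id, issued_at)
        self.used = set()        # nonces already consumed, for replay detection

    def register(self, user_id, device_id, device_key):
        self.registrations[user_id] = (device_id, device_key)

    def issue_challenge(self, user_id, now=None):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user_id, time.time() if now is None else now)
        return nonce

    def verify(self, user_id, device_id, nonce, tag, now=None):
        """Returns (accepted, reason); every rejection names the binding that failed."""
        now = time.time() if now is None else now
        if nonce in self.used:
            return False, "replay"
        entry = self.pending.pop(nonce, None)
        self.used.add(nonce)                     # one response per challenge, ever
        if entry is None or entry[0] != user_id:
            return False, "unknown challenge"
        if now - entry[1] > CHALLENGE_TTL:
            return False, "expired"
        reg = self.registrations.get(user_id)
        if reg is None or reg[0] != device_id:
            return False, "device not bound"     # app cloned to another handset
        expected = response_tag(reg[1], user_id, device_id, nonce)
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"        # forged or tampered response
        return True, "ok"


class PhoneAuthenticator:
    """Smartphone app: something I have (device key) + something I know (PIN)."""

    def __init__(self, user_id, device_id, pin):
        self.user_id = user_id
        self.device_id = device_id
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = self._hash_pin(pin)
        self.device_key = secrets.token_bytes(32)  # real app: secure element / keystore
        self.failed_pins = 0

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, PBKDF2_ROUNDS)

    def enrol(self, server):
        server.register(self.user_id, self.device_id, self.device_key)

    def respond(self, nonce, pin):
        """Verify the PIN locally (it is never sent), then answer the server's nonce."""
        if not hmac.compare_digest(self.pin_hash, self._hash_pin(pin)):
            self.failed_pins += 1
            return None
        return self.device_id, nonce, response_tag(self.device_key, self.user_id, self.device_id, nonce)


def run_scenario():
    """First mile of a login: challenge issued by the operator, answered by the phone."""
    server = AuthnServer()
    phone = PhoneAuthenticator("alice@example.net", "IMEI-CONSTRUCTED-0001", "4921")
    phone.enrol(server)
    results = {}
    # 1. Legitimate login: the AuthN server challenges the phone, the phone answers.
    nonce = server.issue_challenge(phone.user_id)
    dev, n, tag = phone.respond(nonce, "4921")
    results["legit"] = server.verify(phone.user_id, dev, n, tag)
    # 2. The same response captured and replayed by a man-in-the-middle is rejected.
    results["replay"] = server.verify(phone.user_id, dev, n, tag)
    # 3. Wrong PIN: the app refuses to produce a response at all.
    nonce = server.issue_challenge(phone.user_id)
    results["wrong_pin"] = phone.respond(nonce, "0000") is None
    # 4. A cloned app on another handset lacks the device key and fails the device binding.
    clone_tag = response_tag(secrets.token_bytes(32), phone.user_id, "IMEI-CLONE", nonce)
    results["clone"] = server.verify(phone.user_id, "IMEI-CLONE", nonce, clone_tag)
    # 5. A stale challenge is rejected even when the response itself is genuine.
    old = server.issue_challenge(phone.user_id, now=time.time() - 2 * CHALLENGE_TTL)
    dev, n, tag = phone.respond(old, "4921")
    results["expired"] = server.verify(phone.user_id, dev, n, tag)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:>10}: {outcome}")
```

Each rejection reason maps to one of the three bindings on the slide: "device not bound" and "bad signature" to the device binding, the local PIN check to the user binding, and "replay", "expired" and "unknown challenge" to the server binding. The second mile (Service Provider to Identity GW) is left out of the model; it only needs to carry the SP's request id to the AuthN server and the accept/reject decision back.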


Worldwide engagement & deployment

NSTIC funded project: Enabling Mobile-based Identity and Access Management Technologies

Objective:
§ Pilot a common approach to enable consumers and businesses to use mobile devices for secure, privacy-enhancing identity and access management
§ Scope includes: user interface, user experience, security, and privacy challenges, with a focus on creating an easy-to-use solution for consumers
§ Based around Mobile Connect and augmented in the United States to align with NSTIC

http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8054.pdf

If you would like more information, please contact David Pollington [email protected] www.gsma.com/personaldata https://developer.mobileconnect.io