forrester and duo security webinar - 5 signs you're doing authentication wrong

5 Signs You’re Doing Authentication Wrong March 25, 2014 #duowebinar

Upload: duo-security

Post on 02-Nov-2014


DESCRIPTION

If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges. Have you gotten caught up in one of five authentication traps, like many of your peers?

Full replay of the recording is available online: https://go.duosecurity.com/Forrester_Webinar_Signs_Youre_Doing_Authentication_Wrong.html

In this webinar, you will learn:

* Five signs you're doing authentication wrong
* Forrester research on key trends and generational shifts in the authentication market
* How to assess solution usability, deployability and security
* Will it ever be truly possible to "kill the password?"

Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution.

* Eve Maler, Forrester Research
* Brian Kelly, Duo Security
* Daniel Frye, CedarCrestone

TRANSCRIPT

Page 1: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

5 Signs You’re Doing Authentication Wrong March 25, 2014

#duowebinar

Page 2: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

5 Signs You're Doing Authentication Wrong

Eve Maler, Forrester Research: 5 Signs You're Doing Authentication Wrong

Brian Kelly, Duo Security: Helping You Get It Right

Daniel Frye, CedarCrestone: Choosing The Appropriate Solution

#duowebinar

Page 3: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

5 Signs You’re Doing Authentication Wrong

Eve Maler, Principal Analyst, Forrester Research

#duowebinar

Page 4: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

5 Signs You’re Doing Authentication Wrong: A Listicle About Security And Usability

Eve Maler, Principal Analyst March 25, 2014

Page 5: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

You’re engaging in security theater

Page 6: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

© 2014 Forrester Research, Inc. Reproduction Prohibited 3

Yeah, we really do have a problem

Page 7: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report

2 out of 3 top data breach types involve the keys to the kingdom

Page 8: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Passwords (and security Qs) have a weak “UDS profile”

Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report

UDS properties (the three columns of the framework):

Usability: Memorywise-Effortless, Scalable-for-Users, Nothing-to-Carry, Physically-Effortless, Easy-to-Learn, Efficient-to-Use, Infrequent-Errors, Easy-Recovery-from-Loss

Deployability: Accessible, Negligible-Cost-per-User, Server-Compatible, Nothing-to-Provision-to-User, Mature, Multiple-Purposes, Available-Offline

Security: Resilient-to-Physical-Observation, Resilient-to-Targeted-Impersonation, Resilient-to-Throttled-Guessing, Resilient-to-Unthrottled-Guessing, Resilient-to-Internal-Observation, Resilient-to-Leaks-from-Other-Verifiers, Resilient-to-Phishing, Resilient-to-Theft, No-Trusted-Third-Party, Requiring-Explicit-Consent, Unlinkable

Page 9: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Passwords (and security Qs) have a weak “UDS profile”

Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report

(UDS property table repeated from Page 8.)

Page 10: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


But password policy has become a bludgeon

We conclude that the sites with the most restrictive password policies do not have greater security concerns, they are simply better insulated from the consequences of poor usability. ... Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive. The watchers must be watched, not merely to ensure that they do not steal or cheat, but also to ensure that they do not decide to make their job a little easier at the cost of great inconvenience to everyone else. – Florencio and Herley, Where do security policies come from? (2010) [emph added]

Page 11: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


What compensating controls can we use to better effect?

›  Lockout policy

›  Getting “securely random” closer to “memorable”

›  Risk-based and contextual authentication

›  Real-time strength checking
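As an added example (not code from the webinar, Forrester or Duo), the Python below sketches three of the compensating controls listed on this slide: a lockout policy implemented as per-account exponential backoff rather than a hard lock, a securely random passphrase generator that gets "securely random" closer to "memorable", and a real-time strength check that rejects common passwords and short inputs. The wordlist and the common-password list are constructed stand-ins; the class and function names are assumptions, not any product's API.

```python
"""Compensating controls for password weaknesses: backoff lockout,
random-but-memorable passphrases, real-time strength checking.
Added example; not code from the webinar, Forrester or Duo."""
import math
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins. A real deployment uses a large diceware-style
# wordlist (e.g. 7776 words, about 12.9 bits per word) and a breached-password corpus.
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
         "orbit", "pepper"]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Lockout policy as exponential backoff.

    After `threshold` consecutive failures the account is locked for
    `base_lock` seconds; each further failure doubles the lock, capped at
    `max_lock`. This blunts online (throttled) guessing without letting a
    guesser permanently deny service to the real user, which a hard
    lockout does. `clock` is injectable so the policy can be unit-tested.
    """

    def __init__(self, threshold=5, base_lock=30.0, max_lock=3600.0,
                 clock=time.monotonic):
        self.threshold = threshold
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.clock = clock
        self._state = defaultdict(AccountState)

    def is_locked(self, account):
        return self.clock() < self._state[account].locked_until

    def record_failure(self, account):
        """Return the lock duration (seconds) applied by this failure, 0 if none."""
        s = self._state[account]
        s.failures += 1
        excess = s.failures - self.threshold
        if excess < 0:
            return 0.0
        lock = min(self.base_lock * (2 ** excess), self.max_lock)
        s.locked_until = self.clock() + lock
        return lock

    def record_success(self, account):
        """A successful login resets the counter (only reachable when not locked)."""
        self._state[account] = AccountState()


def random_passphrase(words=WORDS, count=4):
    """Securely random words drawn with `secrets`, never with `random`."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_bits(wordlist_size, count):
    """Entropy of a passphrase with uniformly chosen words: count * log2(size)."""
    return count * math.log2(wordlist_size)


def check_strength(password, min_length=12, denylist=COMMON_PASSWORDS):
    """Real-time strength check. Returns None if acceptable, else a reason.

    The denylist is checked on the raw lowercase value and on the letters
    alone, so 'Password1234' is caught as a decorated common password.
    """
    letters_only = "".join(ch for ch in password.lower() if ch.isalpha())
    if password.lower() in denylist or letters_only in denylist:
        return "password appears on the common-password list"
    if len(password) < min_length:
        return f"password shorter than {min_length} characters"
    return None
```

The backoff keeps the lock short for the first few mistakes and only grows when failures keep coming, so a mistyped password costs the user seconds while a sustained guessing run costs the guesser hours; with the constructed 16-word list a four-word passphrase carries only 16 bits, which is why the comment points at a real-sized wordlist.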

Page 12: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

You’re unifying on a single login experience

Page 13: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Weird but true tales

“Since it’s hard to type passwords on mobile devices or speak them out loud to customer service reps, we force all passwords to be short and uppercase.”

“We want to give everyone the identical login experience on every channel. How do we do that?”

“We have two-factor auth: Users give a password to log in, and if they forget their password, we ask them security questions.”

Page 14: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Authentication stages and tasks have different needs

Onboarding: New account enrollment, with users and devices potentially never seen before.

Login: Front-door authentication to access ordinary functions.

Step-up: Stronger authentication to access higher-value, higher-risk functions.

Recovery: Password reset and other security profile changes, which may require re-enrollment.

Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report

Page 15: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Think in terms of “responsive design” for authentication tasks per channel


•  Pick up risk-based clues from the channel and task wherever possible

•  Leverage users’ smart mobile devices if they have them

Page 16: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


“Mobile first” means IT has less room to maneuver than ever

›  Business owners want in-app registration and login

›  Individuals demand user experiences with a clear purpose

›  Security task flows on mobile devices feel different

Page 17: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Your authentication chain has weak links

Page 18: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


What’s your task/channel matrix?

Channels (columns): Web, Mobile web, Mobile app, Phone CSR, Phone IVR…

Tasks (rows): Register user, Register device, Routine login, Account recovery, Change email…

Page 19: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


What’s your population and scenario?

(Chart: populations plotted by benefit in sharing credentials (Baseline / Greater benefit / Large benefit) against degree of freedom to walk away from the relationship (None (captive) / Some at cost / A lot). Populations shown: Regular employee, Contractor, Nonpaying affiliate, Paying affiliate, Bank customer, Privileged employee, Social network user, Retail customer, Service-paying customer, Payout beneficiary, Employee of partner.)

Page 20: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


It’s intractably hard to stamp out all passwords

›  Back-end privileged accounts

›  API client credentials and access tokens

›  PINs to unlock MDM-protected devices

›  Passwords as a required first factor of many third-generation strong authentication solutions

Page 21: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

You’re pretending your enterprise is unextended

Page 22: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Source: December 30, 2013, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 1 Of 2” Forrester report

The extended enterprise needs Zero Trust authentication

Page 23: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Source: November 15, 2012, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security” Forrester report

Zero Trust and the cloud have affinities

›  All resources are accessed in a secure manner regardless of location.

›  Access control is on a “need-to-know” basis and is strictly enforced.

›  Verify and never trust.

›  Inspect and log all traffic.

›  The network is designed from the inside out.

Page 24: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

You annoy real users as much as fraudsters

Page 25: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report

(UDS property table repeated from Page 8.)

Adding contextual cues can be a great booster shot

Page 26: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Source: February 24, 2014, “Market Overview: Employee And Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report

(UDS property table repeated from Page 8.)

Mobile-fueled third-gen solutions can add UDS strength

Page 27: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


Leverage “adjacent uses” for employees and consumers alike

Source: June 12, 2013, “Introducing The Customer Authentication Assessment Framework” Forrester report

Page 28: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Thank you Eve Maler +1 425 345 6756 [email protected] Twitter: @xmlgrrl

Page 29: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Helping You Get It Right

Brian Kelly, Sr. Product Marketing Manager, Duo Security

#duowebinar

Page 30: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Passwords

The security problem we all share

Page 31: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

All Breaches Involve Stolen Passwords

100% of victims have up-to-date anti-virus software

94% of breaches are reported by third parties

416: median number of days advanced attackers are on the network before being detected

100% of breaches involved stolen credentials (2013)

Page 32: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Helping You Get Two-Factor Authentication Right

1. Avoid Security Theatre

2. Deploy Responsive Two-Factor Authentication

3. Remove Weak Links In Your Authentication Chain

4. Embrace Your Extended Enterprise

5. Don’t Annoy Your Users

Page 33: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

1. Avoid Security Theatre

‣ Your employees and users don’t want to change their passwords every 90 days

my.vt.edu (Mar 2014)

Page 34: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

1. Avoid Security Theatre

‣ Your employees and users don’t want to change their passwords every 90 days

‣ Maintain a reasonable password policy and require two-factor authentication

xkcd.com/936/

Page 35: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

2. Deploy Responsive Two-Factor Authentication

‣ Your sales team probably doesn’t have the same risk profile as your IT administrators


Page 36: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


2. Deploy Responsive Two-Factor Authentication

‣ Your sales team probably doesn’t have the same risk profile as your IT administrators

‣ Allow sales team to self-enroll and leverage Duo’s Trusted Device policy

Page 37: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong


2. Deploy Responsive Two-Factor Authentication

‣ Your sales team probably doesn’t have the same risk profile as your IT administrators

‣ Allow sales team to self-enroll and leverage Duo’s Trusted Device policy

‣ Require admins to:

  ‣ use 2FA on every login

  ‣ not rely on phone callback or SMS OTP

  ‣ manually enroll
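The task/channel matrix from Eve Maler's Page 18 and the "responsive" policy on this slide (sales self-enroll with a trusted-device exemption; admins get 2FA on every login and never SMS or phone callback) are two views of the same decision. As an added example, not code from the webinar and not Duo's own policy engine, the Python below encodes a constructed matrix of (task, channel) cells, then layers group and context rules on top. The task and channel names, factor names, groups, thresholds and the `Request` fields are all assumptions.

```python
"""Responsive (risk-based) second-factor policy driven by a task/channel matrix.
Added example; not code from the webinar, Forrester or Duo, and not Duo's
actual policy engine. Names, thresholds and request fields are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    PUSH = "push"          # app push approval
    TOTP = "totp"          # hardware or app-generated OTP
    U2F = "u2f"            # hardware key
    SMS = "sms"            # SMS one-time passcode
    CALLBACK = "callback"  # phone callback


ALL_FACTORS = frozenset(Factor)
# The factors the slide tells admins not to rely on: both ride on the phone number.
PHONE_NUMBER_FACTORS = frozenset({Factor.SMS, Factor.CALLBACK})

# Constructed task/channel matrix: the baseline assurance each cell demands.
# 1 = second factor required, 2 = second factor with phone-number factors excluded.
MATRIX = {
    ("routine_login",    "web"):        1,
    ("routine_login",    "mobile_app"): 1,
    ("register_device",  "web"):        2,
    ("register_device",  "mobile_app"): 2,
    ("account_recovery", "web"):        2,
    ("account_recovery", "phone_csr"):  2,
    ("change_email",     "web"):        2,
}


@dataclass(frozen=True)
class Request:
    user: str
    group: str            # e.g. "sales", "admin"
    task: str
    channel: str
    trusted_device: bool  # device previously enrolled and remembered
    new_location: bool    # geo/IP differs from the user's recent history


@dataclass
class Decision:
    require_second_factor: bool
    allowed_factors: frozenset
    reason: str


def decide(req):
    """Look the request up in the matrix, then apply group and context rules."""
    level = MATRIX.get((req.task, req.channel))
    if level is None:
        # Unmapped cell: fail secure rather than silently skip the factor.
        return Decision(True, ALL_FACTORS - PHONE_NUMBER_FACTORS,
                        "unmapped task/channel, fail secure")
    # Admins: 2FA on every login, no phone-number factors, no trusted-device skip.
    if req.group == "admin":
        return Decision(True, ALL_FACTORS - PHONE_NUMBER_FACTORS,
                        "admin: second factor on every login")
    # A contextual risk signal raises the cell's level by one step.
    if req.new_location:
        level = min(level + 1, 2)
    # Trusted-device policy: a remembered device skips the factor for routine
    # login only; higher-risk tasks and contexts always step up.
    if level == 1 and req.trusted_device and req.task == "routine_login":
        return Decision(False, frozenset(), "trusted device, routine login")
    if level >= 2:
        return Decision(True, ALL_FACTORS - PHONE_NUMBER_FACTORS,
                        "high-risk task or context")
    return Decision(True, ALL_FACTORS, "baseline second factor")
```

Two design points carry the slide's message: an unmapped (task, channel) cell fails secure, so adding a new channel such as IVR forces someone to decide its policy rather than inheriting "no second factor"; and the trusted-device exemption is scoped to routine login and withdrawn on a new-location signal, so account recovery or a device registration from a remembered device still steps up.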

Page 38: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Know Your Humans

‣ Enroll

‣ Authenticate

‣ Migrate

‣ Deactivate

Page 39: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Know Your Humans: Prove Identity

‣ Enroll

‣ Authenticate

‣ Migrate

‣ Deactivate


Page 40: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Know Your Humans

‣ Enroll: TOFU (self-enrollment), batch, manual, sync

‣ Authenticate

‣ Migrate

‣ Deactivate

Page 41: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Know Your Humans

‣ Enroll

‣ Authenticate: policy, bypass

‣ Migrate

‣ Deactivate

Page 42: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Know Your Humans

‣ Enroll

‣ Authenticate

‣ Migrate: change phone, token

‣ Deactivate

Page 43: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Know Your Humans

‣ Enroll

‣ Authenticate

‣ Migrate

‣ Deactivate

Page 44: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Remote Access Security Hygiene

‣ Understanding all points of access

‣ Fail safe (open) v. fail secure (close) tradeoffs

Page 45: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Remote Access Security Hygiene

‣ Added 2FA for SSH access to your UNIX servers? Great!

‣ Did you remember to turn off port forwarding and tunneling?

    # Duo UNIX 2FA - sshd_config:
    PermitTunnel no
    AllowTcpForwarding no
    ForceCommand /usr/sbin/login_duo

duosecurity.com/docs/duounix
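The three sshd_config lines above are easy to set once and lose later, for example when a directive is added under a `Match` block and so applies only to that block. As an added example (not from the webinar or from Duo's documentation), the Python below audits an sshd_config text for those settings with the two sshd parsing rules that matter here: the first occurrence of a keyword wins, and everything after a `Match` line is conditional. The sample config is constructed; the expected values are the ones on the slide.

```python
"""Audit an sshd_config for the settings the slide pairs with Duo UNIX 2FA.
Added example; not from the webinar or Duo's documentation. The config text
is constructed, and the expected values come from the slide."""
import re

# Expected global settings from the slide (sshd keywords are case-insensitive).
EXPECTED = {
    "permittunnel": "no",
    "allowtcpforwarding": "no",
    "forcecommand": "/usr/sbin/login_duo",
}


def parse_global(config_text):
    """Return {keyword: value} for directives that apply globally.

    sshd takes the first occurrence of a keyword as authoritative, and every
    directive after a `Match` line applies only inside that block, so parsing
    stops there: a `ForceCommand` placed under `Match` does not cover the
    other users.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)   # first occurrence wins
    return settings


def audit(config_text, expected=EXPECTED):
    """Return a list of findings; an empty list means every expected setting is in force."""
    settings = parse_global(config_text)
    findings = []
    for keyword, want in expected.items():
        got = settings.get(keyword)
        if got is None:
            findings.append(f"{keyword}: not set globally (sshd default applies)")
        elif got.lower() != want.lower():
            findings.append(f"{keyword}: is '{got}', expected '{want}'")
    return findings


# Constructed sample: 2FA is forced, but forwarding is left enabled and the
# tunnel setting sits inside a Match block, where it only covers one user.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
ForceCommand /usr/sbin/login_duo
AllowTcpForwarding yes
Match User backup
    PermitTunnel no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration after defaults and includes are resolved, so feeding its output to `audit` is more reliable than parsing the file; the file-based parser is still useful in a configuration-management pipeline before the config reaches the host.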

Page 46: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

3. Remove Weak Links In Your Authentication Chain

Remote Access Security Hygiene

‣ Duo 2FA for Windows RDP locks down remote, interactive sessions

‣ “Run as” & non-interactive logins do not invoke credential provider

‣ Understand limitations for local auth

duosecurity.com/docs/rdp-faq

Page 47: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

4. Embrace Your Extended Enterprise

Integrate with everything that matters

‣ On-premises: VPN, servers, web apps

‣ Cloud: Google Apps, Office 365, Salesforce, Box, and more (SAML)

‣ API: Duo Web and REST

Page 48: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

4. Embrace Your Extended Enterprise

Authenticate users with any device

‣ Duo Push: iOS, Android, BlackBerry, Windows Phone

‣ Offline Passcodes

‣ SMS Passcodes

‣ Phone callback

‣ Tokens: HOTP/TOTP & YubiKey

Page 49: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

4. Embrace Your Extended Enterprise

Manage from anywhere

‣ Cloud-accessible management console

‣ Manage users, devices, integrations and access logs all from web interface

‣ Admin REST API for automation

Page 50: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

5. Don’t Annoy Your Users

Your users are smart

‣ Explain why 2FA is important (and better than archaic password policies)

‣ Give them choice

‣ Provide personal security value

‣ Get out of the way

guide.duosecurity.com

Page 51: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Thousands Doing It Right, Today

duosecurity.com/success-stories

Page 52: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Choosing The Appropriate Solution

Daniel Frye, SVP Corporate Security, CedarCrestone

#duowebinar

Page 53: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

About CedarCrestone

‣ Formed in 2005

‣ Merger of Cedar Enterprise Solutions (founded 1981) and Crestone International (founded 1995)

‣ Global consulting & managed services company

‣ Support 2,000+ employees for CedarCrestone & affiliated companies

Headquarters: Atlanta, GA

Page 54: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Business Challenge

‣ Evaluated susceptibility to password phishing via internal pen-testing & social engineering testing

‣ Hundreds of consultants on the road that need VPN access

‣ Needed application-centric multi-factor solution as an option for managed services clients

Page 55: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Choosing The Appropriate Authentication Solution

‣ Why two-factor authentication vs. other security solutions?

‣ Defining authentication solution success

‣ Protect critical resources

‣ Make it easy on users and staff

‣ Evaluation and competitive bake off

Page 56: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Decision: Duo Security

‣ Protect critical resources

‣ Drop-in integrations for Juniper and more

‣ Flexible API for custom integration or enhancement

‣ Make it easy on users and staff

‣ Easy To Use: Duo Push, self-enrollment

‣ Easy To Deliver: Minimal training, factor choice

‣ Easy To Trust: Secure by design


Duo API

Page 57: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Results

‣ Password-related vulnerabilities mitigated since Duo deployment

‣ Feedback from 3rd party pen-testing team very positive

‣ Feedback from staff who have used other 2FA solutions: Duo Push is much better

‣ Flexibility of mobile apps, SMS, phone callback, and YubiKey support has proven integral to success

Page 58: Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong

Questions + Answers #duowebinar

Eve Maler, Forrester [email protected] @xmlgrrl

Brian Kelly, Duo [email protected] @resetbrian

Daniel Frye, [email protected] @CedarCrestone