Shawn Williams. PowerPoint PPT presentation, posted on 23-Feb-2016.
Slide 1

The Practicality of Changing Default Authentication Mechanisms: Applied in a Workstation Environment
Shawn Williams

Question?

If you wanted to secure your home, which of the two choices would you believe to be the better solution? Choice A: the heavily armed Mobile Walker, or Choice B: the standard lock? Well, obviously the huge mobile walker provides much better security than a simple lock, but is it really practical?

The Problem

In addition, there are many different kinds of authentication choices available, and since vendors often try to promote their own products, it is really difficult to determine which is best. The appropriate technology choice is very important because a wrong choice can lead to creeping hidden costs, new security holes (costing more money), or greatly reduced productivity (again amounting to lost money).

Is a World without Passwords Possible?

In the next few slides, I plan on introducing you to the rubric I came up with to rank and score various authentication systems, and in the end I will share some of the results of my findings.

Agenda and Topics Covered
Purpose of this Study
Where Did the Data Come from
Why I Chose this Topic for Research
Generalities on Why Security Fails
The Problems with Passwords
Benefits of this Research
Criteria Used for Evaluating Technologies
Technologies that Were Evaluated
Results and Findings

Purpose of this Study
To explore various authentication systems and see whether any one of them can be deemed able to replace the current password mechanisms used in business environments.

Where Did the Data Come from
Taken mostly from secondary sources. The evaluation criteria used for rating the various authentication systems were created based on findings and personal knowledge. Secondary sources include books, online databases and reports, tech websites and vendor websites. While the rubric for ranking technologies is a product of my own creation, it is loosely based on some of the findings about desired features from my readings.

Personal Motivation for Choosing this Topic
Personally, I've always wondered why password authentication was still the default standard despite the fact that many new and more secure systems were emerging, and because of this I wanted to find out whether or not it is even practical to replace password authentication with something better.

Why Do Security Systems Fail?
Design model, user model, system model.
Design model: the security model from the designer's perspective and how it should interact with the user and the system. It is the belief of how the system should work in a perfect world.
User's mental model: how the user of the system believes the security system works, based on assumptions. The model differs from user to user, and some users have grossly inaccurate assumptions.
System model: the actual way the system works.

Why Should We Stop Using Password-Based Security in Productivity Environments?
There is a problem finding a balance between usability and security.
Passwords can easily be told to others.
Passwords are easy to copy.

Why Should We Stop Using Password-Based Security in Productivity Environments? (continued)
There are many widely available tools for decrypting stored password information.
Passwords can be captured easily at input time.
There are weaknesses in password reset mechanisms that hackers may be able to exploit.

Benefits of this Research
Reduces the risk of deploying unfamiliar authentication technologies that may be more trouble than they are worth.
Narrows down the choices and the confusion created by multiple authentication methods.
Large and small business owners no longer need to waste time figuring out which password replacement system is right for them.

Evaluation Criteria Categories
Number of security holes
Cost
Ease of use
Increase in security
Scalability
Practicality of implementation and modding
Access and availability (how easy is it to obtain)

Number of security holes: the number of notable holes known, essentially the hole count, though not all are feasible for attackers to exploit.
Cost: this includes both fixed and ongoing variable costs. Systems with high ongoing costs tend to score lower in this section than ones with a high installation cost.
Ease of use: measures how user-friendly the system is. This is important because time wasted on authentication systems costs a company time, and time is money. E.g. face recognition biometrics was a system I found scored poorly in this area because of its high false rejection rates. This meant that companies with such a system often had users making funny faces in front of a capture camera trying to log in. Obviously 10 minutes spent trying to authenticate is a waste of time.
Increase in security: refers to the level of improved security over password-based authentication.
Scalability: a measure of portability; can it scale to both large and small networks, etc.
Practicality of implementation and modding: does the installation of such a system require any changes to existing network infrastructure? Mostly refers to added physical or non-standard additions, if applicable. E.g. biometrics requires a high level of modification because of the specialized scanners needed. Graphical passwords, on the other hand, are done entirely through software and therefore score low in this area.
Access and availability (how easy is it to obtain): is the technology readily available and feasible to acquire?

Generalized Scores
High, Medium, Low

Number of Exploitable Security Holes (High), score range 0-3: the number of security holes exceeds the threshold of what could be considered acceptable and/or there are more holes than in the password-based security we are trying to replace.
Number of Exploitable Security Holes (Medium), score range 4-7: the number of security holes only marginally improves over the number of exploitable password-related holes.
Number of Exploitable Security Holes (Low), score range 8-10: very few exploitable holes and a massive improvement over password security.
Cost (High), score range 0-3: high maintenance and installation costs.
Cost (Medium), score range 4-7: the cost of fully installing and maintaining the system is either high in maintenance fees or high in installation, but not both.

Cost (Low), score range 8-10: the cost of fully installing and maintaining the system is minimal.
Ease of Use (High), score range 8-10: the system is so complicated that most users will attempt to bypass it in order to speed up work production.
Ease of Use (Medium), score range 4-7: the system has a medium level of complexity that can be tolerated by most users.
Ease of Use (Low), score range 0-3: daily usage of the security mechanism is easy for most users with business-level computer skills.
Practicality (High), score range 0-3: the system is complex to troubleshoot if broken, difficult to mod, and requires major changes to infrastructure to use.

Practicality (Medium), score range 4-7: the system has a medium level of setup complexity and can be made workable with effort. Small changes to existing infrastructure may be required.
Practicality (Low), score range 8-10: the system is flexible, easy to install with current technologies and quick to set up. No change to infrastructure; mainly an out-of-the-box solution.
Scalability (High), score range 8-10: the system is highly flexible and can be implemented with ease on networks of any size.
Scalability (Medium), score range 4-7: the system has a workable level of flexibility but generally can't handle extremes.
Scalability (Low), score range 0-3: the system is only meant to be installed on the network size it supports and either does not provide room for growth or is too elaborate to be practical on smaller systems.

Increased Security (High), score range 8-10: the system is much more secure than password authentication.
Increased Security (Medium), score range 4-7: the system provides some security advantages over password security.
Increased Security (Low), score range 0-3: the system provides little or no security advantage over password security.
Access and Availability (High), score range 8-10: found in any office or computer store.
Access and Availability (Medium), score range 4-7: an implementation exists but special orders need to be made.
Access and Availability (Low), score range 0-3: only exists in theory or as a prototype, so development overhead is needed to make the solution.

Technologies that Were Evaluated
Two types of graphical passwords: Passfaces; click-based graphical passwords (Clickpoints).

Four kinds of biometrics: fingerprint recognition (optical, capacitance, ultrasonic); face recognition; retina scan; typing rhythm.

Three kinds of tokens: disconnected tokens; connected tokens (USB, smart card); contactless tokens (Bluetooth, RFID).

What Do the Scores Mean?
The ranking system is out of 70: 10 points for each of the 7 categories.
Only systems with a score of 53/70 or higher will be considered a good password replacement.
53/70 = 75%

In the end, only systems with an overall score of 53 or higher across all categories will be considered a likely candidate for selection.

Findings
Surprisingly, none of the systems came even close to 70/70.
The scores that made it just barely hit the minimum requirement of 53 points.
These borderline results paint a picture of why wide-scale adoption of higher-level authentication has not taken off as quickly as it should have, despite the fact that nearly all systems offer improved security over passwords.

Results
Graphical passwords (Passfaces) = 55 pts
Biometrics (fingerprint recognition) = 53.5 pts
Disconnected tokens = 58 pts
Connected tokens = 56.5 pts
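As an added illustration of the scoring rule from the "What Do the Scores Mean?" slide and the totals on the Results slide (example code written for this page, not the presenter's own), the helper below encodes the seven categories, the 0-10 scale, the 0-3 / 4-7 / 8-10 score ranges, the 70-point total and the 53-point cut-off, validates a candidate's score sheet, and ranks the deck's four reported totals against the cut-off. It treats a higher number as better in every category, as the 53/70 threshold implies, and labels bands by their numeric range rather than by the slides' High/Medium/Low words. The per-category numbers for the sample candidate are constructed, since the deck only reports overall totals.

```python
"""Scoring helper for the seven-category authentication rubric from the deck.

Added example, not the presenter's code. Category names, the 0-10 scale, the
0-3 / 4-7 / 8-10 ranges, the 70-point total and the 53-point cut-off come from
the slides; the sample candidate's per-category scores are constructed.
"""
from dataclasses import dataclass

CATEGORIES = (
    "security_holes",
    "cost",
    "ease_of_use",
    "increase_in_security",
    "scalability",
    "practicality",
    "access_and_availability",
)
MAX_PER_CATEGORY = 10
MAX_TOTAL = MAX_PER_CATEGORY * len(CATEGORIES)   # 70, per the slides
PASS_THRESHOLD = 53                              # "53/70 or higher"


def band(score: float) -> str:
    """Map a 0-10 category score to the deck's generalized score ranges."""
    if not 0 <= score <= MAX_PER_CATEGORY:
        raise ValueError(f"score {score} is outside 0-{MAX_PER_CATEGORY}")
    if score <= 3:
        return "0-3"
    if score <= 7:
        return "4-7"
    return "8-10"


@dataclass
class Candidate:
    """One authentication technology with a full score sheet."""
    name: str
    scores: dict  # category name -> 0-10 score

    def __post_init__(self):
        # Reject incomplete or mislabelled sheets before any total is computed.
        missing = set(CATEGORIES) - set(self.scores)
        extra = set(self.scores) - set(CATEGORIES)
        if missing or extra:
            raise ValueError(
                f"{self.name}: missing={sorted(missing)} extra={sorted(extra)}")
        for value in self.scores.values():
            band(value)  # raises if a score is outside 0-10

    def total(self) -> float:
        return sum(self.scores.values())

    def percent(self) -> float:
        return 100.0 * self.total() / MAX_TOTAL

    def passes(self) -> bool:
        """The deck's rule: an overall score of 53 or more is a likely candidate."""
        return self.total() >= PASS_THRESHOLD

    def weakest(self) -> list:
        """Categories in the 0-3 range: the first place to look when a sheet misses the cut."""
        return [c for c in CATEGORIES if band(self.scores[c]) == "0-3"]


# Overall totals exactly as reported on the Results slide.
DECK_RESULTS = {
    "Graphical passwords (Passfaces)": 55,
    "Biometrics (Finger Print Recognition)": 53.5,
    "Disconnected Tokens": 58,
    "Connected Tokens": 56.5,
}


def rank(totals: dict) -> list:
    """Return (name, total, meets_cutoff) tuples, best total first."""
    ordered = sorted(totals.items(), key=lambda kv: -kv[1])
    return [(name, t, t >= PASS_THRESHOLD) for name, t in ordered]


# Constructed sample sheet (hypothetical, not from the deck) to show the
# validation and the per-category breakdown on a candidate that misses the cut.
SAMPLE = Candidate(
    "Sample technology (constructed)",
    dict(zip(CATEGORIES, [7, 6, 8, 8, 7, 3, 9])),
)

if __name__ == "__main__":
    for name, total, ok in rank(DECK_RESULTS):
        print(f"{name:40s} {total:5.1f}/{MAX_TOTAL}  {'pass' if ok else 'fail'}")
    print(f"{SAMPLE.name}: {SAMPLE.total()}/{MAX_TOTAL} "
          f"({SAMPLE.percent():.1f}%), passes={SAMPLE.passes()}, "
          f"weakest={SAMPLE.weakest()}")
```

Running the block ranks the deck's four results (all four meet the 53-point cut-off, with disconnected tokens first and fingerprint recognition last at 53.5) and shows the constructed sample failing at 48/70 with practicality as its only 0-3 category.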

More Results and Findings
You can download the full report on my blog at https://swillia5.wordpress.com. If you want more details on the pros and cons of the various systems, as well as more scores, visit my blog at https://swillia5.wordpress.com.

Fin
Well, this concludes my report; I hope you learned something.