the password is dead: an argument for multifactor biometric authentication


Upload: veridium

Post on 16-Apr-2017


Page 1: The Password Is Dead: An Argument for Multifactor Biometric Authentication

An Argument for Multifactor Biometric Authentication

THE PASSWORD IS DEAD

© 2016 Veridium All Rights Reserved

Page 2

BEFORE WE BEGIN

Attendees have been muted

You may submit questions at any time, but we will respond to them during the Q&A session at the conclusion of the presentation

Page 3

BEFORE WE BEGIN

John Callahan, PhD, Chief Technology Officer

• PhD in Computer Science from the University of Maryland, College Park

• Former Associate Director at the Office of Naval Research Global, London office

• Previously Research Director at the NASA Independent Verification and Validation Facility

Page 4

AGENDA

• History of username & password

• Password complexity is failing

• Biometrics
  • Physiological and behavioral

• Privacy needs for biometric data

Page 5

HISTORY OF USERNAME AND PASSWORD

Page 6

A TIME OF CRISIS

• The password is nearly 40 years old

• A username doesn’t truly represent identity

Page 7

NUMBER OF ACCOUNTS

Most people have 10-20 online accounts…

…and you are asked to use a different password for all of them!

Page 8

A FLUX POINT

• Passwords alone are no longer adequate for cybersecurity

Page 9

COST OF CHURN

• Best practice is to change passwords every three months

• These password resets cost time and money

Page 10

HELP DESK COSTS

• Lost-password resets also cost time and money

• These costs are beyond tolerable

Page 11

COMPROMISES EXACERBATE LOSS

• Lost/stolen passwords contribute to other database compromises

• Users often reuse passwords

• Complexity rules become predictable

Page 12

PASSWORD COMPLEXITY IS FAILING

Page 13

COMPLEXITY RULES

• Frequency of change

• Minimum length

• Mixture of “ulsd” (upper, lower, special, digit)

• Topologies

• Difficulty (strength) meters: a risk in themselves

Page 14

COMPLEXITY RULES (CONT.)

Credit: XKCD

Page 15

ANALYSIS

Source: Rick Redman’s OWASP AppSec USA 2014 talk

Page 16

ANALYSIS

Source: Rick Redman’s OWASP AppSec USA 2014 talk

Page 17

ANALYSIS

Source: Rick Redman’s OWASP AppSec USA 2014 talk

Chart: Top 50 Most Commonly Used Topology IDs Across All Samples (Frequency of Common Topologies Across All Samples; y-axis: Percent of Passwords Matching Given Pattern per Sample Set)
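The topology analysis behind these charts, as an added Python example (not code from the talk, from Veridium, or from Rick Redman's tooling): each password is mapped to its character-class mask in the ?u/?l/?d/?s notation used for password topologies, the sample is filtered by a typical minimum-length-plus-three-classes policy, and the script reports how much of the policy-compliant sample the three most common topologies cover. The password list is constructed for illustration, and the policy parameters (8 characters, 3 of 4 classes) are assumptions, not the rules of any real system.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample (not data from the talk): shapes that users typically
# produce under an "upper, lower, special, digit" complexity rule.
SAMPLE_PASSWORDS = [
    "Password1", "Welcome1", "Monkey12", "Summer16", "Qwerty1!", "Dragon9!",
    "Charlie1", "Princess1", "Football1", "Shadow12", "Michael1", "Master99",
    "1qaz2wsx", "letmein", "P@ssw0rd", "Trustno1",
]


def topology(password: str) -> str:
    """Character-class mask: ?u upper, ?l lower, ?d digit, ?s anything else."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("?u")
        elif ch.islower():
            classes.append("?l")
        elif ch.isdigit():
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)


def meets_ulsd_policy(password: str, min_len: int = 8, classes_required: int = 3) -> bool:
    """Assumed policy: minimum length plus at least N of the four classes."""
    mask = topology(password)
    present = {mask[i:i + 2] for i in range(0, len(mask), 2)}
    return len(password) >= min_len and len(present) >= classes_required


def topology_frequency(passwords: List[str]) -> List[Tuple[str, int, float]]:
    """(topology, count, percent of passwords) in descending frequency."""
    counts = Counter(topology(p) for p in passwords)
    total = len(passwords)
    return [(t, n, 100.0 * n / total) for t, n in counts.most_common()]


def top_k_coverage(passwords: List[str], k: int) -> float:
    """Percent of passwords whose topology is among the k most common ones."""
    freq = topology_frequency(passwords)
    covered = sum(n for _, n, _ in freq[:k])
    return 100.0 * covered / len(passwords)


def audit(passwords: List[str], min_len: int = 8, classes_required: int = 3) -> Dict:
    """Keep only policy-compliant passwords, then measure how tightly they cluster."""
    compliant = [p for p in passwords if meets_ulsd_policy(p, min_len, classes_required)]
    return {
        "compliant": len(compliant),
        "rejected": len(passwords) - len(compliant),
        "topologies": topology_frequency(compliant),
        "top3_coverage_pct": top_k_coverage(compliant, 3),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS)
    print(f"{report['compliant']} compliant, {report['rejected']} rejected by policy")
    for mask, n, pct in report["topologies"]:
        print(f"{mask:24} {n:3d} {pct:6.1f}%")
    print(f"top 3 topologies cover {report['top3_coverage_pct']:.1f}% of compliant passwords")
```

The point of the audit is the last line: every password that survives the policy filter still falls into a handful of masks (capital letter, lowercase word, one or two digits, optional trailing symbol), which is what "complexity rules become predictable" means in practice. Running the same script over a real, policy-filtered set is a cheap way to measure that clustering before deciding whether a rule change or a second factor is the better investment.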

Page 18

PASSWORD VAULTS

• Examples
  • LastPass
  • 1Password
  • Browser extensions

• Single point of failure

• Non-portable without risk of compromise

Page 19

TWO-FACTOR AUTHENTICATION (2FA)

• An additional step AFTER username & password

• The one real cybersecurity improvement in 20 years

• Channels
  • SMS (Twitter & Apple)
  • Google Authenticator (software app)
  • RSA dongle (hardware)
  • Bingo card (A1, F3, H1)

Page 20

PROBLEMS WITH 2FA

• Fails if device(s) lost or stolen

• NIST recently (25 July 2016) recommended against SMS
  • SMS can be intercepted/redirected
  • Codes can be “swiped” if they appear in lock-screen notifications
  • The algorithms used to generate the 2FA codes can be cracked
  • 2FA codes can be “phished” from the user

Biometrics: the next portable 2FA?

Page 21

BIOMETRICS

Page 22

BIOMETRICS: THE PASSWORD IS YOU

Physiological
• Face
• Fingerprint
• Hand
• Iris
• Voice
• DNA
• …

Behavioral
• Keystroke
• Signature
• Voice
• Date/Time
• Geolocation
• …

Divided, none of these are perfect. Combined, they are a much more robust form of authentication.

Page 23

A HISTORY OF POOR STARTS, BUT HOPE REMAINS ETERNAL

There have been many attempts at biometrics, but mobile devices have changed the game entirely.

Page 24

FIDO STANDARD

FIDO Standard: mobile storage & authentication

Source: FIDO Alliance

Page 25

IEEE 2410 BOPS

IEEE 2410 Biometric Open Protocol Standard (BOPS)

Mobile – FIDO-compliant

Or, split mobile-server

Page 26

VERIDIUMID AUTHENTICATION

Page 27

VERIDIUMID ENROLLMENT

Page 28

AVAILABLE BIOMETRIC PLUGINS

- Touch ID/Android Fingerprint

- 4 Fingers TouchlessID

- Face

- Iris

- Voice

- Behavioral

And whatever the next biometric on the horizon is…

Page 29

GOOGLE ABACUS

• Behavioral

• Multifactor

• Trust Score

Page 30

PRIVACY NEEDS FOR BIOMETRIC DATA

Page 31

YOUR PHYSICAL BIOMETRICS DO NOT CHANGE

• Cannot change your biometrics like you can a password

• Therefore, they must be carefully protected

• This is why regulations have been created for:
  • Storage
  • Transport
  • Encryption

Page 32

REGULATIONS ON BIOMETRIC DATA PRIVACY

Page 33

PRIVACY PROTECTION

• Split biometric: 1/2 on server & 1/2 on mobile or desktop device

• Server- and client-side PKI certificates

• Behavioral patterns for risk management

• Business rules require multifactor authentication steps

Page 34

SPLITTING BIOMETRIC VECTORS

Page 35

MATCHING WITH SPLIT BIOMETRICS
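
One way to split a biometric template between server and device so that neither half alone reveals it, as an added Python example (not Veridium's implementation; the deck does not say how its vectors are split or matched): a binary template is split with XOR secret sharing, each share is stored on one side, and matching recombines the two shares only at match time and compares the recombined template to a fresh probe by fractional Hamming distance. The 64-bit template, the flipped-bit "genuine" probe, the impostor probe and the 0.25 threshold are constructed values for illustration.

```python
import secrets
from typing import Iterable, Tuple

TEMPLATE_BITS = 64       # assumed template width; real templates are far wider
MATCH_THRESHOLD = 0.25   # assumed: max fraction of differing bits for a match

# Constructed enrolment template (not real biometric data).
ENROLLED_TEMPLATE = 0xA5C33C5A0F0FF0F0


def split_template(template: int, nbits: int = TEMPLATE_BITS) -> Tuple[int, int]:
    """XOR secret sharing: the device share is uniformly random and the
    server share is template XOR device share. Either share on its own is
    uniformly distributed, so a breach of one store yields no template bits."""
    device_share = secrets.randbits(nbits)
    server_share = template ^ device_share
    return device_share, server_share


def recombine(device_share: int, server_share: int) -> int:
    """Both shares are required to rebuild the enrolled template."""
    return device_share ^ server_share


def hamming_fraction(a: int, b: int, nbits: int = TEMPLATE_BITS) -> float:
    """Fraction of bit positions in which two templates differ."""
    return bin(a ^ b).count("1") / nbits


def flip_bits(template: int, positions: Iterable[int]) -> int:
    """Simulate sensor noise by flipping the given (distinct) bit positions."""
    for p in positions:
        template ^= 1 << p
    return template


def match(probe: int, device_share: int, server_share: int,
          nbits: int = TEMPLATE_BITS, threshold: float = MATCH_THRESHOLD) -> bool:
    """Recombine the shares for the duration of one comparison, then decide."""
    enrolled = recombine(device_share, server_share)
    return hamming_fraction(probe, enrolled, nbits) <= threshold


if __name__ == "__main__":
    dev, srv = split_template(ENROLLED_TEMPLATE)
    genuine = flip_bits(ENROLLED_TEMPLATE, [0, 5, 17])      # 3 of 64 bits differ
    impostor = ENROLLED_TEMPLATE ^ 0xFFFF0000FFFF0000       # 32 of 64 bits differ
    print("device share:", hex(dev))
    print("server share:", hex(srv))
    print("genuine probe matches:", match(genuine, dev, srv))
    print("impostor probe matches:", match(impostor, dev, srv))
```

Two design points matter in practice. The recombined template should exist only in memory for the duration of a match and never be written to either store; the device share belongs in hardware-backed key storage, and the matcher must obtain both shares over authenticated channels (the PKI certificates on both sides on Page 33 serve that purpose). The threshold is the usual biometric trade-off: raising it tolerates more sensor noise but admits more impostors, so it is tuned per modality from measured genuine and impostor distance distributions rather than chosen by hand.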

Page 36

THE PASSWORD IS DEAD

• Biometrics are already replacing 2FA

• Multifactor authentication, including biometrics, is proving to be highly effective

• But will biometrics replace passwords completely?

Page 37

QUESTIONS?

[email protected]

Twitter: @Veridium

Request a demo at: www.VeridiumID.com/Contact-Us