Webinar - Easy Multi Factor Authentication Strategies and PCI DSS
TRANSCRIPT
Authentication: Past, Present and Future
HELLO! I am Anirban Banerjee. I am the Founder and CEO of Onion ID.
https://calendly.com/anirban/enterprise-demo/
Multi Factor Authentication
Conclusions
What is Two-Factor Authentication?
▸ Adds a second level of verification to the password-based approach.
▸ Example: a text message to your phone, a value from an RSA token.
▸ If a hacker gets your username and password they still won’t be able to get into your account.
Why do we need this?
Usernames & Passwords can be stolen!
• Phishing attacks
• Same credentials across apps
• Key-loggers
• Educated guesses, social engineering
2FA prevents attackers from accessing your account even if they obtain your username and password.
Mandated in Version 3.2 of the PCI Data Security Standard
Who Uses Two-Factor?
Multi Factor Authentication
Adding More Factors
• Increasing the strength of authentication can be done by adding factors.
• Five categories of authentication methods:
• who you are,
• what you know,
• what you have,
• what you typically do,
• the context.
• Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced.
What can we add?
Who You Are (Biometric)
• Physical biometric: immutable and unique
• Facial recognition
• Iris scan
• Retinal scan
• Fingerprint / palm scan
• Voice
• Liveliness biometric factors include: pulse, CAPTCHA, etc.
• Behavioural biometric: based on a person’s physical/behavioural activity patterns
• Keyboard signature
• Voice
What You Know
• User name and password (UN/PW)
• A passphrase
• A PIN
• An answer to a secret question
What You Have
• One Time Password (OTP)
• Smart card
• X.509 and PKI
• Rarely used alone; used in combination with UN/PW and a PIN
What You Do
• Browsing patterns
• Time of access
• Type of device
• Used in combination with other methods
Context
• Location; time of access
• Subscriber identity module (SIM)
• Frequency of access
• Used with other methods
▸ Combining two or more authentication methods can potentially increase authentication strength.
▸ However!
• Each type of authentication factor has a set of intrinsic vulnerabilities that overlap with those of other factors
• A combination of two attributes of the same type tends to share many vulnerabilities
• More factors = more complex/costly to implement & use.
The more the merrier?
▸ Simply adding factors does not guarantee more protection
Source: Gartner
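To make the Gartner point concrete, here is an added illustrative model (not from the webinar or from Onion ID): each factor is mapped to the attack techniques that defeat it on its own, and a combination is only as strong as what survives the intersection, i.e. the single techniques that defeat every factor at once. The factor-to-technique mapping, the factor names and the extra "device_theft" technique are constructed assumptions for demonstration, not ratings from the slides.

```python
# Constructed model: which single attack technique defeats which factor.
# Technique names follow the webinar's list (phishing, credential reuse,
# key-loggers, guessing, social engineering); "device_theft" is added here
# as an assumption for what-you-have factors.
from typing import Dict, FrozenSet, Iterable, Set

CATEGORY: Dict[str, str] = {
    "password": "what you know",
    "security_question": "what you know",
    "sms_otp": "what you have",
    "hardware_token": "what you have",
    "smart_card": "what you have",
}

# Techniques that, alone, let an attacker pass this one factor (assumed).
VULNS: Dict[str, FrozenSet[str]] = {
    "password": frozenset({"phishing", "credential_reuse", "keylogger",
                           "guessing", "social_engineering"}),
    "security_question": frozenset({"phishing", "guessing", "social_engineering"}),
    "sms_otp": frozenset({"phishing", "social_engineering", "device_theft"}),
    "hardware_token": frozenset({"phishing", "device_theft"}),
    "smart_card": frozenset({"device_theft"}),
}


def shared_vulnerabilities(factors: Iterable[str]) -> Set[str]:
    """Techniques that defeat every factor at once (attacker needs only one).

    Adding a factor only helps if this intersection shrinks; two factors
    of the same category usually leave most of it intact."""
    sets = [VULNS[f] for f in factors]
    return set(frozenset.intersection(*sets)) if sets else set()


def categories(factors: Iterable[str]) -> Set[str]:
    """Distinct factor categories used by a combination."""
    return {CATEGORY[f] for f in factors}


def report(factors: Iterable[str]) -> str:
    """One-line summary used to compare candidate combinations."""
    factors = list(factors)
    shared = sorted(shared_vulnerabilities(factors))
    return (f"{' + '.join(factors)}: categories={sorted(categories(factors))}, "
            f"single techniques defeating all factors={shared or 'none'}")


if __name__ == "__main__":
    for combo in (["password", "security_question"],
                  ["password", "hardware_token"],
                  ["password", "smart_card"]):
        print(report(combo))
```

Running it shows password + security question (same category) still falls to phishing, guessing or social engineering alone, password + token narrows that to phishing, and password + smart card leaves no single technique in this model.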
Finding the Best Factor Combo
Use needs and constraints to determine:
• Authentication strength
• indicated by the level of risk
• Total Cost of Ownership
• constrained by budget
• Ease of use
• universally desirable, but it is less critical the greater the consistency
• Other constraints
• consistency and control of the endpoint is a particular constraint
Source of Figure is Gartner
PCI DSS 3.2 Highlights
▸ Feb 1 2018
▸ Multi Factor authentication for everyone
▸ Need to protect both console and non-console based access
▸ New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems
▸ New requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls every six months
Challenges
▸ Server does not support 2FA by default
▸ App does not support SAML/OAuth
▸ App has no native support for 2FA
▸ Regular auditing of access
▸ Data privacy issues, data segregation
Strategies
▸ Enable MFA via browser extensions or web filters
▸ Use UX-friendly MFA: geo-fencing, proximity, fingerprint
▸ Set up auditing systems by parsing SIEM info
▸ Set up a monthly PCI meeting to go over process and results
▸ Commercial tools – Onion ID to do privilege management
Conclusions
▸ Password-based authentication is not enough anymore.
▸ Multi Factor authentication is here to stay!
▸ Many different options, each with its own costs and vulnerabilities.
▸ Be smart: adding more factors will definitely increase cost and complexity, but might not (sufficiently) increase security.
▸ Consider the trade-offs, customize. Pick the combination that works for you.
THANK YOU! Any questions? You can find more about us at:
Onion ID – The Next Generation of Privilege Management
www.onionid.com, [email protected]
+1-888-315-4745
https://calendly.com/anirban/enterprise-demo/