webinar - easy multi factor authentication strategies and pci dss

Upload: onionid12

Post on 08-Jan-2017


TRANSCRIPT

Page 1: Webinar - Easy multi factor authentication strategies and PCI DSS
Page 2

Authentication: Past, Present and Future

Page 3

HELLO! I am Anirban Banerjee. I am the Founder and CEO of Onion ID.

https://calendly.com/anirban/enterprise-demo/

Page 4

Multi Factor Authentication

Conclusions

Page 5

What is Two-Factor Authentication?

▸ Adds a second level of verification to the password-based approach.

▸ Example: a text message to your phone, or the current value shown by an RSA token.

▸ If a hacker gets your username and password, they still can't get into your account without the second factor.

Page 6

Why do we need this?

Usernames & passwords can be stolen!
• Phishing attacks
• Same credentials across apps
• Key-loggers
• Educated guesses, social engineering

2FA prevents attackers from accessing your account even if they obtain your username and password.

Mandated in Version 3.2 of the PCI Data Security Standard (Requirement 8.3), which extends the multi-factor requirement from remote access only to all non-console administrative access into the cardholder data environment.

Page 7

Who Uses Two-Factor?

Page 8

Multi Factor Authentication

Page 9

Adding More Factors

• Increasing the strength of authentication can be done by adding factors.

• Five categories of authentication methods:
• who you are,
• what you know,
• what you have,
• what you typically do,
• the context.

• Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced.

Page 10

What can we add?

Who You Are (Biometric)

Physical biometric
• Immutable and unique
• Facial recognition
• Iris scan
• Retinal scan
• Fingerprint
• Palm scan
• Voice
• Liveness biometric factors include: pulse, CAPTCHA, etc.

Behavioural biometric
• Based on a person's physical and behavioural activity patterns
• Keyboard signature
• Voice

What you know
• User name and password (UN/PW)
• A passphrase
• A PIN
• An answer to a secret question

What you have
• One Time Password (OTP)
• Smart card
• X.509 and PKI
• Subscriber identity module (SIM)
• Rarely used alone; used in combination with UN/PW and a PIN

What you do
• Browsing patterns
• Time of access
• Frequency of access
• Used in combination with other methods

Context
• Location
• Time of access
• Type of device
• Used with other methods

Page 11

The more the merrier?

▸ Combining two or more authentication methods can potentially increase authentication strength.

▸ However!
• Each type of authentication factor has its own intrinsic vulnerabilities, and some of these overlap with those of other factor types
• A combination of two attributes of the same type tends to share many of the same vulnerabilities
• More factors means more complexity and cost to implement and to use

Page 12

The more the merrier?

▸ Simply adding factors does not guarantee more protection

Source: Gartner

Page 13

Finding the Best Factor Combo

Use needs and constraints to determine:
• Authentication strength: indicated by the level of risk
• Total cost of ownership: constrained by budget
• Ease of use: universally desirable, but it is less critical the greater the consistency and control of the endpoint
• Other constraints: consistency and control of the endpoint is a particular constraint

Source of figure: Gartner

Page 14

PCI DSS 3.2

Page 15

Highlights

▸ Feb 1, 2018: the date on which the new PCI DSS 3.2 requirements stop being best practice and become mandatory

▸ Multi-factor authentication for all personnel with non-console administrative access into the cardholder data environment (Requirement 8.3.1), no longer only for remote access from outside the network

▸ Non-console access must be protected whether it originates inside or outside the network; Requirement 8.3 is aimed at logical (network) access, not direct console access

▸ New requirements 10.8 and 10.8.1 outline that service providers need to detect and report on failures of critical security control systems

▸ New requirement 11.3.4.1 indicates that service providers need to perform penetration testing on segmentation controls at least every six months

Page 16

Challenges

▸ Server does not support 2FA by default

▸ App does not support SAML/OAuth

▸ App has no native support for 2FA

▸ Regular auditing of access

▸ Data privacy issues, data segregation

Page 17

Strategies

▸ Enable MFA via browser extensions or web filters

▸ Use UX-friendly MFA: geo-fencing, proximity, fingerprint

▸ Set up auditing systems by parsing SIEM info

▸ Set up a monthly PCI meeting to go over process and results

▸ Commercial tools: Onion ID for privilege management
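The "parse SIEM info" strategy above is easiest to see on real events. The following is an added example, not code from the webinar or from Onion ID: it takes a constructed key=value export of authentication events (the format, host names, user names and addresses are all made up for illustration) and checks two PCI DSS 3.2 points raised in this deck, Requirement 8.3.1 (MFA on every non-console administrative login to a CDE host) and Requirement 8.1.6 (accounts locked after at most six consecutive failed attempts). The set of CDE hosts is an assumed input a real deployment would take from its scope inventory.

```python
"""Audit authentication events from a SIEM export for PCI DSS 3.2 8.3.1 and 8.1.6.

Added illustration, not the webinar's or Onion ID's code. SAMPLE_LOG, the
key=value format, host names, users and addresses are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample export: one event per line, chronological order.
SAMPLE_LOG = """\
2017-01-08T10:01:02Z cde-db-01 auth=success user=dba-alice src=10.20.0.5 role=admin mfa=totp
2017-01-08T10:03:15Z cde-db-01 auth=success user=dba-bob src=10.20.0.9 role=admin mfa=none
2017-01-08T10:04:00Z cde-app-02 auth=success user=svc-web src=10.20.1.2 role=user mfa=none
2017-01-08T10:05:10Z cde-db-01 auth=success user=root src=console role=admin mfa=none
2017-01-08T10:05:30Z corp-wiki auth=success user=dba-bob src=10.30.0.4 role=admin mfa=none
2017-01-08T10:06:00Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:06:05Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:06:10Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:06:15Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:06:20Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:06:25Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:06:30Z cde-app-02 auth=failure user=dba-carol src=203.0.113.7 role=admin mfa=none
2017-01-08T10:07:00Z cde-db-01 auth=failure user=dba-alice src=10.20.0.5 role=admin mfa=none
2017-01-08T10:07:30Z cde-db-01 auth=success user=dba-alice src=10.20.0.5 role=admin mfa=totp
2017-01-08T10:08:00Z cde-db-01 heartbeat ok
"""

# Assumed scope inventory: which hosts are inside the cardholder data environment.
CDE_HOSTS = {"cde-db-01", "cde-app-02"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) role=(?P<role>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_events(text):
    """Turn the export into a list of dicts; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_admin_without_mfa(events, cde_hosts):
    """Req. 8.3.1: every successful non-console admin login to a CDE host needs an MFA factor.
    Returns (timestamp, user, host) for each violating login."""
    return [
        (e["ts"], e["user"], e["host"])
        for e in events
        if e["host"] in cde_hosts
        and e["result"] == "success"
        and e["role"] == "admin"
        and e["src"] != "console"  # direct console access is outside 8.3.1's scope
        and e["mfa"] == "none"
    ]


def find_lockout_violations(events, max_attempts=6):
    """Req. 8.1.6: lock the account after at most six consecutive failures.
    A failure streak longer than that can only be logged if lockout is not enforced.
    Returns {user: longest streak} for users exceeding the limit; assumes chronological input."""
    streak = defaultdict(int)
    longest = defaultdict(int)
    for e in events:
        u = e["user"]
        if e["result"] == "failure":
            streak[u] += 1
            longest[u] = max(longest[u], streak[u])
        else:
            streak[u] = 0  # a success ends the streak
    return {u: n for u, n in longest.items() if n > max_attempts}


def audit(text, cde_hosts=CDE_HOSTS):
    """Run both checks over an export and return the findings keyed by check."""
    events = parse_events(text)
    return {
        "no_mfa_admin": find_admin_without_mfa(events, cde_hosts),
        "lockout_not_enforced": find_lockout_violations(events),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_LOG).items():
        print(finding, items)
```

On the sample, dba-bob's login to cde-db-01 is the only 8.3.1 finding (root came in on the console, svc-web is not an administrator, and dba-bob's corp-wiki login is outside the CDE), and dba-carol's seven straight failures show the lockout is not doing its job. Feed the real export in place of SAMPLE_LOG and keep the findings as evidence for the monthly PCI review.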

Page 18

Conclusions

Page 19

▸ Password-based authentication is not enough anymore.

▸ Multi-factor authentication is here to stay!

▸ Many different options, each with its own costs and vulnerabilities.

▸ Be smart: adding more factors will definitely increase cost and complexity, but might not (sufficiently) increase security.

▸ Consider the trade-offs, customize. Pick the combination that works for you.

Conclusions

Page 20

THANK YOU! Any questions? You can find more about us at:

Onion ID – The Next Generation of Privilege Management
www.onionid.com, [email protected], +1-888-315-4745
https://calendly.com/anirban/enterprise-demo/