Multi Factor Authentication

Transcription

1 Seminar Web Engineering Multi Factor Authentication Matr

2 Outline 1. Idea 2. Security Issues 3. Key Success Factors 4. Technologies 4.1 Knowledge 4.2 Property 4.3 Personal Characteristic 4.4 Social Authentication 2

3 Relevance of MFA Imperva Study on 32M stolen passwords: 3

4 Idea Prevention of unauthorized access Combination of different, independent components to verify identity of a user National Institute of Standards and Technology 2011: Electronic Authentication Guideline 4

5 Security Issues Eavesdropping Replay Attacks Guessing Attacks Man-in-the-middle Attack Hijacking Social Engineering 5

6 Key Success Factors Security independence of factors Future forward scalability Multi platform Costs User acceptance 6

7 Security vs Convenience Symantec Corporation 7

8 Knowledge Most used: password / PIN More secure approach: + Confident Technologies 8

9 Property Public-Private Key Pair, TAN, Smartcard, etc. One Time Passwords: 9

10 One Time Passwords Standard for bank transactions, e.g. mtan Implemented by Amazon, Dropbox, Google,... Google Authenticator: Form of HOTP algorithm Software based token Depending on shared secret + counter 10

11 Google Authenticator 11

12 One Time Passwords A.P. Sabzevar, A.Stavrou 12

13 Personal Characteristics Face Recognition, Fingerprint, Iris Scan expensive, not changable Location-based Authentication e.g. generated key from Wifi infrastructure, GPS location 13

14 Personal Characteristics Telfor 2010: LocBiometrics 14

15 Social Authentication 15

16 Conclusion Many different approaches Strong trends: Authentication via non-text informations Authentication via social networks Authentication via mobile phones 16

17 Thank you for your attention. 17

18 Bibliography s.pdf [ , 11:00] Lami, I. A., Kuseler, T., Al-assam, H., & Jassim, S. (2010). LocBiometrics : Mobile phone based multifactor biometric authentication with time and location assurance. Zhang, F., Kondoro, A., & Muftic, S. (2012). Location-Based Authentication and Authorization Using Smart Phones [ , 16:30] Sabzevar, A. P., & Stavrou, A. (2008). Universal Multi-Factor Authentication Using Graphical Passwords IEEE International Conference on Signal Image Technology and Internet Based Systems. Zhan, J., & Fang, X. (2011). Authentication Using Multi-level Social Networks. 18

19 Image Sources Slide 7: [ ,20:20] Slide 8: thentication_0.jpg [ ,19:30] Slide 12: Sabzevar, A. P., & Stavrou, A. (2008). Universal Multi- Factor Authentication Using Graphical Passwords IEEE International Conference on Signal Image Technology and Internet Based Systems 19

20 Image Sources Slide 14: Lami, I. A., Kuseler, T., Al-assam, H., & Jassim, S. (2010). LocBiometrics : Mobile phone based multifactor biometric authentication with time and location assurance Slide 15: Brainard, J., Juels, A., Rivest, R. L., & Szydlo, M. (n.d.). Fourth-Factor Authentication: Somebody You Know. 20

21 Google Authenticator calculated by generating an HMAC-SHA1 token, which uses a 10-byte base32-encoded shared secret as a key and Unix time (epoch) divided into a 30 second interval as inputs. The resulting 80-byte token is converted to a 40- character hexadecimal string, the least significant (last) hex digit is then used to calculate a 0-15 offset. The offset is then used to read the next 8 hex digits from the offset. The resulting 8 hex digits are then AND d with 0x7FFFFFFF (2,147,483,647), then the modulo of the resultant integer and 1,000,000 is calculated, which produces the correct code for that 30 seconds period. 21