Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.



Similar documents
Secure Your Enterprise with Usher Mobile Identity

Mobile Security. Policies, Standards, Frameworks, Guidelines

Multi-factor authentication

300% increase 280 MILLION 65% re-use passwords $22 per helpdesk call Passwords can no longer protect you

Leveraging SAML for Federated Single Sign-on:

NetIQ Advanced Authentication Framework

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Internet Banking Two-Factor Authentication using Smartphones

Google Identity Services for work

White Paper. The Principles of Tokenless Two-Factor Authentication

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

Guide to Evaluating Multi-Factor Authentication Solutions

STRONGER AUTHENTICATION for CA SiteMinder

Two-Factor Authentication

Two-Factor Authentication and Swivel

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

Security Policy JUNE 1, SalesNOW. Security Policy v v

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

Two-Factor Solutions Choosing the Right One"

CA ArcotOTP Versatile Authentication Solution for Mobile Phones

Enhancing Organizational Security Through the Use of Virtual Smart Cards

Remote Access Securing Your Employees Out of the Office

nexus Hybrid Access Gateway

WHITE PAPER Usher Mobile Identity Platform

SECUREAUTH IDP AND OFFICE 365

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

Entrust IdentityGuard

Flexible Identity. Tokenless authenticators guide. Multi-Factor Authentication. version 1.0

Enhancing Web Application Security

Strong Authentication in details

Virtualization and Cloud Computing

Welcome Guide for MP-1 Token for Microsoft Windows

Two-Factor Authentication Basics for Linux. Pat Barron Western PA Linux Users Group

Securing Administrator Access to Internal Windows Servers

ADDING STRONGER AUTHENTICATION for VPN Access Control

The Key to Secure Online Financial Transactions

Hard vs. Soft Tokens Making the Right Choice for Security

How To Get A Certificate From Digicert On A Pc Or Mac Or Mac (For Pc Or Ipa) On A Mac Or Ipad (For Mac) On Pc Or Pc Or Pb (For Ipa Or Mac) For Free

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Building Secure Multi-Factor Authentication

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Adding Stronger Authentication to your Portal and Cloud Apps

Improving Online Security with Strong, Personalized User Authentication

Frequently Asked Questions (FAQs) SIPRNet Hardware Token

Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Accessing Derbyshire County Council s Outlook Web Access (OWA) Service. Smart Phone App version

Free Multi-Factor Authentication. Using and SMS in Enterprise/Random Password Manager (E/RPM)

Authentication Solutions Buyer's Guide

Department of Veterans Affairs Two-Factor Authentication MobilePASS Quick Start Guide November 18, 2015

Moving Beyond User Names & Passwords

One-Time Password Contingency Access Process

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Scalable Authentication

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Salesforce1 Mobile Security Guide

Information Security Basic Concepts

Two-Factor Authentication (2FA) Registration Instructions Symantec VIP Access

SAP Single Sign-On 2.0 Overview Presentation

WHITEPAPER SECUREAUTH AND CAC HSPD-12 AUTHENTICATION TO WEB, NETWORK, AND CLOUD RESOURCES

2 factor + 2. Authentication. way

The Cloud, Mobile and BYOD Security Opportunity with SurePassID

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Research Article. Research of network payment system based on multi-factor authentication

Secure Your Mobile Workplace

QR-CODE BASED NON-REPUDIATION TRANSACTION VERIFICATION SYSTEM

The Top 5 Federated Single Sign-On Scenarios

Vidder PrecisionAccess

How Secure is Authentication?

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

Two Factor Authentication - USER GUIDE

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

ViSolve Open Source Solutions

Secure Login Issues & Solutions

It s 2 o clock: Who Has Your Data? Josh Krueger Chief Technology Officer Integrity Technology Solutions

Multi-Factor Authentication FAQs

Two Factor Authentication for VPN Access

IDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape

Moving Beyond User Names & Passwords Okta Inc. info@okta.com

The Password Problem Will Only Get Worse

An Innovative Two Factor Authentication Method: The QRLogin System

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Authentication Tokens

NetIQ Advanced Authentication Framework - Smartphone Applications

WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION

SecureAuth homes in on BYOD management and mobile app access

Deeper Levels of Security with Intel Identity Protection Technology

Five Trends to Track in E-Commerce Fraud

Transcription:

Implementing two-factor authentication: Google s experiences Cem Paya (cemp@google.com) Information Security Team Google Inc.

Google services and personalization

Identity management at Google 1. Internal Employees for accessing internal systems NOT covered in this presentation 2. Unmanaged Includes both home users and businesses (eg AdWords) 3. Managed Typically enterprises utilizing Google Apps Delegated to administrator who can manage identities for that namespace (eg @acme.com) Two options: Synchronize passwords with Google Use federated authentication

Federation support for enterprises Trust relationship 1.Credentials Enterprise IDP 2. SAML assertion Google IDP 3. Forward SAML assertion Cloud services Federation abstracts the authentication scheme used internally Enterprises can deploy 2FA transparently

Extending 2-factor authentication Objective Offer all users an optional authentication scheme with higher assurance level than passwords Constraints 1. Works for all users, all locales, all devices 2. Compatible with existing, session based authentication model 3. Opt-in 4. No in-person proofing possible 5. Support online recovery Immediate corollaries ruling out: Physical distribution of new hardware tokens Devices requiring platform-specific middleware eg smartcards

Google 2-step verification (2SV) Users challenged for a second-factor during login 6-8 digit numeric code Additional step after password input successfully Can optionally persist verification state for that computer Multiple options for generating second-factor 1. Delivered by SMS to user phone number 2. Algorithmically generated via phone app 3. Back-up codes printed on paper Multiple options can be active simultaneously Demo Enrollment Authentication Account maintenance

Smart-phone OTP generators Based on TOTP Time-based variant of HOTP (described in RFC 4226) Seed-key stored by phone Multiple platforms Google developed for Android, iphone, Blackberry Open-source alternatives for Windows Phone and Symbian User provisions seed-key material via web page Scanning QR code Manual key entry

Risk view: Advantages and limitations Mitigates common password management issues 1. Weak/guessable passwords 2. Password reuse on different websites Partial defense against phishing Harvesting credentials once does not grant long-term access Raises attack complexity Time-limited OTPs must cash-in stolen credentials immediately Disrupts secondary market for resale of credentials Main limitation is session-based authentication model Use compromised machine that session is under attacker control Sophisticated malware such as Zeus can exploit this Mitigations Limiting session validity times Verifying credentials again for sensitive operations

2SV history Released For enterprises: Sep 2010 For consumers: Feb 2011 Early adopters Users who experienced accounthijacking incidents in the past Vulnerability researchers High-risk groups Main obstacle Non web-based protocols [..] Gracchus said that his group protects itself against malicious viruses by using Linux-based operating systems and by opening e-mail attachments using ipads, both of which are less susceptible to them. To secure his communications, he employs a Google application that sends a unique code, which changes every minute, to his mobile phone so he can log into his e-mail. Trying to Stir Up a Popular Protest in China, From a Bedroom in Manhattan The New York Times, 04.28.2011

Deployment challenges Backwards compatibility Many systems expect passwords Usability One-time Unfamiliar experience Fixing applications that break under 2SV Ongoing: dependence on carrying the 2 nd -factor Account recovery More complex process than password reset Reliability Accurate clock required for OTP apps SMS delivery rates, particularly outside the US

Passwords everywhere Ubiquitous assumption: Authentication equals passwords Hard-wired at different levels Design of protocols XMPP, ActiveSync, SMTP, Including one used by Google (ClientLogin) Implementation short-cuts IMAP has option for TLS client-auth using X509 certificates, but many popular clients do not support it Most can not be updated eg embedded devices Used for implementing other security mechanisms Disk encryption, offline login / screen unlock, etc.

Short-term work around: Application-specific passwords (ASP) Creating safer substitute for passwords Original password is not accepted Randomly generated strings substitute when required For smart-phones, email readers, chat clients, Provisioned via web page Allows generating multiple ASP Can t view existing ones Can be revoked individually Intended for saving with application Comparison to passwords Not user memorable, can not be phished easily Rarely used, never for web login Still static, single-factor

Long-term solution: Oauth V2 for authentication OAuth Original use case: authorization between web services Repurposed: authentication protocol for client applications Flow 1. Client application launches/embeds a web browser displaying authentication flow from resource provider 2. User authenticates to the provider 3. Provider issues an access token returned to the client app Tokens are scoped to a particular service 4. Access token is used to authenticate subsequent requests Value proposition: Abstracts away details of authentication protocol (step #2) Compatible with any protocol implementable in web browser Ordinary passwords, OTP-based 2-factor solutions, smart-card logon etc.

Future directions Usability improvements Migrating client applications to oauth Exploring alternative secondary-factors

Q & A Thank you for attending. Links Enabling 2SV for your Google account Open-source smart-phone applications Android iphone Blackberry

Direct authentication with smart-cards? PIV card issuer Home user case Google IDP Same ID Cloud services Observation: PKI credentials can be used directly, bypassing requirement for an intermediary Allows use of existing smart-cards for personal accounts

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information