Usable Multi-Factor Authentication and Risk-Based Authorization



Similar documents
Usable Multi-Factor Authentication and Risk- Based Authorization

Role of Multi-biometrics in Usable Multi- Factor Authentication

Multi-factor Mobile Authentication

Device-Centric Authentication and WebCrypto

Security Levels for Web Authentication using Mobile Phones

Security and Privacy Challenges of Biometric Authentication for Online Transactions

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

Biometrics and Cyber Security

White Paper: Multi-Factor Authentication Platform

Improving Online Security with Strong, Personalized User Authentication

XYPRO Technology Brief: Stronger User Security with Device-centric Authentication

Mobile Identity: Improved Cybersecurity, Easier to Use and Manage than Passwords. Mika Devonshire Associate Product Manager

Multi-factor authentication

solutions Biometrics integration

Voice Authentication On-Demand: Your Voice as Your Key

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Multi-Factor Authentication for your Analytics Implementation. Siamak Ziraknejad VP, Product Management

Experiences with Studying Usability of Two-Factor Authentication Technologies. Emiliano De Cristofaro

How To Develop A Mobile Application On An Android Device

Mary Theofanos Brian Stanton

Improve your mobile application security with IBM Worklight

Self-Service, Anywhere

How To Protect Your Mobile Devices From Security Threats

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Chapter 1: Introduction

Human Behaviour and Security Compliance

Frequently asked questions

The 4 forces that generate authentication revenue for the channel

Authentication Tokens

May For other information please contact:

Contextual Authentication: A Multi-factor Approach

Building Secure Multi-Factor Authentication

Leveraging SAML for Federated Single Sign-on:

Building a Mobile App Security Risk Management Program. Copyright 2012, Security Risk Advisors, Inc. All Rights Reserved

By Ian Kilpatrick, chairman Wick Hill Group, specialists in secure infrastructure solutions.

Alternative authentication what does it really provide?

Security and Usability

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

From Edge to the Core. Sicurezza dati nelle infrastrutture condivise, virtualizzate e cloud.

The Benefits of an Industry Standard Platform for Enterprise Sign-On

WHITE PAPER Usher Mobile Identity Platform

Secure communications via IdentaDefense

Implementation of Operator Authentication Processes on an Enterprise Level. Mark Heard Eastman Chemical Company

Enterprise effectiveness of digital certificates: Are they ready for prime-time?

EVALUATION GUIDE. Evaluating a Self-Service Password Reset Tool. Usability. The password reality

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

International Journal of Software and Web Sciences (IJSWS)

A Security Survey of Strong Authentication Technologies

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

Fundamentals of Secure Collaboration in the Mobile Workforce. Sinisha Patkovic

Resco Mobile CRM Security

Privacy and Identity Management for Europe

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

addressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from

Enhancing Your Mobile Enterprise Security with IBM Worklight IBM Redbooks Solution Guide

Biometrics and National Strategy for Trusted Identities in Cyberspace Improving the Security of the Identity Ecosystem September 19

One-Time Password Contingency Access Process

NIST E-Authentication Guidance SP and Biometrics

3D PASSWORD. Snehal Kognule Dept. of Comp. Sc., Padmabhushan Vasantdada Patil Pratishthan s College of Engineering, Mumbai University, India

Mobile Application Security

How Speech Recognition will Disrupt Enterprise BYOD Plans. Presented at Mobile Voice Conference 2014

How Secure is Authentication?

Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Biometric SSO Authentication Using Java Enterprise System

Is your mainframe less secure than your file server? Malcolm Trigg Solutions Consultant 24 th February 2016

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

The Authentication Revolution: Phones Become the Leading Multi-Factor Authentication Device

User Authentication Guidance for IT Systems

ADAPTIVE AUTHENTICATION ADAPTER FOR JUNIPER SSL VPNS. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

Scalable Authentication

Moving to Multi-factor Authentication. Kevin Unthank

ID Director for Windows

Swivel Multi-factor Authentication

EESTEL. Association of European Experts in E-Transactions Systems. Apple iphone 6, Apple Pay, What else? EESTEL White Paper.

Secure Delegation for Web 2.0 and Mashups

ADDING STRONGER AUTHENTICATION for VPN Access Control

TECHNOLOGY WHITEPAPER

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

Provide access control with innovative solutions from IBM.

A Various Biometric application for authentication and identification

Password Reset PRO Version 3 Operational Summary and Screenshots

Business ebanking - User Sign On & Set Up

Business Banking Customer Login Experience for Enhanced Login Security

A SMART, LOCATION BASED TIME AND ATTENDANCE TRACKING SYSTEM USING ANDROID APPLICATION

Centralized Self-service Password Reset: From the Web and Windows Desktop

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

ImageWare Systems, Inc.

Multi-Factor Authentication: All in This Together

Authentication Solutions Through Keystroke Dynamics

User Authentication Methods for Mobile Systems Dr Steven Furnell

Mobile Device as a Platform for Assured Identity for the Federal Workforce

Online Gaming: Legalization with Protection for Minors, Adult Players, Problem Gamers

Applying Cryptography as a Service to Mobile Applications

MOBILE VOICE BIOMETRICS MEETING THE NEEDS FOR CONVENIENT USER AUTHENTICATION. A Goode Intelligence white paper sponsored by AGNITiO

Flexible Identity. Tokenless authenticators guide. Multi-Factor Authentication. version 1.0

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

Biometrics in Physical Access Control Issues, Status and Trends White Paper

Transcription:

CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS Usable Multi-Factor Authentication and Risk-Based Authorization IBM T. J. Watson Research Center Larry Koved, Research Staff Member 17 September 2013 We gratefully acknowledge the UK for supporting this project 2013 IBM Corp. 2013 IBM Corp.

Team Profile IBM Research, T.J. Watson Research Center, Yorktown Heights, NY A multi-disciplinary research facility Security research on a broad range of topics, including hardware, information, operating systems, cryptography and network security World wide research team on security and privacy topics Interdisciplinary Team HCI, Security, Biometrics, Systems Larry Koved, Information Security, mobile security, HCI, middleware Dr. Rachel Bellamy, User Experience Design and Engineering, HCI, psychometrics Dr. Pau-Chen Cheng, Information Security, risk analysis Dr. Nalini Ratha, Exploratory Computer Vision, biometrics Dr. Kapil Singh, Information Security, web and mobile security Calvin Swart, User Experience Design and Engineering, mobile and web HCI Dr. Shari Trewin, User Experience Design and Engineering, HCI, accessibility 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 1

Customer Need Who is using this mobile device? Valuable information and assets are at risk! Mobile device interaction is brief (< 1 minute) Often interrupt driven Authentication is a secondary task Secure passwords are very hard to enter on these devices High dissatisfaction with strong password entry Security credentials are cached by mobile apps Mobile device unlock is predominantly: Weak credentials: PIN / SWYPE No authentication We are authenticating devices! Mobile devices are more likely to be lost / stolen / shared / borrowed Security versus usability asking too much or too little. 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 2

Approach: Human Interaction Paradigm Shift Interaction being driven by mobile multi modal features Camera Eye tracking Transactions Touch / Haptics Speech recognition No wires Text spoken Location Motion 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 3

Approach: Balancing Usability and Security Mixture of contextual, environmental, and historical factors Situation Driving Gloves on Hands busy Bad light Public place Multi Factor Authentication Voice Face Fingerprint Location 2 Factor Authorization service assesses risk and generates authentication challenges Authorizes access Enrollment Verifies against enrollment Banking Shopping 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 5

Approach Objective: Based on context, "authenticate just enough" to accommodate user preference and (situational) impairments 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 6

Approach Strong Authentication Through Fusion Fusion always gets better accuracy when the underlying modalities (biometrics) are uncorrelated. Table shows 2008 state of the art. 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 7

Benefits Usable Security: Authenticate if and when needed, to the extent needed. Eliminate insecure passwords on mobile devices Eliminate on-device password caching risks Eliminate forgotten passwords Home Strong usable multi-factor authentication Simple user interaction Minimize authentication challenges Multi-factor biometric (who you are) Non-biometric authentication Continuous authentication Extensible framework Crowded Location Daily Commute Risk? Loss of physical control Public Location Estimates change in possession of the device Lock out to prevent misuse by a 3 rd party Office Risk-based authorization Model user/device context and behaviors Authentication commensurate with value at risk Risk communication Integrate with existing apps with no app code changes Usability Security 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 8

Competition Passwords Hard to remember Insecurely stored Very hard to enter compliant passwords Disruptive to short term memory 2-factor tokens Separate item to lose Dreaded token necklace Subject to social engineering 2-factor SMS insecure (eavesdropping apps risk) Single factor biometrics Relatively weak Ignores situational impairments Niche vendors Increases risk due to non-trivial false accept rate Device-centric Traditional authentication flows Ignores context and history Does not reduce security challenges based on context 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 9

Current Status Accomplishments so far Operational demo system Negotiating the commercialization of the system (see Next Steps) Security software frameworks System architecture & communication protocol Cross-platform client-side framework & UI Server-side frameworks with bio & context plug-ins Out-Of-Band Authentication Client (OOBAC) Including unattended device detection User interface for multi-factor authentication Risk Perception 2 psychometric studies on perceived risk in mobile transactions Taxonomy of perceived risk Risk communication design Risk-based authorization Offline modeling of risk factors, focusing on time & location; features beyond GPS to model location Risk-based access control policy Risk Perception in Information Technology workshop Started and co-chaired with L. Jean Camp (U Indiana) 53+ attendees, most popular workshop at the Symposium on Usable Privacy and Security, http://cups.cs.cmu.edu/soups/2013/risk.html MObile Security Workshop (MoST 2013) Started and co-chaired with Hao Chen (U.C. Davis) Popular workshop for mobile security topics 60+ attendees, most popular workshop at the IEEE CS S&P Workshops, http://mostconf.org/2013/ Patents: two filings in progress, one filed. Papers: Perceived Security Risks in Mobile Interaction. Koved, Trewin, Swart, Singh, Cheng, Chari. Risk Perception in Info. Tech. workshop. One in submission (Singh & Koved), two in preparation. Two related papers: RAID 2013 and one in submission (Singh). University collaborations being explored: University College London, Carlton University, and Helsinki Institute for Information Technology Deliverables so far Risk Perception reports 1. Design of Psychometric Studies on Security Risk Perception for Mobile Authentication and Authorization 2. Taxonomy of Perceived Risk in Mobile Authentication and Interaction 3. Perceived Risk in Mobile Authentication and Interaction 4. Heuristic Evaluation of Mobile Authentication & Risk Communication Design 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 10

Next Steps Upcoming deliverables: 4Q2013: Biometric fusion 1Q2013: User preference specification & enforcement 3Q2014: Full system demo and evaluation, online modeling of risk Technology Transition Activities Ongoing meetings with customers in multiple industries Assess needs / requirements / use cases / scenarios / validation Understand their security and integration concerns Integration scenarios with existing mobile applications Negotiations with potential distribution channels Application development / deployment environments Mobile application gateways Software technology to transfer: Software security frameworks, risk-based authorization technology, risk communication, User Interface, biometric fusion 8/713 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 11

Contact Information Larry Koved koved at us.ibm.com IBM T. J. Watson Research Center P.O. Box 218 Yorktown Heights, NY 10598 http://researcher.watson.ibm.com/researcher/view.php?person=us-koved 9/12/2013 CYBER SECURITY DIVISION 2013 PRINCIPAL INVESTIGATORS MEETING 2013 IBM Corp. 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information