The Password Problem Will Only Get Worse


The Password Problem Will Only Get Worse
New technology for proving who we are
Isaac Potoczny-Jones, Galois & SEQRD
ijones@seqrd.com, @SyntaxPolice

Goals & Talk Outline
- Update the group on authentication threats
- Update the group on authentication solutions
  - 2-factor authentication: factors on the market
  - Single Sign-On: the state of various protocols
- Get your advice on our approach
Outline: Background, Threat Landscape, Solutions, Our Approach

About the Speaker
- Galois, Inc. (galois.com)
  - Research & development, mostly for the federal government
  - Computer security, safety, correctness, etc.
  - 40+ employees in Portland, OR; founded in 1999
- SEQRD: a Galois spin-off (seqrd.com)
  - Startup focusing on authentication
- Isaac's background: BS Computer Science, MS Cybersecurity

Authentication: Foundations
- Authentication is proving who you are, or proving that you're the same person as last time
- Something you know: e.g. passwords, PINs, screen patterns, first pet, etc.
- Something you have: physical keys, secure tokens, mobile phones
- Something you are: biometrics, fingerprint readers, etc.

Single & Multi-Factor
- Single factor: one authentication method
  - Classics: password, keys, keyfobs, keycards
- Multi-factor: more than one factor
  - Get more security by mixing methods
  - Multi-factor classics: debit card & PIN; password & random-number token

Uses for Authentication
- Remote authentication, e.g. proving who you are to a web site (that's our focus today)
- Physical authentication: granting access to locations/devices/services
- Screen unlock: mobile devices or computers

Threat Landscape: Passwords

Fundamental Problems
- Passwords dominate, but:
  - Bad passwords are easy to guess
  - Good passwords are impossible to remember
- But what's a good password? To answer that, let's explore password attacks

Massive Database Spills
- Causing acceleration in understanding of passwords
- LinkedIn: 6.5M (2012)
- Yahoo: 340K (2012)
- RSA: SecurID token seed-keys stolen (2011)
- Gawker: 740K (2011)
- Sony (2011)
- Stratfor: 800K (2011)
- RockYou: 32M (2009)
Source: http://thepasswordproject.com/leaked_password_lists_and_dictionaries

Brute-Force Attacks
(chart) Source: Rob Graham, Errata Security

Password Cracking: ocl-hashcat-plus performance, 1 GPU benchmark

Hash            Speed
NTLM            7487M c/s
MD5             5144M c/s
SHA1            2030M c/s
SHA256          1003M c/s
Password Safe   495k c/s
bcrypt $2a$     3788 c/s

Source: http://hashcat.net/oclhashcat-plus/

Hybrid Attacks: 90% Success
- Great article by Ars on password crackers
- Challenge: 3 crackers, 16,000+ hashes
- Outcome: 90% success
- Example attacker approach:

Method                          Passwords uncovered   Time
Brute force, 1-6 char length    1,300                 2.5 minutes
Mixed brute force               2,600                 4.5 minutes
Word list                       6,000                 9 minutes
Hybrid                          2,700                 5 hours

Source: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords

So What's a Good Password?
- Long enough: maybe 9+ characters
- Complex enough: pretty much random, with a large character set
- Not reused, or risk the wrath of database spills
- But: the average user has 26 accounts* (I have 300)
*Source: Experian & Deloitte: http://goo.gl/4jrnha
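As an added worked example (not from the talk), the single-GPU hashcat rates from the cracking table combined with the "long enough, random, large character set" rule: the estimator below computes the expected brute-force time for a uniformly random password and the minimum length that holds out for a target time under each hash. It goes slightly beyond the slide by also showing how a slow hash (bcrypt) changes the required length; the character-set sizes are assumptions.

```python
YEAR = 365.25 * 24 * 3600  # seconds

# Single-GPU ocl-hashcat-plus rates from the slide, in candidate hashes per second.
HASH_RATES = {
    "NTLM": 7487e6, "MD5": 5144e6, "SHA1": 2030e6, "SHA256": 1003e6,
    "Password Safe": 495e3, "bcrypt $2a$": 3788,
}

# Alphabet sizes an attacker would assume for a random password (assumed values).
CHARSETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def expected_seconds(charset_size: int, length: int, rate: float) -> float:
    """Average time to brute-force a uniformly random password of the given
    length and alphabet: on average half of the keyspace must be tried."""
    return (charset_size ** length) / 2 / rate


def min_length(charset_size: int, rate: float, target_seconds: float = YEAR) -> int:
    """Smallest length whose expected crack time reaches the target (default: one year)."""
    length = 1
    while expected_seconds(charset_size, length, rate) < target_seconds:
        length += 1
    return length


def human(seconds: float) -> str:
    """Render a duration in the most readable unit."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(length: int, charset: str = "printable ASCII") -> dict:
    """Expected single-GPU crack time of one password class under every hash in the table."""
    size = CHARSETS[charset]
    return {name: expected_seconds(size, length, rate) for name, rate in HASH_RATES.items()}


if __name__ == "__main__":
    for name, secs in report(9).items():
        print(f"9 random printable chars, {name:14s}: {human(secs)}")
    for name, rate in HASH_RATES.items():
        print(f"{name:14s}: need {min_length(95, rate)} random printable chars for ~1 year")
```

With these rates a 9-character random printable password survives a single GPU for about two years under MD5, while 8 lowercase letters fall to NTLM in seconds.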

With 26 passwords, it's impossible
- Let's just admit it: we're asking the impossible
- Users can never remember random passwords
- Users manage the problem:
  - Reuse is most common: users have 5 passwords
  - Email reset ("I forgot my password")
  - Password managers: Firefox, KeePass, etc.

Conclusions about Threats
- Crack speed is increasing, e.g. via GPUs
- Tool support is improving very quickly
- This is gaining steam as big password database spills provide crackers more info
- Passwords can't get complex enough

Result: 2-Factor is taking off
- Major Internet players offer it: Google, Facebook, Twitter, Dropbox, etc.
- It's a good way to protect yourself from:
  - Password reuse by users
  - Other sites getting hacked

Solutions

Solutions: Identity Federation / Single Sign-On
- There was a great talk on this yesterday

Identity Federation: Moving Parts
- Service provider (SP): the site you log into (also called Relying Party or RP)
- Identity Provider (IdP): the site you log in with
- Typical workflow:
  1. Visit Yahoo, click login
  2. Get redirected to Google with a session token
  3. Log into Google
  4. Get redirected to Yahoo with proof of login

Identity Federation Workflow: sign into Yahoo using Google (simplified)
(diagram; participants: User & Browser, Yahoo as Service Provider, Google as Identity Provider)
1. User & Browser -> Yahoo: "Let me in"
2. Yahoo -> Browser: "Ask Google"
3. User & Browser -> Google: "I'm Isaac"
4. Google -> Browser: Login & Attributes
5. Browser -> Yahoo: Login & Attributes

OpenID
- OpenID seems to have lost momentum
- Relying parties are a problem: on the mainstream Internet, there are very few
  - Yahoo: accepts Google & Facebook
  - Google & Facebook are IdPs for OpenID & OAuth
  - Facebook: accepted logins in 2009, then stopped (if there's a way, I can't figure it out)
- myopenid.com: shutting down

OAuth
- Used for authorization on lots of sites
- Often also used for some kinds of authentication
- OAuth 2 worries:
  - Facebook has had several OAuth vulns this year
  - The standard was abandoned / lambasted by its editor, now under new stewardship
  - Both too complex & under-specified
http://thehackernews.com/search?q=facebook%20oauth
http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

Security Assertion Markup Language (SAML)
- Seems to be gaining momentum
- Federation & SSO: InCommon, education, enterprise
- Also used to share attributes (groups, etc.)
- Accepted by Google Apps, Dropbox, Salesforce, etc.
- Major implementations: Shibboleth (Java), SimpleSAMLphp; plugins for lots of platforms
- I audited plugins for Drupal & WordPress; they were very insecure.

Central Authentication Service (CAS)
- Somewhat similar to SAML
- Widespread use in the academic community
- Can also be used for attribute exchange
- Java / Spring system
- Integrates with: Active Directory, LDAP, X.509, passwords, OpenID, SAML, etc.
https://wiki.jasig.org/display/cas/cas+deployers

Cloud SSO Services (IdP)
- Largely based on SAML
- Mostly subscription SaaS, instead of operating your own IdP
- They work to integrate service providers
- Ping Identity, OneLogin, Okta, Centrify, Symplified, probably others
- JanRain: social login & user management

Physical Factors

Physical Tokens
- YubiKey: small, uses one-time or fixed passwords, pretends to be a USB keyboard
- Random-number tokens: RSA SecurID, Google Authenticator (soft-token app), lots of similar tokens
- Hardware benefits & drawbacks:
  - Benefits: tamper-proof & can't get viruses
  - Drawbacks: can't put 100 of them on your keychain

Password Managers
- Saves the password on the client
  - Problematic for moving between clients; often have cloud options
- Becomes "something you have" (e.g. a laptop)
  - Often also locked / encrypted in a keychain. Hey look! It's 2-factor auth!
- In the browser (e.g. Firefox, Chrome)
- In a browser plugin (e.g. LastPass, OnePass)
- Native client (e.g. KeePass)
- Problem: logging in on different devices

Mobile Phone Factors
- Mobile phone factors are a great trade-off!
- Google Authenticator: random number (app)
- Text-message random number: used by Facebook, Twitter, TeleSign
- In-app push-based notifications: Twitter, Duo Security, others
- PhoneFactor (Microsoft): text, voice, push

How to use your phone as a password manager today
- On your computer:
  1. Visit the website you want to log into
  2. Instead of logging in, click "forgot my password"
  3. Type in your email address
- On your phone:
  4. Open the reset email
  5. Reset your password
- Log in on your computer
- So what happens when you lose your phone?

Summary: Each factor has drawbacks
- Something you know: basically passwords; doesn't scale beyond a handful of secure passwords
- Something you have:
  - Physical token: doesn't scale beyond the size of your keyring
  - Mobile phone: seems most promising to me
- Something you are: biometrics are not secret
- Federation / SSO: if only we could agree to agree

SEQRD

Mobile Authentication Factor
- How we're trying to solve this; looking for your feedback
- Passwords are terrible: let's replace passwords with a mobile phone
- Get 2-factor with a password or PIN
- Integrated with SAML & REST API
- Demo

How it Works: User's Perspective
- Creating an account: 1. Scan QR code  2. Account creation
- Logging in: 1. Scan QR code  2. Secure authentication  3. Login approved

How 2-Factor Works (1): Type a Password
- First factor: password
- Second factor: SEQRD: 1. Scan QR code  2. Secure authentication

How 2-Factor Works (2)
- Second factor: SEQRD: 1. Scan QR code  2. Type PIN (decrypts key)  3. Secure authentication

How it Works: Under the hood
(diagram; participants: Browser with cookie storage, Web site with storage, Phone with storage; details at blog.seqrd.com)
1. Login request (Browser -> Web site)
2. Session key (Web site -> Browser, kept in cookie storage)
3. QR code includes Session key, Challenge
4. Web site & Session key (shown to the Browser)
5. App scans QR code: Session key, Challenge
6. Phone storage: User ID, Shared secret for Web site
7. App computes OTP = OCRA(Challenge, Shared secret)
8. User ID, OTP, Session key (Phone -> Web site)
9. Web site storage: Shared key for User ID
10. Site computes OTP, checks match
11. Session key authenticated
12. Approved (Web site -> Browser)
13. Approved (shown to the user)
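As an added example (not SEQRD's code), the exchange above modelled in Python: the site issues a session key and an 8-digit challenge (the QR payload, steps 2-3), the phone computes OTP = OCRA(challenge, shared secret) with the RFC 6287 OCRA-1:HOTP-SHA1-6:QN08 suite (step 7), and the site recomputes it from the stored secret, compares in constant time and binds the result to the session key (steps 9-11). The PIN-based decryption of the phone's key and the real wire format are assumptions left out; the in-memory Site and phone_respond helper are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

SUITE = "OCRA-1:HOTP-SHA1-6:QN08"  # one-way challenge/response suite, RFC 6287


def ocra_qn08(key: bytes, question: str) -> str:
    """OCRA for the QN08 suite: HMAC-SHA1 over suite || 0x00 || Q, then HOTP truncation.
    The numeric question is converted to hex and right-padded with zeros to 128 bytes."""
    q_hex = format(int(question, 10), "X").ljust(256, "0")
    data = SUITE.encode() + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, data, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


class Site:
    """Web site side: issues session key + challenge, later verifies the phone's OTP."""

    def __init__(self):
        self.secrets = {}        # user ID -> shared secret (step 9, set at account creation)
        self.pending = {}        # session key -> challenge awaiting a response (steps 2-3)
        self.authenticated = set()

    def register(self, user_id: str) -> bytes:
        """Account creation: generate the per-site shared secret the phone will store (step 6)."""
        self.secrets[user_id] = os.urandom(20)
        return self.secrets[user_id]

    def login_request(self) -> dict:
        """Step 1-3: fresh session key and 8-digit challenge; this dict is what the QR code carries."""
        session_key = secrets.token_hex(16)
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[session_key] = challenge
        return {"session": session_key, "challenge": challenge}

    def verify(self, user_id: str, otp: str, session_key: str) -> bool:
        """Steps 8-11: recompute the OTP for this session's challenge and compare."""
        challenge = self.pending.pop(session_key, None)   # single use: a replay finds nothing
        if challenge is None or user_id not in self.secrets:
            return False
        expected = ocra_qn08(self.secrets[user_id], challenge)
        if hmac.compare_digest(expected, otp):             # constant-time comparison
            self.authenticated.add(session_key)            # step 11: session key authenticated
            return True
        return False


def phone_respond(user_id: str, secret: bytes, qr: dict) -> dict:
    """Phone side, steps 5-8: scan the QR payload and answer with user ID, OTP, session key."""
    return {"user": user_id, "otp": ocra_qn08(secret, qr["challenge"]), "session": qr["session"]}
```

The OTP never leaves the phone as a reusable secret: it is bound to one challenge, and the site discards the challenge after the first verification, so an eavesdropped response cannot be replayed.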

Threats & Mitigations During Registration & Issuance

Threat                              Mitigation
Impersonation of claimed identity   Stronger identification: government-issued ID, bills
Repudiation of registration         Signed forms
Disclosure during transmission      Issue in person
Tampering during transmission       Establish a procedure
Unauthorized issuance               Establish a procedure

Source: NIST 800-63-R1

Threats & Mitigations Against Tokens

Threat               Mitigation
Theft                Multi-factor w/ PIN or biometric
Duplication          Hardware crypto tokens
Eavesdropping        Dynamic & challenge/response
Offline cracking     High entropy & lockout
Phishing             Dynamic & challenge/response
Social engineering   Dynamic & challenge/response
Online guessing      High entropy

Source: NIST 800-63-R1

SEQRD: Threats & Mitigations Against Tokens

Threat                           Mitigation
Disclosure during transmission   QR code on your screen, or send the crypto key in snail mail
Theft                            Multi-factor w/ PIN & password, revocation
Duplication                      Tricky on mobile! Software-based protections
Eavesdropping                    One-time passwords (OTP), challenge & response
Offline cracking                 Long cryptographic keys
Phishing                         OTP / challenge & response
Social engineering               OTP / challenge & response
Online guessing                  Long cryptographic keys

Conclusions
- Threats against passwords are really bad
- 2-factor auth to greatly increase security
- SAML for SSO
- Mobile phone factors as a good trade-off
Contact info: ijones@seqrd.com