The Password Is Dead: An Argument for Multifactor Biometric Authentication
TRANSCRIPT
An Argument for Multifactor Biometric Authentication
THE PASSWORD IS DEAD
© 2016 Veridium All Rights Reserved
BEFORE WE BEGIN
Attendees have been muted
You may submit questions at any time, but we will respond at the conclusion of the presentation during the Q&A session
John Callahan, PhD, Chief Technology Officer
BEFORE WE BEGIN
• PhD in Computer Science from University of Maryland, College Park
• Former Associate Director at the Office of Naval Research, Global, London office
• Previously Research Director at the NASA Independent Verification and Validation Facility
AGENDA
• History of username & password
• Password complexity is failing
• Biometrics: physiological and behavioral
• Privacy needs for biometric data
HISTORY OF USERNAME AND PASSWORD
A TIME OF CRISIS
• The computer password dates to MIT's CTSS in the early 1960s; it is more than 50 years old
• A username does not truly represent identity
NUMBER OF ACCOUNTS
Most people have 10-20 online accounts…
…and you are asked to use a different password for all of them!
A FLUX POINT
• Passwords alone are no longer adequate for cybersecurity
COST OF CHURN
• Conventional practice has been to force a password change every three months (the 2016 draft of NIST SP 800-63B recommends against arbitrary periodic changes)
• These forced resets cost time and money
HELP DESK COSTS
• Resets of forgotten passwords also cost time and money
• These costs are no longer tolerable
COMPROMISES EXACERBATE LOSS
• Lost/stolen passwords contribute to the compromise of other databases, because users often reuse passwords across sites
• Complexity rules make passwords predictable: users satisfy them in the same few ways
PASSWORD COMPLEXITY IS FAILING
COMPLEXITY RULES
• Frequency of change
• Minimum length
• Mixture of "ulsd" (upper, lower, special, digit)
• Topologies (the sequence of character classes in a password)
• Strength meters: a risk in themselves
COMPLEXITY RULES (CONT.)
Credit: XKCD
ANALYSIS
Source: Rick Redman, OWASP AppSec USA 2014
Chart: Top 50 Most Commonly Used Topology IDs Across All Samples
Chart: Frequency of Common Topologies Across All Samples (y-axis: Percent of Passwords Matching Given Pattern per Sample Set)
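The analysis slides above are charts of password topologies, the per-character class pattern ("ulsd") that Redman's talk tallied over breach corpora. The following is an added example, not code from the deck or from Redman, that performs the same tally over a small constructed sample (invented passwords, not leaked data) and converts each topology into a hashcat-style mask with its keyspace, so that the payoff for an attacker is visible: a handful of topologies cover most of a policy-compliant sample, and each one is a vanishingly small slice of the full printable-ASCII keyspace.

```python
"""Password topology analysis (added example; not code from the Veridium deck).

A topology replaces each character of a password with its class: u = upper,
l = lower, d = digit, s = special, the "ulsd" classes named on the slide.
Tallying topologies over a sample shows how complexity rules funnel users into
a few predictable patterns, which a cracker then attacks with masks.
"""
from collections import Counter
import string

# Constructed sample: every entry satisfies a typical "8+ chars with upper,
# lower, digit and special" rule. Invented for illustration, not real data.
SAMPLE_PASSWORDS = [
    "Password1!", "Welcome1!", "Summer16!", "Changeme1!", "Qwerty123!",
    "Monkey12!", "Letmein1!", "Winter16!", "Dragon99!", "Baseball1!",
    "P@ssw0rd", "Tr0ub4dor&3", "Football1!", "Spring16!", "Hunter22!",
    "Admin123!", "Secret01!", "Autumn16!", "Jessica1!", "Michael1!",
]

# Sizes of the hashcat built-in charsets ?u ?l ?d ?s (?s includes space).
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": 33}
HASHCAT_CHARSET = {"u": "?u", "l": "?l", "d": "?d", "s": "?s"}
FULL_ALPHABET = 95  # printable ASCII: the brute-force baseline per position


def char_class(ch: str) -> str:
    if ch in string.ascii_uppercase:
        return "u"
    if ch in string.ascii_lowercase:
        return "l"
    if ch in string.digits:
        return "d"
    return "s"  # punctuation, space and anything non-ASCII count as special


def topology(password: str) -> str:
    """'Summer16!' -> 'ullllldds'."""
    return "".join(char_class(c) for c in password)


def topology_frequencies(passwords) -> Counter:
    return Counter(topology(p) for p in passwords)


def coverage(passwords, top_n: int) -> float:
    """Fraction of the sample matched by the top_n most common topologies."""
    counts = topology_frequencies(passwords)
    covered = sum(n for _, n in counts.most_common(top_n))
    return covered / len(passwords)


def hashcat_mask(topo: str) -> str:
    """Mask a cracker would feed to a mask attack for this topology."""
    return "".join(HASHCAT_CHARSET[c] for c in topo)


def mask_keyspace(topo: str) -> int:
    """Number of candidates the mask enumerates: product of class sizes."""
    space = 1
    for c in topo:
        space *= CLASS_SIZE[c]
    return space


def report(passwords, top_n: int = 3) -> None:
    counts = topology_frequencies(passwords)
    print(f"{'topology':<14}{'count':>6}  {'hashcat mask':<22}"
          f"{'mask keyspace':>18}{'vs 95^n':>10}")
    for topo, n in counts.most_common(top_n):
        full = FULL_ALPHABET ** len(topo)
        print(f"{topo:<14}{n:>6}  {hashcat_mask(topo):<22}"
              f"{mask_keyspace(topo):>18,d}{mask_keyspace(topo) / full:>10.2e}")
    print(f"top {top_n} topologies cover {coverage(passwords, top_n):.0%} of the sample")


if __name__ == "__main__":
    report(SAMPLE_PASSWORDS)
```

On the constructed sample the three most common topologies cover 80% of the passwords, and the most common one ("ullllldds", a capitalised word, two digits and a trailing special) has a mask keyspace of about 10^12 against roughly 6×10^17 for nine unconstrained printable characters. Run it against your own corporate sample to see whether your rules have produced the same funnel.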
© 2016 Veridium All Rights Reserved
PASSWORD VAULTS
• Examples: LastPass, 1Password, browser extensions
• Single point of failure
• Not portable without risk of compromise
TWO-FACTOR AUTHENTICATION (2FA)
• An additional step AFTER username & password
• The one real cybersecurity improvement in 20 years
• Channels:
  - SMS (Twitter & Apple)
  - Google Authenticator (software app)
  - RSA dongle (hardware)
  - Bingo card (A1, F3, H1)
PROBLEMS WITH 2FA
• Fails if the device(s) are lost or stolen
• NIST's draft SP 800-63B (25 July 2016) recommended against SMS as an out-of-band channel:
  - SMS can be intercepted or redirected
  - Codes can be "swiped" if they appear in lock-screen notifications
• The codes are derived from a shared seed; if the seed is stolen (as happened to RSA SecurID seeds in 2011), the attacker can generate valid codes
• 2FA codes can be "phished" from the user and relayed within their validity window
Biometrics: The next portable 2FA?
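The last two problems above both follow from how one-time codes are built. As an added example, not code from the deck or from Veridium, here is HOTP (RFC 4226) and TOTP (RFC 6238) implemented with the Python standard library, checked against the RFC test vectors, with a verifier that tolerates one step of clock skew. Because the code is a pure function of (seed, time), a copied seed yields the same codes, and a code captured on a phishing page stays valid until the verifier's window closes. The relay timings used in the demo are constructed.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library. Added example,
not Veridium code, showing where the 2FA weaknesses on the slide come from:
the one-time code is a pure function of a shared seed and the current 30-second
step, so the seed is the whole secret, and a phished code remains valid for the
rest of the step plus the verifier's skew tolerance.
"""
import base64
import hashlib
import hmac
import struct
import time

# Seed used by the RFC 4226 / RFC 6238 test vectors (ASCII "1234567890" twice).
RFC_TEST_SEED = b"12345678901234567890"


def decode_base32_seed(encoded: str) -> bytes:
    """Authenticator apps ship seeds as (often unpadded) base32 in otpauth:// URIs."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- window neighbours (clock skew tolerance).
    compare_digest keeps the comparison constant-time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(seed, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def phishing_relay(seed: bytes, t_captured: int, t_replayed: int,
                   window: int = 1) -> bool:
    """Real-time phishing: a fake login page captures the code the user types at
    t_captured and the attacker submits it to the real server at t_replayed.
    Returns whether the server accepts it."""
    captured = totp(seed, t_captured)
    return verify_totp(seed, captured, t_replayed, window=window)


if __name__ == "__main__":
    print("RFC 6238 vector T=59 ->", totp(RFC_TEST_SEED, 59, digits=8))  # 94287082
    now = int(time.time())
    # Seed theft: a copied seed produces exactly the user's code, no user needed.
    stolen_copy = bytes(RFC_TEST_SEED)
    print("user code", totp(RFC_TEST_SEED, now), "attacker code", totp(stolen_copy, now))
    # Constructed relay timings: accepted 20 s later, rejected 120 s later.
    print("relay after 20 s accepted:", phishing_relay(RFC_TEST_SEED, now, now + 20))
    print("relay after 120 s accepted:", phishing_relay(RFC_TEST_SEED, now, now + 120))
```

The verifier's ±1 step window is what most deployments use, so a phished code is good for up to about 60 seconds; shrinking the window reduces the relay opportunity but not the underlying problem, which is that nothing binds the code to the site the user thinks they are talking to.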
BIOMETRICS
BIOMETRICS: THE PASSWORD IS YOU
Physiological
• Face
• Fingerprint
• Hand
• Iris
• Voice
• DNA
• …
Behavioral
• Keystroke
• Signature
• Voice
• Date/Time
• Geolocation
• …
Divided, none of these are perfect. Combined, they are a much more robust form of authentication.
A HISTORY OF POOR STARTS, BUT HOPE REMAINS ETERNAL
There have been many attempts at biometrics, but mobile devices have changed the game entirely.
FIDO STANDARD
FIDO standard: mobile storage & authentication
Source: FIDO Alliance
IEEE 2410 BOPS
IEEE 2410 Biometric Open Protocol Standard (BOPS)
• Mobile: FIDO-compliant
• Or split mobile-server
VERIDIUMID AUTHENTICATION
VERIDIUMID ENROLLMENT
AVAILABLE BIOMETRIC PLUGINS
- Touch ID/Android Fingerprint
- 4 Fingers TouchlessID
- Face
- Iris
- Voice
- Behavioral
And whatever the next biometric on the horizon is…
GOOGLE ABACUS
• Behavioral
• Multifactor
• Trust Score
PRIVACY NEEDS FOR BIOMETRIC DATA
YOUR PHYSICAL BIOMETRICS DO NOT CHANGE
• You cannot change your biometrics the way you can a password
• Therefore, they must be carefully protected
• This is why regulations have been created for:
  - Storage
  - Transport
  - Encryption
REGULATIONS ON BIOMETRIC DATA PRIVACY
PRIVACY PROTECTION
• Split biometric: 1/2 on server & 1/2 on mobile or desktop device
• Server- and client-side PKI certificates
• Behavioral patterns for risk management
• Business rules require multifactor authentication steps
SPLITTING BIOMETRIC VECTORS
MATCHING WITH SPLIT BIOMETRICS
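The two slides above are diagrams of splitting and matching that are not reproduced here. As an added illustration of the "half on the server, half on the device" principle, not Veridium's own scheme, the example below splits a binarised feature vector with a 2-of-2 XOR one-time pad (an assumed stand-in for whatever splitting the product uses): each share alone is uniformly random and reveals nothing about the biometric, the two shares together recreate the template only transiently at match time, and matching is a Hamming-distance threshold. The feature vector, sensor noise and threshold are constructed.

```python
"""Split biometric template with 2-of-2 XOR secret sharing. Added example
illustrating the slides, not Veridium's scheme: the deck's own method is shown
only as diagrams, so this XOR split is an assumed stand-in.

A binarised feature vector is split into a device share (fresh random bytes) and
a server share (template XOR device share). A single share is indistinguishable
from random, so a breach of either side alone leaks no biometric; only the two
recombined reproduce the template, and only for the duration of a match.
"""
import secrets
from typing import Callable, Sequence, Tuple


def binarize(features: Sequence[float]) -> bytes:
    """Quantise a real-valued feature vector to one bit per feature (its sign),
    MSB first, zero-padded to a whole byte. Matching then becomes Hamming distance."""
    bits = [1 if f > 0 else 0 for f in features]
    bits += [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def enroll_split(template: bytes,
                 randbytes: Callable[[int], bytes] = secrets.token_bytes
                 ) -> Tuple[bytes, bytes]:
    """Return (device_share, server_share). randbytes is injectable so the
    split can be reproduced in tests; in production leave the default CSPRNG."""
    device_share = randbytes(len(template))
    server_share = bytes(t ^ d for t, d in zip(template, device_share))
    return device_share, server_share


def recombine(device_share: bytes, server_share: bytes) -> bytes:
    if len(device_share) != len(server_share):
        raise ValueError("share length mismatch")
    return bytes(d ^ s for d, s in zip(device_share, server_share))


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def match_split(device_share: bytes, server_share: bytes, probe: bytes,
                max_fraction: float = 0.20) -> Tuple[bool, float]:
    """Recombine the template, compare with a fresh probe, drop the plaintext.
    Returns (accepted, normalised Hamming distance). The threshold is a
    constructed value; real systems tune it to a target false-accept rate."""
    template = recombine(device_share, server_share)
    dist = hamming_distance(template, probe) / (8 * len(template))
    del template  # best effort only: Python does not guarantee zeroisation
    return dist <= max_fraction, dist


def flip_bits(data: bytes, positions) -> bytes:
    """Constructed sensor noise: flip the given bit indices of a template."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 0x80 >> (p % 8)
    return bytes(out)


if __name__ == "__main__":
    # Constructed 256-bit template standing in for a binarised face/finger vector.
    template = bytes(range(32))
    device_share, server_share = enroll_split(template)
    print("device share :", device_share.hex())
    print("server share :", server_share.hex())
    genuine = flip_bits(template, range(0, 256, 25))   # 11 noisy bits, same user
    impostor = bytes(b ^ 0xA5 for b in template)       # half the bits differ
    print("genuine :", match_split(device_share, server_share, genuine))
    print("impostor:", match_split(device_share, server_share, impostor))
```

The design point is where recombination happens: whichever side performs the match holds the full template for a moment, so that side is the one to harden (secure enclave on the device, or an isolated matcher on the server with mutual TLS to the device, which is what the "server- and client-side PKI certificates" bullet supplies). Revocation of a leaked share is just a re-enrolment with a fresh random device share; the biometric itself never needs to change.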
THE PASSWORD IS DEAD
• Biometrics are already replacing existing 2FA channels
• Multifactor authentication, including biometrics, is proving to be highly effective
• But will biometrics replace passwords completely?
QUESTIONS?
Twitter: @Veridium
Request a demo at: www.VeridiumID.com/Contact-Us