User Authentication on Mobile Devices Google Two Factor Authentication OTP (One Time Password)
What is Two Factor Authentication
Most of us use a single factor (a password), typically 8 characters and easy to remember. Your password can be compromised by:
Social engineering
Intrusion into the host that stores it
It's written down somewhere
Brute-force guessing
Phishing schemes
Two-factor authentication adds a second key (a one-time password), previously delivered by a hardware "fob" or a smart card. Google has now implemented an OTP, a 6-digit second factor, using mobile phones: delivered by SMS or voice message, or generated on the phone itself (Android, BlackBerry or iPhone).
What Google Two Factor looks like
Google provides a check box to remember your location(s) for 30 days, so the second factor is not asked for again on that computer during that period. The 6-digit factor can be delivered by either SMS or voice message.
Is Google Two Factor right for you
Pros
Simple to use
Backup phone if the primary phone fails, or is lost or stolen
Allows users to roam to different systems/locations
10 emergency backup codes
Automatic setup via QR code
Support for multiple accounts
Time-based and counter-based code generation: HOTP per RFC 4226, with the shared secret encoded in Base32 per RFC 3548 (see also Seek for Android, in the references)
Cons
Susceptible to man-in-the-middle and man-in-the-browser attacks (the attacker relays the code while it is still valid)
Sys admin overhead
10 emergency backup codes (each one is a single-factor bypass if the printed list is stolen)
Application-specific passwords are required for applications that need a separate login
Can't presently be used with Google SSO enabled
Root access can overcome the JavaCard security mechanism
Two Factor Failures
There haven't been reports of the actual two-factor algorithms or protocol being broken. The reports I'm aware of made use of social engineering and/or password-recovery processes. The question is whether cell-phone users will adopt two-factor authentication, or whether there is an alternative: biometrics such as retina scan, fingerprint scan, facial recognition, bio-impedance, etc. Why have users failed to adopt any of these security methods?
References
RFC 4226, HOTP: An HMAC-Based One-Time Password Algorithm
Seek for Android: Secure Element Evaluation Kit for the Android platform
2-Step Authentication for Google Administrators
An example of the RSA SecurID fob, model RSA SID700-6-60-60-10
App Stores Security What you download may be compromised!
State of the App Market
Apple and Google control 80% of the app market. By the end of 2013 an estimated 50 billion downloads; there are over 1 million different apps. This summary doesn't consider Amazon and Barnes & Noble, corporate sites offering downloads of their own flavor of apps, developers of all sizes, or app distributors. We have a chaotic marketplace that depends on the participants' "best efforts" to ensure the end user's privacy and security, as well as that of others (the companies who employ them, even the ones they visit and whose WiFi service they use).
What are the areas of concern?
How trustworthy is the app store?
How trustworthy is the developer?
Can the user report issues found in the app? Who should get the report?
Does the app use more permissions than needed?
Does the app make connections to the Internet?
Does the user need anti-virus, anti-malware, etc.?
Will this be an issue with BYOD?
Corporate Attitudes, Issues & Policies
IT management is presently split regarding BYOD: a bit more than half allow employees to use their own devices. Given the recession, IT budgets have been very tight, so is BYOD an opportunity to avoid spending? The operating systems and CPUs differ from those of PCs; does this provide a measure of protection? How can employees connect to the company's IT services: WiFi, Ethernet (netbooks, pads), or a smart phone used as a USB thumb drive? Do many companies have any policies regarding acceptable sources of apps, a blacklist of apps, or a policy on connecting to the IT infrastructure?