Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?] Joe St Sauver, Ph.D.


Multi-Factor Authentication: Do I Need It, and How Do I Get Started? [And If I Do Need It, Why Aren't Folks Deploying It?]
Joe St Sauver, Ph.D. Internet2 Global Summit, Denver, Colorado. Tuesday, April 8th, :00-4:00PM, Governor's Square 10. Disclaimer: all opinions expressed are strictly my own.

Everyone Agrees That Passwords Are Insecure
Passwords are potentially vulnerable to sniffing, brute forcing, phishing, hash cracking, reset attacks, etc. We know that we could do better, typically by combining a regular password with a "second factor" such as a registered mobile phone (or a smart card, or a biometric method, etc.) Nonetheless, as far as we can tell, the higher education community still hasn't broadly embraced multifactor. WHY?

Really, Please Tell Us! We Need to Know!
No one knows better than you why you're not currently using MFA everywhere on campus. If you could simply tell us, that would be great. Unfortunately, we believe that at least in some cases sites that aren't doing MFA may not have thought much about why they're not doing MFA (or at least may not be able to articulate why). Therefore, we'd like to suggest a few potential reasons, and then see if any of these reasons resonate with you. Please speak up if any of these do strike a chord with you....

"MFA's On Our List, We're Just Really Busy"
This may be the most common reason why at least some sites haven't done MFA yet: they're just really busy with lots of other projects. Is "I'm too busy" the main holdup for MFA at your site? Do you want to do MFA, but worry that deploying MFA would take too long or demand too much in the way of staff resources? If that's the case for your site, how long (order of magnitude) do you think deploying MFA would actually take? And what's a higher priority on your to-do list? How can we make deployment easier, or a higher priority?

"MFA's Too Expensive" (Or Is It?)
Another commonly heard (historical) reason for not deploying MFA broadly was that it was "too expensive." That may have been true at one point, but these days the out-of-pocket cost of some enterprise MFA solutions is under a dollar per person per year. That's pretty cheap. Some of us may even have accounts from 3rd party cloud providers (such as Google) where we can enable use of MFA for free. And yet, somehow, many sites (and many users) still don't use it. So is money really the issue?

For Financial Comparison Purposes...
Universities routinely spend $1/user/year (or more) on antivirus software. Why? Well, most sites worry a LOT about malware (bots, worms, trojan horses, etc.) But isn't phishing just as big a deal? Wouldn't it be worth $1/user/year to make (most) phishing go away, too? And how much do we spend recovering from plain old password failures? Wouldn't it make more sense to spend a little money on MFA to prevent breaches rather than a lot of money recovering from phishing attacks? What do YOU think? Is MFA still too expensive? How much would you and your site be willing to pay for MFA?

"MFA's Too Big A Pain To Use" (Or Is It?)
If you log in many times a day and need to copy six or eight secret digits from a hard token each time you do so, I could easily see that quickly becoming a huge pain. These days, however, MFA has become easier to use (just push "OK" on a smart phone while logging in, for example), and in other cases, use of risk-based approaches means that MFA won't pester you at all unless you're doing something "unusual" (or particularly "significant"). Thus MFA isn't as painful to use as it once was – is it? What do those of you in the audience think? Is MFA still too painful to routinely use? If so, in what way? How could we make it easier for you to use?
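To make the risk-based approach above concrete, here is an added illustration (my own code, not from the presentation) of a step-up policy that prompts for the second factor only when a login looks "unusual" or the action is "significant"; the signal names, weights, action list and LoginContext schema are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Hypothetical "significant" actions (the slides mention things like changing
# HR/direct-deposit data): these always require the second factor.
SENSITIVE_ACTIONS = {"change_direct_deposit", "edit_hr_record", "router_enable"}

# Made-up weights: each "unusual" signal adds risk; a real site would tune these.
WEIGHTS = {"new_device": 40, "new_network": 20, "foreign_country": 30}


@dataclass(frozen=True)
class LoginContext:
    """Signals an IdP usually has at login time (hypothetical schema)."""
    user: str
    action: str             # what the user is about to do after authenticating
    device_known: bool      # browser/device previously registered to this user
    network_known: bool     # source network seen before for this user
    country: str            # geolocated source country of this login
    home_country: str       # country the user normally authenticates from
    hours_since_mfa: float  # hours since this device last completed MFA


def risk_signals(ctx: LoginContext) -> list[str]:
    """Name the unusual signals present in this login (kept for audit logs)."""
    signals = []
    if not ctx.device_known:
        signals.append("new_device")
    if not ctx.network_known:
        signals.append("new_network")
    if ctx.country != ctx.home_country:
        signals.append("foreign_country")
    return signals


def step_up_required(ctx: LoginContext, threshold: int = 40,
                     remember_hours: float = 12.0) -> tuple[bool, list[str]]:
    """Return (prompt_for_second_factor, reasons) for one login attempt."""
    if ctx.action in SENSITIVE_ACTIONS:
        return True, [f"sensitive_action:{ctx.action}"]
    signals = risk_signals(ctx)
    if sum(WEIGHTS[s] for s in signals) >= threshold:
        return True, signals
    # Routine login on a known device that did MFA recently: don't pester.
    if ctx.device_known and ctx.hours_since_mfa <= remember_hours:
        return False, ["recent_mfa_on_known_device"]
    # Low risk, but the remembered-MFA window has lapsed: re-verify.
    return True, ["mfa_window_expired"]


# Constructed sample logins for one user: routine, travelling, payroll, stale.
ROUTINE = LoginContext("jdoe", "login", True, True, "US", "US", 2.0)
TRAVEL = replace(ROUTINE, network_known=False, country="DE")
PAYROLL = replace(ROUTINE, action="change_direct_deposit")
STALE = replace(ROUTINE, hours_since_mfa=30.0)
```

The reasons list is what you would write to the IdP's audit log so that a "why did it prompt me?" help-desk ticket can be answered from the record.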

"It's Not About Routine Use..."
Another thing I've heard is that MFA isn't too bad when it comes to routine use; it's the problems that MFA can cause when things are unusual that worry folks:
-- I forgot my MFA device at home, what do I do now?
-- I just got a new phone. How do I update the devices that the MFA system uses for me?
-- If I use a cloud-based MFA solution, what happens if our site gets DDoS'd and we can't access the cloud?
Are exceptions really the roadblock? Do we need to focus on making sure that failure paths resolve painlessly?

"We Don't Have Anything Top Secret"
This is another commonly heard comment... namely, that from a risk management POV, MFA is "overkill" for regular university users. At sites where this is the case, you'll often see "targeted deployments:" "we'll just do MFA for high risk accounts only" (or comments to the effect that "nobody's really interested in just plain old student accounts," etc.) In fact, however, we know that even a "mere" student account can still be leveraged to send spam, or it can be used as a stepping stone for attacks against higher value assets. Even "just" student accounts really can matter. Or consider faculty/staff access that's able to be used to access/change HR records (including things like direct deposit destinations).... ALL employees MAY need MFA.

"We'll Do MFA When Everyone Else Does"
This is what is sometimes referred to as the "herd phenomenon" or "critical mass problem" in higher ed. That is, at least some sites aren't willing to adopt a new technology until it becomes a well accepted practice for higher education as a whole (or at least well accepted for their peer cohort institutions). Of course, this has the potential to cause deadlocks unless/until you can get a critical mass of institutions to take a leadership role and set the example for others... If MFA is the right thing to do, and important, is your site willing to be an MFA leader rather than an MFA follower?

"We'll Do MFA When Compliance Requires It"
As we discuss in another session during the Global Summit, there's growing emphasis on governance, risk and compliance these days. Some sites may have gone so far as to say that GRC is their top priority, and if a potential project isn't something required by GRC mandates, it isn't going to get done. Is it possible that GRC considerations are derailing MFA at your site?

"I Can't Tell What Sort of MFA I Should Do!"
Are there just too many MFA possibilities? Are you confused about what product or technology you should choose? Traditional cryptographic hard tokens? Personal certs on smart cards or USB-format PKI hard tokens? Smart phone-based solutions? Biometrics?

"MFA Can't Totally Prevent All Authentication Risks, So Why Bother?"
Sometimes people are profoundly disappointed that MFA isn't a magic bullet that will perfectly protect all users against all possible authentication-related attacks. For example, hypothetically, at least some "man-in-the-browser" attacks may continue to work, even if users are using MFA (e.g., the user may *think* they're confirming access to their secured site, but in reality a third party may be intercepting the user's MFA input and using it for their own nefarious purposes). Are we really going to let a "quest for the perfect" prevent us from making genuine meaningful progress?

"Using MFA Doesn't Eliminate Passwords!"
Some sites hate passwords and may have hoped that deploying "multifactor auth" would somehow let them completely eliminate passwords. Because passwords normally remain half of the MFA process, doing MFA usually doesn't mean that you'll be "eliminating passwords." Given that, doing MFA means you end up with passwords (which you hate), PLUS potentially something else, too. That's not really what folks would prefer, I suspect. Did I capture this one correctly? Is this the "big deal" that's delaying deployment of MFA at your school?

MFA Doesn't Have to Include Passwords
If you wanted to, you could try a password-less multifactor combination. One option might be something you have (like your smart phone) plus some sort of biometric factor (perhaps a voice recognition-based method)? Or what if you just used a smart card that had a client certificate on it, secured with just a single local password? Would *that* be sufficiently "non-passwordy" from a user's POV? Are we really ready to finally kick the "password habit?"

"There Are Too Many Campus Services That Need MFA Protection!"
For example, hypothetically you might want to secure "enable" access to your routers, and "root" access to large shared systems, and faculty access to your VPN, and web access to your ERP system, and... If you have to implement MFA support for campus services on a service-by-service basis, that can feel daunting. But what if you could secure broad chunks of your infrastructure in one fell swoop?

MFA Done At Scale via Federated IdPs
If we assume that institutional identity management is federated (e.g., Shibboleth), can we deploy MFA for an entire IdP? If so, does that make this service-by-service deployment issue go away, at least for web-based applications? I think the multifactor multi-context broker (MCB) will help make this a reality (see Context+Broker). Is this the key we've been looking for? How can we work to ensure that SPs actually leverage MFA?

What About Assurance As a Potential Driver?
We know that higher levels of assurance routinely require multifactor security. Is a desire to attain LOA-3 or LOA-4 enough to drive adoption of multifactor auth? Maybe, but currently we don't have an LOA-3 or LOA-4 class assurance profile (e.g., nothing like InCommon "Gold" or InCommon "Platinum" yet), in part because the community has been slow to identify use cases where LOA-3 or LOA-4 is needed. If there's no need for LOA-3 or LOA-4, why create those assurance profiles, eh? If anything, might ubiquitous deployment of multifactor help to set the stage for easier deployment of LOA-3 or LOA-4 class assurance?

Might MFA Actually Make Some People Feel Paradoxically Less Secure?
Multifactor authentication is meant to, and generally does, eliminate at least some risks. Doing MFA should make us feel MORE secure. However, human minds are funny things. Is it possible that MFA paradoxically makes us feel LESS secure? After all, doing MFA may make users think more about the possibility that their accounts may be at risk:
-- "Why do I need MFA?" Answer: "There must be really serious attacks going on against MY accounts! OMG!"
-- "I feel better knowing that my brokerage account is secured with MFA... but what about my bank account and all my other sensitive accounts??? All my other accounts don't use MFA! OMG!"

MFA's "Not Really About MFA?"
Normally we think about MFA being all about authentication (heck, "authentication" is even part of the name!) However, is the real potential driver for "MFA" something else, like end-to-end encryption or digital signatures? Those sorts of objectives are facilitated by some types of "multifactor technologies" (such as the client certificates usable for S/MIME), but not by others (such as phone-based 2nd channel methods). If the benefits of MFA aren't being seen, is it because we're focusing on the wrong sort of "MFA" technologies and not thinking about these ancillary benefits?