Security PS Evaluating Password Alternatives Bruce K. Marshall, CISSP, IAM Senior Security Consultant
Key Presentation Points
- Authentication Model
- Authenticator Characteristics
- Knowledge Based Authenticators
- Possession Based Authenticators
- Biometric Based Authenticators

Identification & Authentication
- Identification: a process for presenting an identity for use.
- Authentication: a process for validating proof of an identity.

Authentication System Model (components): Authenticator, Input, Transport, Verification

Authenticator Types
- What you know: Passwords, Passphrases, Secret Answers, Graphical Passwords
- What you have: ID Cards, Password List, One-Time Password Tokens, Certificates & Private Keys
- What you are: Physical Features, Psychological Traits

Authenticator Characteristics
- Usability: how effectively can people operate it
- Uniqueness: how distinct is the proof
- Integrity: how difficult is it to guess, forge, or steal
- Affordability: how much does it cost to buy or maintain
- Accuracy: how often do mistakes occur

PINs and Secret Answers
Personal Identification Number (PIN)
- Very simple authenticator
- Difficult to enforce hard-to-guess PINs
- May include non-numeric characters
Secret Answers
- One or more correct answers authenticates an asserted identity
- Users may be allowed to define questions
- Typically a secondary authenticator

Passwords
- Based on a string of characters
- Usually too predictable (i.e. poor uniqueness):
  - Length rarely greater than 8 characters
  - Often consist of words or names
  - Typically composed of lowercase letters
  - Users often think alike when choosing passwords
  - Same password used across systems
  - Not changed frequently enough
- Controlled through requirements for character use, length, and pattern matching

Case Study 15 Password Analysis

Password Characteristics: rating grid (Poor / Fair / OK / Good / Excellent) for Usability, Uniqueness, Integrity, Affordability and Accuracy; the individual ratings are not shown in the transcript.

Passphrases
- Multiple words, typically mixed case with numbers and symbols
- Improvement upon passwords with little user learning curve
- Not much study yet on predictability
Examples: “The light of the M00N struck me in June”, “SeattleSeahawksSingSadSongS4ME”, “emmyis7”
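The Passwords and Passphrases slides describe the three control axes (character use, length, pattern matching) and the weak shapes to catch (a single word or name, a word with a few digits appended). The following checker is an added example, not from the presentation; its word list is a constructed stand-in for a real dictionary, and the minimum length is an assumed policy value.

```python
import re

# Constructed stand-in for a dictionary of common words and names;
# a deployment would load a large list from disk.
COMMON_WORDS = {"password", "seattle", "seahawks", "emmy", "june", "moon",
                "light", "summer", "letmein", "qwerty"}

def check_secret(secret: str, min_len: int = 12) -> list[str]:
    """Return the policy violations for a password or passphrase.

    Rules follow the slide's three control axes: length, character use and
    pattern matching. An empty list means the secret passes.
    """
    problems = []
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
               ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")]
    present = [name for name, pat in classes if re.search(pat, secret)]
    if len(present) < 3:
        problems.append("fewer than three character classes")
    # Split into words on spaces and CamelCase boundaries so that a
    # multi-word passphrase is recognised as such.
    words = [w.lower() for w in re.findall(r"[A-Z]?[a-z]+", secret) if len(w) >= 3]
    hits = [w for w in words if w in COMMON_WORDS]
    if len(words) <= 1 and hits:
        problems.append(f"single dictionary word: {hits[0]}")
    if re.search(r"(.)\1\1", secret):
        problems.append("three or more repeated characters")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", secret):
        problems.append("word followed only by a few digits")
    return problems

if __name__ == "__main__":
    for s in ("emmyis7", "password1", "The light of the M00N struck me in June"):
        print(repr(s), "->", check_secret(s) or "OK")
```

Of the slide's three sample passphrases, only “emmyis7” is rejected (short, two character classes, word plus digits).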

Graphical Passwords
- Rely on memory of images to authenticate
- Users select, draw, or manipulate pictures
- Relatively young technology that needs more attention

“What You Have” Authenticators: Magnetic-stripe cards, RF & Wiegand cards, Stored-value cards, Password lists

One-Time Password (OTP) Tokens
- Generate a new password for each use
- Can be challenge/response-based
- Based on a unique, secret token seed value (and usually synchronized time)
- Implemented with hardware or software
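The OTP slide names the two ingredients of a time-synchronized token: a per-token secret seed and the current time step. This added example (not from the presentation) implements that scheme as HOTP/TOTP per RFC 4226 and RFC 6238 with the standard library, plus the verifier-side pieces a practitioner cares about: a small drift window and a replay guard so a code cannot be accepted twice. The seed value is the RFC's published test seed; the class and its names are assumptions.

```python
import hashlib
import hmac
import struct
import time

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the current time step."""
    return hotp(seed, at // step, digits)

class TokenVerifier:
    """Server side: shared seed per token, tolerance window, replay guard."""
    def __init__(self, seed: bytes, window: int = 1, step: int = 30):
        self.seed, self.window, self.step = seed, window, step
        self.last_step = -1          # highest time step already accepted

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        lo = max(0, current - self.window)
        for candidate in range(lo, current + self.window + 1):
            if candidate <= self.last_step:      # replay or stale step
                continue
            expected = hotp(self.seed, candidate)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate       # burn this step
                return True
        return False

if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 6238 test seed
    now = int(time.time())
    print("current code:", totp(seed, now))
    print("verified:", TokenVerifier(seed).verify(totp(seed, now), now))
```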

OTP Token Characteristics: rating grid (Poor / Fair / OK / Good / Excellent) for Usability, Uniqueness, Integrity, Affordability and Accuracy; the individual ratings are not shown in the transcript.

Digital Certificates
- Rely on the use of private and public keys
- Typically require a Public Key Infrastructure (PKI) for certificate creation, publication, renewal, & revocation

Digital Certificate Characteristics: rating grid (Poor / Fair / OK / Good / Excellent) for Usability, Uniqueness, Integrity, Affordability and Accuracy; the individual ratings are not shown in the transcript.

Smart Cards
- Microprocessor with memory that can generate and store keys and certificates
- Different form factors and interfaces
- Cryptographic functions using the private key are processed on the card itself

Smart Card Characteristics: rating grid (Poor / Fair / OK / Good / Excellent) for Usability, Uniqueness, Integrity, Affordability and Accuracy; the individual ratings are not shown in the transcript.

Biometric Authenticators
“The automated use of physiological or behavioral characteristics to determine or verify identity.” - International Biometrics Group
- Rely on interpretation of the ‘minutiae’ of a biometric trait
- Maturing technology and standards
- Increasingly used for physical security

Biometric Authenticators: 2004 Market Share (data source: International Biometrics Group)
- Fingerprint = 48%
- Face = 12%
- Hand = 11%
- Eye (Iris) = 9%
- Voice = 6%
- Keyboarding = <1%

Biometric Characteristics: rating grid (Poor / Fair / OK / Good / Excellent) for Usability, Uniqueness, Integrity, Affordability and Accuracy; the individual ratings are not shown in the transcript.
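The Accuracy characteristic (“how often do mistakes occur”) is, for a biometric matcher, a trade-off between false accepts and false rejects set by the decision threshold. This added example (not from the presentation) computes both rates over a constructed set of matcher scores and picks two operating points a deployer might choose: the equal-error threshold and the lowest threshold meeting a false-accept ceiling. The score scale and sample values are constructed.

```python
from dataclasses import dataclass

# Constructed matcher similarity scores (0..100) from enrollment trials.
# "genuine" = same person as the stored template, "impostor" = someone else.
GENUINE_SCORES = [82, 88, 91, 76, 95, 69, 84, 90, 87, 79]
IMPOSTOR_SCORES = [31, 45, 52, 28, 61, 40, 73, 35, 48, 55]

@dataclass
class ErrorRates:
    threshold: int
    far: float   # false accept rate: impostors scoring >= threshold
    frr: float   # false reject rate: genuine users scoring < threshold

def error_rates(threshold: int, genuine, impostor) -> ErrorRates:
    """FAR/FRR of an accept-if-score>=threshold rule on the given samples."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return ErrorRates(threshold, far, frr)

def sweep(genuine, impostor) -> list[ErrorRates]:
    """Error rates at every integer threshold of the 0..100 score scale."""
    return [error_rates(t, genuine, impostor) for t in range(0, 101)]

def equal_error_threshold(genuine, impostor) -> ErrorRates:
    """Operating point where FAR and FRR are closest (the EER point)."""
    return min(sweep(genuine, impostor), key=lambda r: abs(r.far - r.frr))

def max_far_threshold(max_far: float, genuine, impostor) -> ErrorRates:
    """Lowest threshold whose FAR does not exceed max_far, with its FRR."""
    for r in sweep(genuine, impostor):
        if r.far <= max_far:
            return r
    return error_rates(101, genuine, impostor)   # reject everything

if __name__ == "__main__":
    print("EER point:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR<=0  :", max_far_threshold(0.0, GENUINE_SCORES, IMPOSTOR_SCORES))
```

Raising the threshold to eliminate false accepts (better Integrity) costs genuine users rejections (worse Usability), which is the trade-off the characteristics grid is meant to surface.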

Multi-Factor Authenticators
- Stronger authentication?
- Can combine best features
- Might combine worst features
- Do not want an “Ident-I-Eeze”*
* Coined by Douglas Adams in his book Mostly Harmless.

Summary & Call to Action
- Focus on the entire authentication system
- Evaluate suitability of authentication solutions for your specific environment
- Do consider the Integrity of authenticators, but don’t forget about other characteristics
- Assess & fortify password-dependent systems
- Visit

Questions?