RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
Uploaded by: mike-schwartz
Transcript of RSA Conference 2016: Don't Use Two-Factor Authentication... Unless You Need It!
Page 1
#RSAC
Page 2
Obama says use two factors…
https://nakedsecurity.sophos.com/2016/02/12/obama-says-passwords-arent-strong-enough-urges-use-of-2fa/
Page 3
Progress = Obliviousness
2FA = two-factor authentication
Page 4
Authentication tradeoffs…
Page 5
Protect your money!
The FFIEC issued guidance in 2005 entitled “Authentication in an Internet Banking Environment”
Source: https://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
“… the techniques employed should be commensurate with the risks associated with the products and services offered”
Page 6
What is Trust Elevation?
Page 7
Agenda
Background on authentication technology: where are we today?
Deep dive into OAuth2: what features does it have to support Trust Elevation?
Trust Elevation across domain boundaries
GOAL: Make you aware of some of the challenges we face to enable Trust Elevation
Page 8
What is Multi-Factor Authentication?
NIST defines this as two or more of…
Something you know
Something you have
Something you are
Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
Page 9
Risk Scores
Page 10
Contextual Combinations Complicate
Is the IP address a known hacker? Was the device rooted? Is a browser cookie present? Is the device running virus protection? Is the location recognized? When was the credential issued? What is the time of day?
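The slide lists the contextual signals a risk engine asks about but not how they combine into a decision. The following is an added example, not code from the talk: it scores those same signals and maps the score to the weakest acr the application should accept, so the app can tell whether the current session needs trust elevation. The weights, thresholds, acr URIs and the sample contexts are constructed for illustration and would be tuned per deployment.

```python
"""Risk-scored trust elevation decision (added example, constructed weights)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed acr URIs, ordered weakest to strongest (assumption, not a standard).
ACR_PASSWORD = "http://example.com/acr/password"
ACR_OTP = "http://example.com/acr/otp"
ACR_BIOMETRIC = "http://example.com/acr/basic_bio"
ACR_ORDER = [ACR_PASSWORD, ACR_OTP, ACR_BIOMETRIC]


@dataclass(frozen=True)
class Context:
    ip_on_blocklist: bool            # "Is the IP address a known hacker?"
    device_rooted: bool              # "Was the device rooted?"
    cookie_present: bool             # "Is a browser cookie present?"
    antivirus_running: bool          # "Is the device running virus protection?"
    location_recognized: bool        # "Is the location recognized?"
    credential_issued_at: datetime   # "When was the credential issued?"
    request_time: datetime           # "What is the time of day?"


def risk_score(ctx: Context) -> int:
    """Higher is riskier. Weights are constructed, not from the talk."""
    score = 0
    if ctx.ip_on_blocklist:
        score += 50
    if ctx.device_rooted:
        score += 30
    if not ctx.cookie_present:
        score += 15   # first visit from this browser
    if not ctx.antivirus_running:
        score += 10
    if not ctx.location_recognized:
        score += 20
    # A credential issued less than a day ago has no usage history behind it.
    if ctx.request_time - ctx.credential_issued_at < timedelta(days=1):
        score += 10
    # Off-hours access (constructed rule: 00:00-05:59) is unusual for this app.
    if ctx.request_time.hour < 6:
        score += 10
    return score


def required_acr(score: int) -> str:
    """Map a risk score to the weakest acr the app should accept."""
    if score >= 50:
        return ACR_BIOMETRIC
    if score >= 20:
        return ACR_OTP
    return ACR_PASSWORD


def needs_elevation(current_acr: str, score: int) -> bool:
    """True when the session's acr is weaker than the score demands,
    i.e. the app should send the person back to re-authenticate."""
    return ACR_ORDER.index(current_acr) < ACR_ORDER.index(required_acr(score))


# Constructed sample contexts so the module can be exercised offline.
T_NOON = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)
LOW_RISK = Context(False, False, True, True, True, T_NOON - timedelta(days=90), T_NOON)
NEW_PLACE = Context(False, False, False, True, False, T_NOON - timedelta(days=90), T_NOON)
HOSTILE = Context(True, True, False, False, False, T_NOON.replace(hour=1), T_NOON.replace(hour=3))

if __name__ == "__main__":
    for name, ctx in [("low", LOW_RISK), ("new place", NEW_PLACE), ("hostile", HOSTILE)]:
        s = risk_score(ctx)
        print(name, s, required_acr(s), "elevate from password:", needs_elevation(ACR_PASSWORD, s))
```

The point of the ordering list is that the decision is about relative strength: the app never asks for "2FA" as such, it asks for "at least this acr", which is what lets the same policy engine answer differently for a known laptop at noon and a rooted phone at 3 a.m.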
Page 11
“…every scheme does worse than passwords on deployability”
http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf
Page 12
OAuth2 will make 2FA more “deployable”
Applications should use Standard API’s for authentication and Trust Elevation!
No “one-offs”
Good intro to OAuth2: http://nordicapis.com/api-security-oauth-openid-connect-depth/
Page 13
Enter OAuth2
Resource Server, i.e. APIs
Client, i.e. website or mobile app
Authorization Server, i.e. Secure Token Service
Page 14
OpenID Connect
Resource Server = user_info API
To call this API, you need an Access Token
Page 15
Importance of Audience
https://hanszandbelt.wordpress.com/2015/12/14/the-importance-of-audience-in-web-sso/
Page 16
OpenID Connect: Client Registration, Discovery too!
http://openid.net/connect
Page 17
Overview of Authorization Code Flow
Relying Party (RP) redirects person to OpenID Provider (OP) for authorization
Authentication happens only once!
OP returns code to RP
RP uses code to get tokens from OP
RP uses access token to obtain user claims from /user_info API: {"given_name": "Mike", "family_name": "Schwartz"}
Page 18
OpenID Connect id_token
Information about authentication event
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "3214244",
  "iat": 1311195570,
  "exp": 1311281970,
  "auth_time": 131195001,
  "acr": "http://example.com/basic_bio",
  "amr": ["eye", "pwd", "12"]
}
Page 19
ACR and AMR
How does the app know what kind of authentication happened?
Page 20
OpenID Provider Discovery
GET host + /.well-known/openid-configuration
Page 21
OpenID Dynamic Client Registration
Page 22
Authentication Request
In the request, acr_values is actually a space-delimited string…
Page 23
id_token
Returned id_token confirms acr and amr values
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "aud": "3214244",
  "iat": 1311195570,
  "exp": 1311281970,
  "auth_time": 131195001,
  "acr": "http://example.com/basic_bio",
  "amr": ["eye", "pwd", "12"]
}
Page 24
App Policy
GET https://example.com/finance
Just an example… using OpenID Connect alone, you could require a certain type of authentication
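The slides on discovery, the authentication request, the returned id_token and the app policy describe one Relying Party workflow end to end. The following is an added example, not code from the talk: the RP reads acr_values_supported from a discovery document, builds the authorization-code request with acr_values as a space-delimited string, checks the id_token claims it must trust before acting on acr and amr, and enforces a path policy such as "/finance requires the biometric acr". The discovery document, client_id, redirect URI, policy table and acr URIs are constructed; signature verification of the id_token is assumed to have happened with a JOSE library and is not shown.

```python
"""OpenID Connect acr/amr handling for an app-level step-up policy (added example)."""
import time
from urllib.parse import urlencode

# Constructed discovery document, i.e. what GET /.well-known/openid-configuration returns.
DISCOVERY = {
    "issuer": "https://server.example.com",
    "authorization_endpoint": "https://server.example.com/authorize",
    "acr_values_supported": ["http://example.com/basic_bio", "http://example.com/pwd"],
}

CLIENT_ID = "3214244"                               # matches the "aud" of the talk's id_token
REDIRECT_URI = "https://rp.example.org/callback"    # constructed

# Constructed app policy: path prefix -> acr values that satisfy it (any one suffices).
APP_POLICY = {
    "/finance": {"http://example.com/basic_bio"},
    "/": {"http://example.com/basic_bio", "http://example.com/pwd"},
}


def build_auth_request(acrs, state, nonce):
    """Authorization-code request. acr_values is a space-delimited string, not a list."""
    unsupported = [a for a in acrs if a not in DISCOVERY["acr_values_supported"]]
    if unsupported:
        raise ValueError(f"OP does not advertise acr(s): {unsupported}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,      # CSRF binding for the redirect
        "nonce": nonce,      # replay binding for the id_token
        "acr_values": " ".join(acrs),
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params)


def validate_id_token_claims(claims, expected_nonce=None, now=None):
    """Checks an RP must make before trusting acr/amr (signature assumed verified).
    Returns (acr, amr)."""
    now = time.time() if now is None else now
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client (aud)")
    if now >= claims.get("exp", 0):
        raise ValueError("id_token expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims.get("acr"), claims.get("amr", [])


def authorize_path(path, claims, now=None):
    """Return (allowed, acrs_to_request). When the session's acr is too weak for
    the path, the RP sends the person back to the OP with acr_values set."""
    acr, _amr = validate_id_token_claims(claims, now=now)
    required = APP_POLICY["/"]
    for prefix, acrs in APP_POLICY.items():
        if prefix != "/" and path.startswith(prefix):
            required = acrs
    if acr in required:
        return True, None
    return False, sorted(required)


if __name__ == "__main__":
    # Constructed session claims: password-only login.
    session = {"iss": "https://server.example.com", "sub": "248289761001", "aud": "3214244",
               "iat": 1311195570, "exp": 1311281970, "acr": "http://example.com/pwd", "amr": ["pwd"]}
    allowed, need = authorize_path("/finance", session, now=1311200000)
    if not allowed:
        print("step up via:", build_auth_request(need, state="s1", nonce="n1"))
```

Note that the acr decision is only meaningful after the issuer, audience and expiry checks pass: an acr claim in a token minted for a different client (the "importance of audience" point earlier in the deck) says nothing about this application's session.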
Page 25
Best Practice: Centralize Policy Management
Page 26
UMA
Protect any API: require an RPT Token
Page 27
UMA In 60 seconds
Client Calls API without RPT Token
RS obtains Permission Ticket from AS and returns it to Client
Client presents ticket to AS
AS evaluates policies. If ok, issues RPT token (bearer)
Client calls API with RPT Token
RS introspects Token: if ok, returns content
Page 28
Subtle difference… scope references policy
Scope-based access: a level of abstraction that enables the central policy decision point to decide which acr is required
Page 29
What kind of policies can you make?
Page 30
Elevating Trust using UMA
You are Forbidden because you need acr…
Page 31
Re-Authenticate!
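The six steps of "UMA in 60 seconds", the scope-references-policy point and the "Forbidden because you need acr…" then "Re-Authenticate!" slides describe one exchange. The following is an added simulation, not code from the talk or from any UMA implementation: an in-memory Authorization Server (AS) and Resource Server (RS) walk the six steps, the AS policy is keyed on scope and resolves to a required acr, and when the session's acr is too weak the AS answers with the acr it needs so the client can re-authenticate and retry. Resource paths, scopes, acr URIs and their strength ordering are constructed; the `reauth` callable stands in for a fresh OpenID Connect request with acr_values.

```python
"""UMA-style API protection with acr-based trust elevation (added simulation)."""
import secrets

ACR_PWD = "http://example.com/pwd"
ACR_BIO = "http://example.com/basic_bio"
STRENGTH = {ACR_PWD: 1, ACR_BIO: 2}   # constructed ordering of acr strength


class AuthorizationServer:
    def __init__(self):
        self.tickets = {}   # permission ticket -> scope requested (single use)
        self.rpts = {}      # RPT (bearer) -> granted scope
        # Scope references policy: the central PDP decides which acr each scope needs.
        self.policy = {"read": ACR_PWD, "transfer": ACR_BIO}

    def permission_ticket(self, scope):
        """Step 2: RS registers the requested permission and gets a ticket."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = scope
        return ticket

    def rpt(self, ticket, session_acr):
        """Steps 3-4: client presents ticket; AS evaluates policy.
        Returns ("rpt", token) or ("need_acr", required_acr)."""
        scope = self.tickets.pop(ticket, None)    # ticket is consumed either way
        if scope is None:
            raise PermissionError("unknown or already-used ticket")
        required = self.policy[scope]
        if STRENGTH[session_acr] < STRENGTH[required]:
            return "need_acr", required           # "Forbidden because you need acr..."
        token = secrets.token_urlsafe(24)
        self.rpts[token] = scope
        return "rpt", token

    def introspect(self, token):
        """Step 6: RS asks the AS whether the RPT is active and for which scope."""
        scope = self.rpts.get(token)
        return {"active": scope is not None, "scope": scope}


class ResourceServer:
    def __init__(self, as_):
        self.as_ = as_
        self.resources = {"/accounts": "read", "/transfer": "transfer"}   # constructed

    def call(self, path, rpt=None):
        """Steps 1, 5 and 6. Returns (http_status, body)."""
        scope = self.resources[path]
        if rpt is None:
            return 401, {"ticket": self.as_.permission_ticket(scope)}
        info = self.as_.introspect(rpt)
        if not info["active"] or info["scope"] != scope:
            return 403, {"ticket": self.as_.permission_ticket(scope)}
        return 200, {"data": f"contents of {path}"}


def client_flow(rs, as_, path, session_acr, reauth):
    """Client side of the exchange. `reauth(required_acr)` performs the step-up
    and returns the acr the person now holds. Returns (status, body, acr_used)."""
    status, body = rs.call(path)                       # step 1: call without RPT
    assert status == 401
    acr = session_acr
    for _ in range(2):                                 # at most one step-up round
        kind, value = as_.rpt(body["ticket"], acr)     # steps 3-4
        if kind == "rpt":
            status, body = rs.call(path, rpt=value)    # steps 5-6
            return status, body, acr
        acr = reauth(value)                            # re-authenticate at the needed acr
        status, body = rs.call(path)                   # old ticket was consumed; get a new one
    raise PermissionError("step-up did not satisfy policy")


if __name__ == "__main__":
    as_ = AuthorizationServer()
    rs = ResourceServer(as_)
    print(client_flow(rs, as_, "/accounts", ACR_PWD, reauth=lambda need: need))
    print(client_flow(rs, as_, "/transfer", ACR_PWD, reauth=lambda need: need))
```

Two details matter for the defender: the RS never decides on acr itself, it only checks that the RPT is active and covers the scope it registered, so the acr rule lives in one place; and because the ticket is single-use the client has to obtain a fresh one after stepping up rather than replaying the old exchange.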
Page 32
Part III: Interdomain trust elevation
Infrastructure and security are not (usually) a basis for competition between firms in the same industry.
Page 33
SAML Federations
Normalize legal/technical
Page 34
Many SAML Federations publish user schema.
http://www.incommon.org/federation/attributesummary.html
Page 35
OAuth2 schema: not just user claims…
Page 36
Collaboration on ACR / AMR values
So what values should we use for amr and acr?
This IETF draft defines some AMR values… but it is inadequate: https://tools.ietf.org/html/draft-jones-oauth-amr-values-05
Page 37
ACR alignment
Domains need to collaborate on the values for acr and amr
Page 38
OTTO – Kantara Initiative Work Group
http://kantarainitiative.org/confluence/display/OTTO/Home
Open Trust Taxonomy for OAuth2
Page 39
SAML federations
Page 40
OAuth2 has new entities and new jargon
Page 41
Where do we need federations
Page 42
Summary
We don’t lack ways to identify people, but we lack agreement on the relative strength of these mechanisms.
OAuth2 enables centralized risk-based trust elevation, driving down the cost of deployment—the main impediment to 2FA adoption.
To enable trust elevation across domains, federations are needed.
Page 43
Action items
Don’t limit your planning to two-factor authentication. Make a plan for trust elevation!
Start architecting your applications to leverage a central policy decision point—not for all fine-grained authorization, but for key security escalations.
If you work in an ecosystem, consider collaborating (even with your competitors) to drive down the cost of security.
Page 44