Electronic Authentication: More Than Just a Password
Nicholas Davis, Information Security
Cardinal Stritch Interview Session, May 20, 2009
Session Overview
• What electronic authentication is and why it is important
• Definitions
• Different types of authentication factors (username/password)
• Benefits and drawbacks of various authentication technologies
• “Strong Authentication”
• Question and Answer Session
Presentation Style
• Blue = Topic
• Black = Informational Details
• Red = Discussion
• Audience participation is encouraged. Anytime you see red, you can begin to think about the discussion topic at hand
Authentication Defined
Authentication is the process of providing proof to a person or system that you are indeed who you claim to be.
Can you think of some examples?
Electronic authentication is similar in that it provides a level of assurance as to whether someone or something is who or what it claims to be in a digital environment.
Can you think of some examples?
Authentication Factors
• Three types of electronic authentication:
• Something you know – username/password
• Something you have – One time password device
• Something you are – Voiceprint or retinal scan
• Let’s examine these in detail!
Username and Password: Something that you know
• Sometimes has rules associated with it, such as length, or has an expiration date.
• Can you think of some other password rules?
• Why do you think password rules are enforced?
Username and Password - Benefits
• Most widely used electronic authentication mechanism in the world. People understand how to use it.
• Low fixed cost to implement and virtually no variable cost
• Fairly good for low assurance applications
• No physical device required
Username and Password - Drawbacks
• Can be easily shared on purpose
• Can be easily stolen via shoulder surfing, keyboard loggers or packet sniffers
• Can be guessed
• Can be hard to remember
• Password code is easy to hack
Make Your Passwords Strong
Passwords should:
• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Expire on a regular basis and may not be reused.
• May not contain any portion of your name, birthday, address or other publicly available information.
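As an added example (not part of the original presentation), the Python below turns the rules listed above into a checker that a registration or password-change page could run: length, mixed case, digits and punctuation, no dictionary word, no fragment of the user's name, birthday or address, no reuse of a previous password, and a separate age check for expiry. The sample wordlist, the user details and the 90-day expiry period are constructed for illustration; the 6-character minimum is the figure from the slides.

```python
import hashlib
import string
from datetime import date

# Constructed stand-in for a real multi-language dictionary (a production
# check would load full wordlists); any entry here is rejected as a password base.
SAMPLE_DICTIONARY = {"password", "welcome", "letmein", "qwerty", "dragon",
                     "soleil", "passwort", "secret"}


def personal_tokens(name="", birthday=None, address=""):
    """Fragments of publicly available information that must not appear in a password."""
    tokens = set()
    for source in (name, address):
        for part in source.lower().replace(",", " ").split():
            if len(part) >= 3:            # ignore initials and short words like "st"
                tokens.add(part)
    if birthday is not None:
        tokens.update({birthday.strftime("%Y"), birthday.strftime("%m%d"),
                       birthday.strftime("%d%m"), birthday.strftime("%Y%m%d")})
    return tokens


def password_hash(password):
    """Hash used only to compare a candidate against history without keeping old
    passwords in the clear; a real credential store would use a slow, salted KDF."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, *, name="", birthday=None, address="",
                   previous_hashes=(), dictionary=SAMPLE_DICTIONARY,
                   min_length=6):
    """Return the list of rules the candidate violates (empty list = accepted)."""
    violations = []
    if len(candidate) < min_length:
        violations.append("too short")
    if not (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)):
        violations.append("no mixed case")
    if not any(c.isdigit() for c in candidate):
        violations.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        violations.append("no punctuation")

    lowered = candidate.lower()
    # Strip digits and punctuation so that "Password1!" is still caught as the
    # dictionary word "password".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in dictionary or letters_only in dictionary:
        violations.append("dictionary word")

    matched = sorted(t for t in personal_tokens(name, birthday, address)
                     if t in lowered)
    if matched:
        violations.append("personal information: " + ", ".join(matched))

    if password_hash(candidate) in set(previous_hashes):
        violations.append("reused")
    return violations


def password_expired(set_on, today, max_age_days=90):
    """True when the password is older than the policy allows and must be changed."""
    return (today - set_on).days > max_age_days


if __name__ == "__main__":
    # Constructed user record for the demonstration.
    user = dict(name="Nicholas Davis", birthday=date(1970, 5, 20),
                address="123 Main Street")
    for candidate in ("abc", "Password1!", "davis1970", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, **user) or "accepted")
    print("expired:", password_expired(date(2009, 1, 1), date(2009, 5, 20)))
```

The checker returns every violated rule rather than stopping at the first, so the user sees the whole list at once; the dictionary test is run on the letters of the candidate alone, otherwise appending a digit and a punctuation mark to a common word would satisfy the policy while defeating its purpose.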
One Time Password (OTP) Devices: Something That You Have
• Have an assigned serial number which is tied to my userid
• Device generates a new password every 30 seconds
• Server on other end knows what to expect from the device assigned to me, at any point in time
One Time Password Device - Benefits
• Difficult to share
• Constantly changing password means it can’t be stolen, shoulder surfed or sniffed
• Coolness factor!
• Let’s try to circumvent the technology!
• What would happen if I generated a one time pass code, wrote it down and then tried to use it later?
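As an added example (not part of the original presentation, which does not name a specific algorithm), the Python below shows the mechanism described on the two OTP slides using time-based one-time passwords as standardised in RFC 4226/6238: the device computes a code from a shared secret and the current 30-second time step, and the server, knowing the secret tied to the user's device serial, computes the same code and checks it. It also answers the "wrote it down and used it later" question: the server rejects a code from an old time step, and rejects a code that has already been accepted even inside the current step. The user id, serial number and time values are constructed; the secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the device rolls to a new code every 30 seconds
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    message = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """What the token displays at a given Unix time: HOTP over the time step."""
    return hotp(secret, int(at_time) // step)


class OtpServer:
    """Server side: stores each user's device serial and secret, so it can
    compute the expected code for any time step."""

    def __init__(self):
        self.devices = {}     # userid -> device record

    def enroll(self, userid, serial, secret):
        self.devices[userid] = {"serial": serial, "secret": secret,
                                "last_counter": -1}   # highest step already accepted

    def verify(self, userid, code, now, window=1):
        """Accept the code only if it matches the current step (or one step either
        side, to allow for clock drift) and has not been accepted before."""
        device = self.devices.get(userid)
        if device is None:
            return False
        current = int(now) // STEP_SECONDS
        for counter in range(current - window, current + window + 1):
            if counter <= device["last_counter"]:
                continue          # already used, or older than an accepted code: replay
            if hmac.compare_digest(hotp(device["secret"], counter), code):
                device["last_counter"] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed enrolment: secret is the RFC 4226 test-vector key, serial is made up.
    secret = b"12345678901234567890"
    server = OtpServer()
    server.enroll("ndavis", "SN-000001", secret)
    code = totp(secret, 1000)
    print("immediate use:", server.verify("ndavis", code, 1000))                     # True
    print("same code again:", server.verify("ndavis", code, 1005))                   # False: replay
    print("ten minutes later:", server.verify("ndavis", totp(secret, 1000), 1600))   # False: old step
```

The `last_counter` field is what makes the scheme one-time: without it a code copied during its 30-second window could be submitted a second time, and the drift window of one step would otherwise give a captured code up to 90 seconds of life.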
One Time Passwords - Drawbacks
• Cost!
• Rank very low on the washability index
• Uncomfortable
• Expiration
• Battery life
• Can be forgotten at home
Biometrics: Something That You Are
• Use a unique part of your body to authenticate you, such as your voice pattern, your retina, or your fingerprint
Biometrics Benefits
• Harder to steal than even a One Time Password since it is part of the user, not simply in their possession like an OTP device
• Absolute uniqueness of authentication factor
• Coolness factor
Biometrics Drawbacks
• Cost
• Complexity of administration
• Highly invasive
• Not always reliable – false negatives
• Not foolproof
• The Gummi Bear thief!
Single Factor vs. Multifactor vs. Dual Factor
• Single Factor – Using one method to authenticate.
• Dual Factor – Using two different types of authentication mechanism to authenticate
• Multifactor – Using multiple forms of the same factor. (Password + identifying an image that only you would know)
• Some people claim multifactor is just a way around industry regulations. A good test is to ask: could I memorize both of these?
Key Concepts
• Current online password based authentication techniques are weak at best: Most rely on multiple single factors
• Password Credentials are easily stolen from consumers, and rarely change
• Lack of consistency in authentication processes confuses consumers
Summary
• There are three types of authentication technologies:
– Something you know
– Something you have
– Something you are
• Password is the weakest
• Biometrics is the strongest
Audience Discussion and Q&A
• Describe which types of authentication technologies are incorporated into your ATM card
• How do you feel about the use of biometrics?
• Name a situation in which you think biometrics should be used for authentication