Defeating the Secrets of OTP Apps
- Adelia Waters
- 5 years ago
Defeating the Secrets of OTP Apps
M.A., M.Sc. Philip Polleit, Friedrich-Alexander-Universität, Erlangen
Dr.-Ing. Michael Spreitzenbarth, Friedrich-Alexander-Universität, Erlangen

// Agenda
- Introduction
- Forensic Use
- Background
- Research
- Results
- Conclusion
// Introduction
- The information age requires secure authentication
- "Bitkom" puts the damage caused by data theft at 55 billion per year (2017, Germany only)
- August 2013: three billion Yahoo accounts affected
- April 2015: IS hackers capture TV5Monde and spread their own messages (the password was readable on TV)
- July 2017: BKA reports a database with 500 million stolen addresses (incl. passwords)
- May 2018: Twitter prompts users to change their passwords (as they had stored these unencrypted)
- > Weak passwords (user) / unsalted hashes (provider)
// Introduction (image slides)
lemotdepassedeyoutube
// Introduction
- Multi-factor authentication (MFA) provides options to overcome the risks presented
- Factors can be divided into three categories:
  - "Knowledge" (passwords, user names, PINs)
  - "Being" (e.g. fingerprint, biometric features)
  - "Possession" (hardware token, credit card, key)
- The classic implementation is the SecurID token from RSA
- "Tokenless" MFA is implemented in software
- Popular forms are so-called 2FA apps for smartphones that generate OTPs ("one-time passwords")
// Forensic Use
- The central question of any criminal procedure is causality
- A computer forensic examination proves whether the court exhibit (i.e. the PC) was used as an instrument of crime
- The examination literally stops at the keyboard
- Examining the 2FA app puts the user (perpetrator) into focus
- Otherwise the defense strategy could be: "it wasn't me"
- Analyzing the authentication process, however, closes the gap
- The chain of evidence could be closed
// Forensic Use (diagram slides; only the label "FA" survived transcription)
// Background
- Leslie Lamport formulated the idea of using OTPs in November 1981
- S = H(r_a, ggkw), see RFC 2289
- Of central importance is the "shared secret" (ggkw), as the essential basis for calculating the OTP
- Three different types can be distinguished:
  - time-controlled method
  - challenge-response controlled method
  - event-driven method
- The security of the 2FA app strongly depends on the integrity of the operating system
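To make the Background slide concrete, here is an added example (not code from the talk) that implements the mechanisms it names using only Python's standard library: a Lamport-style hash chain for the S = H(r_a, ggkw) construction behind RFC 2289 (SHA-256 is substituted for RFC 2289's folded MD4/MD5 output, so it is not bit-compatible with S/KEY), the event-driven HOTP of RFC 4226 and the time-controlled TOTP of RFC 6238; the challenge-response variant is not shown. The function names and the RFC reference secret "12345678901234567890" are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time


def lamport_chain(seed: bytes, secret: bytes, n: int) -> list:
    """Build the hash chain [H^0(S), H^1(S), ..., H^n(S)] with S = H(seed || secret).

    Lamport / RFC 2289 idea: the verifier stores only the top element H^n(S);
    the i-th login presents H^(n-i)(S), which the verifier hashes once to check.
    SHA-256 stands in for RFC 2289's folded MD4/MD5 (assumption of this example).
    """
    s = hashlib.sha256(seed + secret).digest()      # S = H(r_a, ggkw)
    chain = [s]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


def lamport_verify(stored_top: bytes, presented: bytes) -> bool:
    """One hash of the presented value must equal what the verifier stored."""
    return hmac.compare_digest(hashlib.sha256(presented).digest(), stored_top)


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """Event-driven OTP (RFC 4226): HMAC over the 8-byte big-endian counter,
    dynamic truncation, then reduction to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """Time-controlled OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else int(at)
    return hotp(secret, t // step, digits, algo)


def verify_hotp(secret: bytes, code: str, server_counter: int, window: int = 5):
    """Server-side HOTP check with a look-ahead window for codes the user skipped.
    Returns the next counter to store on success, or None on failure."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
    k = b"12345678901234567890"
    print("HOTP counter 0:", hotp(k, 0))
    print("TOTP at t=59, 8 digits:", totp(k, at=59, digits=8))
    chain = lamport_chain(b"seed", b"shared-secret", 3)
    print("Lamport login ok:", lamport_verify(chain[3], chain[2]))
```

Every code above is a pure function of the shared secret plus a counter or timestamp, which is why the slides treat the storage of that secret on the phone as the whole security question: whoever holds the secret can compute the same codes.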
// Research
The samples (2FA apps) were examined as to whether they
- analyse the environmental integrity during setup
- encrypt the shared secret (and how)
- allow cloning of the database (with stored secrets)
- disclose secrets through the network traffic they cause
- enable stealing of the shared secret
// Research
Examination procedure:
- Determine the most popular 2FA apps (cf. downloads)
- Install the apps via the Google Play Store
- Save "zero evidence" with a script (before execution)
- Record network traffic during execution
- Re-backup after execution and configuration
- Calculate the differences between the two snapshots
- Analyse the collected data
- Verify the results using tests in an AVD (Android Virtual Device)
// Results
Sample: Google Authenticator

    42:GA philip$ adb pull /data/data/com.google.android.apps.authenticator2/databases/databases/
    42:GA philip$ sqlite3 ./databases "select * from accounts" > google_authenticator_secret.txt
    42:GA philip$ cat google_authenticator_secret.txt
    1 Dropbox rffl4xngz3bzhe5g7fhji4rzra Dropbox
    42:GA philip$
// Results
Sample: Duo Mobile

    42:Duo philip$ adb pull /data/data/com.duosecurity.duomobile/files/duokit/accounts.json
    42:Duo philip$ cat accounts.json
    [
      {
        "name": "philipevalu@wegwerf.info",
        "otpgenerator": {
          "otpsecret": "HVWB64JEXHST5XG2RG5J5NFWCI"
        },
        "logouri": "android.resource://com.duosecurity.duomobile/drawable/ic_dropbox"
      }
    ]
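As an added example (not the authors' script or tooling), the following Python reproduces the snapshot-and-diff steps of the examination procedure and the kind of check behind the Google Authenticator and Duo Mobile samples: take a "zero evidence" snapshot of an app's data directory, take another after configuration, compute the differences, and search the new or changed files for the seed the examiner enrolled. The directory tree, the package name com.example.otpapp and the seed JBSWY3DPEHPK3PXP are constructed for the example; in the study the data came from adb backups and pulls of real apps, and a thorough check would also try the encodings an app might use for the seed (hex, base64, re-encoded base32) rather than only the verbatim string.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map every file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): (p.stat().st_size, hashlib.sha256(p.read_bytes()).hexdigest())
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files that appeared, disappeared or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def find_plaintext_seed(root, diff: dict, seed: str) -> list:
    """Among the added/modified files, report those containing the enrolled seed verbatim.
    The comparison is case-insensitive because base32 seeds may be stored lower-cased,
    as in the Google Authenticator sample above."""
    root = Path(root)
    needle = seed.encode().lower()
    return [rel for rel in diff["added"] + diff["modified"]
            if needle in (root / rel).read_bytes().lower()]


def demo() -> dict:
    """Constructed scenario: a hypothetical app's data directory before and after
    enrolling a token whose (constructed) seed is JBSWY3DPEHPK3PXP."""
    seed = "JBSWY3DPEHPK3PXP"
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "com.example.otpapp"        # hypothetical package name
        (app / "shared_prefs").mkdir(parents=True)
        (app / "shared_prefs" / "settings.xml").write_text("<map/>")
        (app / "cache.bin").write_bytes(b"\x00" * 16)
        before = snapshot(app)                         # "zero evidence"

        # execution and configuration: account stored, prefs rewritten, cache dropped
        (app / "databases").mkdir()
        (app / "databases" / "accounts.db").write_bytes(
            b"SQLite format 3\x00" + b"1|Dropbox|" + seed.lower().encode() + b"|Dropbox")
        (app / "shared_prefs" / "settings.xml").write_text(
            '<map><boolean name="setup_done" value="true"/></map>')
        (app / "cache.bin").unlink()
        after = snapshot(app)                          # re-backup

        diff = diff_snapshots(before, after)
        diff["plaintext_seed_in"] = find_plaintext_seed(app, diff, seed)
        return diff


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo reports the new accounts database as added, the cache file as removed, the preferences file as modified, and the database as the one file that holds the enrolled seed in clear. Restricting the seed search to the added and modified files is what keeps the analysis step tractable on a full app backup: only the files the app touched during enrolment can contain the new secret.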
// Results
Comparison table (not transcribed). Legend: X = yes; O = no; - = unwanted behavior; + = wanted behavior
// Results
- Security implementations vary greatly
- 50 % of the apps do not encrypt the shared secret
- 12.5 % of the apps only use another notation
- Security is strongly dependent on the OS
- 56 % of the apps allow copying the DB
- Only about 1/5 of the apps offer PIN protection
- Only 44 % do not generate network traffic
// Conclusion
Pro 2FA app:
- Comprehensive use of 2FA is recommended
- A 2FA app reduces the number of devices to carry
- Smartphones have more (transparent) data/sensors
Pro HW token:
- A HW token is self-sufficient -> no remote attack surface
- "Stealing" the "shared secret" undermines the factor property
- 2FA apps encourage the use of a single device only
- The spread of specific malware threatens 2FA apps
- The FIDO Alliance combines secure hardware and PKI

Thank you for your attention
Philip Polleit
Questions?
42!
Mobile Biometric Authentication: Pros and Cons of Server and Device-Based Table of Contents 01 Introduction 01 The Ongoing Debate 02 Server-Centric Architecture 02 Device-Centric Architecture 02 Advantages
More informationThe Role of PNT in Cybersecurity Location-based Authentication
The Role of PNT in Cybersecurity Location-based Authentication Dr. Michael O Connor November 14, 2013 Satelles is a Division of ikare Corporation What do we mean by Authentication? Authentication is the
More informationQuick Heal Mobile Security. Free protection for your Android phone against virus attacks, unwanted calls, and theft.
Free protection for your Android phone against virus attacks, unwanted calls, and theft. Product Highlights With an easy-to-update virus protection and a dynamic yet simple interface, virus removal from
More informationAuthenticatr. Two-factor authentication made simple for Windows network environments. Version 0.9 USER GUIDE
Authenticatr Two-factor authentication made simple for Windows network environments Version 0.9 USER GUIDE Authenticatr Page 1 Contents Contents... 2 Legal Stuff... 3 About Authenticatr... 4 Installation
More informationSee the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How?
See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How? Bruce E. Wilson Enterprise Architect May 2018 National Laboratories IT Conference ORNL is managed by UT-Battelle for the US Department
More informationPrivacy in an Electronic World A Lost Cause?
InfoSec 2015 Summer School on Information Security Bilbao Privacy in an Electronic World A Lost Cause? Dr. Jan Camenisch Cryptography & Privacy Principal Research Staff Member Member, IBM Academy of Technology
More informationPaystar Remittance Suite Tokenless Two-Factor Authentication
Paystar Remittance Suite Tokenless Two-Factor Authentication Introduction Authentication is the process by which a computer system positively identifies a user It is commonly considered to be one of the
More informationOTP Issuance/Use Manual
For B2B Administrators of Samsung Electronics Online Customer DB OTP Issuance/Use Manual (Windows Type) Contents 3 1. OVERVIEW OF OTP ISSUANCE/INSTALLATION 4 4 5 6 7 9 12 12 2. OTP ISSUANCE/INSTALLATION
More informationFIDO & PSD2. Providing for a satisfactory customer journey. April, Copyright 2018 FIDO Alliance All Rights Reserved.
FIDO & PSD2 Providing for a satisfactory customer journey April, 2018 Copyright 2018 FIDO Alliance All Rights Reserved. 1 Introduction When PSD2 is deployed in Europe, users will be able to take advantage
More informationFRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months
FRONT RUNNER DIPLOMA PROGRAM Version 8.0 INFORMATION SECURITY Detailed Course Curriculum Course Duration: 6 months MODULE: INTRODUCTION TO INFORMATION SECURITY INFORMATION SECURITY ESSENTIAL TERMINOLOGIES
More informationAll you need to know about OCBC Google Pay
All you need to know about OCBC Google Pay About Google Pay 1. What is Google Pay and can I participate as an OCBC Credit or Debit Card Member? Google Pay is a secure and easy-to-use mobile payment service
More informationDiscovering PIN Prints In Mobile Applications. Tomáš Rosa Raiffeisenbank, a.s.
Discovering PIN Prints In Mobile Applications Tomáš Rosa Raiffeisenbank, a.s. ATA Scenario Definition (ATA).Let the After-Theft Attack (ATA) be any attacking scenario that assumes the attacker has unlimited
More informationThe PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference
The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,
More informationPROVE IT! Matt and Dan, Dan and Matt, Those Fookers!
IS THAT REALLY YOU? PROVE IT! Matt and Dan, Dan and Matt, Those Fookers! Agenda slide 2 Who are we? Web Application Security Problems Business Drivers Solution Overview DEMO Who are we? slide 3 Matt Topper,
More informationCOMPUTING FUNDAMENTALS I
FALL 2017 / COMPUTER SCIENCE 105 COMPUTING FUNDAMENTALS I DAY 2 27 SEPTEMBER 2017 COURSE ADMIN COURSE ADMIN NOTECARDS - ATTENDANCE & FEEDBACK Name Student ID One of: What did you learn or find most interesting?
More informationEnhanced Mobile Security using Multi-Factor Biometric Authentication
Enhanced Mobile Security using Multi-Factor Biometric Authentication An Le Chief Technical Officer, BluStor PMC, Inc. 2013 BluStor PMC, Inc. 1 Contents The Rise of Mobile Computing... 3 Multi-Factor Biometric
More informationmhealth SECURITY: STATS AND SOLUTIONS
mhealth SECURITY: STATS AND SOLUTIONS www.eset.com WHAT IS mhealth? mhealth (also written as m-health) is an abbreviation for mobile health, a term used for the practice of medicine and public health supported
More informationKeeping Important Data Safe and Secure Online. Norm Kaufman
Keeping Important Data Safe and Secure Online Norm Kaufman Examples of Important Data Passwords and Secret Answers Personal Documents (Licenses, Passports, Insurance Cards, Credit Cards) Social Security
More informationHIPAA Compliance discussion
HIPAA Compliance discussion GoToWebinar Housekeeping: attendee participation Open and hide your control panel Join audio: Choose Mic & Speakers to use VoIP Choose Telephone and dial using the information
More informationLecture 14 Passwords and Authentication
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication
More informationAdaptive Authentication Adapter for Juniper SSL VPNs. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief
Adaptive Authentication Adapter for Juniper SSL VPNs Adaptive Authentication in Juniper SSL VPN Environments Solution Brief RSA Adaptive Authentication is a comprehensive authentication platform providing
More informationMulti-Factor Authentication: Security or Snake Oil? Steven Myers Rachna Dhamija Jeffrey Friedberg
Multi-Factor Authentication: Security or Snake Oil? Steven Myers Rachna Dhamija Jeffrey Friedberg Phishing & Identity Theft Historically most online banking done with passwords (single-factor authentication)
More informationRemote Access with Imprivata Two-factor Authentication
Remote Access with Imprivata Two-factor Authentication Migrating from RSA SecureID to Imprivata ID Token Please download and install the Imprivata ID app from the Google Play Store or Apple App Store first!
More informationAuthentication Objectives People Authentication I
Authentication Objectives People Authentication I Dr. Shlomo Kipnis December 15, 2003 User identification (name, id, etc.) User validation (proof of identity) Resource identification (name, address, etc.)
More informationNetwork Security Fundamentals
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 5 Viruses & Worms, Botnets, Today s Threats Viruses
More informationSecurity Vulnerabilities of Apple iphone Fingerprint Authentication. Suruchi Devanahalli
1 Security Vulnerabilities of Apple iphone Fingerprint Authentication Suruchi Devanahalli 2 Contents 1. Abstract 2. Introduction 2.1 The Touch ID sensor and the Secure Enclave 2.2 Fingerprint scan analysis
More informationThe State of the Trust Gap in 2015
The State of the Trust Gap in 2015 The widespread use of mobile devices for work has driven a profound change in how employees think about the privacy of their personal data on mobile devices. Ten years
More informationOptimised to Fail: Card Readers for Online Banking
Optimised to Fail: Card Readers for Online Banking Saar Drimer Steven J. Murdoch Ross Anderson www.cl.cam.ac.uk/users/{sd410,sjm217,rja14} Computer Laboratory www.torproject.org Financial Cryptography
More informationSafelayer's Adaptive Authentication: Increased security through context information
1 Safelayer's Adaptive Authentication: Increased security through context information The password continues to be the most widely used credential, although awareness is growing that it provides insufficient
More informationMobile Field Worker Security Advocate Series: Customer Conversation Guide. Research by IDC, 2015
Mobile Field Worker Security Advocate Series: Customer Conversation Guide Research by IDC, 2015 Agenda 1. Security Requirements for Mobile Field Workers 2. Key Mobile Security Challenges Companies Face
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationFull Disk Encryption. Larry Carson, Associate Director, Information Security Management
Full Disk Encryption Larry Carson, Associate Director, Information Security Management What Security Really Looks Like at UBC News-worthy Security Incidents VGH Loss of 450 medical records via Resident
More informationGaining Business Value from IoT
Gaining Business Value from IoT Digital Aviation Conference 2018 Thomas Bengs GM, Head of Biometrics EMEIA Enterprise Cybersecurity EMEIA Human Centric Innovation Co-creation for Success 0 2018 FUJITSU
More informationLogging into the Firepower System
The following topics describe how to log into the Firepower System: Firepower System User Accounts, on page 1 User Interfaces in Firepower Management Center Deployments, on page 3 Logging Into the Firepower
More informationIBM. IBM Multi-Factor Authentication for z/os User's Guide. z/os. Version 1 Release 3 SC
z/os IBM IBM Multi-Factor Authentication for z/os User's Guide Version 1 Release 3 SC27-8448-30 Note Before using this information and the product it supports, read the information in Notices on page 91.
More information<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8
RSA SECURID ACCESS Implementation Guide PingIdentity John Sammon & Gina Salvalzo, RSA Partner Engineering Last Modified: February 27 th, 2018 Solution Summary Ping Identity
More informationBreaking FIDO Yubico. Are Exploits in There?
Breaking FIDO Are Exploits in There? FIDO U2F (Universal 2nd Factor) Analyzing FIDO U2F Attack and Countermeasures Implementation Considerations Resources 2 User Experience 1. Enter username/pwd 2. Insert
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More information