Evaluating Alternatives to Passwords

Transcription

1 Security PS Evaluating Alternatives to Passwords Bruce K. Marshall, CISSP, IAM Senior Security Consultant

2 Key Topics Key Presentation Topics Authentication Model Authenticator Characteristics Knowledge Based Authenticators Possession Based Authenticators Biometric Based Authenticators

3 Identification & Authentication Identification A process for presenting an identity for use. Authentication A process for validating proof of an identity.

4 Authentication System Model Authenticator Transport Input Verification

5 Authenticator Types What you know Passwords Passphrases Secret Answers Graphical Passwords What you have ID Cards Password List One-Time Password Tokens Private Keys (Certificates) What you are Physical Features Psychological Traits

6 Authenticator Characteristics Usability How effectively can people operate Uniqueness How distinct is the proof Integrity How difficult to guess, forge, or steal Affordability How much does it cost to buy or maintain Accuracy How often do mistakes occur

7 PINs and Secret Answers Personal Identification Number (PIN) Very simple authenticator Difficult to enforce hard-to-guess PINs May include non-numeric characters Secret Answers One or more correct answers authenticates an asserted identity Users may be allowed to define questions Typically a secondary authenticator

8 Passwords Passwords Based on a string of characters Usually too predictable (i.e. poor uniqueness) Length rarely greater than 8 characters Often consist of words or names Typically composed of lowercase letters Often think alike when choosing passwords Use same password across systems Not changed frequently enough Controlled through requirements for character use, length, and pattern matching

9 Case Study 15 Password Analysis CS15 Password Lengths 0.4% Number of Occurrences Cracked 99.6% Uncracked Length Cracking Success of L0phtCrack Brute Force Strings 100% 90% 80% 70% 60% Word + Char 7% Number 1% Phrase 7% Other 8% Username 10% Username Variation 27% 50% 40% CS01 CS15 Random 30% 20% 10% 0% Word + Number 38% Word 2% BFS1 BFS2 BFS3 BFS4

10 Password Characteristics Poor Fair OK Good Excellent Usability Uniqueness Integrity Affordability Accuracy

11 Passphrases Passphrases Multiple words, typically mixed case with numbers and symbols Improvement upon passwords with little user learning curve Not much study yet on predictability The light of the M00N struck me in June SeattleSeahawksSingSadSongS4ME emmyis7

12 Graphical Passwords Graphical Passwords Rely on memory of images to authenticate Users select, draw, or manipulate pictures Relatively young technology that needs more attention

13 What You Have Authenticators What You Have Authenticators Magnetic-stripe cards RF & Wiegand cards Stored-value cards Password lists

14 OTP Tokens One-Time Password (OTP) Tokens Generates a new password for each use Can be challenge/response-based Based on a unique, secret token seed value (and usually synchronized time) Implemented with hardware or software

15 OTP Tokens Characteristics Poor Fair OK Good Excellent Usability Uniqueness Integrity Affordability Accuracy

16 Digital Certificates Digital Certificates Rely on the use of private and public keys Typically require a Public Key Infrastructure (PKI) for certificate creation, publication, renewal, & revocation

17 Digital Certificate Characteristics Poor Fair OK Good Excellent Usability Uniqueness Integrity Affordability Accuracy

18 Smart Cards Smart Cards Microprocessor with memory that can generate and store keys and certificates Different form factors and interfaces Cryptographic functions using private key are processed on the card itself

19 Smart Card Characteristics Poor Fair OK Good Excellent Usability Uniqueness Integrity Affordability Accuracy

20 Biometric Authenticators Biometric Authenticators The automated use of physiological or behavioral characteristics to determine or verify identity. - International Biometrics Group Rely on interpretation or minutiae of a biometric trait Maturing technology and standards Increasingly used for physical security

21 Biometric Authenticators Fingerprint = 48% Face = 12% Hand = 11% Eye (Iris) = 9% Voice = 6% Keyboarding = <1% * - Data source: International Biometrics Group 2004 Market Share

22 Biometric Characteristics Poor Fair OK Good Excellent Usability Uniqueness Integrity Affordability Accuracy

23 Multi-Factor Authenticators Multi-Factor Authenticators Stronger authentication? Can combine best features Might combine worst features Do not want an Ident-I-Eeze * * Coined by Douglas Adams in his book Mostly Harmless.

24 Summary Summary & Call to Action Focus on entire authentication system Evaluate suitability of authentication solutions for your specific environment Do consider the Integrity of authenticators, but don t forget about other characteristics Assess & fortify password dependent systems Visit

25 Questions?