1 “Stronger” Web Authentication: A Security Review Cory Scott

2 Problem Area
Username and password are insufficient authenticators for high-value assets accessible via an untrusted network.
Pressures:
– Regulatory: FFIEC guidance / mandate
– Consumer confidence
– Financial loss: phishing and fraudulent activity
– Technical: defense-in-depth for web applications

3 Authentication As Ceremony: Prior Work
Introduced by Walker / Ellison
– Model for protocols involving users as opposed to machines
An authentication mechanism, as defined by Kaliski, contains the following:
– Selected authentication factors
– Particular evidence about those factors; and a
– Specific protocol for conveying the evidence

4 Authentication As Ceremony: Impact
We can adopt compound authentication mechanisms that combine different factors and assign a level of risk to each factor.
Example factors:
– User credentials
– IP address
– ISP / geo-location
– Challenge questions
– Access device
– Prior suspicious activity on any of the factors
– Certificates
– OTP tokens / scratch cards
– Voice confirm / SMS messages
– Nature or business impact of the request
As a result, we can have “risk-based authentication”.

5 Two-factor Too Much
Traditional commercial two-factor solutions are expensive, and consumer acceptance of them in the US is untested.
Industry solutions:
– Mutual authentication (watermarking / HA SSL certs)
– Introduction of “soft” factors: challenge questions, device identification, geolocation / IP risk profiling
– Application of risk-based authentication decisions based on the above factors
(Note: value, in terms of cost or risk reduction, has not been proven yet.)

6 Factors in Risk-Based Authentication
Device identification
– Signed key of (browser + OS + language + time zone) + specific user account
– Can be mapped to a particular IP, ISP, country
– Stored as an HTTP cookie and/or Flash Shared Object
Geolocation / IP risk profiling
– Behavioral analysis of user login activity
– Blacklist or flag certain countries, ISPs
– Subscribe to a “fraud network”
Transaction-level analysis
– Anomalous transaction activity increases the risk profile
In all of these cases, when a risk threshold has been breached, the application can force “stronger” authentication.
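The risk-scoring loop that slides 4 and 6 describe, as an added worked example (my code, not the presentation's): a device identifier built as an HMAC-signed key over browser, OS, language, time zone and account, stored as a cookie and verified on the next login, plus a weighted score over the other factors the slides list; once the score crosses a threshold the application demands second-level authentication. The secret key, the weights, the threshold, and the flagged-country and flagged-ISP lists are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key: a real deployment keeps this in a secrets store and rotates it.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed lists standing in for a blacklist / "fraud network" feed (slide 6).
FLAGGED_COUNTRIES = {"ZZ"}
FLAGGED_ISPS = {"bulletproof-hosting-example"}
HIGH_VALUE_REQUESTS = {"wire_transfer", "change_contact_details"}

# Assumed weights per risk factor and the step-up threshold; tune against real fraud data.
RISK_WEIGHTS = {
    "unknown_device": 40,
    "flagged_country": 50,
    "new_country": 30,
    "flagged_isp": 20,
    "prior_suspicious": 30,
    "high_value_request": 25,
}
STEP_UP_THRESHOLD = 50


def device_identifier(browser: str, os_name: str, language: str, tz: str, account_id: str) -> str:
    """Signed key of (browser + OS + language + time zone) + account, suitable for an HTTP cookie."""
    payload = json.dumps(
        {"b": browser, "o": os_name, "l": language, "t": tz, "a": account_id}, sort_keys=True
    ).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_device_identifier(cookie: str, account_id: str) -> Optional[dict]:
    """Return the signed attributes if the cookie is authentic and bound to this account, else None."""
    try:
        encoded, tag = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:  # malformed cookie (binascii.Error is a ValueError subclass)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered
    data = json.loads(payload)
    if data.get("a") != account_id:
        return None  # authentic cookie, but issued to a different account
    return data


@dataclass
class AccountProfile:
    account_id: str
    known_countries: set = field(default_factory=set)
    prior_suspicious: bool = False  # slide 4: prior suspicious activity on any factor


@dataclass
class LoginAttempt:
    device_cookie: Optional[str]
    country: str
    isp: str
    request_kind: str  # slide 4: nature or business impact of the request


def risk_score(attempt: LoginAttempt, profile: AccountProfile):
    """Sum the weights of every risk factor present; returns (score, reasons)."""
    reasons = []
    if attempt.device_cookie is None or verify_device_identifier(attempt.device_cookie, profile.account_id) is None:
        reasons.append("unknown_device")
    if attempt.country in FLAGGED_COUNTRIES:
        reasons.append("flagged_country")
    elif attempt.country not in profile.known_countries:
        reasons.append("new_country")
    if attempt.isp in FLAGGED_ISPS:
        reasons.append("flagged_isp")
    if profile.prior_suspicious:
        reasons.append("prior_suspicious")
    if attempt.request_kind in HIGH_VALUE_REQUESTS:
        reasons.append("high_value_request")
    return sum(RISK_WEIGHTS[r] for r in reasons), reasons


def authentication_decision(attempt: LoginAttempt, profile: AccountProfile) -> str:
    """'allow' below the threshold; 'step_up' (force second-level authentication) at or above it."""
    score, _ = risk_score(attempt, profile)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


if __name__ == "__main__":
    profile = AccountProfile("alice", known_countries={"US"})
    cookie = device_identifier("Firefox", "Linux", "en-US", "America/Chicago", "alice")
    for attempt in (
        LoginAttempt(cookie, "US", "home-isp", "view_balance"),   # known device, home country
        LoginAttempt(None, "DE", "home-isp", "view_balance"),     # no cookie, new country
        LoginAttempt(cookie, "US", "home-isp", "wire_transfer"),  # known device, high-value request
    ):
        print(authentication_decision(attempt, profile), risk_score(attempt, profile))
```

Two design points matter here. The identifier is bound to the account inside the signed payload, so a cookie minted for one user scores nothing when presented with another user's credentials, and the tag is checked with a constant-time compare. The device factor is still only a "soft" factor: it carries no secret the user knows, so on a host where the attacker can generate traffic (slide 8) it is present and valid, which is why the score combines it with country, ISP, history and request impact rather than trusting it alone.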

7 Second-Level Authentication Decisions
– Challenge questions or other knowledge-based schemes
– SMS messages as one-time passwords
– Voice or registered telephone verification
– E-mail verification
– Access from a previously registered device
– Fall-back to 2FA: smart cards, physical OTP tokens, biometrics, etc.

8 Credential Disclosure: Threat Models
Shoulder-surf, or the “Post-It” debacle
Keyloggers, malicious Browser Helper Objects, and rootkits
– Differing impact: interactive vs. harvesting mode
– Can the attacker generate traffic from the victim host?
Man-in-the-middle
Phishing sites (trust subversion / trickery)
Cross-site scripting, request forgery and other client-side web vulnerabilities
Acquaintance fraud (weakening the credential)

9 Attack Considerations
Tomfoolery with enrollment / site-in-transition
– Phishing vectors
– Increased site complexity
Challenge question fuzzy logic
Can the phisher ask the challenge questions?
Is the device identifier subject to attack?

10 Design Considerations
How tight is the restriction by IP?
The conditioning problem: how often do you challenge?
Do you want to be married to images and watermarks? They are hard to take away.
Support issues
– Customers struggle with, or want to expand, the images
– Account lockout / reset gets more complicated

