Chris Calderon – February 2016

Uploaded On 2017-09-15


Presentation Transcript

Slide1

Chris Calderon – February 2016

Goodbye to Passwords

MIS 534 Information Security Management

Slide2

Contents

Problems with passwords

Security risks

Authentication methods

The future - FIDO

Questions/Comments

“Anyone who’s ever clicked on a ‘forgot your password?’ on a website or in an app – read: every single one of us – thinks there’s gotta be a better way. There is.” (CIO.com – Aug – 2015)

Slide3

Too many, too long

Users don’t remember them

Users lack faith in passwords

Infrastructure to manage passwords

“Only 30% of users are confident that their passwords will protect the security of their online accounts.” (Telesign Consumer Account Security Report – June 2015)

Problems with passwords

(Telesign Consumer Account Security Report – June 2015) N = 2,020; US & UK

Slide4

Weak passwords, lack of policies

Using the same passwords on multiple accounts – Domino Effect

Frequency of password changes

Password sharing

Shoulder surfing

Password storage

“You don't need mad hacking skills to crack Password1, Hello123 and password – 86% of hackers surveyed at Black Hat said they weren't worried about being busted at any rate.” (NetworkWorld.com – Aug 2014)

Security Risks

NetworkWorld.com – Aug 2014

Top 10 Corporate Environment Passwords

Slide5

ID & password authentication

Biometric authentication devices & system

Enterprise single sign-on (SSO)

Public Key Infrastructure (PKI) and digital certificate

Security Token and smart card

2FA & Multi-factor authentication

Knowledge, possession, inherent, location and time.

“With the approach used by Google, Apple, and Microsoft, two-step verification combines the first two of these factors—something known only by the user, which is the account password, and something that only the user possesses, such as the smartphone or land line telephone.” (SecSign Technologies – Nov 2014)

Authentication Methods

SecSign Technologies – Nov 2014; 2FA: two factor authentication

Slide6

Fast Identity Online (FIDO) Alliance

non-profit founded in July 2012 and publicly announced in February 2013

FIDO Members

Google, Samsung, Microsoft, Bank of America, Amex, MasterCard, Visa, etc.

FIDO Protocol Standards

“The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user's device that calculates cryptographic strings to be sent to a login server.” (TechTarget.com – May 2014)

The future

Slide7

Questions/Comments

Slide8

References:

http://www.cio.com/article/2960634/security/why-it-s-time-to-say-goodbye-to-passwords.html

http://lifehacker.com/5785420/the-only-secure-password-is-the-one-you-cant-remember

https://www.telesign.com/resources/research-and-reports/telesign-consumer-account-security-report/

https://www.telesign.com/wp-content/uploads/2015/06/TeleSign-Consumer-Account-Security-Report-2015-FINAL.pdf

http://bankinnovation.net/2015/10/saying-goodbye-to-passwords/

http://searchsecurity.techtarget.com/definition/single-factor-authentication-SFA

http://searchsecurity.techtarget.com/feature/The-fundamentals-of-MFA-The-business-case-for-multifactor-authentication

https://www.secsign.com/two-factor-authentication-vs-two-step-verification/

http://www.scmagazine.com/is-the-password-dead-not-just-yet/article/421648/

http://www.scmagazine.com/google-testing-password-free-logins/article/461472/

http://searchsecurity.techtarget.com/feature/Password-free-authentication-Figuring-out-FIDO

https://fidoalliance.org/

https://app.box.com/s/cde21pmtcqaygdqfr7o1