Multi-factor Authentication Methods - PowerPoint Presentation

Uploaded On 2018-09-21
Presentation Transcript

Slide 1

Multi-factor Authentication Methods: Taxonomy

Abbie Barbir

Slide 2

Authentication Strength

(Entity) authentication: a process used to achieve sufficient confidence in the binding between the entity and the presented identity.

What is authentication strength (or trust in the authentication step)? It measures how difficult it is for an imposter to masquerade as the legitimate user.

Authentication strength is often more formally expressed as a "level of assurance" (ITU X.1254 and ISO 29115, based on NIST 800-63).

Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more factors from the same or different category.

Multi-factor authentication uses more than 2 factors from different categories.

Analysis
- The overall objective is to elevate trust in the authentication step.
- Established terms, such as "2FA", are no longer precise enough to guide technology decisions.
- Choosing the method or methods appropriate for the needs of securing the enterprise, using appropriate comparisons of different vendors' products and services, requires a more granular taxonomy.

Slide 3

How to Determine the "Best" Authentication Method

Use needs and constraints to determine:
- Authentication strength: indicated by the level of risk.
- Total cost of ownership: constrained by budget.
- Ease of use: universally desirable, but less critical the greater the consistency.
- Other constraints: consistency and control of the endpoint is a particular constraint.

Source of figure: Gartner

Slide 4

Elevating Trust in Authentication Strength Level

Increasing the strength of authentication can be done by adding factors from the same or different kinds of authentication categories that don't have the same vulnerabilities.

There are five categories of authentication methods:
- who you are,
- what you know,
- what you have,
- what you typically do, and
- the context.

What you typically do consists of behavioral habits that are independent of physical biometric attributes.

Context includes, "but is not limited" to, location, time, party, prior relationship, social relationship and source.

Authentication assurance or elevation can be within the classic four ITU-T X.1254 LoA (ISO 29115, NIST 800-63).

Adding factors from different categories can increase strength only if the overall set of vulnerabilities is reduced.

Slide 5

Authentication Categories

Who you are (biometric):
- Physical biometric (immutable and unique): facial recognition, iris scan, retinal scan, fingerprint, palm scan, voice.
- Liveliness biometric factors include: pulse, CAPTCHA, etc.
- Behavioral biometric, based on a person's physical behavioural activity patterns: keyboard signature, voice.

What you know:
- User name and password (UN/PW), a passphrase, a PIN. Very often used alone or in combination with KBA methods.
- Knowledge Based Authentication (KBA): static KBA, dynamic KBA.

What you have:
- One Time Password (OTP), smart card, X.509 and PKI, Subscriber Identity Module (SIM).
- Rarely used alone; used in combination with UN/PW and a PIN.

What you do:
- Browsing patterns, time of access, type of device.
- Used in combination with other methods.

Context:
- Location; time of access; frequency of access; source and endpoint identity attributes such as
- Used in combination with other methods.

What you do and Context are mostly used to provide secondary attributes.

Slide 6

How to Evaluate Authentication Strength

1. Two aspects to consider:
- Method's resistance to attack: how difficult is it for an attacker to directly compromise or undermine the authentication method (without the user's knowing collusion)?
- Method's resistance to wilful misuse: how difficult is it for a user to deliberately allow others to share his account?

2. Authentication strength: measures how hard it is for another person to masquerade as the legitimate user.

Authentication may be undermined by two kinds of attacks:
- Masquerade attacks, in which an attacker is (by some means) able to corroborate a falsely claimed digital identity and, thus, log in as a legitimate user.
- Session hijacking attacks, such as a man-in-the-browser attack, which take control of or parasitize an already-authenticated session after a legitimate user's claimed digital identity has been corroborated.

Session hijacking attacks bypass authentication and, thus, can succeed no matter how strong the authentication method is. There is always a need for fraud detection, misuse monitoring and other compensating controls in order to elevate trust.

Source: Gartner

Slide 7

How to Evaluate Authentication Strength

Combining two or more authentication methods can potentially increase authentication strength, compared with using either one. For example, passwords are vulnerable to key logging; adding a second, partial password entered via a drop-down menu may reduce vulnerability to this attack.

Point of caution:
- Each type of authentication attribute has a set of intrinsic vulnerabilities, which overlap with those of other attributes.
- A combination of two attributes of the same type tends to share many of those vulnerabilities.
- It is a big mistake to assume that strong authentication always results when combining multiple authentication attributes/factors.
- Only by combining attributes of different kinds (that is, different factors) with different (non-overlapping) sets of vulnerabilities is there a significant increase in resistance to attack and, thus, in authentication strength.

Source: OASIS, ITU, NIST, Gartner

Slide 8

How to Evaluate Authentication Strength

Not every MFA method is stronger than an authentication method based on a single authentication factor/attribute. For example, a biometric authentication method using heart beat is stronger than a password + OTP.

For some types of attacks, a 2FA method might not be stronger than one of its components if used alone. For example, a "fly-phishing" attack that captures and immediately uses an OTP will be equally successful whether the OTP token was PIN-protected or not.

Some issues to consider:
- How unique is the credential?
- Level of trust of the binding of the credential to the entity.

Source: NIST, Gartner

Slide 9
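As an added illustration of the overlap argument on slides 7 and 8 (this is example code, not material from the presentation), the Python below models each method's exposure to the threat classes listed on slide 10: a combination is defeated by an attack only if every component is, and session hijacking bypasses authentication altogether. The per-method exposure sets are constructed assumptions for the illustration, not ratings from the deck.

```python
# Added illustration (not from the deck): a combination of authenticators is
# exposed to an attack only if every component is, while session hijacking
# (slide 6) bypasses authentication altogether. Threat classes are those on
# slide 10; the per-method exposure sets are constructed assumptions.
from typing import Dict, Iterable, List, Set

THREATS: Set[str] = {
    "online guessing", "phishing", "pharming", "eavesdropping",
    "replay", "session hijack", "man-in-the-middle",
}
BYPASS: Set[str] = {"session hijack"}  # succeeds regardless of method strength

# Assumed exposure of each method when used alone. "eavesdropping" covers the
# key logging case from slide 7.
EXPOSED: Dict[str, Set[str]] = {
    "password": {"online guessing", "phishing", "pharming", "eavesdropping",
                 "replay", "man-in-the-middle"},
    "PIN": {"online guessing", "phishing", "pharming", "eavesdropping",
            "replay", "man-in-the-middle"},
    # Chosen from a drop-down menu, so a key logger does not capture it.
    "partial password (drop-down)": {"online guessing", "phishing", "pharming",
                                     "replay", "man-in-the-middle"},
    # Single-use, so replay and guessing fail; real-time ("fly-") phishing works.
    "OTP device": {"phishing", "pharming", "man-in-the-middle"},
}


def residual_vulnerabilities(methods: Iterable[str]) -> Set[str]:
    """Attacks that still defeat the combination of the given methods."""
    exposed = set(THREATS) - BYPASS
    for method in methods:
        exposed &= EXPOSED[method]  # the attacker must defeat every component
    return exposed | BYPASS


def gained_resistance(base: List[str], added: List[str]) -> Set[str]:
    """Threats newly resisted by adding `added` to `base`."""
    return residual_vulnerabilities(base) - residual_vulnerabilities(base + added)


def strength_report(methods: List[str]) -> Dict[str, object]:
    """Factor count versus what the combination actually resists."""
    exposed = residual_vulnerabilities(methods)
    return {"factors": len(methods),
            "resists": sorted(THREATS - exposed),
            "still exposed to": sorted(exposed)}


if __name__ == "__main__":
    for combo in (["password", "password"], ["password", "OTP device"],
                  ["password", "partial password (drop-down)"], ["PIN", "OTP device"]):
        print(combo, strength_report(combo))
```

Two passwords count as two factors yet resist nothing more than one, and a PIN-protected OTP remains exposed to real-time phishing exactly as the bare OTP does.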

Evaluating Authentication Strength "Take Away"

Counting factors is not enough to evaluate authentication strength.

Source: Gartner

Slide 10

Authentication Process Threats

Threat Resistance per Assurance Level (table)
- Online guessing
- Phishing
- Pharming
- Eavesdropping
- Replay
- Session hijack
- Man-in-the-middle

Source: ITU-T, NIST

Slide 11

Example: Calculating the Overall Authentication Assurance Level (LoA 3)

The overall authentication assurance level is based on the low watermark (weakest link) of the assurance levels for each of the components of the architecture. For instance, to achieve an overall assurance level of 3:
- The registration and identity proofing process shall, at a minimum, use Level 3 processes or higher.
- The token (or combination of tokens) used shall have an assurance level of 3 or higher.
- The binding between the identity proofing and the token(s), if proofing is done separately from token issuance, shall be established at Level 3.
- The authentication protocols used shall have a Level 3 assurance level or higher.
- The token and credential management processes shall use a Level 3 assurance level or higher.
- Authentication assertions (if used) shall have a Level 3 assurance or higher.

Slide 12

Tokens

A token is something that the Claimant possesses and controls (typically a cryptographic module or password) that is used to authenticate the Claimant's identity.

Single-factor token: a token that uses one of the three factors to achieve authentication. For example, a password is something you know. There are no additional factors required to activate the token, so this is considered single factor.

Multi-factor token: a token that uses two or more factors to achieve authentication. For example, a private key on a smart card that is activated via PIN is a multi-factor token. The smart card is something you have, and something you know (the PIN) is required to activate the token.

Slide 13

All Possible Token Types

1. Memorized Secret Token: a secret shared between the Subscriber and the CSP.
2. Pre-registered Knowledge Token: a series of responses to a set of prompts or challenges.
3. Look-up Secret Token: a physical or electronic token that stores a set of secrets shared between the Claimant and the CSP. The token authenticator is the secret(s) identified by the prompt. Look-up secret tokens are something you have.
4. Out of Band Token: a physical token that is uniquely addressable and can receive a Verifier-selected secret for one-time use. The device is possessed and controlled by the Claimant and supports private communication over a channel that is separate from the primary channel for e-authentication.
5. Single-factor (SF) One-Time Password (OTP) Device: a hardware device that supports the spontaneous generation of one-time passwords.

Slide 14

All Possible Token Types

6. Single-factor (SF) Cryptographic Device: a hardware device that performs cryptographic operations on input provided to the device. This device does not require activation through a second factor of authentication.
7. Multi-factor (MF) Software Cryptographic Token: a cryptographic key is stored on disk or some other "soft" media and requires activation through a second factor of authentication.
8. Multi-factor (MF) One-Time Password (OTP) Device: a hardware device that generates one-time passwords for use in authentication and which requires activation through a second factor of authentication.
9. Multi-factor (MF) Cryptographic Device: a hardware device that contains a protected cryptographic key that requires activation through a second authentication factor. Authentication is accomplished by proving possession of the device and control of the key. The token authenticator is highly dependent on the specific cryptographic device and protocol, but it is generally some type of signed message. For example, in TLS, there is a "certificate verify" message. The MF cryptographic device is something you have, and it may be activated by either something you know or something you are.

Slide 15

Token Threats

Source: NIST, ITU-T

Slide 16

Token Threat Mitigation Strategies

Slide 17

Token Requirements Per Assurance Level

See NIST 800-63-1

Slide 18

NIST: Assurance Levels for Multi-Token E-Authentication Schemes

Slide 19

Next Steps
- Identify tokens that we do support.
- Determine LOA of each token.
- Determine LOA of each EAA cycle.
- Suggest a table for LOA level.
- Assume no protocol for now.

Slide 20

Appendix 1: Token Requirements Per Assurance Level

Slide 21

NIST

Slide 22

NIST

Slide 23

NIST

Slide 24

NIST