Download “Stronger” Web Authentication: A Security Review

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
Document related concepts

Moral hazard wikipedia , lookup

Risk wikipedia , lookup

Systemic risk wikipedia , lookup

Transcript 
“Stronger” Web Authentication:
A Security Review
Cory Scott
Problem Area
• Username and password are insufficient
authenticators for high-value assets
accessible via an untrusted network.
• Pressures:
– Regulatory: FFIEC guidance / mandate
– Consumer confidence
– Financial loss: Phishing and fraudulent activity
– Technical: Defense-in-depth for web applications
Authentication As
Ceremony: Prior Work
• Introduced by Walker / Ellison
– Model for protocols involving users as opposed
to machines
• Authentication Mechanism, as defined by
Kaliski, contains the following:
– Selected authentication factors
– Particular evidence about those factors; and a
– Specific protocol for conveying the evidence
Authentication As
Ceremony: Impact
• We can adopt compound authentication mechanisms that
combine different factors and assign a level of risk to each
factor.
• Example factors:
–
–
–
–
–
–
–
–
–
–
User credentials
IP Address
ISP / Geo-location
Challenge questions
Access device
Prior suspicious activity on any of the factors
Certificates
OTP tokens / scratch cards
Voice confirm / SMS messages
Nature or Business Impact of request
• As a result, we can have “risk-based authentication”.
Two-factor Too Much
• Consumer acceptance of traditional commercial
two-factor solutions in the US untested and
expensive.
• Industry Solutions:
– Mutual authentication (watermarking / HA SSL certs)
– Introduction of “soft” factors:
• Challenge questions
• Device identification
• Geolocation / IP Risk Profiling
– Application of risk-based authentication decisions based
on the above factors.
(Note: Value, in terms of cost or risk reduction, has not been proven yet.)
Factors in Risk-Based
Authentication
• Device Identification
– Signed Key of (Browser + OS + Language + Time Zone) + Specific
User Account
– Can be mapped to particular IP, ISP, Country
– Stored as HTTP Cookie and/or Flash Shared Object
• Geolocation / IP Risk Profiling
– Behavioral analysis of user login activity
– Blacklist or flag certain countries, ISPs
– Subscribe to a “fraud network”
• Transaction-level analysis
– Anomalous transaction activity increases risk profile
• In all of these cases, when a risk threshold has been
breached, the application can force “stronger”
authentication.
Second-Level
Authentication Decisions
• Challenge questions or other KnowledgeBased schemes
• SMS messages as One Time Passwords
• Voice or Registered Telephone verification
• E-mail verification
• Access from previously registered device
• Fall-back to 2FA: Smart-cards, Physical OTP
tokens, biometrics, etc.
Credential Disclosure:
Threat Models
• Shoulder-Surf or The “Post-It” Debacle
• Keyloggers, Malicious Browser Helper Objects, and
Rootkits
– Differing Impact: Interactive vs. Harvesting Mode
– Can the attacker generate traffic from the victim host?
• Man-in-the-Middle
• Phishing Sites (trust subversion / trickery)
• Cross-Site Scripting and Request Forgery and other
client-side web vulnerabilities
• Acquaintance fraud (weakening the credential)
Attack
Considerations
• Tomfoolery with enrollment / site-in-transition
– Phishing vectors
– Increased site complexity
• Challenge question fuzzy logic
• Can the phisher ask the challenge questions?
• Is the device identifier subject to attack?
Design
Considerations
• How tight is the restriction by IP?
• The conditioning problem: How often do you
challenge?
• Do you want to be married to images and
watermarks? Hard to take away.
• Support issues
– Customers struggle or want to expand images
– Account lockout / reset gets more complicated
Related documents
Name : Ahmed AL_Balawi ID: 200600112
Name : Ahmed AL_Balawi ID: 200600112
Panel: Security and the World Wide Web
Panel: Security and the World Wide Web
Internet Yesterday, Today and Tomorrow
Internet Yesterday, Today and Tomorrow
Authentication of Key Biological and/or Chemical
Authentication of Key Biological and/or Chemical
Network Device Security Options
Network Device Security Options
Document
Document
Malicious Cryptography : Exposing Cryptovirology
Malicious Cryptography : Exposing Cryptovirology
Lecture 7, Part 2
Lecture 7, Part 2
chap-09v2
chap-09v2
Java SE Security
Java SE Security
Mtech Syllabus - GEHU CS/IT Deptt
Mtech Syllabus - GEHU CS/IT Deptt
Physical Access Controls
Physical Access Controls
Introduction to ASP.NET
Introduction to ASP.NET
CMSC 414 Computer (and Network) Security
CMSC 414 Computer (and Network) Security
Chapter 21 PowerPoint Presentation
Chapter 21 PowerPoint Presentation
Kumar`s Security Slides
Kumar`s Security Slides
802.11 Security/Bluetooth
802.11 Security/Bluetooth
Campus Services - University of Guelph
Campus Services - University of Guelph
User Authentication Techniques
User Authentication Techniques
Authentication of Smartphone Users Using
Authentication of Smartphone Users Using
Edge Port Security using IEEE 802.1x
Edge Port Security using IEEE 802.1x
International Cell Line Authentication Committee ICLAC.org Terms
International Cell Line Authentication Committee ICLAC.org Terms