Secure Authentication without the Need for Passwords

Presented at AppSec USA 2015, Sept. 24, 2015, 2 p.m. (55 minutes)

The recent major hacks at Sony, Target, Home Depot, Chase and Anthem all have something in common: in each, the attackers gained access using stolen credentials. Hacking credit/debit cards is a growth industry, with a 66% CAGR. As more information and transactions are conducted online, the need for securing this information and these transactions is becoming paramount. There is increasing pressure to secure this information; customers want it and shareholders are demanding it. Government regulations are good, but they come slowly and the fraudsters seem to be gaining the upper hand.

There are a number of biometric technologies being used with moderate success. Fingerprint, facial recognition, iris scan and voice recognition all provide a good level of security but are weak in the area of usability. Behavioral biometrics is an area that offers ease of use and a high level of security, and does not require passwords. An additional benefit is that there is nothing to remember, no special equipment is needed and no personally identifiable information is used. Unlike the other biometric modes, the attributes are revocable, which is useful in the corporate world.

How does it work? One scenario is authenticating login. It is a software-based second-factor biometric authentication solution. The technology compares, in real time, users' keying of known text against a previously assembled cadence and habit library built using that known text. No keystroke character data is required for this comparison, only the keystroke timing data. Some software algorithms work by comparing two independent typing samples (any text) and providing a statistical analysis of whether the same person typed them and how confident that conclusion is. Applications include insider threat analysis, continuous monitoring, determining whether it is still you after a successful login, and validating distance learning/certification.
These types of authentication are easily configured and protect against man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks.
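
The login scenario described above, as an added example that is not from the talk or from any vendor's product: it enrolls a timing template from repeated entries of the same known text and scores a new attempt using only press/release timestamps. The scaled Manhattan distance, the 3.0 threshold, the function names and the sample timings are all assumptions constructed for illustration.

```python
# Added illustration: keystroke-timing check; timestamps only, no key characters.
from statistics import mean

def features(events):
    """events: (press_ms, release_ms) per keystroke. Returns dwell then flight times."""
    dwell = [r - p for p, r in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Build the cadence template: per-feature mean and mean absolute deviation."""
    vectors = [features(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("enrollment samples must have the same keystroke count")
    template = []
    for column in zip(*vectors):
        m = mean(column)
        spread = mean(abs(x - m) for x in column)
        template.append((m, max(spread, 1.0)))  # floor avoids division by zero
    return template

def score(template, events):
    """Scaled Manhattan distance per feature; lower means closer to the template."""
    v = features(events)
    if len(v) != len(template):
        return float("inf")  # keystroke count differs from the known text
    return mean(abs(x - m) / d for x, (m, d) in zip(v, template))

def verify(template, events, threshold=3.0):  # threshold is an assumed value
    return score(template, events) <= threshold

def make_events(dwells, flights, start=0):
    """Helper for the constructed samples: build (press, release) pairs."""
    events, t = [], start
    for i, d in enumerate(dwells):
        events.append((t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

# Constructed timings (ms) for a five-keystroke known text.
TEMPLATE = enroll([make_events([95, 110, 80, 120, 100], [140, 60, 200, 90]),
                   make_events([100, 105, 85, 115, 95], [150, 70, 190, 100]),
                   make_events([90, 115, 75, 125, 105], [130, 65, 210, 85])])
GENUINE = make_events([97, 108, 82, 118, 99], [145, 62, 195, 95])
IMPOSTOR = make_events([150, 60, 140, 70, 160], [60, 180, 80, 220])

if __name__ == "__main__":
    for name, ev in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, ev), 2), verify(TEMPLATE, ev))
```

A production verifier would tune the threshold against measured false-accept and false-reject rates and would need many more enrollment samples than the three used here.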

Presenters:

  • Donald Malloy - Chairman - OATH
    Donald Malloy is the Chairman of OATH, the Initiative for Open Authentication. OATH is an industry alliance that has opened the authentication market from proprietary systems to an open-source, standards-based architecture promoting ubiquitous strong authentication. Malloy has more than 20 years' experience in the security and payment industry and is currently a technology consultant assisting companies with the development of their security business. Don was responsible for developing the online authentication product line while at NagraID Security, now Oberthur, and prior to that he was Business Development and Marketing Manager for Secure Smart Card ICs for both Philips Semiconductors (NXP) and Infineon Technologies. Don originally comes from Boston, where he was educated, and has degrees in Organic Chemistry and an M.B.A. in Marketing. He currently resides in Orange County, California, and is married with 3 daughters. In his spare time he enjoys hiking, biking, kayaking and traveling around this beautiful world.
