The Inmates Are Running the Asylum – Why Some Multi-Factor Authentication Technology is Irresponsible

Presented at AppSec USA 2015, Sept. 24, 2015, 11:30 a.m. (55 minutes)

Outline:

- Define multi-factor authentication
- Describe the current state of the technology
- Describe key problems
  o 2D fingerprints and other already-hacked biometrics
  o QR codes
  o SMS OTP (subject to MITM)
  o JavaScript requirements
  o Weak account recovery methods
  o Lack of mobile device risk analysis, not using the OWASP Mobile Top 10 Risks for mobile
  o Encryption with backdoors
- Recipe for what you can do

As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs. Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable? It is easy to reset a password. It is hard to reset fingerprints. Why are there over 200 multi-factor authentication vendors? Why is multi-factor authentication so expensive? Are there open source alternatives? What is the FIDO Alliance? Is it marketing hype or great standards? Unfortunately, the current multi-factor technology offerings reflect evolutionary slip-slide, not quantum leaps forward. However, one or two technologies show promise.

Presenters:

  • Clare Nelson - CEO, Founder - ClearMark Consulting
    Clare lives at the nexus of security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of GDPR and PSD2. She recently evaluated 200+ MFA vendors, resulting in a successful acquisition. She is currently working on a biometrics project. Clare's early technical background includes software development of encrypted TCP/IP variants for NSA. She has held leadership positions in product management, marketing, and technology for companies including EMC2, Dell, Novell, TeaLeaf Technology (IBM), and mobile security startup Mi3. Clare is a co-founder of the mentoring organization, C1ph3r_Qu33ns. Clare's publications include Multi-Factor Authentication: What to Look For, and Security Metrics: An Overview, in the ISSA Journal. A frequent speaker, she has given talks at (ISC)2 Security Congress, Cloud Identity Summit, AppSec USA, HackFormers, BSides, OWASP Austin, FTC Panel, LASCON, ISSA, InfraGard, and Fortune 500 financial services organizations. She has a B.S. in Mathematics from Tufts University, and is a fitness enthusiast.
