The Deal with Password Alternatives

Presented at BSidesLV 2016, Aug. 3, 2016, 6 p.m. (50 minutes)

There are many discussions on how to break passwords, but what do you do about it? There are various alternatives, but it's hard to get the right information on the differences between them without the vendor Kool-Aid involved.

This talk will take off from where the red team leaves off and go through nearly all of the password alternative possibilities. It will outline the practical differences, pluses and cons, and also the technical layers that are typically overlooked and less understood.

It will emphasize the context of commercial organizations, where these solutions need to be managed at scale, be resilient, and integrate with existing applications and lifecycle methodologies, and it will discuss the pitfalls of how each technology can be implemented the wrong way, turning a security solution into one that is compromised from the start.

We will review password managers (single sign-on), one-time password generators (how they actually work) from tokens to SMS, RFID cards, PKI, smart cards, PIV, biometrics, and other methods.

Last, within organizations, identity credentials can't be assessed apart from identity management and related systems, so we'll review the demands of actual implementation and management for each.


Presenters:

  • Terry Gold - Principal Analyst - D6 Research
    Terry is the founder and Principal Analyst of D6 Research, a vendor-neutral research and advisory firm specializing in security, identity management, and authentication across the physical, transactional and logical domains. For the past 15 years, Terry has specialized in assisting global organizations to assess their security posture and deploy strong identity credentials such as PKI, smart cards, OTP, SSO, and other technologies at massive scale with focused governance discipline. At D6, he has been focused on leveraging his experience to build repeatable methodologies, tools, and research in these areas for broader scale and impact. Prior to forming D6, he was Vice President of Cloud Identity for idOnDemand, the first commercially available cloud-based smart card infrastructure, which was acquired by the Identive Group in 2011. He also worked for ActivCard (vendor of the DOD Common Access Card management platform) and Bioscrypt (a leading biometric provider), where he led the development of the first commercially available converged identity credential authentication platform. Today, Terry applies his knowledge to impose transparency and disclosure from vendors for the benefit of customers and shares his experiences within communities. Terry is frequently published in media and presents at various conferences including DEFCON, DerbyCon, BSides, and ISC West, and is a board member of ISSA Orange County and Security B Conferences of California.