1 / 25

Evaluating Password Alternatives

Evaluating Password Alternatives. Bruce K. Marshall, CISSP, IAM Senior Security Consultant bmarshall@securityps.com. Key Points. Key Presentation Points Authentication Model Authenticator Characteristics Knowledge Based Authenticators Possession Based Authenticators

Download Presentation

Evaluating Password Alternatives

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Evaluating Password Alternatives Bruce K. Marshall, CISSP, IAM Senior Security Consultant bmarshall@securityps.com

  2. Key Points • Key Presentation Points • Authentication Model • Authenticator Characteristics • Knowledge Based Authenticators • Possession Based Authenticators • Biometric Based Authenticators

  3. Identification & Authentication Identification • A process for presentingan identity for use. Authentication • A process for validating proof of an identity.

  4. Authentication System Model Authenticator Transport Verification Input

  5. Authenticator Types • What you know • Passwords • Passphrases • Secret Answers • Graphical Passwords • What you have • ID Cards • Password List • One-Time Password Tokens • Certificates & Private Keys • What you are • Physical Features • Psychological Traits

  6. Authenticator Characteristics • Usability • How effectively can people operate • Uniqueness • How distinct is the proof • Integrity • How difficult to guess, forge, or steal • Affordability • How much does it cost to buy or maintain • Accuracy • How often do mistakes occur

  7. PINs and Secret Answers • Personal Identification Number (PIN) • Very simple authenticator • Difficult to enforce hard-to-guess PINs • May include non-numeric characters • Secret Answers • One or more correct answers authenticates an asserted identity • Users may be allowed to define questions • Typically a secondary authenticator

  8. Passwords • Passwords • Based on a string of characters • Usually too predictable (i.e. poor uniqueness) • Length rarely greater than 8 characters • Often consist of words or names • Typically composed of lowercase letters • Often think alike when choosing passwords • Use same password across systems • Not changed frequently enough • Controlled through requirements for character use, length, and pattern matching

  9. Case Study 15 Password Analysis

  10. Password Characteristics

  11. Passphrases • Passphrases • Multiple words, typically mixed case with numbers and symbols • Improvement upon passwords with little user learning curve • Not much study yet on predictability “The light of the M00N struck me in June” “SeattleSeahawksSingSadSongS4ME” “emmyis7”

  12. Graphical Passwords • Graphical Passwords • Rely on memory of images to authenticate • Users select, draw, or manipulate pictures • Relatively young technology that needs more attention

  13. “What You Have” Authenticators • “What You Have” Authenticators • Magnetic-stripe cards • RF & Wiegand cards • Stored-value cards • Password lists

  14. OTP Tokens • One-Time Password (OTP) Tokens • Generates a new password for each use • Can be challenge/response-based • Based on a unique, secret token seed value (and usually synchronized time) • Implemented with hardware or software

  15. OTP Tokens Characteristics

  16. Digital Certificates • Digital Certificates • Rely on the use of private and public keys • Typically require a Public Key Infrastructure (PKI) for certificate creation, publication, renewal, & revocation

  17. Digital Certificate Characteristics

  18. Smart Cards • Smart Cards • Microprocessor with memory that can generate and store keys and certificates • Different form factors and interfaces • Cryptographic functions using private key are processed on the card itself

  19. Smart Card Characteristics

  20. Biometric Authenticators • Biometric Authenticators • “The automated use of physiological or behavioral characteristics to determine or verify identity.” - International Biometrics Group • Rely on interpretation or ‘minutiae’ of a biometric trait • Maturing technology and standards • Increasingly used for physical security

  21. Biometric Authenticators • Fingerprint = 48% • Face = 12% • Hand = 11% • Eye (Iris) = 9% • Voice = 6% • Keyboarding = <1% * - Data source: International Biometrics Group 2004 Market Share

  22. Biometric Characteristics

  23. Multi-Factor Authenticators • Multi-Factor Authenticators • Stronger authentication? • Can combine best features • Might combine worst features • Do not want an Ident-I-Eeze”* * Coined by Douglas Adams in his book Mostly Harmless.

  24. Summary • Summary & Call to Action • Focus on entire authentication system • Evaluate suitability of authentication solutions for your specific environment • Do consider the Integrity of authenticators, but don’t forget about other characteristics • Assess & fortify password dependent systems • Visit www.passwordresearch.com

  25. Questions?

More Related