OWASP AppSec USA 2015, San Francisco
4 likes•2,040 views
This document discusses concerns with some commonly used multi-factor authentication technologies. It notes that SMS one-time passwords have been circumvented by intercepting SMS messages from phones. Biometric authentication using fingerprints can be fooled by high-quality images or lifts of fingerprints. Location-based authentication poses issues if GPS signals can be spoofed. The document argues that many multi-factor authentication methods in use may not adequately consider security threats.
OWASP AppSec USA 2015, San Francisco
- 1. www.owasp.org The Inmates Are Running the Asylum Why Some Multi-Factor Authentication Technology is Irresponsible Clare Nelson, CISSP
- 2. www.owasp.org Clare Nelson, CISSP • Scar tissue – Encrypted TCP/IP variants for NSA – Product Management at DEC (HP), EMC2 – Director Global Alliances at Dell, Novell (IAM) – VP Business Development, MetaIntelli (Mobile Security) – CEO ClearMark, MFA Technology and Architecture • 2001 CEO ClearMark Consulting • 2014 Co-founder C1ph3r_Qu33ns • 2015 April, ISSA Journal, Multi-Factor Authentication: What to Look For • Talks: HackFormers; BSides Austin; LASCON; AppSec; clients including Fortune 500 financial services, Identity Management • B.S. Mathematics
- 3. www.owasp.org Scope • External customers, consumers – Not internal employees, no hardware tokens – IoT preview • No authentication protocols – OAuth, OpenID, UMA, SCIM, SAML • United States – EU regulations o France: legal constraints for biometrics Need authorization from National Commission for Informatics and Liberty (CNIL)1 – India: e-commerce Snapdeal, Reserve Bank of India o Move from two-factor to single-factor authentication for transactions less than Rs. 3,0002 1Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl 2Source: http://economictimes.indiatimes.com/industry/services/retail/snapdeal-for-single-factor-authentication-for- low-value-deals/articleshow/46251251.cms
- 4. www.owasp.org NIST Definition1 Origin of definition? • NIST: might be Gene Spafford, or “ancient lore”2 – @TheRealSpaf, “Nope — that's even older than me!”3 – 1970s? NSA? Academia? 1Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf 2Source: February 26, 2015 email response from a NIST SP 800-63-2 author 3Source: February 27, 2015 response from @TheRealSpaf (Gene Spafford)
- 5. www.owasp.org How can one write a guide based on a definition of unknown, ancient origin? How can you implement MFA without a current, coherent definition? Photo: The Thinker by Auguste Rodin, https://commons.wikimedia.org/wiki/File:Auguste_Rodin-The_Thinker- Legion_of_Honor-Lincoln_Park-San_Francisco.jpg
- 6. www.owasp.org NIST versus New Definitions Multi-Factor Authentication (MFA) Factors: • Knowledge • Possession – Mobile device identification • Inherence – Biometrics: Physical or Behavioral • Location – Geolocation – Geofencing – Geovelocity • Time1 1Source: http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA 2Source: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf NIST: Device identification, time, and geo- location could be used to challenge an identity; but “they are not considered authentication factors”2
- 7. www.owasp.org Authentication in an Internet Banking Environment • OUT: Simple device identification • IN: Complex device identification, “digital fingerprinting” use PC configuration, IP address, geo-location, other factors – Implement time of day restrictions for funds transfers – Consider keystroke dynamics, biometric-based responses1 1Source: https://www.fdic.gov/news/news/press/2011/pr11111a.pdf “…virtually every authentication technique can be compromised”
- 8. www.owasp.org “…time to alter how authentication is done …it doesn't meet today’s demands ….the range of technologies, such as soft tokens, hard tokens, Trusted Platform Module (TPM), biometrics, simple passwords and more have led to a ‘Tower of Babel’ for authentication.”1 – Phil Dunkelberger, CEO Nok Nok Labs State of the Market 1Source:http://www.networkworld.com/article/2161675/security/pgp-corp--co-founder-s-startup-targets-cloud- authentication.html
- 9. www.owasp.org Why 200+ MFA Vendors? Authentication has been the Holy Grail since the early days of the Web.1 The iPhone of Authentication has yet to be invented.2 1Source: http://sciencewriters.ca/2014/03/26/will-your-brain-waves-become-your-new-password/ 2Source: Clare Nelson, February 2015.
- 10. www.owasp.org Suboptimal Choices Authentication Factors/Technology 1. Biometrics, 2D fingerprint 2. Short Message Service (SMS) – One-Time Password (OTP) 3. Quick Response (QR) codes 4. Overreliance on GPS, location 5. JavaScript 6. Weak, arcane, account recovery 7. Assumption mobile devices are secure 8. Encryption (without disclaimers) – Quantum computing may break RSA or ECC by 20301 • Update on NSA’s $80M Penetrating Hard Targets project2 – Encryption backdoors, is it NSA-free and NIST-free cryptography? – No mysterious constants or “magic numbers” of unknown provenance”3 1Source: January 18, 2015: Ralph Spencer Poore, cryptologist, Austin ISSA guest lecturer 2Source: http://www.washingtonpost.com/world/national-security/nsa-seeks-to-build-quantum-computer-that-could- crack-most-types-of-encryption/2014/01/02/8fff297e-7195-11e3-8def-a33011492df2_story.html 3Source: https://www.grc.com/sqrl/sqrl.htm
- 11. www.owasp.org Juniper Research: • By 2019, 770 million apps that use biometric authentication will be downloaded annually - Up from 6 million in 2015 • Fingerprint authentication will account for an overwhelming majority - Driven by increase of fingerprint scanners in smartphones1 Irrational Exuberance of Biometric Adoption Samsung Pay 1Source: http://www.nfcworld.com/2015/01/22/333665/juniper-forecasts-biometric-authentication-market/
- 12. www.owasp.org 1Source: https://www.youtube.com/watch?v=q3ymzRYXezI Apple Touch ID: Cat Demo
- 14. www.owasp.org 2D Fingerprint Hacks • Starbug, aka Jan Krissler • 2014: Cloned fingerprint of German Defense Minister, Ursula Von der Leyen – From photographs1,2 • 2013: Hacked Apple’s Touch ID on iPhone 5S ~24 hours after release in Germany – Won IsTouchIDHackedYet.com competition3 • 2006: Published research on hacking fingerprint recognition systems4 1Source: https://www.youtube.com/watch?v=vVivA0eoNGM 2Source: http://www.forbes.com/sites/paulmonckton/2014/12/30/hacker-clones-fingerprint-from-photograph/ 3Source: http://istouchidhackedyet.com 4Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf
- 15. www.owasp.org Starbug Faking Touch ID 1Source: http://istouchidhackedyet.com
- 16. www.owasp.org Android: Remote Fingerprint Theft at Scale1 “…hackers can remotely steal fingerprints without the owner of the device ever knowing about it. Even more dangerous, this can be done on a “large scale.”2 1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Fingerprints-On-Mobile-Devices-Abusing-And- Leaking-wp.pdf 2Source: http://www.forbes.com/sites/thomasbrewster/2015/04/21/samsung-galaxy-s5-fingerprint-attacks/ Hardware User Space Kernel Space
- 17. www.owasp.org Krissler versus Riccio “Don't use fingerprint recognition systems for security relevant applications!”1 – Jan Krissler (Starbug) “Fingerprints are one of the best passwords in the world.”2 – Dan Riccio SVP, Apple 1Source: http://berlin.ccc.de/~starbug/talks/0611-pacsec-hacking_fingerprint_recognition_systems.pdf 2Source: http://www.imore.com/how-touch-id-works Photo: http://www.mirror.co.uk/news/world-news/revealed-fbi-believed-legendary-fight-3181991
- 18. www.owasp.org Behavioral Biometrics: 1Source: http://www.behaviosec.com Laptop: requires JavaScript, won’t work with Aviator browser, or if you disable JavaScript
- 19. www.owasp.org Behavioral Biometrics: Invisible Challenge • Detect threats based on user interaction with online, and mobile applications • Analyze 400+ bio-behavioral, cognitive and physiological parameters – Invisible challenge, no user interaction for step-up authentication – How you find missing cursor1 1Source: http://www.biocatch.com 1Source: http://www.biocatch.com
- 20. www.owasp.org Fingerprinting Web Users Via Font Metrics1 • Browser variations – Version – What fonts are installed – Other settings • Font metric–based fingerprinting – Measure onscreen size of font glyphs • Effective against Tor Browser 2Source: http://fc15.ifca.ai/preproceedings/paper_83.pdf
- 21. www.owasp.org Biometrics: In Use, Proposed • Fingerprints 2D, 3D via ultrasonic waves • Palms, its prints and/or the whole hand (feet?) • Signature • Keystroke, art of typing, mouse, touch pad • Voice • Iris, retina, features of eye movements • Face, head – its shape, specific movements • Ears, lip prints • Gait, Odor, DNA, Pills, Tattoos • ECG (Bionym’s Nymi wristband, smartphone, laptop, car, home security) • EEG1 • Smartphone/behavioral: AirSig authenticates based on g-sensor and gyroscope, how you write your signature in the air2 1Source: http://www.optel.pl/article/future%20of%20biometrics.pdf 2Source: http://www.airsig.com Digital Tattoo: http://motorola-blog.blogspot.com/2014/07/-unlock-your-moto-x-with-a-digital-tattoo.html
- 22. www.owasp.org “Thought Auth”1 EEG Biosensor • MindWave™ headset2 • Measures brainwave signals • EEG monitor • International Conference on Financial Cryptography and Data Security3 1Source: Clare Nelson, March 2015 2Source: http://neurosky.com/biosensors/eeg-sensor/biosensors/ 3Source: http://www.technewsworld.com/story/77762.html
- 23. www.owasp.org 3D Fingerprint1 1Source: http://sonavation.com/technology/ No matter how advanced the biometric is, the same basic threat model persists.
- 24. www.owasp.org How do you stump an MFA vendor? Ask for a threat model. Photo: http://www.huffingtonpost.co.uk/2015/08/09/parents-reveal-why-question-woes_n_7963152.html
- 25. www.owasp.org “… biometrics cannot, and absolutely must not, be used to authenticate an identity”1 – Dustin Kirkland, Ubuntu Cloud Solutions Product Manager and Strategist at Canonical 1Source: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html “Fingerprints are Usernames, Not Passwords”
- 26. www.owasp.org @drfuture on Biometrics 1Source: https://www.blackhat.com/docs/us-15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers- And-How-To-Avoid-Them.pdf Diagram Source: http://security.stackexchange.com/questions/57589/determining-the-accuracy-of-a-biometric- system Hidden Risks 1. Biometric reliability and the perception of it 2. Lack of discussion of the consequences of errors 3. Biometric data’s irreversibility and the implications 4. Our biometrics can be grabbed without our consent 5. Our behavior can rat us out – sometimes incorrectly 6. Giving our biometric and behavioral data may be (de facto) mandatory 7. Biometric data thieves and aggregators1 Threshold
- 27. www.owasp.org • Difficult to reset, revoke • Exist in public domain, and elsewhere (1M+ fingerprints stolen in 2015 OPM breach1) • May undermine privacy, make identity theft more likely2 • Persist in government and private databases, accreting information whether we like it or not3 • User acceptance or preference varies by geography, demographic What Will Cause Biometric Backlash? 1Source: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html 2Source: http://www.diva-portal.org/smash/get/diva2:512852/FULLTEXT01.pdfl 3Source: http://www.pbs.org/wgbh/nova/next/tech/biometrics-and-the-future-of-identification/ Photo: http://www.rineypackard.com/facial-recognition.php
- 28. www.owasp.org • Intel’s Dmientrienko, et al - Circumvented SMS OTP of 4 large banks1 • Northeastern University and Technische Universität Berlin - “SMS OTP systems cannot be considered secure anymore”2 • SMS OTP threat model - Physical access to phone - SIM swap attack - Wireless interception - Mobile phone trojans3 SMS OTP Attacks 1Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf 2,3Source: https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf
- 29. www.owasp.org • Operation Emmental • Defeated 2FA - 2014, discovered by Trend Micro1 - European, Japanese banks - Online banking 1. Customer enters username, password 2. Token sent to mobile device (SMS OTP) 3. Customer enters token (OTP) - Attackers scraped SMS OTPs off customers’ Android phones2, 3 SMS OTP Attack: Banking Example 1Source: http://blog.trendmicro.com/finding-holes-operation-emmental/ 2Source: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes- operation-emmental.pdf 3Source: https://www.youtube.com/watch?v=gchKFumYHWc
- 30. www.owasp.org SMS OTP Attacks 1Source: http://www.christian-rossow.de/publications/mobile2FA-intel2014.pdf Diagram Source: https://devcentral.f5.com/articles/malware-analysis-report-cridex-cross-device-online-banking-trojan Banking trojans deploy mobile malware, allow attackers to steal SMS OTP 1
- 31. www.owasp.org QR Code Risks1 VASCO two-factor authentication • User captures QR code with mobile device • User enters PIN code to log on, or validate transaction2 QR code redirects user to URL • Even if the URL is displayed, not everyone reads • Could link to a malicious website 1Source: http://www.csoonline.com/article/2133890/mobile-security/the-dangers-of-qr-codes-for-security.html 2Source: https://www.vasco.com/products/client_products/software_digipass/digipass_for_mobile.aspx
- 32. www.owasp.org Overreliance on Location • GPS spoofing1 • Cellphone power meter can be turned into a GPS2 • PowerSpy gathers information about an Android phone’s geolocation by tracking its power use over time – That data, unlike GPS or Wi-Fi location tracking, is freely available to any installed app without a requirement to ask the user’s permission3 1Source: http://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea 2Source: Dan Boneh, quoted in http://cacm.acm.org/magazines/2015/9/191171-qa-a-passion-for-pairings/abstract 3Source: http://www.wired.com/2015/02/powerspy-phone-tracking/
- 33. www.owasp.org 1Source: http://www.zdnet.com/article/google-unveils-5-year-roadmap-for-strong-authentication/ Account recovery is the Achilles heel of 2FA – Eric Sachs Product Management Director, Identity at Google
- 35. www.owasp.org Account Recovery1 Apple Two-Step Authentication • What if I lose my Recovery Key? • Go to My Apple ID, create a new Recovery Key using your Apple ID password and one of your trusted devices.1 1Source: https://support.apple.com/en-us/HT204152
- 36. www.owasp.org “Mobile is the New Adversarial Ingress Point.”1 – Lee Cocking, VP Product Strategy at GuardTime 1Source: http://guardtime.com/blog/biggest-enterprise-risk-mobile-devices
- 37. www.owasp.org What’s Wrong with Mobile Device as Authentication Device? MetaIntelli research: sample of 38,000 mobile apps, 67% had M32 Source: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks Source: http://metaintelli.com/blog/2015/01/06/industry-first-metaintelli-research-discovers-large-number-of- mobile-apps-affected-by-owasp-mobile-top-10-risks/
- 38. www.owasp.org MFA Double Standard Consumers • Facial and voice for mobile login2 Employees • Symantec VIP3 1Source: http://cdn.themetapicture.com/media/funny-puppy-poop-double-standards.jpg 2Source: http://www.americanbanker.com/news/bank-technology/biometric-tipping-point-usaa-deploys-face-voice- recognition-1072509-1.html 3Source: http://www.slideshare.net/ExperianBIS/70-006identityauthenticationandcredentialinginpractice 1
- 39. www.owasp.org Perfect Storm • Fractured market – 200+ MFA vendors – ~$1.8B market1 • Apple, VISA, Samsung – 2D fingerprint authentication is cool, secure • Breaches • Legislation • FIDO Alliance 1Source: http://www.slideshare.net/FrostandSullivan/analysis-of-the-strong-authentication-and-one-time- password-otp-market
- 40. www.owasp.org FIDO Alliance • Fast ID Online (FIDO) Alliance • Proponent of interoperability – Universal 2nd Factor (U2F) – Universal Authentication Framework (UAF) • Triumph of marketing over technology • Network-resident versus device-resident biometrics – FIDO advocates device-resident • Problems, especially with voice1 1Source: January 2015, “Network vs Device Resident Biometrics,” ValidSoft
- 41. www.owasp.org “Legacy thinking subverts the security of a well-constructed system”1 – David Birch, Digital Money and Identity Consultant, Author of Identity is the New Money2 1Source: https://www.ted.com/talks/david_birch_identity_without_a_name?language=en#t-112382 2Source: http://www.amazon.com/Identity-Is-New-Money-Perspectives/dp/1907994122
- 43. www.owasp.org OWASP IoT Top 10 1Source: http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 A1: Insecure Web Interface A2: Insufficient Authentication/A utorization A3: Insecure Network Services A4:Lack of Transport Encryption A5: Privacy Concern A6 : Insecure Cloud Interface A8: Insecure Security Configurability A10: Poor Physical Security A7: Insecure Mobile Interface A9: Insecure Software / Firmware
- 44. www.owasp.org IoT Predictions Creative Cryptography, Uneven Protocol Adaptations • Enhanced Privacy ID (EPID®) – "Implementing Intel EPID offers IoT designers …proven security options”1 • PKI: instead of one-to-one mapping public and private key pairs, uses one-to-many mapping of public to private keys • Autobahn to dirt road – E.g., HTTPS to Constrained Application Protocol (CoAP) with OAuth2, OpenID, UMA – Different implementation constraints – “Security of these … mechanisms is highly dependent on the ability of the programmers creating it.”2 1Source: http://www.prnewswire.com/news-releases/atmel-collaborates-with-intel-on-epid-technology-to-enable-more- secure-iot-applications-300130062.html 2Source: Using OAuth for Access Control on the Internet of Things, Windley, 2015
- 45. www.owasp.org Consider Risk-Based Authentication (aka Context-Based Authentication, Adaptive Authentication) • Device registration and fingerprinting • Source IP reputation data • Identity store lookup • Geo-location, geo-fencing, geo-velocity • Behavioral analysis1 • Analytics, machine learning, continuous authentication2 1Source: http://www.darkreading.com/endpoint/authentication/moving-beyond-2-factor- authentication-with-context/a/d-id/1317911 2Source: Clare Nelson, August 2015 Layer multiple contextual factors. Build a risk profile.
- 46. www.owasp.org What You Can Do (1 of 2) • Request threat models from MFA vendors • Beware – 2D fingerprints – Already-hacked biometrics – QR codes – SMS OTP – JavaScript requirements – Weak account recovery – Lack of mobile device risk analysis – Encryption with backdoors Comic: Greg Larson, https://www.pinterest.com/pin/418834834066762730/
- 47. www.owasp.org What You Can Do (2 of 2) • Do not be swayed by latest InfoSec fashion trends – Apple Touch ID • Integration with VISA • Samsung Pay – FIDO Alliance • Rethink the definition of MFA – Beware of new interpretations Photo: http://northonharper.com/2014/04/wish-list-mini-midi-maxi/
- 49. www.owasp.org Additional References (1 of 3) • Stanislav, Mark; Two-Factor Authentication, IT Governance Publishing (2015) • Wouk, Kristofer; Flaw in Samsung Galaxy S5 Could Give Hackers Access to Your Fingerprints,http://www.digitaltrends.com/mobile/galaxy-s5-fingerprint-scanner- flaw/ (April 2015) • IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014) Six technologies that are taking on the password. — UN/ HACKABLE — Medium • Barbir, Abbie, Ph.D; Multi-Factor Authentication Methods Taxonomy, http://docslide.us/documents/multi-factor-authentication-methods-taxonomy- abbie-barbir.html (2014) • Nelson, Clare, Multi-Factor Authentication: What to Look For, Information Systems Security Association (ISSA) Journalhttp://www.bluetoad.com/publication/?i=252353 (April 2015)
- 50. www.owasp.org Additional References (2 of 3) • Keenan, Thomas; Hidden Risks of Biometric Identifiers and How to Avoid Them, University of Calgary, Black Hat USA, https://www.blackhat.com/docs/us- 15/materials/us-15-Keenan-Hidden-Risks-Of-Biometric-Identifiers-And-How-To- Avoid-Them-wp.pdf (August 2015) • Pagliery, Jose; OPM’s hack’s unprecedented haul: 1.1 million fingerprints: http://money.cnn.com/2015/07/10/technology/opm-hack-fingerprints/index.html (July 2015) • Bonneau, Joseph, et al, Passwords and the Evolution of Imperfect Authentication, Communications of the ACM, Vol. 58, No. 7 (July 2015) • White, Conor; CTO Doan, Biometrics and Cybersecurity, http://www.slideshare.net/karthihaa/biometrics-and-cyber-security (2009, published 2013) • Gloria, Sébastien, OWASP IoT Top 10, the life and the universe, http://www.slideshare.net/SebastienGioria/clusir-infonord-owasp-iot-2014 (December 2014)
- 51. www.owasp.org Additional References (3 of 3) • Steves, Michelle, et al, NISTIR, Report: Authentication Diary Study, http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7983.pdf (February 2014) • Andres, Joachim; blog, Smarter Security with Device Fingerprints, https://forgerock.org/2015/09/smarter-security-with-device- fingerprints/?mkt_tok=3RkMMJWWfF9wsRonv6TIeu%2FhmjTEU5z16u8kWaSyhok z2EFye%2BLIHETpodcMTcFnM7DYDBceEJhqyQJxPr3GKtYNysBvRhXlDQ%3D%3D (September 2015) • Perrot, Didier; There’s No Ideal Authentication Solution, http://www.inwebo.com/blog/theres-no-ideal-authentication-solution/ (August 2015)
- 52. www.owasp.org "A rose by any other name would smell as sweet”1 • Adaptive authentication • Multi-modal authentication • Continuous authentication • 2FA, TFA, Two-factor authentication • Multi-factor authentication • Strong authentication – United States: Many interpretations, depends on context – European Central Bank (ECB): strong authentication, or strong customer authentication, set of specific recommendations2 • Apple: Two-step authentication • Multi-step authentication • SecureAuth: Adaptive, risk-based, context-based authentication • IDC: advanced authentication, dynamic user authentication, multiform authentication, multiframe authentication, standard authentication, traditional authentication – Traditional authentication: authenticate at beginning of session – Dynamic authentication: users may be asked to authenticate at “various points during a session, for various reasons”3 • Step-up authentication • Re-Authentication 1Source: Shakespeare, Romeo and Juliet, http://shakespeare.mit.edu/romeo_juliet/romeo_juliet.2.2.html 1Source: IDC Technology Spotlight, sponsored by SecureAuth, Dynamic Authentication: Smarter Security to Protect User Authentication (September 2014) 2Source: https://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html