
Aladdin Beyond Passwords


8/6/2019 Aladdin Beyond Passwords

http://slidepdf.com/reader/full/aladdin-beyond-passwords 1/30

aladdin.com

Beyond Passwords

Ori Ammar, CISSP, ISSAP – Pre-sales Manager


 © Copyright 2008 Aladdin Knowledge Systems Ltd. All rights reserved.

Legal Notice

Aladdin, Aladdin Knowledge Systems, HASP®, eToken™ and eSafe® are only a few of Aladdin Knowledge Systems Ltd.’s (“Aladdin”) proprietary trademarks. The Aladdin Knowledge Systems logo is also proprietary to Aladdin.

The information contained in this presentation is protected by international copyright laws. The copyrights are owned by Aladdin or the original creator of the material. The information contained herein is provided to you for informational purposes only, and except and to the extent specifically permitted, no portion of this presentation may be copied, reproduced (or the like), distributed or used in any way whatsoever whether directly or indirectly.

In addition to Aladdin’s trademarks, logos, content and information, this presentation may contain references to trademarks and/or logos owned by other entities. Aladdin expressly disclaims any proprietary interest in trademarks and/or logos owned by other entities and makes no representation of any association, sponsorship, affiliation, or endorsement with or by the owners of such trademarks and/or logos.

This presentation may contain references and use of third party web sites for purposes of providing examples relevant to this course. Aladdin assumes no responsibility and/or liability for any content and/or information contained in such third party web sites. Aladdin further does not endorse the companies or contents of any referenced sites.

Aladdin does not assume any responsibility or liability for the accuracy of the information contained in this presentation. The information contained in this presentation is provided "as is" and does not constitute a warranty of any kind, either express or implied. Aladdin disclaims all warranties, expressed or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.


Beyond Passwords: Strong Authentication

• Authentication for Online Services
 – Current risk landscape
 – Key forces
• Multi-factor authentication
 – What is two-factor authentication
 – Authentication methods
 – What methods are being used in online services?
• Emerging Directions


Data is everywhere

Servers

Workstations (LAN)

Laptops

Mobile


Attacks Come From All Directions

• Internal
 – July 2007 – Subsidiary employee stole 2.3 million consumer records from Fidelity National Information Services containing credit card, bank account and other personal information
 – July 2007 – Former Boeing employee accused of stealing 320,000 data files
• Partners
 – April 2005 – a total of $350,000 was stolen from Citibank customers by 12 employees of an outsourced call center firm in India, who defrauded the customers of their credentials
• Outsiders
 – January 2007 – intruders infiltrate TJX and steal consumer credit and debit card data affecting millions of consumers and costing $118 M
 – July 2006 – researchers spotted a phishing website targeting Citibank's Citibusiness service that attempted to steal user names and passwords as well as OTP values for user accounts


Identity Theft

The TOTAL number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005: 236,529,278

www.privacyrights.org


Phishing – Citibank Scam

http://68.255.44.238:87/%63%69%74/%69%6E%64%65%78%2E%68%74%6D
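The link on this slide carries the three tell-tale signs of a credential-harvesting page that the earlier "Outsiders" bullet describes: a bare IP address instead of the bank's domain, a non-standard port, and a path whose percent-encoding hides what it says in plain text. As an added example (not part of the presentation and not Aladdin's code), the Go program below decodes such a link and lists the indicators a defender would raise before a user types a user name, password or OTP into it. The heuristics are this example's own, and the benign comparison URL is constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// linkFindings returns the reasons a link deserves a second look before anyone
// enters credentials into it. The four heuristics are this example's own:
// plain http, a bare IP as host, a non-standard port, and a path that was
// percent-encoded although none of its characters needed escaping.
func linkFindings(raw string) ([]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	var findings []string
	if u.Scheme != "https" {
		findings = append(findings, "not https: no server certificate for the browser to check")
	}
	if net.ParseIP(u.Hostname()) != nil {
		findings = append(findings, "host is a bare IP address rather than the organisation's domain")
	}
	if p := u.Port(); p != "" && p != "80" && p != "443" {
		findings = append(findings, "non-standard port "+p)
	}
	// url.Parse keeps RawPath only when the original encoding differs from
	// what Go itself would produce for the decoded path, i.e. when characters
	// that never needed escaping were escaped anyway to obscure the path.
	if u.RawPath != "" {
		findings = append(findings, "path is needlessly percent-encoded; it decodes to "+u.Path)
	}
	return findings, nil
}

// decodedPath shows what the obfuscated path actually names.
func decodedPath(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

func main() {
	// The link from the slide, plus a constructed benign login URL for contrast.
	for _, link := range []string{
		"http://68.255.44.238:87/%63%69%74/%69%6E%64%65%78%2E%68%74%6D",
		"https://www.example.com/login",
	} {
		findings, err := linkFindings(link)
		if err != nil {
			fmt.Println(link, "->", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", link, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The check for a needlessly encoded path relies on a documented property of Go's `net/url`: `RawPath` is only populated when the original text cannot be regenerated from the decoded `Path` with the default escaping, which is exactly the situation when ordinary letters have been written as `%xx` sequences.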


The Problem with Passwords

Memorized passwords are:

• Easy to crack, easy to guess
• Easy to steal: keystroke loggers, phishing attacks
• Difficult to remember and use: high help-desk costs


Passwords


Online Services: Forces In Action


Multi-Factor Authentication

Strong authentication means using two or more authentication factors

Authentication – the three ‛what’s:
• What you know
• What you have
• What you are

(figure: a User Name / Password login form, illustrating “what you know”)


How do we Strongly Authenticate?

A wide set of technologies to choose from…

USB tokens

OTP tokens

Hybrid tokens

Smart Cards

Biometrics

And more…


One Time Passwords

• An OTP (one-time password) system generates a series of passwords that are used to authenticate
• Once one of the passwords is used, it cannot be used again
• The logon system will always expect a new one-time password at the next logon


One Time Password - Tokens

• Password is generated on the device (token)

• Zero footprint, Platform independent

• Battery Operated (limited lifetime)

• Strong Authentication when combined with PIN code


One Time Password – Soft OTP

• Software generated

• Variety of devices (Cell. Phone, PDA, Laptop, PC)

• Low cost solution (compared to token)

• Limited control

• Distribution Overhead (of the OTP program)


One Time Password over SMS

• Challenge-Response system

• Generate the challenge on the Web, via SMS, etc.
• Main problem is reliability (usability concern)
• SMS costs are also a concern (in large volumes)
High TCO / Limited ROI


Public-Private Key Pairs (Dig. Certificates)

• Digital Certificates contain the Public Key

• After trust is established, a mathematical operation authenticates
• Allows mutual authentication (protocol dependent)

• Private key must be protected
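To make "after trust is established, a mathematical operation authenticates" and "private key must be protected" concrete, here is a worked certificate-based challenge-response logon in Go, added for this edition and not code from the presentation or from Aladdin. A service trusts one root CA; the user's certificate (which carries only the public key) chains to that root; the user proves possession of the private key by signing a fresh nonce, which the server verifies with the public key from the certificate. The CA names, the user name "alice" and the 32-byte nonce are assumptions for the example. It also runs the two failure cases the last bullet implies: a copied certificate without its private key, and a certificate issued by a CA the server never trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func certTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA makes a self-signed root: the trust anchor the service configures once.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate(1, name)
	tmpl.KeyUsage, tmpl.BasicConstraintsValid, tmpl.IsCA = x509.KeyUsageCertSign, true, true
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert binds a user's public key to a name under the CA's signature.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := certTemplate(2, user)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signChallenge is the token's half: sign the server's nonce with the private key that never leaves it.
func signChallenge(priv *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifyResponse is the server's half: trust the certificate first (chain to the root, client-auth usage, validity), then check the signature over this session's nonce.
func verifyResponse(root, leaf *x509.Certificate, nonce, sig []byte) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type in certificate")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match the nonce")
	}
	return nil
}

// runScenario tries three logons against one trusted root (errors ignored for brevity).
func runScenario() (genuine, stolenCert, rogueCA bool) {
	root, caKey, _ := newCA("Example Root CA")
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userCert, _ := issueClientCert(root, caKey, "alice", &userKey.PublicKey)
	nonce := make([]byte, 32) // fresh per session, so a recorded response is useless later
	rand.Read(nonce)
	sig, _ := signChallenge(userKey, nonce)
	genuine = verifyResponse(root, userCert, nonce, sig) == nil // the real user
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ = signChallenge(otherKey, nonce)
	stolenCert = verifyResponse(root, userCert, nonce, sig) == nil // copied certificate, wrong key
	rogueRoot, rogueKey, _ := newCA("Rogue CA")
	rogueCert, _ := issueClientCert(rogueRoot, rogueKey, "alice", &otherKey.PublicKey)
	sig, _ = signChallenge(otherKey, nonce)
	rogueCA = verifyResponse(root, rogueCert, nonce, sig) == nil // certificate from an untrusted CA
	return
}

func main() {
	g, s, r := runScenario()
	fmt.Println("genuine user:", g, " stolen certificate:", s, " rogue CA:", r)
}
```

Two design points follow directly from the slide's bullets. The certificate is public and may be copied freely; what authenticates is the signature, which only the holder of the private key can produce, so that key belongs in tamper-resistant hardware such as the smart cards on the next slides. And the nonce is chosen by the server per session, so a response captured once (by a phishing page, say) does not verify against any later challenge. The same exchange run in the opposite direction, with the server's certificate and key, gives the mutual authentication the slide mentions.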


Digital Certificates on Smart Cards

• Dedicated Hardware

• Secure – on-board key generation and storage

• Allows personalization

• Costly and less convenient – requires a reader


Digital Certificates on USB based Smart Cards

• Dedicated Hardware

• Secure – on-board key generation and storage

• Reader-less

• Portable


Biometrics

• Can provide both functions: Identification and Authentication

• Physiological / Behavioral

• Costly

• Complex to install (FAR/FRR)

• Privacy Issues


OTP or PKI?


Beyond Strong Authentication

• OTP Provides Strong Authentication
• Smart Tokens with PKI will take you beyond:
 – Strong Authentication
 – Signing
 – Encryption


Roaming vs. Authentication Strength

(chart: Authentication Strength on one axis against Ease of Roaming on the other)


The Tradeoff

(figure: the three competing goals Security, Cost and Usability)


Emerging Directions: “Clientless” USB Tokens

• Key proposition
 – Use proven secure technology that is highly accepted from user and regulatory perspective
• Early adopters
 – Software based
   • Software smartcard on a storage device – HD or USB removable device
 – Hardware based
   • TPM in the PC
   • Smartcard based token
   • No software client required – Roaming PKC


Clientless USB Smart Card

Easy to deploy and simple to use
• “Plug and Play”
• No screen display or battery
• Application rich – use for secure network access, remote email access, password management and more

Security
• Certificate based authentication
• Highly secure – minimizes vulnerability to man-in-the-middle attacks
• Smartcard based hardware device provides high level of security

Cost savings
• No battery
• Reduced TCO by eliminating the cost of maintaining software clients


Summary

• Risk levels will continue to rise
• Ease of use and roaming capability are key factors for user acceptance and adoption
• Zero footprint technologies & architectures have a growing appeal
• A drift to PKI based technologies from the traditional OTP


Is this only applicable to ‘online’ services?

• What is an online service?

• Is this different from the enterprise?


Reliable Authentication Enables Business


www.aladdin.com/eToken

Thank You