This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.

Ant AllanTwitter: @G_ant

Gartner Authentication Methods Evaluation Scorecards (GAMES)

Why GAMES?

• To assist Gartner clients in evaluating (and choosing) new authentication methods

• Published guidelines (eg NIST SP800-63-1) focus on authentication strength (assurance, risk, or trust levels)- GAMES also considers UX and TCO

• Published guidelines might rank some available methods, but with little transparency- Why does X provide greater assurance than Y?- How can I rank P, Q,… that aren’t explicitly mentioned?

• Why is Gartner doing this? Because no-one else is!

GAMES Timeline

• First iteration - Gartner Authentication Method Evaluation Scorecards, 30 Sep

2008- Toolkit: Gartner Authentication Method Evaluation Scorecards, 8

Sep 2009

• Second iteration- Gartner Authentication Method Evaluation Scorecards, 2011:

Overview, 7 Mar 2011 - : Total Cost of Ownership, 7 Mar 2011 - : User Experience, 23 May 2011 - : Assurance and Accountability 5 Mar 2012 [sic]

• Third iteration… ?

Changes in GAMES

• General discussion of TCO elements chart of accounts• Ease of use UX• Authentication strength … multiple changes:

- V2 has explicit discussion of accountability, not completely orthogonal to assurance

- Scrapped complex, effortful quantitative approach (implying a precision that is really unattainable in this kind of evaluation) for a simpler, more qualitative approach

- Two parts: • A1: The method's resistance to attack — that is, how difficult is it for an attacker

to directly compromise or undermine the authentication method (without the user's knowing collusion)?

• A2: The method's resistance to willful misuse — that is, how difficult is it for a user to deliberately allow colleagues and others to share his or her account?

Basic GAMES Framework for Evaluating Assurance and Accountability

Particularity(Uniqueness Mapping)

BindingRaw resistance to masquerade

attack

Effective resistance to masquerade

attackAccountability

Assurance

People, processes and compensating

controls

Address w

eaknesses

1 2 4

3 5

6

The guiding principle of the evaluation of authentication strength is to find weaknesses in the authentication method: How could users share credentials? What vulnerabilities are there, and how could an attacker exploit them? What

user behaviors increase those vulnerabilities or make exploitation easier? How can we break this?

6

Combining Characteristics ( Operations)Level of first characteristic

High Medium Low Minimal

Level of second charac-teristic

High High Medium Low Low

Medium Medium Medium Low Minimal

Low Low Low Low Minimal

Minimal Low Minimal Minimal Minimal

Mathematically, we assign the values 1-4 to the levels minimal-high. The resultant value is the geometric mean of the two input values; that is, the square root of the product. The resultant level is taken from the integer part of that value. For example, combining medium with low, the resultant value is √(3× 2) = 2.449… so the resultant level is low.If we’re combining three values simultaneously, the resultant value is the cube root of the product, and so on.

Particularity Binding Accountability

• Particularity: To what degree are the authentication attributes — and the authentication information derived from them: - Unique?- Uniquely mapped to the user?

• Binding: How difficult is it for the user to willingly share authentication attributes with others?- Or: How tightly are the authentication attributes bound to the user?

• Accountability: An expression of resistance to willful misuse. (A2)

7

How Difficult Is it For an Attacker to Execute a Masquerade Attack? (A1)

This decomposes into four more-granular questions, each of which addresses a different attack mode:• B1: How difficult is it for an attacker to gain possession of

(a copy of) the authentication attributes the user possesses?

• B2: How difficult is it for an attacker to capture and successfully reuse the authentication information?

• B3: How difficult is it for an attacker to directly or indirectly modify the stored authentication attributes?

• B4: How difficult is it for an attacker to directly or indirectly modify an authentication decision or how a decision is enforced?

Any chain is only as strong as its weakest link! 8

Evaluating the Attack Mode Questions

Consider the following*:• C1: The attack vector — Where does an attacker have to

be to execute the attack? If it's local (that is, physically present), the difficulty is high; if on a local network, medium; if on the Internet, minimal.

• C2: The access complexity — What level of effort is required? This can be directly expressed as minimal to high.

• C3: The novelty** — How unusual is the attack? If this is seen in the wild, the novelty is minimal; if it exists as a proof of concept, low; if it is unproven, medium.

* Much simplified version from the Common Vulnerability Scoring System** Note that this replaces "exploitability of the attack" used in the original GAMES research, in order to have the scoring in the "right direction.")

9

Evaluating an Authentication Method's Effective Resistance to Attack

A method's inherent or "raw" resistance to masquerade attack can be modified — strengthened or weakened — by external considerations that will vary from one implementation to another:• D1: How can user behavior facilitate or mitigate an

attack?• D2: How can administrative processes and administrator

behavior facilitate or mitigate an attack?• D3: How can additional compensating controls mitigate

an attack?

10

11

Example of a Summary ScorecardCharacteristic Value Comments

A Uniqueness High [Rationale for high uniqueness value here] 

B Mapping uniqueness Medium [Rationale for medium mapping uniqueness here]

C Particularity (A B) Medium Derived value

D Binding Medium [Rationale for medium binding here]

E Assurance (C D) Medium Derived value

F Resistance to attacks of the first kind High See attatched worksheet.

G Resistance to attacks of the second kind

Low See attatched worksheet. [See example in Figure 4]

H Resistance to attacks of the third kind

High See attatched worksheet.

J Raw resistance to masquerade attacks (lowest of F, G and H)

Low Derived value: Lowest of F, G and H..

K Effective resistance to masquerade attacks

Medium [Details of complementary safeguards that mitigate the risk of attacks of the second kind. Might reference additional documentation.]

L Assurance (E K) Medium Derived value

12

Example of a Scorecard Evaluating Resistance to Attacks of the Second Kind

Attack vector

Access complexity

Novelty Resistance(cube root of product)

Comments

Eavesdropping at the endpoint

Medium (3) High (4) Medium (3) 3.302 Medium [Rationale here. Might reference additional documentation.]

Eavesdropping on the network

Minimal (1) High (4) High (4) 2.520 Low [Rationale here. Might reference additional documentation.]

Minimum resistance to attack

Low Derived value

Basic GAMES Framework, Redux

Particularity(Uniqueness Mapping)

BindingRaw resistance to masquerade

attack

Effective resistance to masquerade

attackAccountability

Assurance

People, processes and compensating

controls

Address w

eaknesses

1 2 4

3 5

6

• Learnability• Usability• Utility• Aesthetic appeal• Privacy concerns*

Universal Design Principles• Equitable use• Flexibility in use• Simple and intuitive• Perceptible information• Tolerance for error• Low physical effort• Size and space for

approach and use

14

UX Considerations

A person's perceptions and responses impact security and risk, TCO, corporate image and business outcomes.

* Not in published research. h/t Mary Ruddy

• Authentication infrastructure components:- Hardware- Software - Services

• IT operations- Implementation - Support - Identity administration - Logistics

• Target system components

• End-user and endpoint components

• Administration - Management - Training

• End users- Training- Downtime

15

TCO Considerations (High Level!)

Q&A

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.© 2013 Gartner, Inc. and/or its affiliates. All rights reserved.

Ant AllanTwitter: @G_ant

Gartner Authentication Methods Evaluation Scorecards (GAMES)