EasyMultiFactorAuthenticationStrategiesandPCIDSS3.2

HELLO!I am Anirban Banerjee.I am the Founder and CEO of Onion ID.

https://calendly.com/anirban/enterprise-demo/

Two/Multi Factor Authentication

PCI DSS 3.2

Strategies

WhatisTwo-FactorAuthentication?

▸ Addsasecondlevelofverificationtothepassword-basedapproach.

▸ Example:atextmessagetoyourphone,avaluefromaRSAtoken.

▸ Ifahackergetsyourusernameandpasswordtheystillwon’tbeabletogetintoyouraccount.

Whydoweneedthis?

Usernames&Passwordscanbestolen!• Phishing attacks• Samecredentialsacrossapps• Key-loggers• Educatedguesses, socialengineering

2FApreventsattackersfromaccessingyouraccounteveniftheyobtainyourusernameandpassword.

MandatedinVersion3.2ofthePCIDataSecurityStandard

WhoUsesTwo-Factor?

MultiFactorAuthentication

AddingMoreFactors

• Increasethestrengthofauthenticationbyaddingfactors.

• Fivecategoriesofauthenticationmethods• whoyouare,• whatyouknow,• whatyouhave,• whatyoutypicallydo,• thecontext.

• Addingfactorsfromdifferentcategoriescanincreasestrengthonly iftheoverallsetofvulnerabilities isreduced.

Whatcanweadd?

PhysicalBiometric▸ immutableand

unique• Facial recognition• IrisScan• RetinalScan• FingerprintPalm

Scan• Voice• Livelinessbiometric

factorsinclude:• Pulse.

CAPTCHA;etc

Behavioral/Biometric • basedonperson’s

physicalbehaviouralactivitypatterns

• Keyboardsignature

• Voice

WhoYouAre

Biometric

whatyou

know

whatyou

have

whatyou

DoContext

• UserNameandPassword(UN/PW),

• Apassphrase• aPIN• Ananswertoa

secretquestion

• OneTimePassword(OTP)

• Smartcard• X.509and

PKI• Rarely

usedalone• Usedin

combinationwithUN/PWandaPIN

• Browsingpatterns

• Timeofaccess

• Typeofdevice

• UsedinCombinationwithothermethods

•

• Location;Timeofaccess;

• Subscriberidentitymodule(SIM)

• Frequencyofaccess;

• Usedwithothermethods

▸ Combiningtwoormoreauthenticationmethodscanpotentiallyincreaseauthenticationstrength.

▸ However!• Becarefulnottointroducevulnerabilities

• MorefactorsèMorecomplex/costlytoimplement&use.Themorethemerrier?

Themorethemerrier?

▸ Simplyaddingfactorsdoesnotguaranteemoreprotection

Source: Gartner

FindingtheBestFactorCombo

UseNeedsandConstraintstoDetermine• Authenticationstrength

• indicatedbythelevelofrisk• TotalCostofOwnership

• Constrainedbybudget• Easeofuse

• universallydesirable,but itislesscriticalthegreatertheconsistency

• Otherconstraints• consistencyandcontrolofthe

endpoint isaparticularconstraint;

Source - Gartner

PCIDSS3.2

▸ Feb12018

▸ MultiFactorauthentication foreveryone

▸ Needtoprotectbothconsoleandnonconsolebasedaccess

▸ Newrequirements10.8and10.8.1outlinethatservice providersneedtodetectandreportonfailuresofcritical securitycontrolsystems

▸ Newrequirement11.3.4.1indicatesthatserviceprovidersneedtoperformpenetration testingonsegmentationcontrolseverysixmonths

Highlights

▸ Serverdoesnotsupport2FAbydefault

▸ AppdoesnotsupportSAML/Oauth

▸ Apphasnonativesupportfor2FA

▸ Regularauditingofaccess

▸ DataPrivacyissues,datasegregationChallenges

▸ EnableMFAviaBrowserextensionsorWebFilters

▸ UseUXfriendlyMFA:Geo fencing,proximity,fingerprint

▸ SetupauditingsystemsbyparsingSIEMinfo

▸ SetupamonthlyPCImeeting togooverprocessandresults

▸ Commercial tools– OnionIDtodoprivilegemanagementStrategies

Conclusions

▸ Passwordbasedauthenticationisnotenoughanymore.

▸ MultiFactorauthentication isheretostay!

▸ Manydifferentoptions,eachwithitsowncostsandvulnerabilities.

▸ Besmart:addingmorefactorswilldefinitelyincreasecostandcomplexity,butmightnot(sufficiently)increasesecurity.

▸ Considerthetrade-offs,customize.Pickthecombinationthatworksforyou.

Conclusions

THANK YOU!Any questions?You can find more about us at:Onion ID – The Next Generation of Privilege Managementwww.onionid.com , sales@onionid.comTel: +1-888-315-4745https://calendly.com/anirban/enterprise-demo/