User Authentication on Mobile Devices
Google Two FactorAuthentication
OTP (One Time Password)
What is Two Factor Authentication
Most of us use a single factor (password), typically 8 characters and easy to remember. Your password can be compromised by:
• Social Engineering
• Intrusion in the host
• It's written down somewhere
• Brute force hacking
• Phishing scheme
Two factor provides a second key (password), previously delivered using a "fob" or a smart card. Google has now implemented OTP, a 6 digit second factor, using mobile phones: SMS, voice message or generated by your phone (Android, BlackBerry or iPhone).
What Google Two Factor looks like
Google has a check box to remember your location/s for 30 days. Either SMS or voice messaging 6 digit factor delivery.
Is Google Two Factor right for you
Pros
• Simple to use
• Backup phone if the primary fails, is lost or stolen
• Allows users to roam to different systems/locations
• 10 emergency backup codes
• Automatic setup via QR code
• Support for multiple accounts
• Time and counter based code generation, RFC 4226, 3548 (Seek for Android information, Home)
Cons
• Susceptible to man-in-the-middle and man-in-the-browser attacks
• Sys Admin overhead
• 10 emergency backup codes
• Application-specific passwords are required for applications requiring a separate login
• Can't be presently used with Google SSO enabled
• root access can overcome the JavaCard security mechanism
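As an added illustration that is not part of the deck, the counter based (RFC 4226 HOTP) and time based (RFC 6238 TOTP) generation of the 6 digit code in Python, plus the RFC 3548 base32 decoding of a QR-provisioned secret; the server-side `verify_hotp` with a look-ahead window is an assumed resynchronisation policy, not Google's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    t = int(time.time()) if now is None else now
    return hotp(secret, t // step, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Secrets in provisioning QR codes are base32 (RFC 3548), usually shown without padding."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_hotp(secret: bytes, submitted: str, counter: int, look_ahead: int = 3) -> Optional[int]:
    """Assumed server-side check: accept the expected counter or up to look_ahead
    counters ahead (client skipped some codes), return the next counter to store.
    Counters at or below the last used one are never accepted, which blocks replay."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed example using the RFC 4226 Appendix D test secret.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    for n in range(3):
        print(n, hotp(key, n))  # 755224, 287082, 359152
    print("now", totp(key))
```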
Two Factor Failures
There haven't been reports of the actual two-factor algorithms or protocol hacked.
Reports I'm aware of have made use of social engineering and/or password recovery processes.
The question is "will cell phone users implement two-factor authentication", or is there an alternative?
• Bio-metrics, retina scan, finger print scan, facial recognition, Bio-impedance, etc.
• Why have users failed to adopt any of the security methods?
References
RFC 4226 HOTP: An HMAC-Based One-Time Password Algorithm
Seek for Android information: Secure Element Evaluation Kit for the Android platform
2-Step Authentication for Google Administrators
An example of the RSA SecurID Fob, model RSA SID700-6-60-60-10
App Stores Security
What you download may be compromised!
State of the App Market
• Apple and Google control 80% of the App Market
• By the end of 2013 an estimated 50 Billion downloads
• There are over 1 million different Apps
The summary doesn't consider Amazon and Barnes & Noble, corporate sites offering downloads for their own flavor of Apps, developers of all sizes, and App distributors.
We have a chaotic marketplace depending on the participants' "best efforts" to ensure the end user's privacy and security, as well as that of others (companies who employ them, even ones they visit and whose WiFi service they use).
What are the areas of concern?
• How trustworthy is the App Store?
• How trustworthy is the Developer?
• Can the user report issues found in the App?
• Who should get the report?
• Does the App use more permissions than needed?
• Does the App make connections to the Internet?
• Does the user need anti-virus, malware, etc.?
• Will this be an issue with BYOD?
BYOD
Bring Your Own Device
Corporate Attitudes, Issues & Policies
• IT management is presently split regarding BYOD. A bit more than half allow employees to use their own devices. Given the recession, IT budgets have been very tight, so is it an opportunity to avoid spending?
• The operating systems and CPUs are different from those of PCs; does this provide a measure of protection?
• How can employees connect to the Company IT services: WiFi, Ethernet (Netbooks, Pads) and Smart Phone as a USB thumb drive?
• Do many companies have any policies regarding acceptable sources of Apps? A black list of Apps? A policy on connecting to the IT infrastructure?