MCA 2013 - Phil Underwood - Secur Envoy

Page 1: MCA 2013 - Phil Underwood - Secur Envoy

© 2013 Copyright SecurEnvoy Ltd. All rights reserved

Phil Underwood, Global Head of Pre Sales

Users, Access and Passwords: a BAD Combination?

Page 2

User Authentication: it’s all about trust

Can you trust the “logon”? Was it the real user?

Page 3

How Many Passwords?

Page 4

The Password Problem

• “Social engineering”

• Finding written passwords

– Post-It Notes

• Guessing password / PIN

– Dog’s or child’s name, birthday

• Shoulder surfing

• Keystroke logging

– Can be resolved with mouse-based entry

• Screen scraping (with keystroke logging)

• Brute force password crackers

– L0phtcrack, Cain & Abel

Page 5

© 2009 Copyright SecurEnvoy Ltd. All rights reserved

Compromising the Password (www.oxid.it)

Page 6

Compromising the Password (www.keyghost.com)

Page 7

Traditional Approach Weaknesses

Page 8

Vulnerability Assessment: Real Customer

• Password policy:

– Minimum password length: 8 chars

– Maximum password age: 42 days

– Minimum password age: 28 days

– Force logoff: never force

– Password history: no history

• 342 user account passwords, including 69 IPC$ shares, were obtained

• 29 users had the password “password”

• 1 user had the password “password1”

• 4 users used only numbers, of which two looked like a date of birth

• 3 users used only 5-character passwords
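The figures on this slide are what an assessment produces when obtained passwords are checked against the stated policy. As an added example (not from the slides or from SecurEnvoy), the following Python classifies a constructed set of account/password pairs into the weak categories the slide counts: the literal “password”, “password” plus digits, digits-only and date-of-birth-like values, and passwords shorter than the policy minimum. The helper names, the date-of-birth heuristic and the sample data are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8   # slide: Minimum password length: 8 chars

# Heuristic only: 8-digit values in DDMMYYYY, MMDDYYYY or YYYYMMDD order.
_DOB_PATTERNS = (
    re.compile(r"^(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])(19|20)\d\d$"),  # DDMMYYYY
    re.compile(r"^(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])(19|20)\d\d$"),  # MMDDYYYY
    re.compile(r"^(19|20)\d\d(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$"),  # YYYYMMDD
)

def looks_like_dob(pw: str) -> bool:
    return pw.isdigit() and any(p.match(pw) for p in _DOB_PATTERNS)

def classify(pw: str, policy: PasswordPolicy) -> set[str]:
    """Return every weak category the password falls into (empty if none)."""
    cats = set()
    if pw.lower() == "password":             # case-insensitive: "Password" counts too
        cats.add("literal 'password'")
    elif re.fullmatch(r"password\d+", pw.lower()):
        cats.add("'password' + digits")
    if pw.isdigit():
        cats.add("digits only")
        if looks_like_dob(pw):
            cats.add("date-of-birth-like")
    if len(pw) < policy.min_length:          # set before the policy, never re-enforced
        cats.add(f"shorter than {policy.min_length}")
    return cats

def audit(records: dict[str, str], policy: PasswordPolicy) -> Counter:
    """Count accounts per weak category over an account -> password map."""
    counts: Counter = Counter()
    for pw in records.values():
        counts.update(classify(pw, policy))
    return counts

# Constructed sample; not the real customer data from the slide.
SAMPLE = {
    "alice": "password", "bob": "Password", "carol": "password1",
    "dave": "19850412", "erin": "12345", "frank": "123456789",
    "grace": "Tr0ub4dor&3", "heidi": "xK9!mQ2p",
}
if __name__ == "__main__":
    for category, n in sorted(audit(SAMPLE, PasswordPolicy()).items()):
        print(f"{n:3d}  {category}")
```

Passwords shorter than the configured minimum, as on the slide, are the sign of a policy applied after the passwords were set and never re-enforced by forcing a change.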

Page 9

Why Tokenless®

• 6 billion GSM phones worldwide

Source: http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a#subscribers

• According to the United Nations there are 7 billion people in the world

Source: http://www.un.org/News/Press/docs/2011/sgsm13691.doc.htm

• That’s a potential token ready to be utilised

• Our vision is to put an authentication token into every pocket

Page 10

Tokenless using SMS

1. User enabled for authentication

2. User set up for Pre Load SMS (OTP, Day)

3. Passcode refreshed at time of use

4. User set up for Real Time SMS (Flash)

5. User receives SMS at time of logon

6. Real time passcode (set time to live)

Page 11

Soft Token Deployment

Page 12

Enrolment Security

Diagram, enrolment flow:

• Seed 1st Part: random, created locally (QR code scan / 8 digit code)

• Seed 2nd Part: fingerprint of the phone; recreated each time a passcode is created

• Seeds are NOT stored by the manufacturer; AES 256 bit encrypted

Page 13

SMS vs Soft Tokens: What Is The Best Option?

Option 1: SMS

Option 2: Soft Token App

BOTH: put the user in control

Page 14

Remote Users – WEB/VPN (RADIUS)

Page 15

Thank You