Authentication 2
Authentication Factors
Inherence Factors (Biometrics) are unique identifiable biological characteristics. Inherent to individuals
Biometrics
- Fingerprints
- Facial Recognition
- Iris Recognition
- Voice Recognition
- Behavioural biometrics - Dynamics (mouse, keyboard etc), Gait, Posture, Usage patterns
Security Considerations
- No risk of losing access
- Very convenient
- Availability of sensors?
- False positives and negatives
- Can never be changed
- Not fool proof
Hardware Tokens
- Keys
- USB tokens - OTP, Security keys
- Smart Cards - Metal contacts, RFID, Access control
- Smartphones/wearables - Readily available, often a single point of failure
Traditional hardware tokens
- Time/counter-based OTP that the user enters
- Temporary code that changes every 30s
- Requires manual intervention
Security keys for WebAuthn
- Public-key cryptography (private key stored on token, public key on server)
- Embedded MFA
- Challenge-response during authentication
- Automatic, if paired with authenticating device
- If password is a recovery option, security is the same as passwords
Possession Factors Security Considerations
- Relies on strong keys and cryptography, or on very different channels
- In principle very secure
- Often as part of MFA
- Physical loss, damage(usability) or theft
- Usability
- Cost
Managing Passwords
- Passwords are prone to be guessed, cracked, stolen, misued
- Often the weakest link
- Still not always well managed server-side!
- Much effort to replace them, but still around
- Targeted attacks versus wide net
Password Managers
Good
- Single master password vs many passwords
- Entropy sufficient for individual service passwords
- Entropy better since a single password is needed
- Convenience!
Bad
- Not all free
- Master password = single point of failure
- Attractive target!
- Still requires good password hygiene
- Vaults still at risk
- Leaks
- Can you trust a single third-party with all your auth data
- Trading some types of attacks
- Service leaks/mismanagements
- Lower entropy
Password Managers
- In the balance, probably a positive
- Community tends to be cautiously in favour
- Ultimately, depends on how they are used, the specific service
MFA
- Combination of several authentication methods
- Ideally, factors from different categories
- Disproportionately more difficult to compromise
- Usability, (in)convenience