Brno University of Technology Excalibur System
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Support for U2F FIDO Tokens in Mobile Applications
Masaryk University Faculty of Informatics Support for U2F FIDO tokens in mobile applications Bachelor’s Thesis Marek Hrašna Brno, Spring 2019 Masaryk University Faculty of Informatics Support for U2F FIDO tokens in mobile applications Bachelor’s Thesis Marek Hrašna Brno, Spring 2019 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Marek Hrašna Advisor: RNDr. Petr Švenda Ph.D. i Acknowledgements I would like to express my gratitude to my advisor, RNDr. Petr Švenda Ph.D. his guidance, patience, and helpful advice throughout the mak- ing of this thesis. iii Abstract One of the biggest security problems on the Internet is the usage of weak credentials, such as passwords, for user authentication. Second- Factor Authentication (2FA) provides a valid answer to this threat. Still, there are many 2FA schemes vulnerable to prominent web threats such as phishing attacks. The U2F protocol provides a phishing-resistant 2FA solution, optionally based on secure hardware elements. This thesis provides an analysis of the security brought by the U2F authen- tication scheme and shows its real-world adaptation in mobile plat- forms. It discusses problems that occur while using commercial tokens implementing this standard and describes the process of installing a U2F applet onto a JavaCard while discussing possible problems that may occur. -
Move Beyond Passwords Index
Move Beyond Passwords Index The quest to move beyond passwords 4 Evaluation of current authentication method 6 Getting started with passwordless authentication 8 Early results to going passwordless 9 Common approaches to going passwordless 11 Email magic links 11 Factor sequencing 12 Webauthn 14 Planning for a passwordless future 16 Move Beyond Passwords 2 Introduction Traditional authentication using a username and password has been the foundation of digital identity and security for over 50 years. But with the ever-growing number of user accounts, there are a number of new issues: the burden on end users to remember multiple passwords, support costs, and most importantly, the security risks posed by compromised credentials. These new challenges are now outweighing the usefulness of passwords. The case for eliminating passwords from the authentication experience is getting more compelling every day. Emerging passwordless security standards, elevated consumer and consumer-like experience expectations, and ballooning costs have moved eliminating passwords from a theoretical concept to a real possibility. In this whitepaper, we will explore the case for going passwordless for both customer and employee authentication, and map out steps that organizations can take on their journey to true passwordless authentication. Move Beyond Passwords 3 The quest to move beyond passwords Understanding the need for passwordless authentication starts with understanding the challenges presented by passwords. The core challenges with passwords can be broken down into the following areas: Poor Account Security Passwords have spawned a whole category of security/identity-driven attacks — compromised passwords due to credential breaches, phishing, password spraying attacks, or poor password hygiene can result in account takeover attacks (ATO). -
Cybersecurity in a Digital Era.Pdf
Digital McKinsey and Global Risk Practice Cybersecurity in a Digital Era June 2020 Introduction Even before the advent of a global pandemic, executive teams faced a challenging and dynamic environ- ment as they sought to protect their institutions from cyberattack, without degrading their ability to innovate and extract value from technology investments. CISOs and their partners in business and IT functions have had to think through how to protect increasingly valuable digital assets, how to assess threats related to an increasingly fraught geopolitical environment, how to meet increasingly stringent customer and regulatory expectations and how to navigate disruptions to existing cybersecurity models as companies adopt agile development and cloud computing. We believe there are five areas for CIOs, CISOs, CROs and other business leaders to address in particular: 1. Get a strategy in place that will activate the organization. Even more than in the past cybersecurity is a business issue – and cybersecurity effectiveness means action not only from the CISO organiza- tion, but also from application development, infrastructure, product development, customer care, finance, human resources, procurement and risk. A successful cybersecurity strategy supports the business, highlights the actions required from across the enterprise – and perhaps most importantly captures the imagination of the executive in how it can manage risk and also enable business innovation. 2. Create granular, analytic risk management capabilities. There will always be more vulnerabilities to address and more protections you can consider than you will have capacity to implement. Even companies with large and increasing cybersecurity budgets face constraints in how much change the organization can absorb. -
Implementing a Web Application for W3C Webauthn Protocol Testing †
proceedings Proceedings Implementing a Web Application for W3C WebAuthn Protocol Testing † Martiño Rivera Dourado 1,* , Marcos Gestal 1,2 and José M. Vázquez-Naya 1,2 1 Grupo RNASA-IMEDIR, Departamento de Computación, Facultade de Informática, Universidade da Coruña, Elviña, 15071 A Coruña, Spain; [email protected] (M.G.); [email protected] (J.M.V.-N.) 2 Centro de Investigación CITIC, Universidade da Coruña, Elviña, 15071 A Coruña, Spain * Correspondence: [email protected] † Presented at the 3rd XoveTIC Conference, A Coruña, Spain, 8–9 October 2020. Published: 18 August 2020 Abstract: During the last few years, the FIDO Alliance and the W3C have been working on a new standard called WebAuthn that aims to substitute the obsolete password as an authentication method by using physical security keys instead. Due to its recent design, the standard is still changing and so are the needs for protocol testing. This research has driven the development of a web application that supports the standard and gives extensive information to the user. This tool can be used by WebAuthn developers and researchers, helping them to debug concrete use cases with no need for an ad hoc implementation. Keywords: WebAuthn; authentication; testing 1. Introduction Authentication is one of the most critical parts of an application. It is a security service that aims to guarantee the authenticity of an identity. This can be done by using several security mechanisms but currently, without a doubt, the most common is the username and password method. Although this method is easy for a user to conceptually understand, it constitutes many security problems. -
FIDO Technical Glossary
Client to Authenticator Protocol (CTAP) Implementation Draft, February 27, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id- 20180227.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/ Issue Tracking: GitHub Editors: Christiaan Brand (Google) Alexei Czeskis (Google) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs) Adam Powers (FIDO Alliance) Johan Verrept (VASCO Data Security) Former Editors: Matthieu Antoine (Gemalto) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID) Contributors: Jeff Hodges (PayPal) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application layer protocol. Table of Contents 1 Introduction 1.1 Relationship to Other Specifications 2 Conformance 3 Protocol Structure 4 Protocol Overview 5 Authenticator API 5.1 authenticatorMakeCredential (0x01) 5.2 authenticatorGetAssertion (0x02) 5.3 authenticatorGetNextAssertion (0x08) 5.3.1 Client Logic 5.4 authenticatorGetInfo (0x04) -
8 Steps for Effectively Deploying
8 Steps for Effectively Deploying MFA Table of Contents The value of MFA 3 1. Educate your users 4 2. Consider your MFA policies 5 3. Plan and provide for a variety of access needs 7 4. Think twice about using SMS for OTP 10 5. Check compliance requirements carefully 11 6. Plan for lost devices 12 7. Plan to deploy MFA to remote workers 14 8. Phase your deployment: Be prepared to review and revise 16 8 Steps for Effectively Deploying MFA 2 The value of MFA Multi-factor authentication (MFA) has never been more important. With the growing number of data breaches and cybersecurity threats—and the steep financial and reputational costs that come with them—organizations need to prioritize MFA deployment for their workforce and customers alike. Not doing so could spell disaster; an invitation for bad actors to compromise accounts and breach your systems. Adopting modern MFA means implementing a secure, simple, and context-aware solution that ensures that only the right people have access to the right resources. It adds a layer of security, giving your security team, your employees, and your customers peace of mind. Unfortunately, while the benefits are clear, implementing MFA can be a complex project. In our Multi-factor Authentication Deployment Guide, we’ve outlined eight steps that you can take to better enable your MFA deployment: Educate your users Consider your MFA policies Plan and provide for a variety of access needs Think twice about using SMS for OTP Check compliance requirements carefully Plan for lost devices Plan to deploy MFA to remote workers Phase your deployment: be prepared to review and revise In this eBook, we’ll take a deeper dive into each of these elements, giving you tactical advice and best practices for how to implement each step as you get ready to roll out Okta MFA. -
Mfaproxy: a Reverse Proxy for Multi-Factor Authentication
Iowa State University Capstones, Theses and Creative Components Dissertations Fall 2019 MFAProxy: A reverse proxy for multi-factor authentication Alan Schmitz Follow this and additional works at: https://lib.dr.iastate.edu/creativecomponents Part of the Digital Communications and Networking Commons Recommended Citation Schmitz, Alan, "MFAProxy: A reverse proxy for multi-factor authentication" (2019). Creative Components. 425. https://lib.dr.iastate.edu/creativecomponents/425 This Creative Component is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Creative Components by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. MFAProxy: A reverse proxy for multi-factor authentication by Alan Schmitz A Creative Component submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Major: Information Assurance Program of Study Committee: Doug Jacobson, Major Professor The student author, whose presentation of the scholarship herein was approved by the program of study committee, is solely responsible for the content of this Creative Component. The Graduate College will ensure this Creative Component is globally accessible and will not permit alterations after a degree is conferred. Iowa State University Ames, Iowa 2019 Copyright c Alan Schmitz, 2019. All rights reserved. ii TABLE OF CONTENTS Page LIST OF FIGURES . iii ABSTRACT . iv CHAPTER 1. INTRODUCTION . .1 CHAPTER 2. BACKGROUND . .3 2.1 Passwords and PINs . .3 2.2 Short Message Service . .4 2.3 One-Time Passwords . .5 2.4 U2F and WebAuthn . -
Security Keys: Practical Cryptographic Second Factors for the Modern Web
Security Keys: Practical Cryptographic Second Factors for the Modern Web Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, and Sampath Srinivas Google, Inc., Mountain View, CA, USA Abstract. \Security Keys" are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single de- vice and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google's online services. We show that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within Google and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the industry. Currently, Security Keys have been deployed by Google, Dropbox, and GitHub. An updated and extended tech report is available at https://github.com/google/u2f- ref-code/docs/SecurityKeys_TechReport.pdf. 1 Introduction Recent account takeovers [1{3] have once again highlighted the challenge of securing user data online: accounts are often protected by no more than a weak password [4] and whatever implicit signals (if any) that the online service provider has collected to distinguish legitimate users from account hijackers. Academic research has produced numerous proposals to move away from passwords, but in practice such efforts have largely been unsuccessful [5, 6]. In- stead, many service providers augment password-based authentication with a second factor in the form of a one-time passcode (OTP), e.g., [7, 8]. -
Strong Authentication Based on Mobile Application
View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Helsingin yliopiston digitaalinen arkisto STRONG AUTHENTICATION BASED ON MOBILE APPLICATION Helsingin yliopisto Faculty of Science Department of Computer Science Master's thesis Spring 2020 Harri Salminen Supervisor: Valtteri Niemi Tiedekunta - Fakultet - Faculty Osasto - Avdelning - Department Faculty of Science The Department of Computer Science Tekijä - Författare - Author Harri Salminen Työn nimi - Arbetets titel Title STRONG AUTHENTICATION BASED ON MOBILE APPLICATION Oppiaine - Läroämne – Subject Computer Science Työn laji/ Ohjaaja - Arbetets art/Handledare - Aika - Datum - Month and Sivumäärä - Sidoantal - Number of Level/Instructor year pages Master's thesis / Valtteri Niemi June, 2020 58 Tiivistelmä - Referat - Abstract The user authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. Especially, the smartphone app has become one of the most important forms to perform the authentication. This thesis describes various authentication methods used previously and discusses about possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken under consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the authentication history and to be able to build a view of strong authentication evolution. -
A Tale of Two Studies: the Best and Worst of Yubikey Usability
A Tale of Two Studies: The Best and Worst of YubiKey Usability †∗ ∗ ∗ ∗ z ∗ Joshua Reynolds , Trevor Smith , Ken Reese , Luke Dickinson , Scott Ruoti , Kent Seamons y ∗ z University of Illinois at Urbana-Champaign, Brigham Young University, MIT Lincoln Laboratory [email protected], ftsmith, ken.reese, [email protected], [email protected], [email protected] Abstract—Two-factor authentication (2FA) significantly device that authenticates the user after the user presses a improves the security of password-based authentication. button on the security key [8]. The button tap is a test of Recently, there has been increased interest in Universal 2nd user presence and prevents malware on the host device from Factor (U2F) security keys—small hardware devices that require users to press a button on the security key to authenticate. To using the security key surreptitiously. Most commonly, security examine the usability of security keys in non-enterprise usage, keys are designed to be plugged into a USB port, though we conducted two user studies of the YubiKey, a popular line they can also communicate with other devices using wireless of U2F security keys. The first study tasked 31 participants protocols (e.g., NFC, Bluetooth). with configuring a Windows, Google, and Facebook account to U2F security keys are designed to be easy-to-adopt and authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking use in day-to-day life, while protecting users against phishing themselves out of their operating system or thinking they had and man-in-the-middle attacks [8]. -
Of Two Minds About Two-Factor: Understanding Everyday FIDO U2F
Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling Stéphane Ciolino, OneSpan Innovation Centre & University College London; Simon Parkin, University College London; Paul Dunphy, OneSpan Innovation Centre https://www.usenix.org/conference/soups2019/presentation/ciolino This paper is included in the Proceedings of the Fifteenth Symposium on Usable Privacy and Security. August 12–13, 2019 • Santa Clara, CA, USA ISBN 978-1-939133-05-2 Open access to the Proceedings of the Fifteenth Symposium on Usable Privacy and Security is sponsored by USENIX. Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling Stéphane Ciolino Simon Parkin Paul Dunphy OneSpan Innovation Centre University College London OneSpan Innovation Centre & University College London [email protected] [email protected] [email protected] Abstract words and tokens) is widely recognized as an effective tech- Security keys are phishing-resistant two-factor authentica- nique to protect both corporate and personal online accounts tion (2FA) tokens based upon the FIDO Universal 2nd Factor against account hijacking threats. Indeed, there are already ex- (U2F) standard. Prior research on security keys has revealed amples of citizens being advised to use Two-Factor Authenti- intuitive usability concerns, but there are open challenges to cation (2FA) by government agencies (as in the UK [35]). The better understand user experiences with heterogeneous de- most common second factor is a One-Time Passcode (OTP) vices and to determine an optimal user experience for every- received via a text message to a mobile device [5]. -
Report On Next Generation Authentication Technologies
International Telecommunication Union FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI) TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (12/2018) Security, Infrastructure and Trust Working Group Discussion Paper: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers Report of the Authentication Workstream Security, Infrastructure and Trust Working Group: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation. The Security, Infrastructure and Trust Working Group is one of the three working groups which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups