what does mfa mean
play

What does MFA mean? Jeffrey Goldberg jeff@1Password.com What does - PowerPoint PPT Presentation

Aug 18, 2023 •31 likes •471 views

What does MFA mean? Jeffrey Goldberg jeff@1Password.com What does MFA mean? It means multi-factor authentication. In certain cases it is called 2FA for two-factor authentication. Jeffrey Goldberg What does MFA mean?

  2. What does “MFA” mean? Jeffrey Goldberg jeff@1Password.com

  3. What does “MFA” mean? It means multi-factor authentication. In certain cases it is called “2FA” for two-factor authentication. Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  4. What does it mean … 1. For ordinary users? 2. For knowledgeable users? 3. In terms of the actual security properties it offers? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  5. What do you believe? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  6. What do you believe? 1.Does MFA mean that you need all factors to authenticate? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  7. What do you believe? 1.Does MFA mean that you need all factors to authenticate? 2.Does MFA help protect you if your computer is compromised? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  8. What do you believe? 1.Does MFA mean that you need all factors to authenticate? 2.Does MFA help protect you if your computer is compromised? 3.Does MFA protect you if the server is compromised? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  9. What do you believe? 1.Does MFA mean that you need all factors to authenticate? 2.Does MFA help protect you if your computer is compromised? 3.Does MFA protect you if the server is compromised? 4.Does MFA make make it safe to reuse passwords? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  10. What do you believe? 1.Does MFA mean that you need all factors to authenticate? 2.Does MFA help protect you if your computer is compromised? 3.Does MFA protect you if the server is compromised? 4.Does MFA make make it safe to reuse passwords? 5.Does having a second factor help you if you need to reset a forgotten password? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  11. Mind the gaps Claims 1. ∃ gaps twixt ordinary user understandings and actual security properties of MFA 2. ∃ gaps twixt expert user understandings and actual security properties of MFA 3. These gaps can lead to dangerous behavior Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  12. Evidence for claims Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  13. Evidence for claims •Anecdotes Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  14. Evidence for claims •Anecdotes •Hearsay Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  15. Evidence for claims •Anecdotes •Hearsay •Divine revelation? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  16. Evidence for claims •Anecdotes •Hearsay •Divine revelation? “Anecdote” is the singular of “data”, right? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  20. Authentication Authentication is the process of proving 
 that you are who you say you are.* You provide your proof to a verifier, who 
 either accepts it or rejects it. If V accepts it, 
 they will grant you access to something. *“Who you say you are” may mean the owner of some 
 anonymous account. It doesn’t have to be a legal identity. Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  21. Classic Authentication Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  22. Classic Authentication V asks P for her username Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  23. Classic Authentication V asks P for her username P tells V her username Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  24. Classic Authentication V asks P for her username P tells V her username V checks that there is such a 
 username Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  25. Classic Authentication V asks P for her username P tells V her username V checks that there is such a 
 username V asks P for her password Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  26. Classic Authentication V asks P for her username P tells V her username V checks that there is such a 
 username V asks P for her password P tells V her password. V checks that P provided V verifies that the password is 
 correct and grants her access if it is Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  27. Classic problems • V learns P ’s secret • Eavesdroppers learn P ’s secret • P ’s secret is guessable • P never learns if V is really V • P ’s secret, if captured, can be used to enter this castle • P ’s secret, if captured, might be usable at other castles Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  28. Modern password problems • What V stores may be used for cracking • P is not informed when some tries to enter the castle using her name • P ’s password is the only thing required to gain entry Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  29. Security properties

  30. Useful security properties • P proves identity to V • V proves identity to P • No-one learns any secrets during authentication • Big H: Long term secrets are unguessable • Long term secrets are unique • What V stores long term is not usable for guessing P ’s long term secret. • More than one kind of secret required Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  31. Useful properties (continued) • P is made aware of any attempts to use her name • If P loses or forgets one of her long term secrets, she can get it reset using the one that she maintains Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  32. Non-Authentication security properties Some security properties have little to do with authentication.

  33. Once more into the breach! Penelope’s precious stuff, stored within the castle, is kept safe from • A breach in the walls • Dragons flying over the wall • Treachery from within the walls Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  34. Bewitched Penelope’s precious stuff, stored within the castle, is kept safe even if … Penelope is bewitched so that she is under the control of an evil wizard after she enters the castle Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  35. Major misunderstanding

  36. Forgetting the auth With (proper) MFA the authentication process remains secure as long as at least one factor remains secure. Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  37. “A keylogger on my device” “With the speed zero day malware are created these days and with the tools and the many advanced techniques they have available, […] users are at risk almost on a daily basis. […] I am not even sure I can trust that my own computer is truly secure despite the fact that it is behind an IDP/ Firewall device.” —Other forum user, January 2017 Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  38. “A keylogger on my device” “If I happen to have a key logger on my computer or if I use a public computer to access my account, my entire account key could be copied by someone. [...] I have 2FA set up on my email account, so I have to authenticate using 2FA any time I'm not at home.” —Forum user, January 2017 Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  39. Alternative Auth If a service uses access to a single factor for recovery or reset it is making it easier for attackers Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  40. Weakening other factors Using a second factor may give people confidence to use a weaker primary factor than they otherwise might. Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  41. Weakening is fine Except for when it isn’t If the factor that people chose to weaken is important for more than just authentication, they may do serious damage Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  42. Conclusions? • The security properties on any give MFA system depend on many subtle things about the implementation, service, and threats • Using MFA in some circumstances may add only tiny improvements to authentication security, but may encourage users to behave in ways that substantially weaken there security Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  43. Call for help • Can we give customers what they demand without harming their security? • Can my speculations about user behavior be studied and tested to see if my worries are justified? Jeffrey Goldberg What does “MFA” mean? jeff@1Password.com

  44. Table 1 Security Properties of di ff erent authentication schemes

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from

TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Mo:on Liang Cai and Hao Chen UC Davis Security Problems on Smartphones Old

264 views • 15 slides
Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning

Meaningful Access: Bridge Project Jorge Rivera, Project Lead (MLS) | Bridge Project, Planning Department , Toronto Public Library Kristian Roberts, Partner, Nordicity Jan 31, 2020 What is Bridge? The Bridge Technology Services Assessment Toolkit

285 views • 28 slides
Equity, Inclusion, and Retention Allison Gallaher Assistant Director/Head of Public Services

Equity, Inclusion, and Retention Allison Gallaher Assistant Director/Head of Public Services

Rethinking Fines: Considering Equity, Inclusion, and Retention Allison Gallaher Assistant Director/Head of Public Services Oberlin College Libraries Overdue fines were intended to encourage the return of materials. Instead, in practice,

479 views • 17 slides
Library Research VANESSA LAWRENCE VANESSA.LAWRENCE@CARLETON.CA Library research workshop

Library Research VANESSA LAWRENCE VANESSA.LAWRENCE@CARLETON.CA Library research workshop

Library Research VANESSA LAWRENCE VANESSA.LAWRENCE@CARLETON.CA Library research workshop Getting started Creating a search Choosing good results Changing your search What are you looking for? How do you decide what is a

580 views • 21 slides
UNLEASHING DIGITAL TO UNLOCK VALUE 27 MARCH 2017 OUR VISION 1 CREATING VALUE FOR CUSTOMERS

UNLEASHING DIGITAL TO UNLOCK VALUE 27 MARCH 2017 OUR VISION 1 CREATING VALUE FOR CUSTOMERS

UNLEASHING DIGITAL TO UNLOCK VALUE 27 MARCH 2017 OUR VISION 1 CREATING VALUE FOR CUSTOMERS AND SHAREHOLDERS Previously announced 670m totex savings Helps us on our journey to build a leading business Outperforming our Final Determination

474 views • 33 slides
What is an EndoCube? A Product Invented and manufactured in the UK by British Engineers to:

What is an EndoCube? A Product Invented and manufactured in the UK by British Engineers to:

What is an EndoCube? A Product Invented and manufactured in the UK by British Engineers to: Save energy by as much as 30% Increase the life of equipment Increase the safety of food storage Save CO 2 emissions and reduce carbon

285 views • 11 slides
Halma: Site Visit to HWM Tuesday 1 October 2019 1 Welcome Andrew Williams Group Chief

Halma: Site Visit to HWM Tuesday 1 October 2019 1 Welcome Andrew Williams Group Chief

Halma: Site Visit to HWM Tuesday 1 October 2019 1 Welcome Andrew Williams Group Chief Executive 2 Agenda 11am - Noon Presentation and Q&A Buffet lunch 12.45pm Coach to HWM 1pm HWM site tour/product breakout sessions 3pm Close

661 views • 31 slides
MediaCenter ... in the Cloud Presented by: DSB Consulting In partnership with: Vidispine

MediaCenter ... in the Cloud Presented by: DSB Consulting In partnership with: Vidispine

Sony Pictures Television MediaCenter ... in the Cloud Presented by: DSB Consulting In partnership with: Vidispine Aspera Amazon Web Services Agenda 1. Key Vendor Introductions 2. Cloud Value Proposition 3. Solution Overview 4. UI Mockup

817 views • 50 slides
VoIP/SMPP traffic sniffer Break through your data Traffic sniffer modules VoIP traffic sniffer

VoIP/SMPP traffic sniffer Break through your data Traffic sniffer modules VoIP traffic sniffer

VoIP/SMPP traffic sniffer Break through your data Traffic sniffer modules VoIP traffic sniffer is an umbrella term VoIP traffic sniffer is an umbrella term for three interconnected features: for three interconnected features: Signalling Log C

245 views • 13 slides
Welcome to Wayland Martin Gr alin mgraesslin@kde.org BlueSystems Akademy 2015 26.07.2015

Welcome to Wayland Martin Gr alin mgraesslin@kde.org BlueSystems Akademy 2015 26.07.2015

Welcome to Wayland Martin Gr alin mgraesslin@kde.org BlueSystems Akademy 2015 26.07.2015 Agenda default 1 Architecture 2 Evolution of KWin 3 The kwind Project 4 Whats next? Welcome to Wayland Martin Gr alin Agenda default

809 views • 38 slides
testo 184 testo 184 D t Data Loggers for Transport L f T t testo 184: The new transport

testo 184 testo 184 D t Data Loggers for Transport L f T t testo 184: The new transport

testo 184 testo 184 D t Data Loggers for Transport L f T t testo 184: The new transport data logger family testo 184: The new transport data logger family pharma transport cold chain testo USB USB no software no software 184 food

448 views • 17 slides
Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges,

Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges,

Introductory Training of Trainers Course on Cybercrime and Electronic Evidence for Judges, Magistrates and Prosecutors of the ASEAN Region Cambodian Cybercrime Legislations Case Study Hacking Facebook Account Case: A Facebook account was

207 views • 9 slides
The UK energy wise project and beyond: Smart metering as an enabling platform for changing

The UK energy wise project and beyond: Smart metering as an enabling platform for changing

The UK energy wise project and beyond: Smart metering as an enabling platform for changing consumers' relationship with energy IEA DSM Day meeting Dublin 2017-05-10 David Shipworth Professor of Energy and the Built Environment [E:

488 views • 15 slides
Kooltrak Refrigeration Data Temperature Monitoring System Working together with the Energy

Kooltrak Refrigeration Data Temperature Monitoring System Working together with the Energy

Introducing the Kooltrak Refrigeration Data Temperature Monitoring System Working together with the Energy Saving EndoCube What is the Kooltrak system? An easy to use data temperature monitoring system designed for the catering and hospitality

371 views • 24 slides
Optimising Optimising the Gas the Gas Netw Networ ork Helen Fitzgerald Wales & West

Optimising Optimising the Gas the Gas Netw Networ ork Helen Fitzgerald Wales & West

Optimising Optimising the Gas the Gas Netw Networ ork Helen Fitzgerald Wales & West Utilities Contents A bit about Wales & West Utilities Project Background What are we doing? Why are we doing it? Project

382 views • 14 slides
Result 2016 February 2, 2017 Interim President and CEO Andrei Pantioukhov Strong performance in

Result 2016 February 2, 2017 Interim President and CEO Andrei Pantioukhov Strong performance in

Result 2016 February 2, 2017 Interim President and CEO Andrei Pantioukhov Strong performance in challenging market environment. 1. General overview 2. Nokian Tyres financial performance 3. Business units 4. Nokian Tyres going forward 5.

640 views • 53 slides
AUTHENTICATED AND EFFICIENT KEY MANAGEMENT FOR WIRELESS AD HOC NETWORKS Stefaan Seys and Bart

AUTHENTICATED AND EFFICIENT KEY MANAGEMENT FOR WIRELESS AD HOC NETWORKS Stefaan Seys and Bart

1 / 8 AUTHENTICATED AND EFFICIENT KEY MANAGEMENT FOR WIRELESS AD HOC NETWORKS Stefaan Seys and Bart Preneel Katholieke Universiteit Leuven, ESATSCD/COSIC Kasteelpark Arenberg 10, B3001 Heverlee, Belgium { Stefaan.Seys, Bart.Preneel }

194 views • 8 slides
2018 INVESTOR DAY March 2, 2018 NYSE: DOOR Safe Harbor / Non-GAAP Financial Measures SAFE

2018 INVESTOR DAY March 2, 2018 NYSE: DOOR Safe Harbor / Non-GAAP Financial Measures SAFE

2018 INVESTOR DAY March 2, 2018 NYSE: DOOR Safe Harbor / Non-GAAP Financial Measures SAFE HARBOR / FORWARD LOOKING STATEMENT This investor presentation contains forward-looking information and other forward-looking statements within the meaning

1.03k views • 89 slides
Traka Overview HELUG 2019 University of Washington Lets Consider How are mechanical

Traka Overview HELUG 2019 University of Washington Lets Consider How are mechanical

Traka Overview HELUG 2019 University of Washington Lets Consider How are mechanical credentials, vendor badges & assets currently managed? ASSA ABLOY, the global leader in door opening solutions Lets Consider How much time is

687 views • 35 slides
Axactor company presentation Oslo, April 13 th , 2018 This is Axactor Axactor in brief Axactor

Axactor company presentation Oslo, April 13 th , 2018 This is Axactor Axactor in brief Axactor

Axactor company presentation Oslo, April 13 th , 2018 This is Axactor Axactor in brief Axactor geographic footprint Axactor is a Nordic-based debt management company with operations in five European countries Axactor established as a

374 views • 11 slides
www.bramble s.c o m 2 July 2013 The Manager - Listings Australian Securities Exchange Limited

www.bramble s.c o m 2 July 2013 The Manager - Listings Australian Securities Exchange Limited

Bramble s L imite d ABN 89 118 896 021 L e ve l 40 Gate way 1 Mac quarie Plac e Sydne y NSW 2000 Australia GPO Bo x 4173 Sydne y NSW 2001 T e l +61 2 9256 5222 F ax +61 2 9256 5299 www.bramble s.c o m 2 July 2013 The Manager - Listings

324 views • 11 slides
Ov Over erview of F FY Y 2020/ 20/21 21 Town M Managers R Recommended Budget May 20,

Ov Over erview of F FY Y 2020/ 20/21 21 Town M Managers R Recommended Budget May 20,

Ov Over erview of F FY Y 2020/ 20/21 21 Town M Managers R Recommended Budget May 20, 2020 Ov Overview Budget timeline Synopsis of Recommended Budget Financial Overview Economic Conditions and Revenue Projections Expenditure

320 views • 16 slides
manager Investor Presentation May 2015 Executive summary Van Lanschots profile Solid

manager Investor Presentation May 2015 Executive summary Van Lanschots profile Solid

Transforming to a specialist wealth manager Investor Presentation May 2015 Executive summary Van Lanschots profile Solid performance on all key financials 2014 2013 One strategy: pure-play, independent wealth manager focusing on

587 views • 32 slides
Investor Presentation Q1 Report 2020 2020-05-26 SIDFOT 1 Todays presenter Mats Steen Sara

Investor Presentation Q1 Report 2020 2020-05-26 SIDFOT 1 Todays presenter Mats Steen Sara

Investor Presentation Q1 Report 2020 2020-05-26 SIDFOT 1 Todays presenter Mats Steen Sara Fors Chief Executive Officer Chief Financial Officer 5.5 years at Logent 5.5 years at Logent 25+ years of supply chain experience, both

340 views • 9 slides

More recommend