class: middle, center
Why and how you should use it
Factors are something you:
- Have (Possession): key, smartcard, token
- Know (Knowledge): password, PIN, security questions
- Are (Inherence): fingerprints, voice, eyes
class: middle, center
- Security is only as strong as our weakest link
- Knowledge-based 1FA is weak and only getting weaker
- 2FA helps us keep our customer data safe
- Demonstrates commitment to security practices
- Simple for all users
- Vastly improved security relative to the effort required
class: middle, center
Things such as SMS and email codes
- Relies on a separate, (hopefully) secure interface to the user.
- Can be used to bypass all security if compromised (depending on how things such as password resets are handled).
- Better than nothing, but there are easier options that offer better security.
- Vast improvement over the security of OOBA
- Relies on a shared secret and counter
- Easy to implement
- Has two implementations for different needs (HOTP and TOTP)
- Has standards
  - HOTP: RFC 4226
  - TOTP: RFC 6238
- Standardized in 2005
- Counter is based on events
- Can be implemented in hardware or software.
- Counter drift between token and server can be used to detect login attempts
- Keeping an event-based counter in sync is difficult
- Standardized in 2011
- Counter is derived from the current time, divided into fixed windows (usually 30 seconds)
- Can be implemented in hardware or software
- Google Authenticator is the most famous example of this
- Does not support detection of login attempts
- Time is much easier to keep in sync
- We all use this
- Standard created by FIDO (Fast IDentity Online) Alliance
- Inspired by smart card standards
- Uses USB or NFC tokens to authenticate via cryptographic signatures
- Most secure
- Asymmetric crypto (private on token, public on server)
- Key never leaves the device
- No passing around secrets from server to client
- Counter drift is nonexistent
- Cannot be used as a primary source of authentication (server needs to know what key to ask for)
- Can be hard to implement
class: center, middle