FIDO2 + Biometric Security Key = The Solid Passwordless Option - THE TREND OF AUTHENTICATION - Authentrend
THE TREND OF AUTHENTICATION
FIDO2 + Biometric Security Key = The Solid Passwordless Option
JUNE 2021

Passwords Aren't Enough to Protect Your Data
"A small leak will sink a great ship." - Benjamin Franklin

54% of consumers use 5 or fewer passwords for all of their accounts. (Source: TeleSign Consumer Account Security Report)
NordPass's most common passwords list: 123456, 123456789, qwerty, password, iloveu

Weak Passwords
• 80% of account vulnerabilities were due to weak or stolen passwords. (Source: Verizon 2019 Data Breach Investigations Report)
• On average, it costs an enterprise $70 for a single password reset. (Source: Forrester Research, January 8, 2018)
Level of Assurance, from lowest to highest (Source: Google Cloud):
• SMS Codes: coverage issues, delay, phishable
• Backup Codes: saving required, phishable
• OTP/TOTP: shared secret, phishable
• Mobile Push: Internet required, phishable
• Security Key: phishing-resistant

Google has not had any of its 85,000+ employees phished on their work-related accounts since 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes. (Source: KrebsOnSecurity)
Phishing Attacks Are Easier Than You Think!
Example phishing mail: From: account-security-noreply@account.microsoft.com, link: https://account.micorsoft.com/, call to action: "Update your account". The sender address is spoofed and the link points to a look-alike domain (micorsoft, not microsoft).

Once you enter your credentials on the fake site, the attackers immediately log in to the real website with your ID/password. (Source: Cloudflare)

What About SMS Codes?
SMS is transmitted in cleartext and can also be intercepted by attackers, and a code typed into the fake site is relayed to the real one just like the password.
What About a Physical Security Key?
When you sign in at https://account.microsoft.com/, the key signs a statement that covers three things:
• "I promise a user is here" (user presence, proven by a touch)
• "The server challenge was: XXXXXX"
• "The origin was: https://account.microsoft.com"
(Source: FIDO Alliance)

How a Security Key Prevents Phishing Attacks
The browser, not the web page, fills in the origin the request came from, and the key's signature covers it. A phishing page at https://account.micorsoft.com/ therefore obtains a signature over the wrong origin, and the real relying party rejects it:
Request origin (https://account.micorsoft.com/) != Registered relying party (https://account.microsoft.com/)
It's Not Enough...
2FA gives stronger, safer protection for password-based accounts, but it adds friction for users.
Security vs. convenience:
• Passwords: low security, convenient
• Passwords + 2FA: high security, inconvenient
• Passwordless: high security, convenient
That's where FIDO2 and WebAuthn play a role. The standard offers an extra layer of security by allowing users to authenticate with their devices without using a password. (Source: Microsoft)

FIDO2: The New Passwordless Standard
Architecture (Source: FIDO Alliance):
External Authenticator (security key) <-- CTAP --> Platform/Client (application, browser, OS, internal authenticator) <-- WebAuthn --> Relying Party (FIDO server, metadata)
CTAP is the protocol between the client and an external authenticator; WebAuthn is the browser API the relying party's web application calls.
+ Biometric = Truly Passwordless
Fingerprint-enabled Security Key vs. PIN-only Security Key

User Verification
• Fingerprint-enabled: touch only, truly passwordless
• PIN-only: PIN + touch

Time to Authenticate
• Fingerprint-enabled: < 1 s
• PIN-only: > 3 s (depends on PIN length)

User Experience
• Fingerprint-enabled: using just a fingerprint match
• PIN-only: a strong PIN is difficult to remember

Security Consideration
• Fingerprint-enabled: no one can guess the fingerprint; the enrolled fingerprint template is stored and biometrically matched in a specialized secure element to protect it from digital and physical attacks
• PIN-only: the PIN is still guessable; it is risky to type the PIN on an unknown device; losing the key by accident poses a security risk; the PIN is easily profiled when entered in public places

Individual User Journey (Source: Microsoft)
How Does a FIDO2 Security Key Work? (Source: Google)
1. account.microsoft.com sends a challenge to the browser.
2. The browser asks Jenny's key over USB/BLE/NFC ("Who's calling? account.microsoft.com") and hands it {challenge, "account.microsoft.com"}.
3. The key signs the statement "Challenge was: 123456, Origin was: account.microsoft.com".
4. The browser returns {challenge, signed "account.microsoft.com"} to account.microsoft.com, which verifies the signature against the registered public key.
Where People Can Use the FIDO2 ATKey
• Device
• Platform
• Browser
• Online Service: Google Account, Microsoft Account, Facebook, GitHub, Twitter

For Business (Source: Microsoft)

Passwordless + Biometric MFA Options on Azure
Flow: User's Device -> Passwordless Authentication -> Identity Provider (Azure AD) -> Access Application: connect to anything protected with Azure AD (physical devices, SaaS web apps, virtual apps, virtual desktops, etc.)

• Windows Hello for Business: device bound (PC/desktop, Windows 10 Pro laptop or desktop); biometric match-on-device
• Microsoft Authenticator App: device bound (mobile device); biometric match-on-device
• FIDO2 Security Key: cross-device, any device that has a web browser (BYO or enterprise Windows OS, mobile devices, virtual desktops, thin clients, etc.); biometric match-on-chip
Comparing Microsoft Passwordless Methods

Pre-requisite
• Windows Hello for Business: Windows 10, version 1511 or later; Azure Active Directory
• Microsoft Authenticator: Microsoft Authenticator App; phone (iOS and Android 6.0 or above devices)
• Fingerprint Security Key: Windows 10, version 1809 or later; Azure Active Directory

Security Assurance
• Windows Hello for Business: device bound; anyone with the PIN of the device can log in directly
• Microsoft Authenticator: out of band; fraud is still possible remotely by manipulating the user
• Fingerprint Security Key: cross-device; only near-field authentication between the key and the device

Device Platform Requirements / Applicability
• Windows Hello for Business: relies on devices with a built-in Trusted Platform Module (TPM); Windows Hello for Business compatible hardware; only works with Windows 10-based devices
• Microsoft Authenticator: can be used to Azure AD-join a Windows 10-based device (since Windows 10 1909), non-Windows devices (Mac, Linux, Android, iOS, web browser, etc.) and non-managed devices (aka BYOD)
• Fingerprint Security Key: places with poor network communication; non-managed Windows devices, or users who do not place any company-related information on their personal devices; works with all major operating systems; Microsoft-validated security keys, such as the entire series of ATKey security keys

Restrictions
• Windows Hello for Business: a device can only be registered in a single tenant; the maximum number of supported Windows Hello for Business enrollments on a single Windows device is 10; needs to be enrolled for each Windows 10-based device individually
• Microsoft Authenticator: must back up the Authenticator App when switching to a new phone, or it no longer works on the new device; requires colleagues to use their personal device for corporate purposes
• Fingerprint Security Key: requires a logistical process to deploy
FIDO2 Security Key Scenarios
• HIGH-TECH MANUFACTURERS: for places where mobiles are not feasible or where Internet connectivity is poor
• PRIVILEGED ACCESS: safeguard privileged user accounts and lower the risk of attacks
• REMOTE ACCESS: securely work anywhere and help IT leaders manage workforces more securely
• THIRD-PARTY CONTROL: safely work with outside experts, consultants, and other third-party vendors
• SHARED WORKSPACE: in an environment with shared devices or kiosks, users can sign in more quickly
• MULTIPLE AAD EMPLOYEES: easy identity selection among multiple AAD tenants with a good user experience
• OFFICE ACCESS: combined with office scenarios, one security key or card for multiple uses
• HIGHLY SECURE SENSITIVE ACCESS: remotely have simple, highly secure access to the most sensitive data

THE TREND OF AUTHENTICATION
Raise your Security Standards Today with ATKey
www.authentrend.com