
Presentation Transcript


  1. The Practicality of Changing Default Authentication Mechanisms: Applied in a Workstation Environment Shawn Williams

  2. Question?

  3. The Problem

  4. Is a World without Passwords Possible?

  5. Agenda and Topics Covered • Purpose of this Study • Where Did the Data Come from • Why I Chose this Topic for Research • Generalities on why Security fails • The Problems with passwords • Benefits of this Research • Criteria used for Evaluating technologies • Technologies that were evaluated • Results and Findings

  6. Purpose of this Study • To explore various authentication systems and see if it is possible for any one of them to be deemed to be able to replace the current password mechanisms used in business environments

  7. Where Did the Data Come from • Taken mostly from secondary sources • The evaluation criteria used for rating the various authentication systems were created based on findings and personal knowledge

  8. Personal Motivation for Choosing this Topic • Personally, I’ve always wondered why password authentication was still the default standard despite the fact that many new and more secure systems were emerging. Because of this, I wanted to find out whether or not it is even practical to replace password authentication with something better.

  9. Why Do Security Systems Fail? • Design model • User model • System model

  10. Why Should we stop using password-based security in productivity environments? • There is a problem in finding a balance between usability and security • Passwords can easily be told to others • Passwords are easy to copy

  11. Why Should we stop using password-based security in productivity environments? • There are many widely available tools for decrypting stored password information • Passwords can be captured easily at input time • There are weaknesses in password reset mechanisms that hackers may be able to exploit

  12. Benefits of this Research • Reduces the risk of deploying unfamiliar authentication technologies that may be more trouble than they are worth • Narrows down the choices and the confusion created by multiple authentication methods • Large and small business owners no longer need to waste time figuring out which password replacement system is right for them

  13. Evaluation Criteria Categories • Number of security holes • Cost • Ease of Use • Increase in Security • Scalability • Practicality of implementation and modding • Access and availability (how easy is it to obtain)

  14. Generalized Scores • High • Medium • Low

  15. Number of Exploitable Security Holes (High) • Score Range 0-3 • The number of security holes exceeds the threshold of what could be considered acceptable and/or there are more holes than in the password-based security we are trying to replace

  16. Number of Exploitable Security Holes (Medium) • Score Range 4-7 • The number of security holes is only a marginal improvement over the number of exploitable password-related holes

  17. Number of Exploitable Security Holes (Low) • Score Range 8-10 • Very few exploitable holes and a massive improvement over password security

  18. Cost (High) • Score Range 0-3 • High maintenance and installation costs

  19. Cost (Medium) • Score Range 4-7 • The cost of fully installing and maintaining the system is either high in maintenance fees or high in installation, but not both

  20. Cost (Low) • Score Range 8-10 • The cost of fully installing and maintaining the system is minimal

  21. Ease of Use (High) • Score Range 8-10 • The system is so complicated that most users will attempt to bypass it in order to speed up work production

  22. Ease of Use (Medium) • Score Range 4-7 • The system has a medium level of complexity that can be tolerated by most users

  23. Ease of Use (Low) • Score Range 0-3 • Daily use of the security mechanism is easy for most users with business-level computer skills

  24. Practicality (High) • Score Range 0-3 • The system is complex to troubleshoot if broken, difficult to mod, and requires major changes to infrastructure to use

  25. Practicality (Medium) • Score Range 4-7 • The system has a medium level of setup complexity and can be made workable with effort. Small changes to existing infrastructure may be required

  26. Practicality (Low) • Score Range 8-10 • The system is flexible, easy to install with current technologies and quick to set up. No change to infrastructure; mainly an out-of-the-box solution

  27. Scalability (High) • Score Range 8-10 • The system is highly flexible and can be implemented with ease on networks of any size

  28. Scalability (Medium) • Score Range 4-7 • The system has a workable level of flexibility but generally can’t handle extremes

  29. Scalability (Low) • Score Range 0-3 • The system is only meant to be installed on the network size it supports, and either does not provide room for growth or is too elaborate to be practical on smaller systems

  30. Increased Security (High) • Score Range 8-10 • The system is much more secure than password authentication

  31. Increased Security (Medium) • Score Range 4-7 • The system provides some security advantages over password security

  32. Increased Security (Low) • Score Range 0-3 • The system provides little or no security advantage over password security

  33. Access and Availability (High) • Score Range 8-10 • Found in any office or computer store

  34. Access and Availability (Medium) • Score Range 4-7 • An implementation exists, but special orders need to be made

  35. Access and Availability (Low) • Score Range 0-3 • Only exists in theory or as a prototype, so development overhead is needed to make the solution

  36. Technologies that were Evaluated • Two Types of Graphical Passwords • Passfaces • Click-Based Graphical Password (Clickpoints)

  37. Technologies that were Evaluated • Four Kinds of Biometrics • Fingerprint Recognition (optical, capacitance, ultrasonic) • Face Recognition • Retina Scan • Typing Rhythm

  38. Technologies that were Evaluated • Three Kinds of Tokens • Disconnected Tokens • Connected Tokens (USB, SmartCard) • Contactless Tokens (Bluetooth, RFID)

  39. What Do the Scores mean? • The ranking system is out of 70: 10 points for each of the 7 categories • Only systems with a score of 53/70 or higher will be considered a good password replacement • 53/70 = 75%

  40. Findings • None of the systems came even close to 70/70 • The systems that made it only barely hit the minimum requirement of 53 points • These borderline results help explain why wide-scale adoption of higher-level authentication has not taken off as quickly as it should have, despite the fact that nearly all systems offer improved security over passwords

  41. Results • Graphical passwords (Passfaces) = 55pts • Biometrics (Fingerprint Recognition) = 53.5pts • Disconnected Tokens = 58pts • Connected Tokens = 56.5pts

  42. More Results and Findings • You can download the full report from my blog at https://swillia5.wordpress.com

  43. Fin
