Two Factor Authentication
Submitted by:
Dilip Kumar Jangir
Roll No.:12EARIT019
Submitted to:
Er. Amit Kumar Nayak
Index
1. Authentication
2. Authentication Factors
3. 2 Factor Authentication
   • Need of 2FA
   • OTP
4. 2FA Using OTP Hard Tokens
5. 2FA Using Mobile Tokens
6. Response Mechanism
7. Business Benefits
8. Conclusion & Recommendations
Authentication
Authentication
• Authentication is the process of verifying the
identity of a user.
• The most common technique to authenticate
a user is a username and password (a single factor:
something you know).
Authentication Factors
Authentication Factors
Something you know
Something you have
Something you are
Two Factor Authentication
Two Factor Authentication
• It is an approach to authentication which
requires the presentation of two different
kinds of evidence that someone is who they
say they are.
Need of 2FA
• Social Engineering
• Phishing
• Brute Force Attacks
• Shoulder Surfing
• Keystroke Logging
• Eavesdropping
• Dictionary Attacks
OTP
Software – OTP
A one-time password (OTP) generated by the
company’s server and delivered to your mobile
phone or PC (for example by SMS or by an app).
Hardware – OTP
An OTP generated by a security
device/token. You press the button on the
security device/token to obtain the OTP.
Event Based OTP
Here the moving factor is an event: a counter
that advances each time a code is requested
(HOTP, RFC 4226).
Time Based OTP
Here the moving factor is time: the current
time divided into fixed steps, typically 30
seconds (TOTP, RFC 6238).
OTP is a second layer of
security to verify your
identity: each code is valid once, so a
captured code cannot simply be replayed.
2FA Using Hard Tokens
2FA Using Hard Tokens
• A hardware token is a key fob which is typically
carried on your key ring and displays a
pseudo-random number that changes
periodically (time based) or on each button
press (event based).
2FA Using Hard Tokens cont…
Security Analysis
Benefits
• It is secure against packet replay attacks:
every code is single-use, so a captured code
is worthless once it has been consumed.
• It limits phishing: a phished code expires
within one time step and cannot be reused
later.
Threats
• User needs to carry the
device everywhere, and
there is a risk that it may
get stolen or lost.
• Cost is very high.
• Vulnerable to active
attacks and man-in-the-
middle attacks: an attacker who relays the
code to the real site in real time still gets in,
because the code is bound neither to the
server nor to the transaction.
2FA Using Mobile Tokens
2FA Using Mobile Tokens
• The second factor is still ‘something you
have’: the registered mobile phone replaces
the hardware key fob.
• It makes use of:
– Application installed on user’s mobile
– IMEI (to tie the registration to one handset;
the IMEI is not secret and can be read or
spoofed, so it identifies the device but does
not by itself prove possession)
– Time Stamp
– Seed
• The Time based One Time Password (TOTP)
algorithm is used.
How Mobile Token 2FA Works?
• User registration on server: the mobile
application sends the auth server the seed, the
user’s PIN, the IMEI number and the time-stamp
difference between the phone clock and the
server clock.
How Mobile Token 2FA Works?
• OTP generation: the mobile application and the
authentication server hold the same seed and run
the same algorithm over the same time, so both
derive the same OTP (159759 on both sides).
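The event-based and time-based OTP types and the mobile-token flow above (shared seed at registration, a recorded clock difference, the same algorithm run on both sides) as an added worked example. This is not code from the slides; the 30-second step, the six-digit code, the one-step acceptance window and the per-user record (seed, clock offset, last accepted counter) are assumptions made for the demo. The seed is the ASCII test-vector secret from RFC 4226/6238, so the codes can be checked against the RFCs.

```python
"""Mobile-token style TOTP (RFC 6238 on top of RFC 4226 HOTP).

Added example, not code from the slides. STEP, DIGITS, the acceptance
window and the TotpServer record layout are assumptions for this demo.
"""
import hashlib
import hmac
import struct

STEP = 30      # assumed time step in seconds
DIGITS = 6     # six-digit codes, as on the slide (159759)

# Constructed demo seed: the ASCII secret used for the RFC 4226/6238 test vectors.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 (event based): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 (time based): HOTP with the counter set to the current time step."""
    return hotp(seed, int(unix_time) // step, digits)


class TotpServer:
    """Minimal authentication-server model (assumed for this example).

    Per user it keeps the shared seed, the clock offset recorded at
    registration (the slide's 'time stamp difference') and the last
    counter that was accepted, so a code is never accepted twice.
    """

    def __init__(self, window: int = 1):
        self.window = window          # accept +/- this many steps of drift
        self.users = {}

    def register(self, username: str, seed: bytes, client_time: float, server_time: float) -> None:
        self.users[username] = {
            "seed": seed,
            "offset": int(client_time - server_time),  # phone clock minus server clock
            "last": -1,                                 # highest counter accepted so far
        }

    def verify(self, username: str, candidate: str, server_time: float) -> bool:
        u = self.users[username]
        counter = int(server_time + u["offset"]) // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= u["last"]:
                continue                                  # replay of an already used step
            if hmac.compare_digest(hotp(u["seed"], c), candidate):
                u["last"] = c
                return True
        return False


def demo() -> dict:
    """Same seed + same time => same OTP, and why the registered offset matters."""
    server_now = 1_111_111_111          # fixed instant so the run is reproducible
    phone_now = server_now + 90         # the handset clock runs 90 s fast (three steps)

    srv = TotpServer(window=1)
    srv.register("user", DEMO_SEED, client_time=phone_now, server_time=server_now)
    code = totp(DEMO_SEED, phone_now)   # what the mobile application displays

    unsynced = TotpServer(window=1)     # same seed, but the offset was never recorded
    unsynced.register("user", DEMO_SEED, client_time=server_now, server_time=server_now)

    return {
        "phone_and_server_agree": code == totp(DEMO_SEED, server_now + 90),
        "accepted_with_offset": srv.verify("user", code, server_now),
        "replay_rejected": srv.verify("user", code, server_now),
        "rejected_without_offset": unsynced.verify("user", code, server_now),
    }


if __name__ == "__main__":
    print(demo())
```

The `last` counter is what turns "single-use" from a slogan into a check: without it a code captured inside its 30-second window would still be accepted a second time. The offset recorded at registration is what lets the server tolerate a fast or slow handset clock without widening the window for everybody.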
Security Analysis
Benefits
• A relatively cheaper and
more flexible means of OTP.
• Users just need to carry
their mobiles with them;
no extra device is needed.
Threats
• Still vulnerable to
active attacks
• Man-in-the-middle
attacks
• Man-in-the-browser
attacks: malware in the browser can alter the
transaction after the user has entered a valid
OTP, because the OTP proves only who is
logging in, not what is being submitted.
Response Mechanism
Response Mechanism
• For fund transfer
transactions, the server
generates a code and
sends it to the user. The user
enters the code provided
on the Internet banking site
in order to commit the
transaction.
• Challenges:
– High cost required
– Hardware required
SMS with Transaction Details
Security Analysis
• Threat
– The mobile is now a single point of failure. The OTP is
generated/received on the mobile and the
transaction verification code is also received via
SMS on the same mobile. An attacker who controls the
user’s mobile (physically, or via malware on it) can
complete both steps alone.
• Recommendation
– It is necessary that a different medium is used for
receiving the OTP and for receiving the transaction
verification code.
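The response mechanism above (server-generated code delivered with the transaction details, entered by the user to commit) as an added worked example. This is not the slides’ or any bank’s code: the bank key, the message layout that is MAC’d, the six-digit truncation, the 300-second lifetime, the SMS wording and the transfers are all constructed for the demo. It models the two places a man-in-the-browser can act: rewriting the transfer before the challenge is issued, and rewriting it at commit time after the user has approved the SMS.

```python
"""Transaction-bound confirmation codes ('SMS with transaction details').

Added example, not code from the slides. Key, message format, truncation,
lifetime and the sample transfers are assumptions made for this demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account_from: str
    payee: str
    amount_minor: int        # amount in minor units, so no float rounding in the MAC


class TransactionSigningServer:
    def __init__(self, bank_key: bytes, ttl: int = 300):
        self.key = bank_key
        self.ttl = ttl
        self.pending = {}    # challenge_id -> expiry time

    def _code(self, challenge_id: str, t: Transfer) -> str:
        # HMAC over the challenge id AND the transfer details: the code is
        # valid for exactly this transfer and no other.
        msg = "|".join([challenge_id, t.account_from, t.payee, str(t.amount_minor)]).encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10 ** 6).zfill(6)

    def challenge(self, t: Transfer, now: float):
        """Issue the out-of-band message. Returns (challenge_id, sms_text)."""
        challenge_id = os.urandom(8).hex()
        self.pending[challenge_id] = now + self.ttl
        sms = (f"Transfer {t.amount_minor / 100:.2f} from {t.account_from} "
               f"to {t.payee}. Code: {self._code(challenge_id, t)}")
        return challenge_id, sms

    def commit(self, challenge_id: str, t: Transfer, code: str, now: float) -> bool:
        expiry = self.pending.get(challenge_id)
        if expiry is None or now > expiry:
            return False                       # unknown, already used, or expired
        if not hmac.compare_digest(self._code(challenge_id, t), code):
            return False                       # details differ from the ones the code was bound to
        del self.pending[challenge_id]         # single use
        return True


def code_from_sms(sms: str) -> str:
    return sms.rsplit("Code: ", 1)[1]


def user_approves(intended: Transfer, sms: str) -> bool:
    """The human check the scheme relies on: do the SMS details match what
    the user actually typed into the browser?"""
    return (f"to {intended.payee}." in sms
            and f"{intended.amount_minor / 100:.2f}" in sms)


def demo() -> dict:
    bank = TransactionSigningServer(b"constructed-demo-bank-key")
    intended = Transfer("ACC-001", "City Bookshop", 250_000)
    tampered = Transfer("ACC-001", "Mule Account", 250_000)   # MITB swapped the payee

    # Scenario A: the malware rewrites the transfer before submission.
    # The bank challenges what it received, so the SMS names the mule account.
    _, sms_a = bank.challenge(tampered, now=1000.0)
    sms_reveals_tamper = not user_approves(intended, sms_a)

    # Scenario B: the user submits the real transfer and approves a matching
    # SMS; the malware then rewrites the commit request to the mule payee.
    cid_b, sms_b = bank.challenge(intended, now=2000.0)
    code_b = code_from_sms(sms_b)
    tampered_commit_rejected = not bank.commit(cid_b, tampered, code_b, now=2001.0)
    honest_commit_accepted = bank.commit(cid_b, intended, code_b, now=2002.0)
    replay_rejected = not bank.commit(cid_b, intended, code_b, now=2003.0)

    cid_c, sms_c = bank.challenge(intended, now=3000.0)
    expired_rejected = not bank.commit(cid_c, intended, code_from_sms(sms_c), now=3400.0)

    return {
        "sms_reveals_tamper": sms_reveals_tamper,
        "user_approves_matching_sms": user_approves(intended, sms_b),
        "tampered_commit_rejected": tampered_commit_rejected,
        "honest_commit_accepted": honest_commit_accepted,
        "replay_rejected": replay_rejected,
        "expired_rejected": expired_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Two things carry the security here, and both are visible in the code: the code is computed over the payee and amount, so a request rewritten in the browser fails `commit` no matter what the user typed; and the details reach the user over a channel the browser malware does not control, which is exactly why the single-point-of-failure threat above (OTP and confirmation SMS on one compromised phone) undoes the scheme.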
Business Benefits
Business Benefits…
• Customer confidence
• Regulations & best practices: EFT ACT 2007, PCI DSS, NIST
• Threat prevention: phishing, packet replay and man-in-the-middle attacks
• Fraud prevention
Conclusion &
Recommendations
Recommendations…
• Users should check that the website has
https in the URL, so that the password is
encrypted in transit.
• The OTP and PIN should be hashed before
sending; note that this only complements TLS and
does not stop replay, which is what the single-use,
time-limited code is for.
• Mutual authentication should be established
between the client and the server before the
session starts, so that the user can trust the
server as well as the reverse.
• Use a split-key technique for authentication.
Conclusion says…
Method                                   | Threats                                                                    | Effective against man-in-the-browser attack?
Static passwords                         | Can be lost and easily obtained; brute-force attacks possible              | No
Biometric                                |                                                                            | No
OTP hard tokens                          | User has to carry the token                                                | No
OTP soft / mobile token                  | Man-in-the-middle attacks                                                  | No
OTP with signature (challenge-response)  | Secure against man-in-the-middle attacks                                   | Yes, but inconvenient
OTP with SMS transaction detail          | Secure against phishing, packet replay, man-in-the-middle and man-in-the-browser attacks | Yes!!
Thank You