CS1-1 Password Alternatives: Emerging Trends in Online Authentication

Nov 18, 2014

11:30 AM - 12:30 PM

Girish Chiruvolu, Ph.D., CISSP, MBA

VP, Information Security

Citi

It is a widely accepted principle that humans are the weakest link in the cyber security chain. Most hacks follow the weakest link of user authentication, typically structured around passwords, and thereafter are often associated with elevation of user privileges in order to compromise the entire system. As such, strong user authentication is of paramount importance. Further, with today's eCommerce monetary transactions amounting to billions of dollars, user authentication is the primary defense against online fraud. In the online user-authentication jungle, there exists a plethora of solutions addressing and impacting security, user convenience and scalability. However, passwords remain the core front-end first-factor authentication and have been hard to displace because of convenience and usability.

This session provides an overview of the spectrum of multi-factor authentication solutions and some of the industry guidelines, such as FFIEC and HIPAA; looks at ways to address today's password vulnerabilities, such as phishing, malware/keyloggers and several other attack vectors; and presents an approach that retains the password experience yet brings in at least a few orders of magnitude more security than passwords, balancing usability and convenience with scalability through Single Sign-On (SSO) technologies.

In this session, we will cover the following topics:

  1. Importance of user authentication and why password authentication is inadequate for most uses
  2. Spectrum of authentication technologies reviewed, including their strengths and entropy:
    1. Various aspects and tradeoffs of security and convenience examined
    2. Exploration of an emerging technology that has password convenience but offers better resistance against attack vectors
    3. Future authentication trends
  3. Single sign-on (SSO) technologies such as SAML, OAuth, OpenID and OpenID Connect reviewed, and their mitigating effect on password explosion and Identity and Access Management
  4. Industry guidelines