
Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild - PowerPoint PPT Presentation


  1. Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
     Stephan Wiefling, Luigi Lo Iacono – TH Köln – University of Applied Sciences
     Markus Dürmuth – Ruhr University Bochum
     Bonneau et al.: Passwords and the evolution of imperfect authentication. Comm. ACM 58(7) (Jun 2015)
     Image: Iwona Usakiewicz / Andrij Borys Associates
     Stephan Wiefling, Luigi Lo Iacono, Markus Dürmuth | Lisbon, Portugal | IFIPSEC 2019

  2. (no slide text)

  3. Motivation
     • Weaknesses in password-based authentication increase
       • Large-scale password database leaks
       • Credential stuffing
       • Intelligent password guessing*
       • Phishing
     *Wang et al.: Targeted online password guessing: An underestimated threat. In: CCS '16. ACM (2016)

  4. Motivation
     • 2FA is unpopular
       • <10% of all Google accounts used 2FA in January 2018*
     → Using risk-based authentication to increase account security with minimal impact on user interaction
     *Milka, G.: Anatomy of Account Takeover. In: Enigma 2018. USENIX (Jan 2018)

  5. IP address, User agent, ... + Username, Password → Risk estimation → Risk: Low / Medium / High

  6. IP: Lisbon, PT | Chrome | Windows 10 | ... + Username, Password

  7. IP: Lisbon, PT | Chrome | Windows 10 | ... + Username, Password → Risk estimation: "Same device as always" → Low risk

  8. IP: Berlin, DE | Chrome | Android 8.1 | ... + Username, Password

  9. IP: Berlin, DE | Chrome | Android 8.1 | ... + Username, Password → Risk estimation: "There's something different here" → Medium risk → Additional authentication

  10. IP: Berlin, DE | Chrome | Android 8.1 | ... + Username, Password → Risk estimation: "There's something different here" → Medium risk → Additional authentication → Proof for additional authentication

  11. IP: New York, US* | PhantomJS | Linux | ... + Username, Password
      *Known spam IP address

  12. IP: New York, US* | PhantomJS | Linux | ... + Username, Password → Risk estimation: "Very likely a hacker" → High risk
      *Known spam IP address
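The risk estimation that slides 5 to 12 walk through (compare the login's IP location, browser and OS with the account's login history; low risk signs in, medium risk triggers additional authentication, a known spam IP address or a headless browser is high risk) as an added Python example. This is not code from the talk or from any of the studied services, whose procedures are exactly what the talk says are undisclosed. The feature weights, the three-login trust threshold, the score bands and the two blocklists are assumptions made for this example, and the IP addresses are constructed from documentation ranges.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from fractions import Fraction

# Per-feature weights in points (constructed for this example; the talk does not
# disclose any service's weights). The IP location dominates, browser and OS
# share the rest. Only features named on the slides are used.
FEATURE_WEIGHTS = {"country": 40, "city": 20, "os": 20, "browser": 20}
FULL_TRUST_COUNT = 3   # a value seen this often in the history is fully familiar
LOW_MAX = 30           # score bands (constructed): <=30 low, <=90 medium, else high
MEDIUM_MAX = 90

# Constructed blocklists standing in for the "known spam IP address" and the
# headless browser on the slides. 203.0.113.0/24 is a documentation range.
SPAM_IPS = {"203.0.113.7"}
HEADLESS_BROWSERS = {"PhantomJS"}


@dataclass(frozen=True)
class Login:
    ip: str
    country: str
    city: str
    browser: str
    os: str


class RiskEstimator:
    """Scores a login attempt by how unfamiliar its features are for that user."""

    def __init__(self):
        # history[user][feature][value] -> number of past successful logins
        self.history = defaultdict(lambda: defaultdict(Counter))

    def record_successful_login(self, user, login):
        """Called after the password (and any additional authentication) succeeded."""
        for feature in FEATURE_WEIGHTS:
            self.history[user][feature][getattr(login, feature)] += 1

    def score(self, user, login):
        """Weighted unfamiliarity: 0 (every feature well known) .. 100 (all new)."""
        total = Fraction(0)
        for feature, weight in FEATURE_WEIGHTS.items():
            seen = self.history[user][feature][getattr(login, feature)]
            familiarity = Fraction(min(seen, FULL_TRUST_COUNT), FULL_TRUST_COUNT)
            total += weight * (1 - familiarity)
        return total

    def estimate(self, user, login):
        """Returns (risk level, score). Blocklist hits short-circuit to high risk."""
        if login.ip in SPAM_IPS or login.browser in HEADLESS_BROWSERS:
            return "high", Fraction(100)
        s = self.score(user, login)
        if s <= LOW_MAX:
            return "low", s
        if s <= MEDIUM_MAX:
            return "medium", s
        return "high", s


def run_scenario():
    """Replays the three cases from the slides; returns {case: (level, score)}."""
    rba = RiskEstimator()
    user = "alice"
    usual = Login("198.51.100.10", "PT", "Lisbon", "Chrome", "Windows 10")
    for _ in range(20):                      # constructed history: 20 usual logins
        rba.record_successful_login(user, usual)

    results = {}
    results["same_device"] = rba.estimate(user, usual)

    travel = Login("192.0.2.44", "DE", "Berlin", "Chrome", "Android 8.1")
    results["new_device_first"] = rba.estimate(user, travel)
    # The user passes the additional authentication, so the login joins the
    # history; the same device is still unfamiliar until seen FULL_TRUST_COUNT times.
    rba.record_successful_login(user, travel)
    results["new_device_second"] = rba.estimate(user, travel)
    for _ in range(FULL_TRUST_COUNT - 1):
        rba.record_successful_login(user, travel)
    results["new_device_trusted"] = rba.estimate(user, travel)

    bot = Login("203.0.113.7", "US", "New York", "PhantomJS", "Linux")
    results["spam_ip_headless"] = rba.estimate(user, bot)
    return results


if __name__ == "__main__":
    for case, (level, score) in run_scenario().items():
        print(f"{case:20s} {level:6s} score={float(score):.1f}")
```

The history counter is the point of the example: the Berlin/Android login stays at medium risk after one confirmed login and only drops to low once the device has been seen three times, which is the behaviour the later slides refer to when they say the login history influences the risk score. Exact fractions are used so that threshold comparisons never depend on floating-point rounding.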

  13. Risk-based Authentication
      • Recommended by NIST digital identity guidelines*
      • Used by large online services
      • However: procedures not disclosed
      *Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

  14. Risk-based Authentication
      • Recommended by NIST digital identity guidelines*
      • Used by large online services
      • However: procedures not disclosed
        • Prevents widespread adoption
      *Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

  15. Risk-based Authentication
      • Recommended by NIST digital identity guidelines*
      • Used by large online services
      • However: procedures not disclosed
      → Black-box testing eight popular online services
      *Grassi et al.: Digital identity guidelines. Tech. Rep. NIST SP 800-63b (2017)

  16. (no slide text)

  17. ?

  18. Login | IP address | User Agent | ...   → ?

  19. Login | IP address | User Agent | ...   → ?
      1     | TH Köln    | Chrome     | ...

  20. Login | IP address | User Agent | ...   → ?
      1     | TH Köln    | Chrome     | ...
      2     | TH Köln    | Chrome     | ...

  21. Login | IP address | User Agent | ...   → ?
      1     | TH Köln    | Chrome     | ...
      2     | TH Köln    | Chrome     | ...
      3     | TH Köln    | Chrome     | ...

  22. Login | IP address | User Agent | ...   → ?
      1     | TH Köln    | Chrome     | ...
      2     | TH Köln    | Chrome     | ...
      3     | TH Köln    | Chrome     | ...
      ...   | ...        | ...        | ...
      20    | TH Köln    | Chrome     | ...

  23. Login | IP address | User Agent | ...   → ?
      1     | TH Köln    | Chrome     | ...
      2     | TH Köln    | Chrome     | ...   </>
      3     | TH Köln    | Chrome     | ...
      ...   | ...        | ...        | ...
      20    | TH Köln    | Chrome     | ...

  24. Login | IP address    | User Agent | ...   → ?
      1     | TH Köln       | Chrome     | ...
      2     | TH Köln       | Chrome     | ...   </>
      3     | TH Köln       | Chrome     | ...
      ...   | ...           | ...        | ...
      20    | TH Köln       | Chrome     | ...
      21    | Other Country | Chrome     | ...

  25. Login | IP address    | User Agent | ...   → ?
      1     | TH Köln       | Chrome     | ...
      2     | TH Köln       | Chrome     | ...   </>
      3     | TH Köln       | Chrome     | ...
      ...   | ...           | ...        | ...
      20    | TH Köln       | Chrome     | ...
      21    | Other Country | Chrome     | ...   → , or ?

  26. It's not that easy...
      Login history influences risk score

  27. It's not that easy...
      Login history influences risk score
      Solution: Create many user accounts

  28. It's not that easy...
      Automated testing influences result

  29. It's not that easy...
      Automated testing influences result
      Solution: Create human-like browsing behavior

  30. 28x Identities

  31. 28x Identities → Human User Imitation → RBA Testing Log → RBA Inspection System

  32. 28x Identities → Human User Imitation → RBA Testing Log → RBA Inspection System
      224 User Accounts | Inspected Services

  33. It's still not that easy...
      List of potential features is huge

  34. It's still not that easy...
      List of potential features is huge
      Solution: Test most relevant* features
      *Citations in literature, highest distinguishing info in Alaca and van Oorschot
      Alaca, F., van Oorschot, P.C.: Device Fingerprinting for augmenting web authentication. In: Proc. ACSAC '16. pp. 289-301. ACM (2016)

  35. It's still not that easy...
      Feature                       | RBA references count (except *) | Distinguishing info*
      ------------------------------|---------------------------------|---------------------
      IP address                    | 6                               | ●●●●○
      User agent string             | 3                               | ●●●●○
      Language                      | 3                               | ●●●●○
      Display resolution            | 2                               | ●●●●○
      Login time                    | 5                               | ●●●○○
      Evercookies                   | 1                               | ●●●●●
      Canvas fingerprinting         | 3                               | ●●●○○
      Mouse and keystroke dynamics  | 1                               | -
      Failed login attempts         | 2                               | -
      WebRTC                        | -                               | ●●●○○
      Counting hosts behind NAT     | -                               | ●●○○○
      Ad blocker detection          | -                               | ●○○○○
      * Alaca, F., van Oorschot, P.C.: Device Fingerprinting for augmenting web authentication. In: Proc. ACSAC '16. pp. 289-301. ACM (2016)
