Wednesday, March 15, 2023


Password Complexity

The complexity of a password can significantly affect its security. A password that is too simple or predictable is easy for an attacker to guess or crack, which could compromise the security of the account or system it is protecting. In the past, though, I've expressed a somewhat controversial view regarding complex passwords: overly complex passwords can actually decrease security because they encourage users to write down their passwords or use the same password across multiple accounts, which can increase the risk of a data breach.

Instead of focusing on complexity, organizations should encourage users to create longer passphrases that are easy to remember but difficult to guess. A passphrase is a sequence of words or other text that is used as a password. For example, "correct horse battery staple" is a passphrase that is recommended by some experts for its combination of length and randomness. Even better, substitute numbers and/or symbols for some of the letters (e.g. "c0rr3ct 4or5e 6@ttery st@pl3").

A strong password should be both complex and memorable. It should be long enough to resist brute-force attacks, which involve guessing every possible combination of characters until the correct one is found. A password that includes a mix of upper and lowercase letters, numbers, and symbols can make it more difficult for an attacker to guess, especially if the password is random or uses a phrase that is not commonly used.
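To put numbers on the length-versus-complexity argument, here is an added example (not code from the original post) that estimates the search space an attacker must cover for a random character-based password and for a random word-based passphrase, and how long exhausting it takes at an assumed guess rate. The guess rate, the 7776-word list size and the 33-symbol punctuation set are constructed assumptions; the estimates assume the secret was chosen at random, so a human-chosen phrase (a song lyric, a quotation) has far fewer effective bits than the function reports.

```python
# Added example (not from the original post): estimate the search space an
# attacker must cover for a character-based password versus a word-based
# passphrase, and how long exhausting it takes at an assumed guess rate.
# Entropy here assumes the secret was chosen at random; a human-chosen
# phrase such as a song lyric has far fewer effective bits.
import math

# Constructed assumptions: an offline attacker at 10 billion guesses/second
# (a cracking rig against a fast hash) and a 7776-word list (Diceware size).
GUESSES_PER_SECOND = 1e10
WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, inferred from the character
    classes actually present (lowercase, uppercase, digits, symbols/space)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space (assumed set size)
    return size


def password_entropy_bits(password: str) -> float:
    """Bits of entropy for a *random* password of this length over its charset."""
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of entropy for n words drawn uniformly from the word list."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate in a 2**bits search space at `rate` guesses/s."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


def compare(candidates):
    """Map each (label, bits) pair to the years needed to exhaust its search space."""
    return {label: years_to_exhaust(bits) for label, bits in candidates}


if __name__ == "__main__":
    report = compare([
        ("8 random chars, all classes", password_entropy_bits("Xk7#pQ2!")),
        ("12 random chars, all classes", password_entropy_bits("Xk7#pQ2!mN4$")),
        ("4 random words", passphrase_entropy_bits(4)),
        ("6 random words", passphrase_entropy_bits(6)),
    ])
    for label, yrs in report.items():
        print(f"{label:32s} {yrs:16.4f} years")
```

Run as a script it prints the years for each candidate; the useful comparison is that four random words sit roughly where eight random characters from all four classes do, and each extra word adds about 13 bits, while each extra random character adds about 6.6.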

However, the complexity of a password alone is not enough to ensure its security. Other factors, such as the length of time a password is used, how it is stored, and how it is transmitted over the network, also play a role in determining its overall security. It is important for users to follow good password hygiene practices, such as not reusing passwords across different accounts, regularly changing passwords, and using two-factor authentication, to maximize the security of their accounts and systems.

Friday, March 03, 2023


Better Authentication

What are the key points about authentication that we’ve learned over the years?

Passwords are a weak form of authentication: I’ve noted in the past that passwords are often the weakest link in the authentication process, as they can be easily guessed or stolen. Yet they are the method users are most comfortable with.

Multifactor authentication is becoming more important: I’ve often emphasized the importance of using multiple factors for authentication, such as something you know (like a password), something you have (like a security token), and something you are (like a biometric identifier). And remember, Multi-Factor is limited to just two factors.

One of the factors, biometric authentication, has its own challenges: I do caution that, while biometric authentication can be more secure than passwords, it also presents new challenges around privacy and data protection.

I believe that continuous authentication is the future. Continuous authentication, which uses a variety of signals and behaviors to authenticate users, will become increasingly important as time goes on.

Continuous authentication is an approach to authentication that uses a variety of signals and behaviors to verify a user's identity on an ongoing basis. Unlike traditional authentication methods, which typically require users to provide credentials (such as a password) only at the time of login, continuous authentication aims to provide continuous, real-time verification of a user's identity.

There are many different types of signals that can be used for continuous authentication, including biometric data (such as fingerprints or facial recognition), location data, behavioral biometrics (such as typing patterns or mouse movements), and machine learning algorithms that analyze user behavior over time to detect anomalies.

Continuous authentication has several potential benefits over traditional authentication methods. It can help to reduce the risk of unauthorized access by detecting and responding to anomalous behavior in real time, rather than relying on a one-time password or other static credentials. It can also provide a more seamless user experience, as users don't need to continually re-enter credentials to access resources.

However, there are also some potential challenges associated with continuous authentication. For example, there are privacy concerns around collecting and analyzing large amounts of user data, and there may be technical challenges around integrating different signals and behaviors into a coherent authentication system. Additionally, there may be challenges around user acceptance, as some users may be uncomfortable with the idea of being constantly monitored for authentication purposes.
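As an added illustration (not code from the original post) of the behavioral-biometrics signal described above, here is a minimal continuous-authentication monitor for one session. At login it builds a baseline of the user's keystroke cadence (inter-key intervals in milliseconds); afterwards each window of activity is scored against that baseline, and out-of-character windows erode the session's confidence until a step-up (re-authentication) is requested. All timings, thresholds and erosion/recovery rates are constructed assumptions chosen for the demonstration, not measurements from any real product.

```python
# Added example (not from the original post): a minimal continuous-authentication
# monitor for one session. At login it builds a baseline of the user's keystroke
# cadence (inter-key intervals in ms); afterwards every window of activity is
# scored against that baseline, and a run of out-of-character windows lowers the
# session's confidence until a step-up (re-authentication) is requested.
# All timings and thresholds are constructed sample values, not real measurements.
import statistics
from dataclasses import dataclass, field


@dataclass
class Baseline:
    mean_ms: float
    stdev_ms: float


def build_baseline(intervals_ms):
    """Enrollment: mean and spread of the user's own inter-key intervals."""
    stdev = statistics.pstdev(intervals_ms)
    return Baseline(statistics.mean(intervals_ms), stdev if stdev > 0 else 1.0)


def window_score(baseline, intervals_ms):
    """|z| of the window's mean cadence against the baseline.
    Uses the standard error of the mean, so longer windows are judged more tightly."""
    n = len(intervals_ms)
    if n == 0:
        return 0.0
    se = baseline.stdev_ms / (n ** 0.5)
    return abs(statistics.mean(intervals_ms) - baseline.mean_ms) / se


@dataclass
class Session:
    baseline: Baseline
    confidence: float = 1.0        # full confidence right after an explicit login
    erosion: float = 0.2           # confidence lost per "3 sigma" of anomaly
    recovery: float = 0.05         # confidence regained per consistent window
    step_up_threshold: float = 0.5
    history: list = field(default_factory=list)

    def observe(self, intervals_ms):
        """Score one window, update confidence, return the access decision."""
        z = window_score(self.baseline, intervals_ms)
        if z > 3.0:
            self.confidence = max(0.0, self.confidence - self.erosion * (z / 3.0))
        else:
            self.confidence = min(1.0, self.confidence + self.recovery)
        self.history.append((round(z, 2), round(self.confidence, 2)))
        return self.decision()

    def decision(self):
        return "step_up" if self.confidence < self.step_up_threshold else "allow"


# Constructed sample data: the legitimate user's enrollment intervals, one later
# window that looks like them, and one that looks like someone else at the keyboard.
ENROLLMENT_MS = [120, 135, 110, 140, 125, 130, 115, 128, 122, 138]
TYPICAL_WINDOW_MS = [125, 130, 120, 128, 135]
FOREIGN_WINDOW_MS = [70, 65, 80, 72, 68]


def run_demo():
    """Returns the decisions for the typical window, then the foreign one."""
    session = Session(build_baseline(ENROLLMENT_MS))
    return [session.observe(TYPICAL_WINDOW_MS), session.observe(FOREIGN_WINDOW_MS)]


if __name__ == "__main__":
    print(run_demo())  # ['allow', 'step_up']
```

The design point is that the monitor never blocks outright: a bad window lowers confidence and the only consequence is a request for explicit re-authentication, which keeps the false-positive cost to a prompt rather than a lockout. A production system would keep the baseline per user and per device, use several signals rather than one, and handle the privacy concern above by storing summary statistics (mean and spread) rather than raw keystroke logs.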

Overall, I believe that authentication is a critical component of any security strategy and that organizations should be exploring new and innovative ways to authenticate users while minimizing risks to data and privacy.


Friday, February 24, 2023



You really, really need to modernize your authentication

My main argument is that passwords are not an ideal form of authentication, as they are often too weak and easily guessable. I, along with most of the people I know in the security business, advocate for the use of stronger forms of authentication, such as biometrics, multi-factor authentication, or risk-based authentication, which can provide greater security and reduce the risk of password-related attacks.

However, we need to also acknowledge that passwords will likely continue to be used for the foreseeable future, so I can’t emphasize enough the importance of using good password hygiene practices, such as using strong, unique passwords for each account, regularly changing passwords, and avoiding common or easily guessable passwords.

Overall, I believe that while passwords do have limitations, they can still be a valuable part of an organization’s security strategy if they are used responsibly and in conjunction with other security measures.

In particular, I urge you to look at risk-based authentication (RBA). RBA is a type of authentication that uses a combination of contextual and historical data to determine the level of risk associated with a login attempt or transaction. RBA takes into account factors such as the user’s location, device, behavior patterns, and other relevant information to assess the likelihood that a particular login attempt is legitimate or fraudulent.

Based on this risk assessment, RBA can then adjust the authentication requirements accordingly. For example, if the login attempt is considered low-risk, the system may require only a simple username and password combination for authentication. However, if the login attempt is deemed high-risk, the system may require additional authentication factors, such as a one-time password, biometric authentication, or security questions.

By using RBA, organizations can improve security while also reducing user friction. Rather than requiring all users to go through the same level of authentication, RBA can tailor the authentication process to the level of risk associated with each individual login attempt. This helps to reduce the burden on users while also providing stronger security for the organization.

Implementing risk-based authentication (RBA) typically involves the following steps:
1. Define Risk Factors: Identify and define the risk factors that will be used to assess the risk associated with a login attempt. These factors could include device type, location, IP address, user behavior patterns, or any other relevant contextual or historical data.
2. Determine Risk Levels: Define the different risk levels based on the risk factors identified in step 1. For example, you might define a low-risk login attempt as one that is coming from a known device, while a high-risk attempt might be one that is coming from a new or unknown device in a different location.
3. Define Authentication Requirements: Determine the authentication requirements for each risk level. For example, low-risk login attempts may only require a username and password, while high-risk attempts may require additional authentication factors such as biometrics or a one-time password.
4. Implement RBA: Implement the RBA system within your authentication process. This may involve integrating with an RBA solution provider or developing your own custom solution.
5. Test and Refine: Test the RBA system and refine the risk factors and authentication requirements as needed. Regularly reviewing and refining the RBA system will help to ensure that it remains effective and relevant over time.
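The five steps above, carried through as an added example (not the post's own code, and not the product of any of the vendors named later): risk factors are named checks with tunable weights (steps 1 and 5), the summed score maps to a risk level (step 2), each level lists the factors a user must present (step 3), and required_factors() is the hook an authentication flow would call (step 4). The user history, the login attempts, the weights and the level thresholds are all constructed sample values; the ip_is_anonymizer flag is assumed to come from an external IP reputation feed.

```python
# Added example (not the post's own code, and not any vendor's product): a small
# risk-based authentication policy built along the five steps above. Risk factors
# are named checks with tunable weights (steps 1 and 5), the score maps to a risk
# level (step 2), each level names its required factors (step 3), and
# required_factors() is the hook an authentication flow would call (step 4).
# The user history and login attempts are constructed sample data; the
# ip_is_anonymizer flag is assumed to come from an external IP reputation feed.
from dataclasses import dataclass


@dataclass
class UserHistory:
    known_devices: set
    usual_countries: set
    usual_login_hours: set      # hours of day (0-23) the user normally logs in


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    hour: int
    ip_is_anonymizer: bool      # proxy/VPN/Tor exit, per an assumed reputation feed
    failed_attempts_last_hour: int


# Step 1: risk factors. Step 5: the weights are what gets refined over time.
RISK_WEIGHTS = {
    "unknown_device": 40,
    "unusual_country": 30,
    "anonymizing_ip": 20,
    "unusual_hour": 10,
    "recent_failures": 30,
}


def risk_factors(attempt, history):
    """Names of the risk factors that fire for this attempt."""
    fired = []
    if attempt.device_id not in history.known_devices:
        fired.append("unknown_device")
    if attempt.country not in history.usual_countries:
        fired.append("unusual_country")
    if attempt.ip_is_anonymizer:
        fired.append("anonymizing_ip")
    if attempt.hour not in history.usual_login_hours:
        fired.append("unusual_hour")
    if attempt.failed_attempts_last_hour >= 3:
        fired.append("recent_failures")
    return fired


def risk_score(factors):
    return sum(RISK_WEIGHTS[f] for f in factors)


# Step 2: risk levels from the score (thresholds are constructed values).
def risk_level(score):
    if score < 30:
        return "low"
    if score < 60:
        return "medium"
    return "high"


# Step 3: what each level must present before access is granted.
AUTH_REQUIREMENTS = {
    "low": ["password"],
    "medium": ["password", "one_time_password"],
    "high": ["password", "one_time_password", "biometric"],
}


# Step 4: the decision an authentication flow asks for.
def required_factors(attempt, history):
    factors = risk_factors(attempt, history)
    level = risk_level(risk_score(factors))
    return level, AUTH_REQUIREMENTS[level], factors


# Constructed sample data.
ALICE = UserHistory(known_devices={"laptop-1"}, usual_countries={"US"},
                    usual_login_hours=set(range(8, 19)))
ATTEMPTS = [
    LoginAttempt("laptop-1", "US", 10, False, 0),   # usual laptop, office hours
    LoginAttempt("phone-9", "US", 14, False, 0),    # new device, all else normal
    LoginAttempt("phone-9", "RO", 3, True, 0),      # new device, new country, VPN, 3 a.m.
]


if __name__ == "__main__":
    for attempt in ATTEMPTS:
        level, required, fired = required_factors(attempt, ALICE)
        print(f"{level:6s} {required} fired={fired}")
```

Keeping the weights and thresholds in plain tables is what makes step 5 practical: after reviewing which legitimate logins were pushed to step-up and which fraudulent ones slipped through as low risk, the operator adjusts a number rather than the code. Note that the decision only ever adds factors on top of the password; it never removes the baseline requirement for a low-risk attempt.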

Implementing RBA can help to improve security while also reducing user friction. By tailoring the authentication process to the level of risk associated with each login attempt, organizations can provide stronger security for high-risk scenarios while also reducing the burden on users for low-risk scenarios.

There are many risk-based authentication (RBA) solution providers in the market. Among them are:
1. Okta Adaptive MFA: Okta Adaptive MFA is an RBA solution that leverages contextual data to determine the level of risk associated with a login attempt. The system then adapts the authentication requirements accordingly, requiring additional factors for high-risk scenarios and fewer factors for low-risk scenarios.
2. RSA Adaptive Authentication: RSA Adaptive Authentication is an RBA solution that uses a combination of behavioral biometrics, device intelligence, and machine learning to assess the risk of a login attempt. The system then adjusts the authentication requirements accordingly.
3. IBM Security Verify Access: IBM Security Verify Access is an RBA solution that uses contextual data to determine the level of risk associated with a login attempt. The system then adapts the authentication requirements based on the risk level, using a range of authentication factors, including biometrics, one-time passwords, and push notifications.
4. Duo Security: Duo Security is an RBA solution that uses a range of contextual data, including device type, IP address, and user behavior patterns, to assess the risk of a login attempt. The system then adapts the authentication requirements accordingly, using a range of factors such as biometrics, SMS messages, or phone callbacks.
5. OneLogin Adaptive Authentication: OneLogin Adaptive Authentication is an RBA solution that uses machine learning algorithms to analyze a range of contextual data, including device information, location, and user behavior patterns. The system then adapts the authentication requirements based on the risk level, using a range of authentication factors, including biometrics, one-time passwords, and push notifications.

These are just a few examples of the many RBA solution providers in the market. When selecting an RBA solution, it’s important to consider factors such as the specific authentication requirements needed, the level of risk associated with your organization’s login attempts, and the level of integration and customization required.

Thursday, December 15, 2022


Join me on Mastodon by following this link

Thursday, June 12, 2014


How dumb do you think I am?

According to an article in Time Magazine, you can Opt Out of Facebook’s New Ad-Targeting Program.

But FB will still track your web browsing. And FB will still show you lots of ads. The difference is that the ads will not be particularly relevant to your needs and preferences.

So, show of hands - how many of you don't mind being tracked, but love seeing irrelevant advertising? I thought so.

Friday, April 18, 2014


What does Chelsea Clinton's pregnancy mean for IAM?


Sunday, April 06, 2014


It's a dangerous world, learn about it

Tim Bray recently posted an article ("Ethical Privacy Choices") in which he asked, well no, demanded that:

"the only sane ethical position [for web site operators] is to operate in a mode that is private by default..."

He does offer this strawman codicil:
"Yes, it is certainly desirable that for those who are in the unusual position of being confident that they understand the technical and policy issues, they be given the option of choosing to operate in plain-text anyone-can-MITM anyone-can-eavesdrop mode."
Catch the subtle sarcasm? I beg to differ.

A site operator should set the default to what the majority of the site visitors would prefer. That's not as difficult as it sounds. When designing the site you target a specific demographic. Set defaults to what that demographic has shown they like. If that's full privacy/security then so be it. If not, then do that.

What is imperative, though, is that the options to fine-tune that default are easily available and the explanation for the settings is succinct but easily understandable.

The world should not be designed to save the self-naive at the expense of those who have chosen to know its dangers.

© 2003-2006 The Virtual Quill, All Rights Reserved

