Phishing Blend Authentication and Authorization

From IIW

Session Topic: Phishing Blend Authentication & Authorization Tuesday 1J

Convener: Marc Stiegler

Notes-taker: Rory Ford

Tags for the session - technology discussed/ideas considered: Phishing

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

2 Factor Access Control - Delivering on the promise made by 2 Factor Authentication

Every year, a Fortune 500 company sends an email to employees that links to a log-on screen. Phishing tricks the user into revealing credentials at the wrong site.

2 Factor Authentication doesn’t make any difference to phishing: the phishing workflow is still humanly indistinguishable from the legitimate workflow. The problem is that the credentials are still unbundled from the valid site.


One way to solve this problem is an unguessable random webkey.

E.g. https://verysimplewebsite.com/demo/#0vib39n3dimwicm

Google Docs, YouTube, Craigslist and HP rooms use this.

Objections include: shoulder surfing, social engineering, user unfamiliarity.


2 Factor Access Control (2FAcc)

Can combine the password with the private login page


A web key can be used everywhere.


This fixes 75% of enterprise breaches at this stage.


An alternative:

Use an unguessable link for access. No username or password.


Claim: URLs aren’t meant to contain secrets.

Server: can be fully secure.

Routing fabric: can be fully secure.

Browser: breach of history/bookmarks.



Comments:

This is fine internally.


As the application developer you are hoping people don’t walk away.

With this, people have to walk away and then come back to get access.


Challenge and response is stronger.