Phishing Blend Authentication and Authorization
Session Topic: Phishing Blend Authentication & Authorization Tuesday 1J
Convener: Marc Stiegler
Notes-taker: Rory Ford
Tags for the session - technology discussed/ideas considered: Phishing
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
2 Factor Access Control - Delivering on the promise made by 2 Factor Authentication
Every year, a Fortune 500 company sends an email to its employees that links to a logon screen. Phishing tricks the user into revealing credentials at the wrong site.
2 Factor Authentication doesn't make any difference to phishing: the phishing workflow is still humanly indistinguishable from the legitimate workflow, because the credentials (password and one-time code alike) are still unbundled from the valid site, so the user will hand them to whichever site asks.
One way to solve this problem is an unguessable random webkey (a secret embedded in the URL itself, which binds the credential to the site):
Eg https://verysimplewebsite.com/demo/#0vib39n3dimwicm
Google Docs, YouTube, Craigslist and HP rooms use this.
Objections include: shoulder surfing, social engineering, user unfamiliarity.
2 Factor Access Control (2FAcc)
The password can be combined with a private login page reached only via the webkey: the password is typed only on that page, so a phishing site that lacks the webkey cannot reproduce the page, and a phished password alone is useless without the link.
A web key can be used everywhere.
Claim: this would fix 75% of enterprise breaches at this stage.
An alternative:
Use an unguessable link for access. No username or password.
Claim: URLs aren't meant to contain secrets. Where the secret can leak, given that the webkey sits in the URL fragment (after the '#') and browsers never send the fragment in the HTTP request, the Referer header or proxy logs:
Server: can be fully secure (it never sees the raw key unless page script sends it deliberately).
Routing fabric: can be fully secure.
Browser: breach of history/bookmarks, where the full URL including the fragment is stored.
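The two designs above, a webkey-only page and a 2FAcc page where a password is accepted only on the private page, as an added example in Python. This is illustration written for these notes, not code from the session, from HP, or from any of the sites named above; the hostname, the in-memory registry, the 128-bit key length, the PBKDF2 settings and the sample passwords are all assumptions chosen for the demo.

```python
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Added example, not code from the session or from any site named in the notes.
# SITE, the in-memory registry and the sample passwords are constructed for the demo.
SITE = "https://verysimplewebsite.example/demo/"  # assumption: demo origin
WEBKEY_BYTES = 16                                  # 128 bits: not enumerable
PBKDF2_ROUNDS = 100_000                            # assumption: demo work factor


def make_webkey() -> str:
    """A fresh, unguessable webkey; URL-safe so it can ride in a fragment."""
    return secrets.token_urlsafe(WEBKEY_BYTES)


def webkey_digest(webkey: str) -> str:
    # Store a hash of the key rather than the key: a read-only leak of the
    # table then yields nothing a phisher can turn into a working link.
    return hashlib.sha256(webkey.encode()).hexdigest()


def fragment_of(url: str) -> str:
    # The webkey lives after '#'. Browsers do not send the fragment in the HTTP
    # request, so servers, proxies and Referer logs never see it; page script
    # reads location.hash and submits it in a POST body (simulated here).
    return urlsplit(url).fragment


class PrivateLoginPages:
    """In-memory registry of webkey-protected pages, one per user."""

    def __init__(self) -> None:
        self._pages = {}  # sha256(webkey) -> {"user": ..., optional "salt", "pw"}

    def issue(self, username: str, password: Optional[str] = None) -> str:
        """Create a private page for username and return its unguessable URL.

        With a password the page is a 2FAcc login page: the secret URL is one
        factor and the password (typed only on that page) the other. Without a
        password it is the webkey-only alternative from the notes.
        """
        webkey = make_webkey()
        record = {"user": username}
        if password is not None:
            salt = secrets.token_bytes(16)
            record["salt"] = salt
            record["pw"] = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._pages[webkey_digest(webkey)] = record
        return f"{SITE}#{webkey}"

    def authenticate(self, url: str, password: Optional[str] = None) -> Optional[str]:
        """Return the username if url (and password, where the page requires one) are valid."""
        webkey = fragment_of(url)
        if not webkey:
            return None
        # Looking up by digest rather than comparing raw keys avoids a
        # byte-by-byte timing side channel on the secret itself.
        record = self._pages.get(webkey_digest(webkey))
        if record is None:
            return None
        if "pw" in record:
            if password is None:
                return None
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
            if not secrets.compare_digest(candidate, record["pw"]):
                return None
        return record["user"]


if __name__ == "__main__":
    pages = PrivateLoginPages()
    alice_url = pages.issue("alice", "correct horse battery")  # 2FAcc page
    bob_url = pages.issue("bob")                                # webkey-only page
    print("alice on her page with password:", pages.authenticate(alice_url, "correct horse battery"))
    # A phisher who captured alice's password but not her link gets nowhere:
    phished_url = f"{SITE}#{make_webkey()}"
    print("phisher with password only:", pages.authenticate(phished_url, "correct horse battery"))
    print("bob with link only:", pages.authenticate(bob_url))
```

The registry keys pages by a hash of the webkey so that a database dump does not hand out working links, and the dictionary lookup on that digest sidesteps timing comparison of the raw secret. The split between `issue` with and without a password is the whole difference between the two designs in the notes: in 2FAcc a phished password is inert without the link, and in the webkey-only design the link is the entire credential, which is exactly why its exposure in browser history and bookmarks matters.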
Comments:
This is fine internally.
As the application developer, you are hoping people don't walk away.
With this, people have to walk away and then come back to access it.
Challenge and response is stronger.