Threat Based Authentication: Understanding the Risks of RBA
From IIW
Session Topic: Threat Based Authentication
Wednesday 5C
Convener: David
Notes-taker: David Waite
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- Intro: a framework for thinking about authentication factors and the value they provide
- Initial scenario
  - An all-encompassing system protecting both a website and a safe
  - Both might support an access code
  - The website might use location as an additional factor ("he is accessing from a secure location")
  - The safe gets no value from that!
- Declaring specific authentication behavior and requirements based on a risk score means you may meet your score requirements even when the authentication factors used do not protect against the threats you are concerned about
- Example threats:
  - Session initiation / action
    - Phishing
    - Physical attack
    - Leaked credentials
    - Compromised network
  - Session hijacking
    - XSS
    - Sidejacking
    - Fixation
    - Network vulnerability
    - Browser extension
- Constraining attributes:
  - Local or remote attack
  - Insider- or outsider-initiated attack
  - Funding level
  - Indiscriminate or targeted attack
  - Personal knowledge or impersonal
  - Environment (browser app, native app, physical device)
Current work
- Evaluate threats and mitigations
  - Binary value
  - Evaluate behavior of attributes
    - New kind of threat? (phishing vs. spearphishing)
    - Distinction into two kinds of mitigation?
- Testbed
  - Set up threat concerns
  - Expose mitigations (password prompt, trusted location)
  - Determine additional threats which may need to be mitigated
- Product direction input
  - Evaluate the list of threats against the mitigations provided by authentication mechanisms
  - Take the list of additional threats which have mitigations we do not provide
  - Prioritize based on customer needs (the threats they are concerned about)
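The following is an added worked example, not part of the session notes or of any product discussed in them. It models the framework above as a small threat-vs-mitigation matrix: threats carry a constraining attribute (local vs. remote attacker), each mechanism mitigates a binary set of threats, and a resource's policy is checked against the threats that resource cares about rather than only against an aggregate score. The threat and mechanism names are taken from the notes; which mechanism covers which threat, the local/remote labels, and the score weights are assumptions made for illustration.

```python
"""Threat-vs-mitigation coverage check (illustrative; coverage data is assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    phase: str    # "session initiation" or "session hijacking" (from the notes)
    local: bool   # constraining attribute: local (physical) or remote attacker


@dataclass(frozen=True)
class Mitigation:
    name: str
    covers: frozenset          # threat names this mechanism defends against
    remote_only: bool = False  # e.g. a location check only helps against remote attackers

    def mitigates(self, threat: Threat) -> bool:
        if self.remote_only and threat.local:
            return False
        return threat.name in self.covers


# Threats named in the notes; the local/remote attribute is an assumption.
THREATS = {
    "phishing":            Threat("phishing", "session initiation", local=False),
    "leaked credentials":  Threat("leaked credentials", "session initiation", local=False),
    "compromised network": Threat("compromised network", "session initiation", local=False),
    "physical attack":     Threat("physical attack", "session initiation", local=True),
    "sidejacking":         Threat("sidejacking", "session hijacking", local=False),
    "fixation":            Threat("fixation", "session hijacking", local=False),
    "xss":                 Threat("xss", "session hijacking", local=False),
    "browser extension":   Threat("browser extension", "session hijacking", local=False),
}

# Assumed coverage: one binary value per (mechanism, threat) pair.
MITIGATIONS = {
    "password prompt":  Mitigation("password prompt",
                                   frozenset({"sidejacking", "fixation"})),
    "trusted location": Mitigation("trusted location",
                                   frozenset({"phishing", "leaked credentials"}),
                                   remote_only=True),
}

# Weights a point-based risk score might assign to the same mechanisms (assumed).
SCORE_WEIGHTS = {"password prompt": 2, "trusted location": 3}


def coverage(concerns, policy, mitigations=MITIGATIONS, threats=THREATS):
    """Split a resource's threat concerns into (covered, uncovered) under a policy,
    where policy is the list of mechanism names the policy applies."""
    covered, uncovered = set(), set()
    for name in concerns:
        threat = threats[name]
        if any(mitigations[m].mitigates(threat) for m in policy):
            covered.add(name)
        else:
            uncovered.add(name)
    return covered, uncovered


def score(policy, weights=SCORE_WEIGHTS):
    """Aggregate risk score of a policy, the way a score-based RBA rule sees it."""
    return sum(weights[m] for m in policy)


def score_gap(concerns, policy, threshold):
    """The session's warning in one call: True when the policy meets its score
    threshold yet leaves a threat of concern unmitigated."""
    _, uncovered = coverage(concerns, policy)
    return score(policy) >= threshold and bool(uncovered)


def unmitigated_threats(threats=THREATS, mitigations=MITIGATIONS):
    """Product-direction input: threats no available mechanism covers for any attacker."""
    return sorted(t.name for t in threats.values()
                  if not any(m.mitigates(t) for m in mitigations.values()))


if __name__ == "__main__":
    # Constructed scenario from the notes: one policy applied to a website and a safe.
    website = {"phishing", "leaked credentials", "sidejacking"}
    safe = {"physical attack"}
    policy = ["password prompt", "trusted location"]
    for label, concerns in (("website", website), ("safe", safe)):
        cov, unc = coverage(concerns, policy)
        print(f"{label}: score={score(policy)} covered={sorted(cov)} uncovered={sorted(unc)}")
    print("no mechanism covers:", unmitigated_threats())
```

Run stand-alone, the website's concerns are all covered while the safe keeps an uncovered "physical attack" at the same score, which is the point of the initial scenario: the score is identical, the protection is not. The last line lists threats that no offered mechanism covers, which is the "additional threats which have mitigations we do not provide" list to prioritize against customer concerns.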