Threat Based Authentication: Understanding the Risks of RBA

From IIW

Session Topic: Threat Based Authentication

Wednesday 5C

Convener: David

Notes-taker: David Waite

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

  • Intro - a framework for thinking about authentication factors and the value they provide
  • Initial scenario
    • All-encompassing system protecting both the website and a safe
    • Both might support an access code
    • Website might use location as an additional factor: "he is accessing from a secure location"
    • Safe gets no value from that!
  • Declaring specific authentication behavior and requirements based on a risk score means that you may meet your score requirements even when the authentication factors used do not protect against the threats you are concerned about
  • Example Threats:
    • Session Initiation / Action
      • Phishing
      • Physical attack
      • Leaked credentials
      • Compromised network
    • Session Hijacking
      • XSS
      • Sidejacking
      • Fixation
      • Network vulnerability
      • Browser extension
  • Constraining Attributes:
    • Local or remote attack
    • Insider- or outsider-initiated attack
    • Funding level
    • Indiscriminate or targeted attack
    • Personal knowledge or impersonal
    • Environment (browser app, native app, physical device)

Current work

  • Evaluate threats and mitigations
    • binary value
    • evaluate behavior of attributes
    • new kind of threat? (phishing vs spearphishing)
    • distinction into two kinds of mitigation?
  • Testbed
    • set up threat concerns
    • expose mitigations (password prompt, trusted location)
    • determine additional threats which may need to be mitigated
  • Product Direction input
    • evaluate list of threats against mitigations provided by authentication mechanisms
    • take list of additional threats which have mitigations which we do not provide
    • prioritize based on customer needs (the threats they are concerned about)
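The following is an added worked example, not code from the session or from any product discussed in it. It models the framework sketched in the intro (website vs. safe, access code plus trusted location) and the "binary value" evaluation proposed under Current work: each authentication factor is credited a risk-score weight and, separately, a yes/no answer for each threat it actually stops, with the local/remote constraining attribute deciding whether a location check applies. The threat names come from the notes; the score weights, the threshold, the concern lists for the two resources and the coverage rules are assumptions made for the example.

```python
"""Threat-coverage model for authentication factors (added example, not from the notes)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Set


@dataclass(frozen=True)
class Threat:
    """A threat of concern, tagged with a constraining attribute from the notes."""
    name: str
    remote: bool  # True: attacker acts from elsewhere; False: attacker is on site


@dataclass(frozen=True)
class Mitigation:
    """An authentication factor: the score a risk policy credits it, and what it stops."""
    name: str
    score: int
    stops: Callable[[Threat], bool]


# ASSUMED coverage rules. An access code is the baseline that the listed threats
# are ways of defeating, so by itself it stops none of them. A trusted-location
# check only helps against attackers acting remotely, and only against credential
# misuse (a hijacked session already originates from the trusted location). A fresh
# password prompt before an action defeats session hijacking because the hijacker
# does not hold the credential.
MITIGATIONS: Dict[str, Mitigation] = {
    "access_code": Mitigation("access_code", 10, lambda t: False),
    "trusted_location": Mitigation(
        "trusted_location", 20,
        lambda t: t.remote and t.name in {"phishing", "leaked_credentials"}),
    "password_prompt": Mitigation(
        "password_prompt", 10,
        lambda t: t.name in {"sidejacking", "session_fixation", "xss"}),
}

# Constructed concern lists for the two resources in the session's scenario.
# Every attack on the safe happens at the safe, so all of its threats are local.
WEBSITE: FrozenSet[Threat] = frozenset({
    Threat("phishing", remote=True),
    Threat("leaked_credentials", remote=True),
    Threat("sidejacking", remote=True),
})
SAFE: FrozenSet[Threat] = frozenset({
    Threat("leaked_credentials", remote=False),
    Threat("physical_attack", remote=False),
})

SCORE_THRESHOLD = 30  # assumed policy: "present factors worth at least 30"


def risk_score(selected: Iterable[str]) -> int:
    """Sum of the score weights, i.e. what a score-based RBA policy looks at."""
    return sum(MITIGATIONS[m].score for m in selected)


def uncovered(selected: Iterable[str], concerns: FrozenSet[Threat]) -> Set[str]:
    """Threats of concern that none of the selected factors actually stops."""
    factors = [MITIGATIONS[m] for m in selected]
    return {t.name for t in concerns if not any(f.stops(t) for f in factors)}


def evaluate(selected: Iterable[str], concerns: FrozenSet[Threat]) -> dict:
    """Put the score verdict next to the threat-coverage verdict for one resource."""
    selected = list(selected)
    score = risk_score(selected)
    return {
        "score": score,
        "score_ok": score >= SCORE_THRESHOLD,
        "gaps": uncovered(selected, concerns),
    }


if __name__ == "__main__":
    # The safe reaches the score threshold with access code + location, yet the
    # location check stops nothing it is concerned about; the website has a
    # sidejacking gap until a password prompt is added for the action.
    for label, concerns in (("website", WEBSITE), ("safe", SAFE)):
        for factors in (["access_code", "trusted_location"],
                        ["access_code", "trusted_location", "password_prompt"]):
            print(label, factors, evaluate(factors, concerns))
```

Run stand-alone, the script prints the score verdict and the coverage gaps side by side: the same factor set is "score_ok" for both resources, but for the safe the gap set is its entire concern list, which is the session's point that a score can be satisfied by factors that mitigate none of the threats you care about. Swapping the assumed coverage rules or concern lists for a product's real ones is the "testbed" step described above.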