Navigating the NIST AIM Guidelines
If the barrage of recent data breaches tells us anything, it’s that digital identity is the new battleground in information security.
According to Symantec’s Internet Security Threat Report, 1.1 billion identities were stolen in 2016 alone. Armies of botnets are attempting to reuse and harvest stolen credentials in drive-by downloads or targeted phishing scams—all while we are still struggling with security basics.
The standards of identity management are desperately inefficient. The 2017 Verizon Data Breach Investigations Report revealed that last year alone, 81% of hacking-related beaches leveraged weak or stolen passwords. Society’s standards around access and identity have been slow to evolve and in turn, our authentication strategies have remained stagnant for nearly 15 years. Passwords are still in use in most organizations while at the same time, those very enterprises use multiple solutions to manage access across their sprawling enterprises.
This should come as no surprise.
Identity represents a critical control point that holds the overall security of an organization in the balance. If addressed effectively, identity access management (IAM) dramatically improves security across a network’s ecosystem.
Recognizing the weaknesses of current standards, entities supporting government agencies and other sensitive industries are now being held to new identity standards, requiring them to take a new look at their IAM protocols in accordance with updated guidelines and mandates. Thus many enterprises are looking for a comprehensive solution that understands and meets these new requirements.
A slew of standards and regulatory groups are demanding stronger protocols for identity protection. The Payment Card Industry Data Security Standard (PCI DSS) now requires Multi Factor Authentication (MFA) around applications and infrastructure supporting and processing payment card data. Similarly, new mandates from the New York Department of Financial Services (NYDFS) require certain covered enterprises to move beyond legacy authentication solutions and implement robust IAM that supports MFA and a federated architecture to reach today’s cloud, mobile, and on-premises services.
The latest milestone in this trend of evolving IAM standards was the release of a report by the National Institute of Standards and Technology (NIST) on Digital Identity Guidelines. NIST’s Special Publication 800-63 wipes away most old password rules and places the burden of securing access in the hands of identity protection technology. In an effort to address today’s risks nearly all standards have recognized that we can no longer secure access to networks with single-factor authentication like simple passwords. For all federal agencies and government suppliers, NIST standards mandate the use of Multi-Factor Authentication (MFA) for privileged access and remote access to the network—essentially all of today’s modern IT workers.
The Octopus Authenticator: Follows the NIST guidelines to the letter
Secret Double Octopus technology provides all the solutions to address today’s threat environment. The Octopus Authenticator turns a user’s personal mobile machines into a cryptographic multifactor device, utilizes secure out-of-band data transfers. With with this, any individual or group can achieve Level 2 Authentication Assurance (AAL2), the highest security protocol used outside of military and top-secret government applications.
The Authenticator protects user identities from all the dangers outlined by the latest NIST guidelines :[sdo-table]
|Authenticator Threat/Attack||Description||Examples||Secret Double Octopus Technology|
|Assertion Manufacture or Modification||The attacker generates a false assertion||Compromised CSP asserts the identity of a claimant who has not properly authenticated||Through the use of Secret Sharing scheme, the CSPs is never exposed to the useful key material, and even if compromised cannot assert identity without actual authentication.|
|The attacker modifies an existing assertion||Compromised proxy that changes AAL of an authentication assertion||The authenticator is, by NIST definition, Cryptographic Multifactor Software. Its AAL offers high assurance (AAL2) by default, with low UX friction.|
|Theft||A physical authenticator is stolen by an attacker.||A hardware cryptographic device is stolen.||The authenticator is, by NIST definition, Cryptographic Multifactor Software. If stolen, security protocols on the phone would prevent its use by an attacker without the biometric data or pin code.|
|An OTP device is stolen.||Secret Double Octopus’s technology harnesses users mobile devices as authenticators. Security protocols on the phone would prevent its use by an attacker if stolen|
|A look-up secret authenticator is stolen.||The Authenticator does not use any physical or electronic record that stores a set of secrets, the secret is divided to shares which are encrypted Secret Sharing algorithms are used to randomize the secret, any piece of intercepted information is useless to an attacker, even|
|A cell phone is stolen.||The authenticator is, by NIST definition, Cryptographic Multifactor Software. If stolen, security protocols on the phone would prevent its use by an attacker without the biometric data or pin code.|
|Duplication||The subscriber’s authenticator has been copied with or without their knowledge.||Passwords written on paper are disclosed||The Octopus Authenticator does eliminate the use of passwords|
|Passwords stored in an electronic file are copied.||The Octopus Authenticator does not use passwords or Memorized secrets|
|Software PKI authenticator (private key) copied.||By use of Secret Sharing scheme, Octopus Authenticator does not store a private key but a useless, ephemeral share on the authenticator.|
|Look-up secret authenticator copied.||Octopus Authenticator does not rely on passwords, software PKI, or immutable authentication characteristics such as biometrics|
|Counterfeit biometric authenticator manufactured.||Octopus Authenticator is protected and will not operate on counterfeit or rooted devices.|
|Eavesdropping||The authenticator secret or authenticator output is revealed to the attacker as the subscriber is authenticating.||Memorized secrets are obtained by watching keyboard entry.||The authenticator achieves strong authentication without requiring keyboard entry|
|Memorized secrets or authenticator outputs are intercepted by keystroke logging software.||Octopus Authenticator does not use passwords or Memorized secrets|
|A PIN is captured from a PIN pad device.||Octopus Authenticator does not rely on a PIN pad device.|
|A hashed password is obtained and used by an attacker for another authentication (pass-the-hash attack).||The Octopus Authenticator does not use passwords or Memorized secrets.|
|An out-of-band secret is intercepted by the attacker by compromising the communication channel.||An out-of-band secret is transmitted via unencrypted Wi-Fi and received by the attacker.||The secret share delivered over the out-of band channel is 100% useless. The authenticator uses multiple channels to deliver authentication data. The compromise of one of them would not grant an attacker access.|
|Offline Cracking||The authenticator is exposed using analytical methods outside the authentication mechanism.||A software PKI authenticator is subjected to dictionary attack to identify the correct password to use to decrypt the private key.||Octopus Authenticator uses Secret Sharing scheme – which is an Information-Theoretical secure algorithm, not subject to analytical or dictionary attacks.|
|Side Channel Attack||The authenticator secret is exposed using physical characteristics of the authenticator.||A key is extracted by differential power analysis on a hardware cryptographic authenticator.||Because the Authenticator implements Secret Sharing algorithms to randomize authentication data, any piece of intercepted information is useless to an attacker.|
|A cryptographic authenticator secret is extracted by analysis of the response time of the authenticator over a number of attempts.||The authenticator uses multiple channels to deliver authentication data. The compromise of one of them would not grant an attacker access.|
|Phishing or Pharming||The authenticator output is captured by fooling the subscriber into thinking the attacker is a verifier or RP.||A password is revealed by subscriber to a website impersonating the verifier.||Authentication requires access to the user’s actual device. Phishing and other classic credential theft schemes are ineffective|
|A memorized secret is revealed by a bank subscriber in response to an email inquiry from a phisher pretending to represent the bank.||Authentication requires access to the user’s actual device. Phishing and other classic credential theft schemes are ineffective|
|A memorized secret is revealed by the subscriber at a bogus verifier website reached through DNS spoofing.||Authentication requires access to the user’s actual device. DNS spoofing and other classic credential theft schemes are ineffective|
|Social Engineering||The attacker establishes a level of trust with a subscriber in order to convince the subscriber to reveal their authenticator secret or authenticator output.||A memorized secret is revealed by the subscriber to an officemate asking for the password on behalf of the subscriber’s boss.||The Octopus Authenticator user does not use passwords or memorized secrets. Behind the scenes, passwords for legacy environment are replaced at high frequency.|
|A memorized secret is revealed by a subscriber in a telephone inquiry from an attacker masquerading as a system administrator.||The Octopus Authenticator user does not use passwords or memorized secrets. Behind the scenes, passwords for legacy environment are replaced at high frequency.|
|An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker.||The Octopus Authenticator does not use SMS at all.|
|Online Guessing||The attacker connects to the verifier online and attempts to guess a valid authenticator output in the context of that verifier.||Online dictionary attacks are used to guess memorized secrets.||Octopus Authenticator does not rely on memorized secrets.|
|Online guessing is used to guess authenticator outputs for an OTP device registered to a legitimate claimant.||Octopus Authenticator does not rely on OTP.|
|Endpoint Compromise||Malicious code on the endpoint proxies remote access to a connected authenticator without the subscriber’s consent.||A cryptographic authenticator connected to the endpoint is used to authenticate remote attackers.||Octopus Authenticator is not connected to the endpoint|
|Malicious code on the endpoint causes authentication to other than the intended verifier.||Authentication is performed on behalf of an attacker rather than the subscriber.||Octopus Authenticator is not connected to the endpoint|
|A malicious app on the endpoint reads an out-of-band secret sent via SMS and the attacker uses the secret to authenticate.||Octopus Authenticator is not connected to the endpoint|
|Malicious code on the endpoint compromises a multi-factor software cryptographic authenticator.||Malicious code proxies authentication or exports authenticator keys from the endpoint.||Octopus Authenticator does not employ usable keys on the endpoint|
|Unauthorized Binding||An attacker is able to cause an authenticator under their control to be bound to a subscriber’s account.||An attacker intercepts an authenticator or provisioning key en route to the subscriber.||OctopusAuthenticator supports multi-route provisioning|