Speaker
Dr Stefan Lueders (CERN)
Description
Access protection is one of the cornerstones of security. The rule of least privilege demands that any access to computer resources, like computing services or web applications, is restricted in such a way that only users who need to can access those resources. Usually this is done by authenticating the user, asking her for something she knows, e.g. a (public) username and a secret password. Unfortunately, passwords are regularly lost to attackers: out of ignorance, users voluntarily reply to so-called phishing emails that are specially crafted to steal passwords; attackers have repeatedly succeeded in intercepting passwords typed into compromised PCs… Adding a second factor to the authentication process, something the user is (e.g. established by an iris scan) or has (e.g. a hardware token), prevents the attacker from doing any harm with the stolen password: he now also needs to get hold of the second factor.
In order to protect critical services and applications, the CERN Computer Security Team has evaluated several means of multi-factor authentication. Since there is no silver bullet, three techniques have been selected: certificates stored in SmartChips embedded in the standard CERN access card, one-time passwords generated on USB sticks from Yubico (so-called YubiKeys), and one-time passwords generated using mobile phone applications. This presentation will detail the evaluation process, compare the different techniques, and outline the implementation and first experience in the field.
Author
Dr Stefan Lueders (CERN)
Co-authors
Remi Mollon (CERN)
Mr Romain Wartel (CERN)