21-25 May 2012
New York City, NY, USA
US/Eastern timezone

Deployment of Multifactor Authentication for Critical Services at CERN

22 May 2012, 17:25
Eisner & Lubin Auditorium (Kimmel Center)


Parallel, Distributed Processing and Analysis on Grids and Clouds (track 3)


Dr Stefan Lueders (CERN)


Access protection is one of the cornerstones of security. The rule of least privilege demands that any access to computer resources, such as computing services or web applications, is restricted so that only users with a need can access those resources. Usually this is done by authenticating the user, asking her for something she knows, e.g. a (public) username and a secret password. Unfortunately, passwords are regularly lost to attackers: out of ignorance, users voluntarily reply to so-called phishing emails that are specially crafted to steal passwords, and attackers have repeatedly succeeded in intercepting passwords typed into compromised PCs. Adding a second factor to the authentication process, something the user is (e.g. an iris scan) or has (e.g. a hardware token), prevents the attacker from doing any harm with the stolen password alone: he now also needs to get hold of the second factor.

In order to protect critical services and applications, the CERN Computer Security Team has evaluated several means of multi-factor authentication. Since there is no silver bullet, three techniques have been selected: certificates stored in SmartChips embedded in the standard CERN access card, one-time passwords generated on USB sticks from Yubico (so-called YubiKeys), and one-time passwords generated using mobile phone applications. This presentation will detail the evaluation process, compare the different techniques, and outline the implementation and first experience in the field.
