fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

PasswordsCon 2020: Authentication Expert Expresses Skepticism About ‘Passwordless’ Future

https://open.spotify.com/show/3Gmj15x6cGrgJEzmGnDTTj

PasswordsCon 2020: Authentication Expert Expresses Skepticism About ‘Passwordless’ Future

Internet technologist Jim Fenton has questioned the assertion that the future is necessarily ‘passwordless’.

Many new authentication technologies are advertising themselves as passwordless. This an attractive promise to many who would like to avoid the cognitive effort of remembering passwords.

But during a presentation at the PasswordsCon conference yesterday (November 24), Fenton pointed out that users will be obliged to remember something like a PIN even while using passwordless authentication.

Fenton, one of the authors of the IS NIST SP800-63B authentication standard, released in 2017, argued that biometrics alone are not really a ‘secret’. For example, we leave fingerprints everywhere, and these can be lifted and cloned.

Recent research has revealed that high resolution photos reveal iris patterns, particularly if the subject is blue-eyed.

Reliance on biometrics is doubly problematic because, unlike a password, a fingerprint pattern tied to an individual is permanent and cannot be revoked even if it becomes compromised.

Also Read: Data Centre Regulations Singapore: Does It Help To Progress

PIN it down

Another passwordless approach involves the use of a physical authenticator with a biometric element. Many smartphones come with fingerprint or facial ID recognition built in.

But fingerprints can fail when hands or dry or wet. And facial recognition fails when wearing a mask – a potential problem when paying for groceries in a supermarket in a post-Coronavirus era.

“When I go work in my vegetable garden my fingers get all dry and dirty,” Fenton said. “I can’t use the fingerprint sensor on my phone then. I need to use the PIN to unlock the phone.”

In addition, biometrics are subject to a significant false acceptance or false failure rate.

“In a lot of ways all biometrics offer is a convenience factor,” Fenton said. “The security is limited by whichever is the weaker the biometric or the PIN”.

“PINs are really just low entropy passwords.” Fenton added.

Fenton noted that users are entitled to feel disappointed if they still have to remember a PIN when using passwordless authentication. “This is a marketing pitch we’re talking about here,” he said.

The future is more likely to be ‘password plus multi-factor authentication’, technology expert Jim Fenton argues

Oh, auth

Devices that use two physical authenticators are not as safe as their proponents might suggest because if an attacker can steal one physical authenticator, they can probably steal two.

“When we say two-factor authentication, we mean two different factors and not two of the same factor,” Fenton said.

Also Read: What Is A Governance Framework? The Importance And How It Works

Similar doubts exist about authentication based on two biometrics.

Fenton is even more scathing about combining email with a physical authenticator.

“I know it’s very widely used but email is a terrible authenticator is so many ways because it’s very often not secure in transit, and there are various threats when you have email stored on a server,” he said.

“And how do you access your email anyway? Probably with a password, so it’s not really passwordless anymore. Don’t use email as an authentication method if you can possibly avoid it.”

The numerous security issues of passwords including offline cracking, password spraying, and credential stuffing but the approach has proved more resilient than many expected.

Fenton’s argument is that the future is more likely to be password plus multi-factor authentication, rather than purely ‘passwordless’.

PasswordsCon 2020

The 2020 edition of PasswordsCon took place entirely online this week, with 14 presentation covering a range of topic tied to passwords, password cracking and authentication.

A diverse range of speakers from academia, the voluntary sector, and technology vendors presented at the event.

Academic Stephan Wiefling opened the conference on Monday (November 23) with a presentation on the usability of risk-based authentication.

The talk was based on a paper on the same subject, released last months and the fruits of a two-year long study.

Apple’s password compatibility project

During the closing presentation on Tuesday, Ricky Mondello, a software engineer at Apple, talked about an open source project to help improve generated password compatibility with websites.

Many websites have their own rules in terms of the length of password users need to use, the mix of letters, numbers and (most of all) special characters allowed or the length of a password required.

These quirks can create problem when a user uses a password manager to generic a random password because the mix of characters it contains might be unsupported by a particular site.

In these circumstances, users might revert to using a password they make up themselves, which is likely to far easier to guess than a machine-generated credential.

Apple’s iCloud Keychain password manager uses curated website-specific data to improve generated password compatibility in order to get around this problem.

The tech company recently open-sourced this data for everyone, including other password managers, to use and help curate, as explained during Mondello’s talk.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us