Hacking Multifactor Authentication - Roger A Grimes

. .

Auteur(s) : Roger A Grimes

Editeur : Wiley

Langue : Anglais

Parution : 01/10/2020

Format : Moyen, de 350g à 1kg

Nombre de pages : 576

Expédition : 938

Dimensions : 23.2 x 18.6 x 2.9

ISBN : 1119650798

Résumé :

A thoughtful demonstration that, like all security technologies, MFA is not a panacea.
?BRUCE SCHNEIER

Roger provides example after example that there is no silver bullet computer security defense. MFA alone will not protect you against sophisticated adversaries. The real problems behind computer security involve people and making the appropriate risk decisions.
? KEVIN MITNICK

DISCOVER THE STRENGTHS AND WEAKNESSES OF MULTI-FACTOR AUTHENTICATION

So-called experts point to multifactor authentication (MFA) as the solution to most hacks and breaches. But, far from being the unhackable, off- the-shelf panacea they're widely touted to be, MFA systems require careful planning and design in order to be properly secured and not fall prey to the dozens of real-world MFA vulnerabilities Roger A. Grimes details in Hacking Multifactor Authentication.

Administrators and users of multifactor authentication systems will learn that all MFA systems can be hacked, most in at least five different ways. Anyone telling you MFA can't be hacked is either trying to sell you something or na?ve. Either way, you'll want to avoid their advice.

You'll learn how to mitigate the most common MFA security loopholes to prevent bad actors from accessing your systems. Readers will learn to quickly and comprehensively evaluate their own MFA solutions to assess their vulnerability to the known hacking methods.

This book provides real-world example MFA hacks and the practical strategies to prevent them. Perfect for CISSPs, CIOs, CISOs, and penetration testers, Hacking Multifactor Authentication also belongs on the bookshelves of any information security professional interested in creating or improving their MFA security infrastructure. Learn:

• How MFA works behind the scenes and how to hack it
• The strengths and weaknesses of different MFA types
• How to develop or pick a more secure MFA solution
• How to select the best MFA for your environment out of the hundreds available

...

Biographie:

Introduction xxv

Who This Book is For xxvii

What is Covered in This Book? xxvii

MFA is Good xxx

How to Contact Wiley or the Author xxxi

Part I Introduction 1

1 Logon Problems 3

It's Bad Out There 3

The Problem with Passwords 5

Password Basics 9

Identity 9

The Password 10

Password Registration 11

Password Complexity 11

Password Storage 12

Password Authentication 13

Password Policies 15

Passwords Will Be with Us for a While 18

Password Problems and Attacks 18

Password Guessing 19

Password Hash Cracking 23

Password Stealing 27

Passwords in Plain View 28

Just Ask for It 29

Password Hacking Defenses 30

MFA Riding to the Rescue? 31

Summary 32

2 Authentication Basics 33

Authentication Life Cycle 34

Identity 35

Authentication 46

Authorization 54

Accounting/Auditing 54

Standards 56

Laws of Identity 56

Authentication Problems in the Real World 57

Summary 58

3 Types of Authentication 59

Personal Recognition 59

Knowledge-Based Authentication 60

Passwords 60

PINS 62

Solving Puzzles 64

Password Managers 69

Single Sign-Ons and Proxies 71

Cryptography 72

Encryption 73

Public Key Infrastructure 76

Hashing 79

Hardware Tokens 81

One-Time Password Devices 81

Physical Connection Devices 83

Wireless 87

Phone-Based 89

Voice Authentication 89

Phone Apps 89

SMS 92

Biometrics 92

FIDO 93

Federated Identities and APIs 94

OAuth 94

APIs 96

Contextual/Adaptive 96

Less Popular Methods 97

Voiceover Radio 97

Paper-Based 98

Summary 99

4 Usability vs Security 101

What Does Usability Mean? 101

We Don't Really Want the Best Security 103

Security Isn't Usually Binary 105

Too Secure 106

Seven-Factor MFA 106

Moving ATM Keypad Numbers 108

Not as Worried as You Think About Hacking 109

Unhackable Fallacy 110

Unbreakable Oracle 113

DJB 113

Unhackable Quantum Cryptography 114

We are Reactive Sheep 115

Security Theater r 116

Security by Obscurity 117

MFA Will Cause Slowdowns 117

MFA Will Cause Downtime 118

No MFA Solution Works Everywhere 118

Summary 119

Part II Hacking MFA 121

5 Hacking MFA in General 123

MFA Dependency Components 124

Enrollment 125

User 127

Devices/Hardware 127

Software 128

API 129

Authentication Factors 129

Authentication Secrets Store 129

Cryptography 130

Technology 130

Transmission/Network Channel 131

Namespace 131

Supporting Infrastructure 131

Relying Party 132

Federation/Proxies 132

Alternate Authentication Methods/Recovery 132

Migrations 133

Deprovision 133

MFA Component Conclusion 134

Main Hacking Methods 134

Technical Attacks 134

Human Element 135

Physical 137

Two or More Hacking Methods Used 137

You Didn't Hack the MFA! 137

How MFA Vulnerabilities are Found 138

Threat Modeling 138

Code Review 138

Fuzz Testing 138

Penetration Testing 139

Vulnerability Scanning 139

Human Testing 139

Accidents 140

Summary 140

6 Access Control Token Tricks 141

Access Token Basics 141

Access Control Token General ...

Sommaire:

ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor....