Beyond credentials and 2FA - A strong approach to MFA and secure identity

Thursday
 
28
 
November
1:50 pm
 - 
2:30 pm
Topic
Identity / Access Management
Agenda
Sign in to add this session to your agenda
Add to My AgendaAdded to My Agenda
Location
Room 103
Theme
Cyber Security Infrastructure

Speakers

Randall Hughson
Randall Hughson

Randall Hughson

Randall Hughson

Director
Spectral Cyber Security

Synopsis

Identity Management combined with 2-Factor Authentication has resulted in a significant improvement in security at the credential perimeter level, and yet, successful phishing scams, social engieering, bank fraud and the like are more problematic than ever before. Then there's the authenticator apps with a growing list of entries.

This method also relies on a strong business policy (and personal) when it comes to password strength and credential sophistication and siloing. Put simply, 2FA is no longer good enough, and further, it relies on a key entry that is not necessarily linked to the correct identity. We know this, because - even as some attendees of prior AISA Cyber Con's will know - 2FA can be bypassed, and it's easier than we'd hope!

Microsoft, March 2023: "Cybercrime is now indusrialised" - A brief introduction on a discussion around MultiFactor Authentication

We illustrate four common ways 2-FA can be bypassed, including social engineering, realtime phishing (using any common phishing method), OAuth hijacking, and human brain fade (very common). A compelling approach to deal with this problem in a simple way is to use hardware security module (HSM) and human-identity-linked interfacing for strong multifactor authentication. Here we demonstrate the difference between a 2-FA "device" and a true MFA device and what that might look like.

Demonstrate how such a HSM device should be integrated with a person's own identity so that we can know and trust that individual and account (again, the non-repudiation element); personal invitation, human identity verification processes. Features roles, responsibilities, target certifications and standards for hardware and procurement. Understanding the role and the security requirements of a Cloud intermediary in the HSM process.

The Critical Infrastructure Trust Challenge: Being sure who is who, and knowing that's true = Identity Non-Repudiation. What might future humans use? From mobile phones to implants to HSM devices - a picture of what's possible and how this can feed into our greater goal in the industry of good privacy. What might this look like?

Back to Program

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.

Acknowledgement of Country