Archive for the ‘Mobility’ Category

Biometric authentication approaches

September 25, 2013

Apple recently released the iPhone 5s with a fingerprint sensor as a replacement for the typical 4-digit PIN code. As most people in the security space expected, it only took a few days until the biometrics team at the CCC (Chaos Computer Club) was able to fake a fingerprint and unlock an iPhone 5s. The article can be found here (German) and here (English). If you’re not willing to read, here is the initial video, which was re-done upon request; the re-done version is available here.

So what does that mean for biometric authentication?
Although we’re in total agreement that passwords must die, the security feature that looked promising at first glance turned out to be cheap hardware that could be compromised simply by increasing the scanning resolution. Biometrics might be a way to get away from passwords, but not with simple and cheap hardware. As the fingerprint sensor was meant to replace the typical 4-digit PIN code, this might just have been a first step. But imagine the impact if this had already been opened up to application developers leveraging the technology: your mobile banking account would be open to an attacker more easily than before, your credit card data in the AppStore, and so on. So the CCC hack would be the initial (and not very complicated) step towards a complete identity theft.

Another approach was taken by the inventors of nymi. They are trying to capture something unique: your heartbeat. But your heartbeat is just a single component of a 3-factor authentication: you’ll need your heartbeat (pretty hard to lose), your nymi device and your authorized authentication device (nymi calls that an AAD) like a smartphone, tablet or whatever. So even if you lose your smartphone and someone gets your nymi device, they’re still missing the 3rd component.

But from my understanding nymi still offers an attack vector: the nymi device uses Bluetooth to communicate with your AAD, so there is some potential for hijacking the Bluetooth connection and all information that is being exchanged over it.

Looking at the nymi approach, there’s only one conclusion: biometrics by itself will not replace passwords (not as long as devices like fingerprint readers are so weak that they are unable to do a deep scan to distinguish a faked fingerprint). Biometrics will be part of multi-factor authentication as a replacement for passwords. A good idea might be a combination of the nymi approach with fingerprints: a fingerprint sensor that reads not only the skin-deep fingerprint but also the pulse running through the finger. This combination cannot be faked at all. And with all paranoia, it allows certain scenarios: your left thumb in combination with your heartbeat just unlocks your device, while your right middle finger in combination with your heartbeat and a security code or external token authenticates you into your corporate network when using private devices as part of a BYOD strategy. Additionally, this combination would remove the Bluetooth attack vector that is still open with the nymi approach, so it would take a physical hack of the device to intercept the information.

One question is still circling in my head; maybe someone is able to answer it: what happens to your heartbeat in case of a myocardial infarction, or in case you get shocked during a medical emergency: will such an event influence your heartbeat and potentially destroy your access token?

Categories: IAM, Mobility, Privacy, Security

MDM in the context of IAM

While BYOD is not the newest phenomenon in the IT and security area, I just had my first project touching a Mobile Device Management (MDM) platform. As part of the identity lifecycle it’s necessary to get control over the mobile devices used by the end user. While this is pretty easy regarding mail integration (as soon as the user gets deprovisioned, mailbox access is no longer possible), it’s not that easy to handle regarding profiles and the company’s own apps.

In my customer’s case, they have MobileIron deployed in their infrastructure. As part of the deprovisioning process they came up with the requirement to retire the devices used by a terminated employee within their MobileIron instance, which removes all certificate-based access from that device to the customer’s Wi-Fi and network resources.

As the MobileIron API supports HTTP requests to retire devices, it was necessary to have the device ID of a device in order to retire it. Luckily, there is also an HTTP request to get a decent set of device attributes from MobileIron. We chose the most convenient and quickest approach: extending our IAM database model with a table to store the data of mobile devices, with a foreign key link to the employees table. Calling a dedicated HTTP request against MobileIron, we get a CSV back carrying that set of attributes. This CSV then gets imported into the IAM system. This process runs every hour.

When an employee now gets terminated, we also kick off a process to retire all devices that are known for this employee in MobileIron. So far, this satisfies the customer’s requirements.

For a later phase, this also satisfies additional requirements that will come up (or have already come up while defining upcoming phases of the IAM strategy): being able to use the data from a governance and access management perspective also answers questions such as “Who is accessing the enterprise network with what kind of devices?” or “Are there devices with a software release that is not safe to let them touch the enterprise network and enterprise resources?”.
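To make the hourly import, the termination hook and the two governance questions concrete, here is an added example: it is my own illustration, not the customer’s implementation and not MobileIron’s API. The CSV columns, the table layout and the retire_device callback are assumptions; the real MobileIron retire request is stood in for by a function the caller supplies, and the device export is a constructed sample.

```python
"""Hourly CSV import of MDM device data into an IAM database, device
retirement on employee termination, and two governance queries.

Added example, not the customer's code and not MobileIron's API: the CSV
columns, the table layout and the retire_device callback are assumptions.
"""
import csv
import io
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample export; column names are an assumption, not MobileIron's.
DEVICE_CSV = """device_id,user_id,platform,model,os_version,last_checkin
d-1001,u-alice,iOS,iPhone 5s,7.0.2,2013-09-25T08:00:00
d-1002,u-alice,iOS,iPad 3,6.1.3,2013-09-24T19:30:00
d-2001,u-bob,Android,Galaxy S4,4.2.2,2013-09-25T07:45:00
d-9999,u-ghost,iOS,iPhone 4,5.1.1,2013-09-20T10:00:00
"""

# Constructed employee records as the IAM system would already hold them.
EMPLOYEES = [("u-alice", "Alice", "active"), ("u-bob", "Bob", "active")]


def init_db() -> sqlite3.Connection:
    """Create the IAM tables: employees plus a device table keyed to them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the employee link
    conn.execute("CREATE TABLE employees (user_id TEXT PRIMARY KEY, "
                 "name TEXT NOT NULL, status TEXT NOT NULL)")
    conn.execute("""CREATE TABLE mobile_devices (
        device_id TEXT PRIMARY KEY,
        user_id TEXT NOT NULL REFERENCES employees(user_id),
        platform TEXT, model TEXT, os_version TEXT, last_checkin TEXT,
        retired INTEGER NOT NULL DEFAULT 0)""")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def import_device_csv(conn: sqlite3.Connection, csv_text: str) -> Tuple[int, List[str]]:
    """Upsert one MDM export into mobile_devices (the hourly job).
    Rows whose user_id is unknown to IAM violate the foreign key and are
    reported instead of silently dropped: a device on the network that no
    employee owns is itself a governance finding."""
    imported, orphans = 0, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            conn.execute(
                """INSERT INTO mobile_devices
                   (device_id, user_id, platform, model, os_version, last_checkin)
                   VALUES (:device_id, :user_id, :platform, :model, :os_version, :last_checkin)
                   ON CONFLICT(device_id) DO UPDATE SET
                     user_id=excluded.user_id, platform=excluded.platform,
                     model=excluded.model, os_version=excluded.os_version,
                     last_checkin=excluded.last_checkin""", row)
            imported += 1
        except sqlite3.IntegrityError:
            orphans.append(row["device_id"])
    conn.commit()
    return imported, orphans


def terminate_employee(conn: sqlite3.Connection, user_id: str,
                       retire_device: Callable[[str], bool]) -> List[str]:
    """Deprovisioning hook: flag the employee and retire every device IAM
    knows for them. retire_device stands in for the MDM retire request and
    returns True on success; a device it fails on stays unretired, so the
    next run tries again instead of losing track of it."""
    conn.execute("UPDATE employees SET status='terminated' WHERE user_id=?", (user_id,))
    rows = conn.execute("SELECT device_id FROM mobile_devices WHERE user_id=? "
                        "AND retired=0 ORDER BY device_id", (user_id,)).fetchall()
    retired = []
    for (device_id,) in rows:
        if retire_device(device_id):
            conn.execute("UPDATE mobile_devices SET retired=1 WHERE device_id=?", (device_id,))
            retired.append(device_id)
    conn.commit()
    return retired


def devices_by_employee(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Governance view: who accesses the network with which device."""
    return conn.execute("""SELECT e.name, d.model, d.os_version FROM mobile_devices d
        JOIN employees e ON e.user_id = d.user_id WHERE d.retired = 0
        ORDER BY e.name, d.device_id""").fetchall()


def _version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def devices_below(conn: sqlite3.Connection, platform: str, min_version: str) -> List[str]:
    """Governance view: active devices of one platform running an OS release
    older than the minimum the enterprise network accepts."""
    rows = conn.execute("SELECT device_id, os_version FROM mobile_devices "
                        "WHERE retired=0 AND platform=? ORDER BY device_id",
                        (platform,)).fetchall()
    return [dev for dev, ver in rows if _version(ver) < _version(min_version)]


def run_demo():
    """One import cycle, a policy check, then Alice's termination."""
    conn = init_db()
    imported, orphans = import_device_csv(conn, DEVICE_CSV)
    stale = devices_below(conn, "iOS", "7.0.0")
    retired = terminate_employee(conn, "u-alice", lambda dev: True)  # stand-in for the MDM call
    return imported, orphans, stale, retired, devices_by_employee(conn)


if __name__ == "__main__":
    print(run_demo())
```

The orphan list matters as much as the import count: a device that checks in to the MDM but has no owner in IAM is exactly the kind of device the governance questions above are meant to surface. Keeping retirement idempotent (only unretired devices are selected, and a failed retire leaves the flag unset) lets the hourly job and the termination hook run in any order without losing a device.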

To cite a good IAM guy I did a project with: “Building an IAM implementation is like building a house: it’s all based on a strong foundation.”

I expect to see more projects coming up with even deeper integration between IAM and MDM as the BYOD wave is still rising…

Consuming Azure Mobile Services – 1st step towards Identity on the Phone?

October 1, 2012

Over the weekend I read an interesting blog series by Bruno Terkaly, titled “Introduction to Consuming Azure Mobile Services from iOS”. It has five parts, showing some basic principles of consuming Windows Azure Mobile Services from an iOS application on an iPad or iPhone. The whole issue of authenticating a user is missing from this blog series, but as Bruno states in his comment on the 5th blog post:

The portal will offer direct support for Authentication and Push notification for both iOS and Android.

So there might be an upcoming series on using authentication on iOS and/or Android, which might open the door a bit for the hot topic “Identity on the Phone” (do we already have IotP defined for that?), as it is completely missing today, at a time when a smartphone is nearly everyone’s daily companion.

Here are the five blog posts on the topic:

Part 1 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 2 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 3 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 4 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 5 of 5: Introduction to Consuming Azure Mobile Services from iOS

So hopefully we will see some updates on his blog regarding the authentication topic, if he’s not already working on that. Looking forward to it.

Categories: Cloud, Identity, Mobility