
PW - Comparing Centrally and Locally Verified Memorized Secrets

BSides Las Vegas · 1:56:54 · 121 views · Published 2022-09
About this talk
PW - Comparing Centrally and Locally Verified Memorized Secrets - Jim Fenton PasswordsCon @ 14:00 - 14:25 BSidesLV 2022 - Lucky 13 - 08/09/2022
Transcript [en]

It's two minutes past, and I guess that quite a few people are still out for lunch, but I'll go next, because Jim Fenton, for those who know Jim, needs no introduction, and for those who don't know Jim, he's just amazing and he will introduce himself. I'm looking forward to this one as usual, Jim, so please go ahead.

Thank you very much, Per. So those of you that have been at PasswordsCon just this morning may have already picked up on this: if you've been a PasswordsCon regular, you know that Per likes to have kittens on all of the slide decks, and my kitten is a little bit different. It's a little bit pricklier than most kittens. I don't think my talk is necessarily prickly, but it was just the picture that I had. So I'm going to talk about, and I'm going to use the formal terminology, memorized secrets, and the difference between the way that we usually deal with passwords and such that are stored centrally, like for logging into something, and those that are used increasingly now for activating a multi-factor authenticator.

I'm going to start with my usual disclaimer. I'm a consultant for NIST and I'm working on the revision of Special Publication 800-63, which deals with user authentication; there's another volume on identity proofing and another volume on federation. But everything that I'm talking about here is my own opinion. I am not a NIST employee, I don't represent NIST at all, but some of the things that I'm talking about here you may recognize if and when you look at the new draft that we hope will be coming out not too far in the future. Remember that what's coming out next is a draft, and everything is subject to change in the review process. And by the way, NIST treats me very well and makes me feel like a member of the family, and I have a tendency sometimes to refer to NIST as "we". Just remember that it's just because they've made me feel welcome; I'm not really a NIST person.

I get hung up on terms a lot, and so here's a few of them. Memorized secret is the formal term that we used in 800-63 revision 3 in order to get away from the notion of password versus passphrase. I mean, if it's a password, can I have a space in it? Of course it can, but I just didn't want to necessarily limit the scope of what we were talking about. And I've thrown passkey in here, and our next talk is on passkeys, so that's kind of a preview of that. I apologize for the wordiness of this slide; I just kind of cut and pasted some definitions that I had. A couple of things that may be new definitions, new terms for you: what I'm referring to is an activation factor, and that's when you've got a multi-factor authenticator and you need a second factor in order to use that authenticator. That second factor could be a memorized secret and it could be a biometric. An activation secret is the specific case where it's a memorized secret, and that's really where I'm going to focus this afternoon: on activation secrets and how they compare with what we might think of as conventional or traditional passwords, and what their requirements should be.

Now, one of the things, I'm going to actually go off slide for a minute here. One of the things that we did in the previous revision of 800-63, we did all sorts of things that people have noticed about memorized secrets: recommending that they not be subject to expiration, recommending that you not have composition requirements, and so forth. But we kind of lumped together what I'm now calling activation secrets with memorized secrets and applied many of the same requirements to activation secrets as to other sorts of memorized secrets, and in retrospect I think we could have done better with activation secrets.

So here's what I'm talking about here. It's used to activate a multi-factor authenticator, so examples of multi-factor authenticators are things like FIDO tokens, things like smart cards, but they can also be embedded authenticators, where it could be an app in a mobile device or something like that as well. In the case of an activation secret, you can actually use that in order to derive the authentication secret; you can essentially, if you will, encrypt the authentication secret using the activation secret as a key. I realize it's not a very long key, but we've got some other mitigations for the length that I'll be talking about. Usually the activation secret is something that's selected by the user. There are some exceptions to that: if you get an ATM card, sometimes the bank will choose a PIN and maybe give you the option to change it. But usually it's selected by the user, and that has a big effect on the guessability of the activation secrets. And usually, if you've got an authenticator like a FIDO token, it uses the same activation secret for everything that that token is used to authenticate at. So it's one activation secret per authenticator rather than per site that you authenticate at, which means there's less to remember.

Now this is where the real differences come in between activation secrets and other sorts of memorized secrets. The first threat, brute force, is really the same for both. An attacker can just try and guess, either make an intelligent guess or a dumb guess, and that can be done just as well with an activation secret. But a lot of the other threats are different. In the case of a centrally stored memorized secret, it often involves the cracking of some sort of a centralized authentication database that got exfiltrated somehow, whereas with the activation secret, since it's stored in the authenticator itself, or in the endpoint in a few cases, you're really thinking about the physical attacks on that and possible side channel attacks. Is there some way that you can maybe, by the radio frequency it emits or maybe by the current drain, those sorts of side channels might be possible for a multi-factor authenticator. Shoulder surfing actually is similar for both, although in the case of an activation secret it's really shoulder surfing plus they steal your authenticator. So if you're at the subway station and you're typing in your PIN on your phone to authenticate somewhere, be aware of your surroundings, because that might be a situation where you'd have a combined attack where somebody watches you do that and then grabs your phone. And then of course for regular passwords there are password spraying attacks, because people have a tendency to use the same passwords on multiple sites, so perhaps the same one that you used on some service that got breached might also be usable for your bank account, whereas for activation secrets, again, it doesn't matter if it's the same activation secret for multiple sites. Instead we're kind of thinking more about other sorts of forensic attacks. Sometimes if it's a PIN and there's some sort of a dedicated keyboard for it, maybe there are particular keys that wear down more quickly, or if somebody's very sophisticated, maybe after you've authenticated certain keys are warmer than others.

So in order to take this into account, there are a few dimensions, a few different factors that we can address about how an activation secret should be constructed and how it should be used. Of course there's the composition question, what characters; the length of it; the throttling. I mentioned earlier the fact that brute force attacks are a significant threat for both activation secrets and regular passwords, and so throttling is a very significant countermeasure to that, and also block lists.

In most cases activation secrets tend to be PINs, and in fact sometimes people equate PINs with activation secrets. I don't tend to use that term because they aren't always numeric. In fact, for a FIDO token I can change my activation PIN to "abcdef" and it's just fine with that; as long as I'm using an endpoint that has an alphanumeric keyboard, I can use that. Since PIN stands for personal identification number, this is an instance of where I get hung up on terminology. I try not to use that because I don't want to say that a multi-factor authenticator that uses a memorized secret for activation necessarily has to be numeric. But given that they are mostly PINs, the use of a PIN of course just limits the entropy that you can get, and the activation secrets are usually very short, like four to eight digits, four being by far the most common. But you do see examples of, well, you see on people's phones, I think Apple has pushed people to use more digits, and so I think that's going to increasingly happen. One of the things about length, though, is that you might think that a six-digit PIN is one and a half times as good as a four-digit PIN, and it's not necessarily, because there are different patterns that show up when you use a six-digit PIN. With four-digit PINs, particular years, like maybe a birth year or a marriage year or so forth, show up with more regularity than other random numbers. With a six-digit PIN you get dates, so you get a lot of 091101 or something like that, that aren't necessarily random as well. And so just because of the fact that different lengths of activation secrets lend themselves to different patterns, you don't necessarily get exactly what you might expect in terms of the benefit from having a longer activation secret.

Now, NIST recommends using a block list on memorized secrets, and the idea is to avoid having people use things like their license plate or 123456 or things of that sort as a memorized secret, and the same recommendation carries through to activation secrets, just because there are common values that you're pretty clear you don't want to allow. I give some examples down at the bottom; I think those are the ten most common PINs down there: 0000, 1234, and so forth. The difficulty with block lists is that some authenticators have very limited storage to keep track of a list of activation secrets that they shouldn't allow, and unfortunately small block lists don't provide as much benefit as you would like to have. Part of the issue there is that attackers will also know what the block list is. They will know that 0000 isn't allowed for this type of authenticator, for example, and so they won't try it. So essentially what you're doing is cutting off the beginning of the probability distribution and just scaling everything up a little bit; it ends up looking very much like the original probability distribution. But nevertheless, we again recommend including a block list, more than ten if you can, but we recognize the practical limitations of a lot of existing authenticators. Those ten values that you're looking at there constitute about fourteen and a half percent of the PINs that people would randomly select given an unconstrained choice. I'll have a reference at the end to this website from Amitay. He did an interesting experiment where he put an app in the App Store that did something else, I forget exactly what it was, but it also prompted for somebody to set a PIN in order to secure it, and he collected quite a number of PIN values and was able as a result to do some research on PIN distributions, at least until he got kicked out of the App Store because they discovered that.

The next dimension is throttling, and throttling can also be a problem on a multi-factor authenticator, because what you'd like to do is slow the attacker down without necessarily cutting off entirely, because sometimes somebody will fat-finger their PIN a few times and you don't want them to be necessarily locked out. So what you'd like to do is slow things down, or give some warnings or something like that that says, be careful the next time you type it in because this is your last chance, or something like that. Well, you can probably do that warning, but you can't do the actual slowing down, because many of these standalone authenticators don't have a clock reference. They don't have a sense of time and they don't have any way of storing the state information about when the last bad attempt was. Smartphones will often do this, but if you've got something like a FIDO token or a smart card that plugs into something else, it's a little bit more problematic. So as a result, even when there is time-based throttling, there is a hard lockout after a certain number of bad tries, and the difficulty is that the limit needs to be small, like ten, if the activation secret is short. It's kind of a trade-off there: if you make the activation secret longer, higher entropy, you can tolerate a higher limit. But one of the problems here is that you have this risk that you're essentially going to brick your authenticator at some point.

So the message here is, and I think this is a general message, not just for multi-factor authenticators, have a backup authenticator, because this is not something where, if your authenticator locks up, you can necessarily call the IT help desk and have them fix it for you. Now some authenticators do have a second password update key; it's essentially a second PIN that the IT department or somebody can use in order to reset your authenticator. Other authenticators like FIDO don't; basically the choice that you have with a FIDO multi-factor authenticator is that you need to reset it, and it goes back to factory reset mode. So do have that extra authenticator that's maybe in your closet or some other secure place that you can use if that happens. In any case, this throttling is very important. If you don't do this, there's really nothing to prevent an attacker that gets hold of your multi-factor authenticator from going in and just trying all 10,000 possible PINs if necessary in order to try and get into your accounts.

So kind of my overall message is that activation secrets have a lot of different characteristics. They have a different threat model, they have a different structure. You might say, well gee, if I have a 16-character password, shouldn't I also have a 16-character activation secret? Hopefully I've expressed to you why that isn't necessarily the case. In fact, I don't think I've seen any multi-factor authenticators yet that will accept all 16 characters.

And we have a visitor.

Hello, I'm Damon, I'm on the program committee, and so when you apply we have this tradition: you can make an outrageous speaker request. I believe your outrageous speaker request is...

I just don't think I'm creative enough to make an outrageous speaker request. [Laughter]

So allow me to please present to you this book from John Cleese on creativity, a short and cheerful guide, with the dedication from all of us here at BSides: thank you for everything you do for our community and for being part of this event.

Thank you very much, that's very nice. Oh, this looks fun, and I love John Cleese's stuff, so I will treasure this book. Thank you very much. This is great; this looks like a good book. Okay, I won't read it right now.

So, let's see, activation secrets ought to be considered a little bit in a different category, and I'm hoping that in the next version of 800-63 we'll be recognizing that in a better way. Authenticator capabilities vary from authenticator to authenticator, so look at some of these things like the number of retries that you're allowed, the number of attempts you're able to make, and the size of activation secrets and all of that sort of thing.

And then a couple of references here. This first one here, on the security of smartphone unlock PINs, is really kind of the bible on this subject in terms of how people choose unlock PINs. They've done some reverse engineering of iPhones to see which PINs iPhones don't necessarily like as much, and a lot of research, and I've had some offline conversations with this team as well, because they've done a lot of research on the trade-offs between the number of attempts that should be allowed and the size of PINs and block list size and all of that sort of thing, and that was kind of the basis for some of the comments that I made earlier. And then the second one is the website that tells you about the most common iPhone passcodes and tells you a little bit about how he collected that data. And that's all I have.

Any questions? Any questions for Jim?

A fair amount of smartphone authenticators allow the user to actually activate with biometrics instead of a PIN. Is there any advice on that?

Well, yeah, that kind of goes into the broader category of activation factors. And yeah, I mean the biometric methods are great. I think the current false accept rate, which is the metric for the security of those, is on the order of between one in a thousand and one in ten thousand; I think Face ID is expected one in ten thousand. The difficulty that I have, and why I always need to have an activation secret as well, is because if I want to unlock my phone and I've just been doing the dishes, or my hands are dry and dirty because I've been working in the garden, my fingerprint reader doesn't work; if I'm wearing my mask, my Face ID doesn't work. So biometrics are great as another means to do it, but I think that activation secrets are still going to be an important thing.

Thanks. You said that you're consulting for NIST even though you're not working for them, and you mentioned that some of the items here might be in the final draft. So just curious, what are the recommendations you're providing to NIST for SP 800-63 that currently aren't in there?

Well, I mean the current recommendation treats activation secrets in the same category as other sorts of memorized secrets. There is a little bit of a special case there for numeric memorized secrets that are randomly generated by the verifier, but it turns out nobody actually does that. And so really the new treatment of activation secrets is in order to come up with some guidelines that are really intended to be more generally applicable and actually deal with some of the differences that I've talked about in this talk. Does that answer your question?

Otherwise talk to Jim afterwards; we have to move on. Thank you again, Jim, and just stay put, because now we are heading straight for Christiaan Brand from Google to talk about passkeys, and after t
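The talk's two countermeasures for a short activation secret, a hard retry limit and a block list, can be put side by side numerically. The following is an added example written for this page, not code or data from the talk or from NIST: it models an attacker who holds the authenticator, knows how users choose four-digit PINs, and knows the block list, and it computes how often that attacker gets in before the lockout fires. The PIN popularity distribution is constructed (a Zipf-like rank distribution over all 10,000 four-digit PINs, with an assumed exponent and an assumed top-ten list); only its heavy-tailed shape is meant to be realistic, and the numbers it produces should not be read as measurements. It illustrates the point made above that blocking the ten most common values cuts off the head of the distribution and rescales the rest, so an informed attacker still does far better than against random PINs.

```python
"""Attacker success against a 4-digit activation secret under a retry
limit, with and without a block list.

Added example, not part of the talk. The popularity distribution below is
CONSTRUCTED (Zipf-like, assumed exponent s=0.8, assumed top-ten list);
it is not measured data.
"""
from typing import Dict, Iterable, List

PIN_LENGTH = 4
ALL_PINS: List[str] = [f"{i:0{PIN_LENGTH}d}" for i in range(10 ** PIN_LENGTH)]

# Constructed: the ten PINs given the top ranks in this model, rank 1 first.
# Every other PIN fills ranks 11..10000 in numeric order (arbitrary but fixed).
CONSTRUCTED_TOP10 = ["1234", "1111", "0000", "1212", "7777",
                     "1004", "2000", "4444", "2222", "6969"]


def user_choice_distribution(top: Iterable[str] = CONSTRUCTED_TOP10,
                             s: float = 0.8) -> Dict[str, float]:
    """Probability that a user picks each PIN, Zipf-like: p(rank r) ~ r**-s."""
    top = list(top)
    top_set = set(top)
    ranked = top + [p for p in ALL_PINS if p not in top_set]
    weights = [1.0 / (r ** s) for r in range(1, len(ranked) + 1)]
    total = sum(weights)
    return {pin: w / total for pin, w in zip(ranked, weights)}


def apply_block_list(dist: Dict[str, float],
                     blocked: Iterable[str]) -> Dict[str, float]:
    """Users who would have chosen a blocked value pick something else.

    Model: their probability mass is redistributed in proportion to the
    remaining values. That is exactly "cut off the head of the distribution
    and rescale the rest", so the surviving distribution keeps its shape.
    """
    blocked_set = set(blocked)
    kept = {pin: p for pin, p in dist.items() if pin not in blocked_set}
    total = sum(kept.values())
    return {pin: p / total for pin, p in kept.items()}


def attacker_success(dist: Dict[str, float], guess_limit: int) -> float:
    """P(attacker guesses the PIN within guess_limit tries before lockout).

    The attacker knows the distribution and the block list, so the optimal
    strategy is to try the most likely *allowed* PINs first.
    """
    ordered = sorted(dist.values(), reverse=True)
    return sum(ordered[:guess_limit])


def guesses_for_success(dist: Dict[str, float], target: float) -> int:
    """Smallest number of guesses that reaches >= target success probability."""
    acc = 0.0
    for n, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        acc += p
        if acc >= target:
            return n
    return len(dist)


def compare(guess_limit: int = 10,
            block_list: Iterable[str] = CONSTRUCTED_TOP10) -> Dict[str, float]:
    """Attacker success for one retry limit: no block list, with block list,
    and the baseline of uniformly random PINs."""
    base = user_choice_distribution()
    blocked = apply_block_list(base, block_list)
    uniform = 1.0 / len(ALL_PINS)
    return {
        "no_block_list": attacker_success(base, guess_limit),
        "with_block_list": attacker_success(blocked, guess_limit),
        "random_pins": guess_limit * uniform,
        "guesses_for_50pct_no_block_list": guesses_for_success(base, 0.5),
        "guesses_for_50pct_with_block_list": guesses_for_success(blocked, 0.5),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        if isinstance(value, float):
            print(f"{name:>36}: {value:.4f}")
        else:
            print(f"{name:>36}: {value}")
```

Under these assumptions a ten-try lockout leaves an informed attacker with roughly a one-in-eight chance with no block list and roughly one-in-twenty with the ten-entry block list, against one-in-a-thousand if users chose PINs uniformly at random. The block list helps, but because the tail is heavy the ranks just below the cut are still popular, which is the gap the talk points at; lengthening the block list (pass a longer `block_list`) or lowering `guess_limit` shows how far each lever moves the result.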