FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx

Editor's Notes

1. NIS1 in 2016 What are the requirements access control implememtation multi factor authentication (how access control is managed) -> NIS-2 mandated MFA (e.g. password + other factor Verbindlich für wesentlich oder wichtige unternehmen wesentlich wichtig a bit lesss but still painful (7mio, 1,4&% of global annual revenue besides legislations – it is worthwhile to discuss the requirements and obligations that companies have to fullfill grds a lot of requirements looking at the essential aspects that are new with NIS2 mainly 2 topics §30 (4) 9 + 10 of the German UmsuCG access control company network, people can login login / access has to be conrtollel (exact decision, who should have access to the company network) second aspect: how to design the access control? nis2 prescribes MFA (pw alone not possible – second factor has to be added / minimum is 2 factors for the implementation of access control) - which kind of access is affected? Network access local access to a pc app access local and remote, classical / cloud based every kind of digital access erhöhung der sicherheitsniveaus von netzwerken und informationssystemen in der EU (NIS-2 höheres Sicherheitsniveau und strengere Meldepflichten) So who is affected by NIS2? All mid-size and large organizations operating in the sectors listed above, as well as companies that meet the specified criteria, will be covered by the new NIS2 directive. As a result, a very large number of medium-sized enterprises are now obliged to observe the security measures laid down in the directive and are subject to certain reporting obligations. The goal of the NIS2 Directive is to enhance cybersecurity and resilience in European Union organizations. This Directive expands its scope to cover more sectors and focuses on the need for consistent implementation across all EU member states. Therefore, organizations should begin preparing for compliance by creating a roadmap and increasing their cybersecurity awareness. The following applies not only to NIS2 implementa- tion: Cybersecurity is a management task and must not be delegated. So how do companies need to prepare for the new cybersecurity requirements in order to avoid security and liability risks? One of the essential requirements of NIS2 is to develop appro- priate concepts for access control. The reason is obvious: Secure IT structures start with the question of who has access to the individual systems and networks. In particular, the following must be pro- tected against unauthorized access: • Local access to PCs • Remote access via VPN • App access to cloud-based and local applications
2. NIS1 in 2016 What are the requirements access control implememtation multi factor authentication (how access control is managed) -> NIS-2 mandated MFA (e.g. password + other factor Verbindlich für wesentlich oder wichtige unternehmen wesentlich wichtig a bit lesss but still painful (7mio, 1,4&% of global annual revenue besides legislations – it is worthwhile to discuss the requirements and obligations that companies have to fullfill grds a lot of requirements looking at the essential aspects that are new with NIS2 mainly 2 topics §30 (4) 9 + 10 of the German UmsuCG access control company network, people can login login / access has to be conrtollel (exact decision, who should have access to the company network) second aspect: how to design the access control? nis2 prescribes MFA (pw alone not possible – second factor has to be added / minimum is 2 factors for the implementation of access control) - which kind of access is affected? Network access local access to a pc app access local and remote, classical / cloud based every kind of digital access erhöhung der sicherheitsniveaus von netzwerken und informationssystemen in der EU (NIS-2 höheres Sicherheitsniveau und strengere Meldepflichten) So who is affected by NIS2? All mid-size and large organizations operating in the sectors listed above, as well as companies that meet the specified criteria, will be covered by the new NIS2 directive. As a result, a very large number of medium-sized enterprises are now obliged to observe the security measures laid down in the directive and are subject to certain reporting obligations. The goal of the NIS2 Directive is to enhance cybersecurity and resilience in European Union organizations. This Directive expands its scope to cover more sectors and focuses on the need for consistent implementation across all EU member states. Therefore, organizations should begin preparing for compliance by creating a roadmap and increasing their cybersecurity awareness. The following applies not only to NIS2 implementa- tion: Cybersecurity is a management task and must not be delegated. So how do companies need to prepare for the new cybersecurity requirements in order to avoid security and liability risks? One of the essential requirements of NIS2 is to develop appro- priate concepts for access control. The reason is obvious: Secure IT structures start with the question of who has access to the individual systems and networks. In particular, the following must be pro- tected against unauthorized access: • Local access to PCs • Remote access via VPN • App access to cloud-based and local applications
3. NIS1 in 2016 What are the requirements access control implememtation multi factor authentication (how access control is managed) -> NIS-2 mandated MFA (e.g. password + other factor Verbindlich für wesentlich oder wichtige unternehmen wesentlich wichtig a bit lesss but still painful (7mio, 1,4&% of global annual revenue besides legislations – it is worthwhile to discuss the requirements and obligations that companies have to fullfill grds a lot of requirements looking at the essential aspects that are new with NIS2 mainly 2 topics §30 (4) 9 + 10 of the German UmsuCG access control company network, people can login login / access has to be conrtollel (exact decision, who should have access to the company network) second aspect: how to design the access control? nis2 prescribes MFA (pw alone not possible – second factor has to be added / minimum is 2 factors for the implementation of access control) - which kind of access is affected? Network access local access to a pc app access local and remote, classical / cloud based every kind of digital access erhöhung der sicherheitsniveaus von netzwerken und informationssystemen in der EU (NIS-2 höheres Sicherheitsniveau und strengere Meldepflichten) So who is affected by NIS2? All mid-size and large organizations operating in the sectors listed above, as well as companies that meet the specified criteria, will be covered by the new NIS2 directive. As a result, a very large number of medium-sized enterprises are now obliged to observe the security measures laid down in the directive and are subject to certain reporting obligations. The goal of the NIS2 Directive is to enhance cybersecurity and resilience in European Union organizations. This Directive expands its scope to cover more sectors and focuses on the need for consistent implementation across all EU member states. Therefore, organizations should begin preparing for compliance by creating a roadmap and increasing their cybersecurity awareness. The following applies not only to NIS2 implementa- tion: Cybersecurity is a management task and must not be delegated. So how do companies need to prepare for the new cybersecurity requirements in order to avoid security and liability risks? One of the essential requirements of NIS2 is to develop appro- priate concepts for access control. The reason is obvious: Secure IT structures start with the question of who has access to the individual systems and networks. In particular, the following must be pro- tected against unauthorized access: • Local access to PCs • Remote access via VPN • App access to cloud-based and local applications
4. Synced passkeys provide a phishing-resistant authentication solution that helps reduce the need for passwords and provide a higher level of security than phishable MFA solutions like SMS, OTP, and push notifications. However, as mentioned previously, synced passkeys have security tradeoffs and adversaries are smart enough to pivot to where they can take advantage to gain access.  Phishing resistant MFA Based on trust relationship (Registration proves needs to be protected) No shared secrets (Can be easily stolen) Possession based security (Private keys are securely stored in something I have) Know the transacting parties (Both user and relying party are aware of each other) Intent (User acts on a known initiated authentication reques) While a hacker may be able to break into your system remotely, it is difficult to hack into one that requires a physical token without the token itself being present. These tokens also do not store any confidential data. This means that even if they do get lost or stolen, they cannot be used to gain access to sensitive information. reduced mobile device dependency costs maintenance aspects compared to phones https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Zwei-Faktor-Authentisierung/zwei-faktor-authentisierung_node.html https://kineticit.com.au/article/multi-factor-authentication/
5. Infineon powers electronic ID documents in>110 countries representing 77% of the world‘s population Emergency call (eCall) functionality in majority of cars feature an Infineon chip Secure Element (SE) Meaning OCT 24, 2023 | UPDATED OCT 24, 2023 private keys – security relevant functions and credentials crypto functionality tamper resistant attack resistant security certified secured manufacturing secured shipment SHARE A Secure Element (SE) is a microprocessor chip that facilitates the secure storage and processing of sensitive data. It is commonly used in SIM cards, passports and credit cards.What is a Secure Element (SE)? A Secure Element (SE) is a secure hardware component or chip that stores and processes highly sensitive data. It holds important user data, such as biometric information and banking and transaction information, and protects it from malware attacks. Secure Element can be perceived as a ‘nomad’ type of HSM. In crypto context, an SE can be used in hardware wallets to provide an extra layer of security for private keys. Despite how secure hardware wallets are, a hacker can still perform physical attacks if the wallet comes into their possession. This is where the SE comes in.  The Secure Element protects sensitive information with intrinsic countermeasures that make it tamper-proof and resistant to hacking. Entropy, from which the secret recovery phrase and private keys are derived, in cryptocurrency wallets is generated within the SE. The private keys never leave the SE The SE protects your hardware wallet against software attacks and physical attacks, including fault attacks and side-channel attacks.  For instance, they can withstand cold-boot attacks, a form of side-channel attack where a malicious actor physically accesses your device to perform a memory dump in the RAM. This forces a hard reset of the device.  Tamper-resistant hardware: Utilizes physically shielded environments or specialized processors to deter unauthorized access. Strong encryption and authentication: Employs advanced cryptographic algorithms and key management techniques to ensure data confidentiality and integrity. Secure boot and firmware update mechanisms: Prevents unauthorized modifications to the software running on the device. Industry standards and certifications: Often certified to meet security requirements such as Common Criteria or FIPS 140-2, providing validation of their security features by independent third-party organizations. 
6. So, - the only thing left for me to say today is:   Let’s make Minority Report real! -   Let’s jointly unlock the biometric future of authentication and access! -   Together, we can transform a market trend into a best-in-class solution for all players.