virtual smart card

… for desktop/laptop a physical smartcard inserted in the device provides additional security, user just need to unlock the smartcard with a pin, without the need to know their password – in times of mobile devices it is possible to attach those smartcard with adapters, but with bad user experience

derived credentials ensure compliance with HSPD12 / FIPS 201 personal identity verification (piv) requirements

derived credentials provider, e.g. entrust, provides an overview about the integration in the infrastructure and enrollment of trusted certificate with modern emm system

citrix provides an easy way to secure authenticate at workspace app for emm trusted devices, better usability and higher security

download NCCoE released second draft version of NIST cybersecurity practice guide SP 1800-12, derived piv credentials attached:

authenticator usability matrix

security is important and 2fa should mandatory …

 read more: multi factor authentication

… while more and more services offer this capability – how to handle all those tokens, here are my analyse of some authenticator apps

app	account	app lock	backup
google authenticator	–	–	–
microsoft authenticator	optional	screenlock	–
authy	phone & email	–	cloud
andotp	–	pin, password	local encrypted
lastpass authenticator	optional	pin, fingerprint	cloud
1passsword	price starts $2.99	pin, fingerprint	cloud, local, wlan

… this is neither comlete market analyse nor evaluate all available features, like enterprise grade rights management

stay tuned about secure authentication with virtual smart card 

wifi security today and attack vectors

because of current occasion …

… inside a wifi you could find your ip in android 8 settings > about > status, use unsecured services like sonos, scan for other clients, check open ports, bruteforce backend services (router, firewall)

open wifi – in 2018 none should access untrusted unsecured wireless networks anymore

wpa encryption – works with “handshake” to ensure trust between devices – wpa2 added advanced encryption standart (aes) – wpa2 is vulnerable: key reinstallation attacks – wi-fi alliance announced wpa3 with additional security features

public wifi – when accessing a wifi while shopping, your devices are redirected to a captive portal to accept policies and establish a secure connection

vpn – apps like nordvpn esablish secure connection to add another layer of security, browse incognito through the internet

business – could use radius protocol to check validity of authentification – further enroll client certificate via mdm to authenticate via 802.1x – aruba clearpass can check devices status in mdm to ensure security and trust at the entire cycle

rouge access – attacker can fake access points to start a man in the middle (mitm) attack, intercept your private data, for example this pineapple nano

hashcat – new technique allow to get all the information they need to brute force decrypt a Wi-Fi password, by snooping on a single data packet going over the air

ssl srip – a method to redirect traffic from https to http to force unencrypted transport – every passcode is unprotected, even it is shown as secure

mobile devices management – is a way to protect company devices, e.g. disallow profile installation – but in a byod or mam-only scenario you can’t disable all features

mobile thread defense – mtd is for private and business devices, check behaviour and use ai to protect – like lookout as cloud service and additionally on device like zimperium, partners with mobileiron

got leaked?

are you really sure that your account is/was not compromised – hasso plattner institute analysed over 5 billion leaked user accounts – your able to check if it’s listed in at least one stolen or unlawful published identity leak

they further analyse password quality – astonishing how easy password are still in 2018

need an extra layer of security ? use multi factory authentication, two factor authentication, 2fa, two step verification or fta – additionally to username and password are further method is requested to successfully authenticate like

• software token
• hardware token
• sms token
• google authenticator – android | ios
• microsoft authenticator – android | ios

a lot of services currently offer this security, you just need to enable it

• facebook
• apple
• dropbox

e.g. fedex exposed thousands customer records on a password-less server, companys should care about your data as well, especially for european citizen because of gdpr