
Slaying 2FA


Reviewing security postures and attacks on various 2FA (2-factor authentication) means, including security keys and passkeys. (OWASP Saitama MTG #27, talk #1)


Takahiro Yoshimura

August 26, 2025


Transcript

  1. WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸ Monolith Works Inc. Co-founder, CTO; Security researcher ▸ Visiting researcher, Meiji University Cyber Security Institute (until March)
  2. WHAT I DO ▸ Security research and development ▸ iOS/Android apps → financial, games, IoT-related, etc. (>200) → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017] ▸ Windows/Mac/Web/HTML5 apps → POS, RAD tools, etc. ▸ Network/web penetration testing → PCI-DSS, etc. ▸ Search engine reconnaissance (aka Google Hacking) ▸ Whitebox testing ▸ Forensic analysis
  3. WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸ METI CTFCJ 2012 Qual.: Won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ Presentations and talks: DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020), etc. (Photo: “DEFCON 2016” by Wiyre Media, CC BY 2.0)
  4. WHAT'S 2FA? ▸ 2 Factor Authentication → two-factor authentication (2要素認証) ▸ Authentication that demands one of the factors below in addition to #1 ▸ #1: what you know → password / passphrase ▸ #2: what you have → computing capability, a piece of equipment, etc. (← TOTP, SMS, etc.) ▸ #3: what you are → characteristics of the body (← fingerprint, iris, face, etc.) (Photo: “M&S Bank 2FA output” by Orde Saunders, CC BY 2.0)
  5. 2 STEPS? NO, YOU DON'T HAVE TO BE ▸ Incidentally, it does not have to be two-step ▸ The two are often confused, but conceptually they are different things ▸ Both factors may be demanded at the same time ▸ Conversely, splitting the same factor across several steps only adds hassle; it does not raise the strength ▸ The overall strength is that of the weakest link → e.g. Google's phone/email completion prompt… → effectively reduces the password to about 4 to 6 alphanumeric characters (and the rest is OSINT-able) → presumably done for convenience, but it leaves a sloppy impression (Photo: “2FA-2017” by EFF Photos, CC BY 2.0)
  6. RECAP ON THE FLOW OF 2FA ▸ Login form ▸ Enter user ID / password (※ the flow usually terminates here if verification fails) ▸ Enter the token value ▸ Login succeeds (Photo: “Spiffy Little Login Form PSD” by Zack Smith, CC BY 2.0)
  7. RECAP ON THE FLOW OF 2FA ▸ Username and password [factor #1] ▸ Possession of a token [factor #2] ▸ OTP (One Time Password) → possession is proven by the ability to generate a throw-away password computed in a cryptographically strong way (※ TOTP, Time-based OTP, is the mainstream form) ▸ SMS verification: possession is proven by reading back the OTP or random number that was generated (Photo: “Wells Fargo 2FA RSA Token - Two Factor Authentication - Six Digit Code” by Tony Webster, CC BY 2.0)
  8. RECAP ON THE FLOW OF 2FA ▸ The token is a kind of challenge-response authentication ▸ TOTP: the time is the challenge, the OTP is the response ▸ SMS: the random number is the challenge/response ▸ But: the user, a human, sits in the middle → if an attacker can receive it, authentication succeeds → the reason you are told "never share your verification code!" (Photo: “Writing Up Challenge Responses” by Alan Levine, CC BY 2.0)
  9. ATTACK #1: PHISH'EM ▸ The phishing route ▸ The user enters user ID/password → the attacker relays them to the service behind the scenes → the service sends the challenge ▸ The user enters the response → the attacker captures it and relays it to the service ▸ Login succeeds → the user is shown an error ▸ The reason for "beware of phishing!" (Photo: “phishing!” by Monja, CC BY-NC-ND 2.0)
  10. ATTACK #1: PHISH'EM ▸ Spotting phishing is hard to begin with → most cases reuse the content of the real site ▸ The user cannot be blamed → "check the browser URL bar…" or "don't type it in directly" → does this kind of condescending awareness-raising achieve anything? (Photo: “Phishing Website Screenshot” by Gary Cope, CC BY-NC-ND 2.0)
  11. ATTACK #2: ENTICE'EM ▸ The social-engineering route ▸ The attacker enters the user ID/password → the service sends the challenge ▸ The user is talked into passing along the response → the attacker captures it ▸ Login succeeds ▸ The reason for "never share your verification code!" (Photo: “Smooth Talker” by Mark Vaske, CC BY-NC-SA 2.0)
  12. ATTACK #3: FEED'EM UP ▸ The fatigue route ▸ The attacker hits the service again and again → a challenge is sent each time ▸ Sooner or later the user returns a response ▸ Login succeeds (Photo: “Fatigue” by Patrick Bouchard, CC BY-NC-ND 2.0)
  13. ATTACK #3: FEED'EM UP ▸ 2FA fatigue attacks ▸ The result of everyone and their cat adopting 2FA… → cases where it is reduced to a mere user confirmation prompt (…Google Prompt? GitHub?) ▸ Wear the user down and it goes through… → too many stimuli get ignored → the attention filter
  14. ATTACK #4: PEEK'EM ▸ Eavesdropping (SIM swapping, etc.) ▸ The attacker accesses the legitimate site → the challenge is sent, and the attacker receives it ▸ The attacker sends the response ▸ Login succeeds (Photo: “Coral pendant” by Sheila Sund, CC BY 2.0)
  15. ATTACK #4: PEEK'EM ▸ That said, SIM swapping… ▸ A perfectly reasonable concern ▸ Actually rare in Japan → perhaps thanks to the Act on Prevention of Improper Use of Mobile Phones (携帯電話不正利用防止法) ▸ Quite evident: you know when it happens to you → your phone suddenly stops working (Photo: “SIM card macro” by Pedro Vera, CC BY-NC-ND 2.0)
  16. ATTACK #4: PEEK'EM ▸ But how about this ▸ Direct SMS capture (Android) → READ_PHONE_STATE/READ_SMS ▸ Luring the OTP autofill into an attacker-controlled field (※1): → android:autofillHints="smsOTPCode" → TextField.textContentType(.oneTimeCode) → autocomplete="one-time-code" ▸ ※1: iOS 26: the sources, currently only iMessage/Apple Mail, are slated to be extended to 3rd-party apps (Gmail, etc.)
  17. ATTACK #4: PEEK'EM ▸ The code can be relayed the moment the SMS arrives, or the moment it is tapped ▸ Note that if the in-app browser itself is malicious, phishing is not even necessary → because the in-app browser side can replace or hook the DOM ▸ For example: a notification from a rogue app → have it open the legitimate URL itself and rewrite the DOM → lure a tap and steal just the code (Photo: “gotcha !” by Timothy Valentine, CC BY-NC-SA 2.0)
  18. ERRARE HUMANUM EST. ▸ The problem is that a human sits in the middle ▸ Limits of cognition: misreading, being unable to tell things apart ▸ Limits of attention: getting tired, tapping by mistake ▸ Limits of judgement: being threatened, being deceived ▸ Traits everyone has; nothing anyone should be blamed for (Photo: “Humans Are Stupid” by Cat Branchman, CC BY 2.0)
  19. ALL OF YOU NEED TO BE PRESENT HERE ▸ The problem is that distance can be put in between → is it fine for the one who knows and the one who has to be far apart…? ▸ It is not → as long as the subject being authenticated is a natural person ▸ 2FA is an authentication factor, not an additional confirmation… → the essential reason it differs from 2-step verification (2段階認証) → all authentication factors should be bound together (← important) (Photo: “Call me” by Jim Nix, CC BY-NC-SA 2.0)
  20. SECURITY KEYS: 2FA DONE RIGHT ▸ Security keys (U2F/WebAuthn) ▸ Operate while connected over USB/NFC (※ Bluetooth-connected ones once existed too) ▸ Public-key cryptography mutually verifies the legitimacy of the authenticating party (the relying party) and of the device → works as a genuine factor #2 (U2F = Universal 2nd Factor [FIDO Alliance]) (Photo: “Yubikey USB 2FA U2F Security Token” by Tony Webster, CC BY 2.0)
  21. PASSKEYS: LOOK MA, NO PASSWORDS! ▸ Passkeys ▸ Touted as the replacement for passwords… ▸ Secure because authentication is public-key based ▸ Secure because you can log in with biometrics ▸ Secure because no password is used, etc. (Photo: “Vintage Keys...” by Heartlover1717, CC BY-NC-ND 4.0)
  22. PASSKEYS: HENCE, UNBREAKABLE? ▸ Passkeys ▸ Touted as the replacement for passwords… ▸ Secure because authentication is public-key based → hmm… what exactly is secure, and how? ▸ Secure because you can log in with biometrics → hmm… that is an implementation matter ▸ Secure because no password is used, etc. → hmm… that does not make it secure automatically (Photo: “Contraseña / Password” by Microsiervos, CC BY 2.0)
  23. PASSKEYS: GHOST OF PASSWORDS? ▸ Touted as the replacement for passwords… → that framing is wrong from the outset ▸ 2FA is challenge-response authentication ▸ The goal is to do that properly → what was the problem? → human intermediation and the lack of binding (Photo: “Password-less logins via IndieAuth with a #pebble watch! Blog post coming soon” by Aaron Parecki, CC BY 2.0)
  24. PASSKEYS STITCH TIMESPACE ▸ A passkey is device authentication [factor #2] ▸ It is public-key authentication, but the signature covers the authenticating party as a whole, and the proximity of the party doing the input is bound as well ▸ Local keystore (※2) or BLE (iOS/Android, ※3) (cf. security keys: USB/NFC) (Photo: “signature” by Chris Clark, CC BY-NC 2.0)
  25. ... WITH THEIR SHARE OF WEAKNESSES ▸ ※2: the security of the device itself comes into question ▸ ※3: note that a malicious tunnel can steal the session (CVE-2024-9956) [1] ▸ because what happens is a mere signature check, not a key exchange (KEX) ▸ But… why introduce a tunnel at all? (to let the device serve as the authenticator, and to make use of QR codes, but… but…) (Photo: “Gettysburg Address: fountain pen handwriting practice” by Stephen Little, CC BY-NC 2.0)
  26. .. AND ARE FAIRLY SECURE ▸ Roughly one rank below security keys is a fair assessment (cf. how Apple and others treat them) ▸ What became of Bluetooth FIDO devices? → equivalent to an iOS/Android device acting as the authenticator → possibly absorbed into that (Photo: “Gettysburg Address: fountain pen handwriting practice” by Stephen Little, CC BY-NC 2.0)
  27. TAKEAWAYS ▸ 2FA: two-factor authentication (not two-step) → all authentication factors should be bound together → challenge-response authentication ▸ OTP/SMS and the like presuppose a human relay (= unbound) → the essence of the problem; SMS even without SIM swapping… ▸ Security keys/passkeys are 2FA done right → the target is signed along with everything else; the authentication factors are bound too → SK: USB/NFC + HSM, PK: BLE + local keystore → nearly the same thing, but security keys still have the edge (Photo: “Writing Up Challenge Responses” by Alan Levine, CC BY 2.0)
  28. TAKEAWAYS ▸ Passkeys are a virtual security key… ▸ "ssh for the web": → the mechanism of action is similar, but it is different ▸ "a password manager with biometric auth" → completely different (Photo: “Pointing at button” by Steve wilson, CC BY 2.0)
  29. OTP SEEDS ARE PASSWORDS ▸ OTP generation (by the password manager): I consider this no great problem ▸ The generating key never leaves it ▸ The DB is usually encrypted in an E2EE fashion (※ if it is not, that is a problem in its own right) ▸ Not much different from using a dedicated 2FA app (Photo: “M&S Bank 2FA output” by Orde Saunders, CC BY 2.0)
  30. PASSKEYS ARE PRIVATE KEYS ▸ Passkeys (in the password manager): better not ▸ There is a fair amount of dynamism involved (e.g. authenticator discovery [CTAP]) ▸ The importance of the key is on a quite different level ▸ Better to leave it to the platform (Photo: “Private keys” by Laszlo Gyarmati, CC BY-NC-SA 2.0)
  31. MAY YOU HAVE PASSKEYS WITH YOURSELF ▸ Passkeys: a local keystore if at all possible… ▸ Why? For example, a malicious page can forge a CTAP 2.2 transaction-initiating URI (FIDO:/) and redirect to a malicious tunnel, and so steal the session (the ※3 above; CVE-2024-9956) [1] ▸ Fix: FIDO:/ can no longer be opened from the browser; this is considered done, but… (Photo: “keys” by plenty.r., CC BY-SA 2.0)
  32. .. INTO VERY YOURSELF ▸ …is that sufficient? ▸ What if the attacker posts a malicious QR code somewhere? (※ CTAP 2.2: the epoch field is optional) ▸ There is no provision for guaranteeing the legitimacy of the tunnel → something like ephemeral keys seems necessary → or making the epoch mandatory, and so on (Photo: “Yahoo! delivers amazing new experiences via Android and HTML5” by Yahoo, CC BY 2.0)
  33. REFERENCES ▸ [1] "CVE-2024-9956 - PassKey Account Takeover in All Mobile Browsers", Tobia Righi, February 2025. https://mastersplinter.work/research/passkey/ (Photo: “look at alll the papers!” by Sara Grajeda, CC BY-NC-SA 2.0)