
2FA: The Rise of Two-Factor Authentication

Chris Cornutt
February 27, 2014


Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.


Transcript

  1. 2FA
    Chris Cornutt - Confoo 2014
    The rise of
    two-factor authentication


  2. USER & PASS

  3. USER & PASS
    SECURITY QUESTIONS

  4. USER & PASS
    SECURITY QUESTIONS
    ?

  5. Identity
    is hard


  6. Know
    Password
    PIN
    Konami code

  7. Know
    Have
    ATM Card
    Hardware token
    Cellphone

  8. Know
    Have
    Are
    Fingerprint
    Voice

  9. Know
    Have
    Are
    ...and sometimes where

  10. (keypad image: 1 2 3 / 4 5 6 / 7 8 9 / 0 / +)

  11. Source: http://www.howtogeek.com/103041/geek-comic-for-january-28th-horrible-two-factor-authentication/


  12. it’s a
    “quick fix”


  13. it’s not easy to
    break


  14. Source: Authy Blog


  15. it’s cheap


  16. your users will
    love you


  17. 2FA
    advantages


  18. safer than just
    passwords (duh)


  19. defense in
    depth


  20. increase customer
    confidence


  21. 2FA
    disadvantages


  22. yet another
    device?


  23. not cost
    effective


  24. harder for
    users


  25. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. confirmation code sent
    4. site requests code as validation

    Device configured, code sent on login

  26. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. user set up with 3rd party
    4. 3rd party validates user

    Device configured, 3rd party request

  27. Google
    Authenticator


  28. Google
    Authenticator
    HMAC-based OTP
    RFC 4226
    Time-based OTP
    RFC 6238

    shared secret is base32 encoded
    codes derived with HMAC-SHA1
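The two RFCs on slide 28 are short enough to implement directly, and doing so shows where the base32 secret and the SHA-1 HMAC fit in the flow of slide 25 (device configured at enrollment, code checked on login). The following is an added example written for this transcript; it is not the talk's demo code and not Google's implementation. The issuer and account label are constructed, and the replay/drift policy in `TotpVerifier` is one reasonable choice, not something the RFCs mandate.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind Google Authenticator.

Added example for this transcript; not the talk's demo code and not Google's.
The issuer/account label and the in-memory verifier state are constructed.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps show the secret as unpadded, often space-grouped base32."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provision(account: str, issuer: str, secret_len: int = 20) -> Tuple[bytes, str, str]:
    """Enrollment (slide 25, steps 1-2): a fresh random secret plus the otpauth:// URI
    that Google Authenticator reads from a QR code."""
    secret = os.urandom(secret_len)
    encoded = base64.b32encode(secret).decode().rstrip("=")
    uri = "otpauth://totp/{}:{}?secret={}&issuer={}".format(
        quote(issuer), quote(account), encoded, quote(issuer))
    return secret, encoded, uri


class TotpVerifier:
    """Login check (slide 25, steps 3-4). Tolerates one step of clock drift either
    way and never accepts a time step twice, so a code seen over the shoulder
    cannot be replayed inside its 30-second window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1                             # highest step already consumed

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if len(code) != self.digits or not all(c in "0123456789" for c in code):
            return False
        at = int(time.time()) if at is None else at
        current = at // self.step
        for t in range(current - self.window, current + self.window + 1):
            if t <= self.last_step:
                continue                                # replay guard
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_step = t
                return True
        return False
```

With the RFC test-vector secret `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), `hotp` returns `755224` for counter 0 and `totp` returns `94287082` at Unix time 59 with 8 digits, matching the tables in RFC 4226 and RFC 6238. The verifier stores the secret in plaintext because it has to; protect that store as you would a password database, since anyone who reads it can mint valid codes.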

  29. Yubikey
    API validated request
    OTP + Nonce + Client ID
    Signature

    Unique 44 characters
    128-bit AES OTP

  30. ccccccbjnrirungbcderlhbidgeddkcfrnffdecnnkdv


  31. ccccccbjnrir ungbcderlhbidgeddkcfrnffdecnnkdv
    Public ID    Generated Code
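Slides 29-31 describe the YubiKey OTP (public ID plus an AES-128-encrypted token) and the signed request a relying party makes to the validation API. The code below is an added example for this transcript, not the talk's demo and not Yubico's client library: it splits the OTP from slide 30 into the two fields of slide 31, decodes the ModHex alphabet, signs a request with the nonce and client ID, and checks the server's reply. The client ID 1234, the all-zero API key and the fixed nonce are constructed; the request and response signing scheme follows Yubico's validation protocol v2.0 as the author of this example understands it.

```python
"""YubiKey OTP structure and the Yubico validation API exchange (slides 29-31).

Added example; not the talk's demo and not Yubico's client library. The client id
1234, the all-zero DEMO_API_KEY and the fixed nonce used in testing are constructed;
the OTP is the one on the slide.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# ModHex: the 16 characters a YubiKey "types", chosen because they sit on the same
# key positions across keyboard layouts. Position in the string is the hex value.
MODHEX = "cbdefghijklnrtuv"
_TO_HEX = {m: "0123456789abcdef"[i] for i, m in enumerate(MODHEX)}

# Constructed stand-in for the API key Yubico issues to a client; never a real key.
DEMO_API_KEY = base64.b64encode(b"\x00" * 20).decode()


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(c not in _TO_HEX for c in text):
        raise ValueError("not a ModHex string")
    return bytes.fromhex("".join(_TO_HEX[c] for c in text))


def split_otp(otp: str) -> Tuple[str, str]:
    """The last 32 ModHex chars (16 bytes) are the AES-128-encrypted token; whatever
    precedes them is the public identity. With the default 6-byte public id the
    whole string is the 44 characters shown on the slide."""
    otp = otp.strip().lower()
    if not 32 < len(otp) <= 64:
        raise ValueError("YubiKey OTP must be 33-64 ModHex characters")
    modhex_decode(otp)                                  # alphabet check
    return otp[:-32], otp[-32:]


def sign_params(api_key_b64: str, params: Dict[str, str]) -> str:
    """h = base64(HMAC-SHA1(api_key, 'k1=v1&k2=v2...')) with keys sorted alphabetically."""
    key = base64.b64decode(api_key_b64)
    message = "&".join("{}={}".format(k, params[k]) for k in sorted(params))
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def build_verify_url(client_id: int, api_key_b64: str, otp: str,
                     nonce: Optional[str] = None) -> Tuple[str, str]:
    """Signed GET to the validation server. The nonce binds the reply to this request."""
    nonce = nonce or secrets.token_hex(16)              # 16-40 alphanumeric chars
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = sign_params(api_key_b64, params)
    return "https://api.yubico.com/wsapi/2.0/verify?" + urlencode(params), nonce


def check_response(api_key_b64: str, body: str, otp: str, nonce: str) -> bool:
    """The reply is 'key=value' lines. Recompute h over every other field and make
    sure otp and nonce echo ours, otherwise a captured 'status=OK' could be replayed."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    their_h = fields.pop("h", None)
    if their_h is None:
        return False
    return (hmac.compare_digest(sign_params(api_key_b64, fields), their_h)
            and fields.get("otp") == otp
            and fields.get("nonce") == nonce
            and fields.get("status") == "OK")
```

The relying party never sees the AES key; it only learns from the server whether the token decrypted to a counter it has not seen before. Skipping the response checks (signature, echoed OTP, echoed nonce) is the classic integration mistake: without them an attacker who can interpose on the connection to the validation server can answer every request with a recorded `status=OK`.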

  32. Duo Security


  33. Duo Security
    Hosted service (API)

    OTP codes
    SMS messaging
    Phone callback
    Push notifications

    NIST certified

  34. Authy
    API validated request
    One time password
    Bluetooth pairing
    SMS messaging

    Works with other OTP
    codes

  35. Twilio Nexmo


  36. Custom
    Internal implementation

    SMS send through service
    Internal authorization
    Custom auth
    requirements intact
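Slides 35 and 36 cover rolling your own second factor: the site generates a code, sends it by SMS through Twilio or Nexmo, and checks it on login. The transport is the easy part; what the slide leaves implicit is the server-side handling. The following is an added example for this transcript, not the talk's demo code. It hashes codes at rest, expires them, caps guesses, and makes each code single-use. The `send` callable stands in for the provider API call; the key, phone number and TTL values are constructed.

```python
"""Issue and verify a custom SMS one-time code (slide 36).

Added example, not the talk's demo. The transport is injected: in production `send`
would call the Twilio or Nexmo API; in the test it records the message instead.
The server key, phone number and policy constants are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict


class SmsCodeService:
    CODE_DIGITS = 6
    TTL_SECONDS = 300          # a code is good for five minutes
    MAX_ATTEMPTS = 5           # then it is burned and a new one must be requested

    def __init__(self, send: Callable[[str, str], None], server_key: bytes,
                 clock: Callable[[], float] = time.time):
        self._send = send
        self._key = server_key                     # keyed hash so a DB dump alone is useless
        self._clock = clock
        self._pending: Dict[str, dict] = {}        # user_id -> {hash, expires, attempts}

    def _hash(self, user_id: str, code: str) -> bytes:
        # Never store the code itself; bind the hash to the user so codes cannot be
        # swapped between accounts.
        return hmac.new(self._key, "{}:{}".format(user_id, code).encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, phone: str) -> None:
        """Generate a fresh code with a CSPRNG and hand it to the SMS transport."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
        self._pending[user_id] = {
            "hash": self._hash(user_id, code),
            "expires": self._clock() + self.TTL_SECONDS,
            "attempts": 0,
        }
        self._send(phone, "Your login code is {}. It expires in 5 minutes.".format(code))

    def verify(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user_id]             # expired: force a new issue
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self._pending[user_id]             # 10^6 codes, 5 guesses: brute force fails
            return False
        if hmac.compare_digest(self._hash(user_id, code), entry["hash"]):
            del self._pending[user_id]             # single use
            return True
        return False
```

The attempt cap matters more than the code length: six digits is only a million possibilities, and an unlimited-guess endpoint lets an attacker walk them in minutes. Rate-limit `issue` too, or the SMS bill becomes the attack. As slide 38 notes, SMS is the weakest of the options on the previous slides, but it is still a large improvement over a password alone.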

  37. but is it
    enough?

  38. Weak passwords are still a
    problem

    Why stop at two?

    Other options aren’t as strong,
    but help

  39. the unfortunate
    truth is that
    passwords are here
    to stay...


  40. Demo Time!
    http://iheart2fa.com
    https://github.com/enygma/iheart2fa


  41. Thanks Questions?
    @enygma
    http://websec.io/tagged/twofactor
    http://securingphp.com
