
2FA: The Rise of Two-Factor Authentication


Two-factor authentication has gotten a lot of attention lately. It is being praised as a way to help eliminate passwords, and several major companies have already adapted their practices to use it. Let me guide you through the world of 2FA, cover some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.


Chris Cornutt

February 27, 2014

Transcript

  1. 2FA: The rise of two-factor authentication. Chris Cornutt, Confoo 2014
  2. A

  3. A

  4. USER & PASS A

  5. USER & PASS SECURITY QUESTIONS A

  6. USER & PASS SECURITY QUESTIONS ? A

  7. Identity is hard

  8. None
  9. who? who?

  10. Know: password, PIN, Konami code

  11. Have: ATM card, hardware token, cellphone

  12. Are: fingerprint, voice

  13. Know, Have, Are ...and sometimes Where

  14. 1 2 3 4 5 6 7 8 9 0 +

  15. )))

  16. None
  17. None
  18. Source: http://www.howtogeek.com/103041/geek-comic-for-january-28th-horrible-two-factor-authentication/

  19. 2FA myths

  20. it’s a “quick fix”

  21. it’s not easy to break

  22. Source: Authy Blog

  23. it’s cheap

  24. your users will love you

  25. 2FA advantages

  26. safer than just passwords (duh)

  27. defense in depth

  28. increase customer confidence

  29. 2FA disadvantages

  30. yet another device?

  31. not cost effective

  32. harder for users

  33. 2FA flow

  34. Device configured, code sent on login:
      1. user creates account (user/pass)
      2. user configures 2FA device
      3. confirmation code sent
      4. site requests code as validation

  35. Device configured, 3rd party request:
      1. user creates account (user/pass)
      2. user configures 2FA device
      3. user set up with 3rd party
      4. 3rd party validates user
  36. 2FA options

  37. None
  38. 2FA tech

  39. Google Authenticator

  40. Google Authenticator
      HMAC-based OTP: RFC 4226
      Time-based OTP: RFC 6238
      Shared secret is base32 encoded; codes are derived with HMAC-SHA1
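The HOTP/TOTP profile named on slide 40 (RFC 4226 HMAC-SHA1 with dynamic truncation, RFC 6238 time steps, base32-encoded shared secret) together with the enrollment-then-login flow of slide 34, as an added example written for this page; it is not the talk's iheart2fa code, and the account name, issuer and the 30-second window are constructed assumptions. It generates a secret, builds the otpauth:// URI an authenticator app scans, confirms the device with a first code, and then checks login codes with a one-step clock-skew window using a constant-time compare. The RFC test secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) reproduces the published test vectors, which is how you confirm an implementation before wiring it into a login form.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote

# HOTP (RFC 4226) and TOTP (RFC 6238) over HMAC-SHA1, the profile Google
# Authenticator implements. Added example for this page; not the talk's code.


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)             # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if for_time is None else int(for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the current step plus/minus `window` steps (clock skew); constant-time compare."""
    t = int(time.time()) if for_time is None else int(for_time)
    code = str(code).strip()
    return any(hmac.compare_digest(hotp(secret, t // step + k, digits), code)
               for k in range(-window, window + 1))


def new_secret(nbytes=20):
    """Fresh shared secret, base32-encoded: this is what the QR code or manual entry carries."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def secret_from_base32(b32):
    """Decode what the user typed: apps ignore case and spaces, and base32 wants padding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def provisioning_uri(b32, account, issuer):
    """otpauth:// URI (the Key Uri Format Google Authenticator scans) for step 2 of the flow."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def enroll_and_login_demo(now=None):
    """Walk slide 34's flow with a constructed account: create a secret, confirm the
    device with a first code, then check login codes against the skew window."""
    now = int(time.time()) if now is None else int(now)
    b32 = new_secret()
    secret = secret_from_base32(b32)
    uri = provisioning_uri(b32, "alice@example.com", "iheart2fa")   # constructed account name
    confirmation = totp(secret, now)             # the code the app shows right after scanning
    enrolled = verify_totp(secret, confirmation, now)
    ok_prev = verify_totp(secret, totp(secret, now - 30), now)       # one step of skew: accepted
    bad_old = verify_totp(secret, totp(secret, now - 90), now)       # three steps old: rejected
    return uri, enrolled, ok_prev, bad_old


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"        # RFC 4226 / RFC 6238 test secret
    print(hotp(rfc_secret, 0), totp(rfc_secret, 59, digits=8))      # 755224 94287082
    print(enroll_and_login_demo())
```

Two things the RFCs leave to you and the demo makes explicit: the server must store the decoded secret (or the base32 form) per user and never show it again after enrollment, and a code accepted once should be recorded so the same code cannot be replayed within the window.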
  41. None
  42. Yubikey

  43. Yubikey
      API-validated request: OTP + nonce + client ID + signature
      Unique 44-character OTP (128-bit AES encrypted)
  44. None
  45. ccccccbjnrirungbcderlhbidgeddkcfrnffdecnnkdv

  46. ccccccbjnrir | ungbcderlhbidgeddkcfrnffdecnnkdv
      Public ID    | Generated code
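How a relying party handles the OTP on slides 45 and 46 and the signed validation request of slide 43, as an added example written for this page (not Yubico's or the talk's code). The OTP is modhex (alphabet "cbdefghijklnrtuv"); the last 32 characters are 16 bytes of AES-128 ciphertext that only the holder of the key's AES key (normally the validation service) can decrypt, and whatever precedes them is the public ID that selects that key. The request and response signing follows Yubico's published validation protocol v2.0 (HMAC-SHA1 over the parameters sorted by name, keyed with the base64-decoded API key); the client ID, API key and nonce here are constructed values. The replay check in verify_response, comparing the echoed OTP and nonce with what was sent, is the part most home-grown clients forget.

```python
import base64
import hashlib
import hmac
import os

# Yubico OTP handling on the relying-party side. Added example for this page,
# not Yubico's or the talk's code. Signing scheme: Yubico validation protocol v2.0.

MODHEX = "cbdefghijklnrtuv"      # modhex digit i is MODHEX[i]; survives keyboard-layout changes


def modhex_decode(text):
    """Modhex string -> bytes; rejects odd lengths and non-modhex characters."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(ch) for ch in text]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def split_otp(otp):
    """Return (public_id, ciphertext). The last 32 chars are always the encrypted block;
    what precedes them (12 chars on the slide) is the public ID. Validation servers
    accept 32..48 characters in total."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48:
        raise ValueError("OTP must be 32..48 modhex characters")
    return otp[:-32], modhex_decode(otp[-32:])


def canonical_query(params):
    """Parameters sorted by name as 'k=v&k=v', excluding any existing signature 'h'."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")


def sign_params(api_key_b64, params):
    """base64(HMAC-SHA1(base64decode(api_key), canonical_query(params)))."""
    key = base64.b64decode(api_key_b64)
    mac = hmac.new(key, canonical_query(params).encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_validation_request(client_id, api_key_b64, otp, nonce=None):
    """Request parameters: id, otp, nonce (16..40 alphanumerics), h = signature over the rest."""
    params = {"id": str(client_id), "otp": otp, "nonce": nonce or os.urandom(20).hex()}
    params["h"] = sign_params(api_key_b64, params)
    return params


def verify_response(api_key_b64, response, sent_otp, sent_nonce):
    """Accept only a response whose signature checks and which echoes the OTP and nonce we
    sent, so a captured 'OK' for some other OTP cannot be replayed against us."""
    sig_ok = hmac.compare_digest(sign_params(api_key_b64, response), response.get("h", ""))
    return (sig_ok and response.get("otp") == sent_otp
            and response.get("nonce") == sent_nonce and response.get("status") == "OK")


if __name__ == "__main__":
    slide_otp = "ccccccbjnrirungbcderlhbidgeddkcfrnffdecnnkdv"   # the OTP shown on the slide
    pub, ct = split_otp(slide_otp)
    print(pub, modhex_decode(pub).hex(), ct.hex())
    demo_key = base64.b64encode(b"\x01" * 20).decode()            # constructed API key
    print(build_validation_request(1234, demo_key, slide_otp))
```

The public ID is what you store against the user at enrollment; at login you compare it before spending a round trip to the validation service, and you accept the OTP only when the signed response says OK for exactly the OTP and nonce you sent.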

  47. Duo Security

  48. Duo Security
      Hosted service (API): OTP codes, SMS messaging, phone callback, push notifications
      NIST certified
  49. None
  50. Authy

  51. Authy
      API-validated request: one-time password, Bluetooth pairing, SMS messaging
      Works with other OTP codes
  52. Custom

  53. Twilio, Nexmo

  54. Custom
      Internal implementation: SMS sent through a service, internal authorization
      Custom auth requirements stay intact
  55. ...but is it enough?

  56. Weak passwords are still a problem
      Why stop at two?
      Other options aren’t as strong, but help
  57. the unfortunate truth is that passwords are here to stay...

  58. Demo Time! http://iheart2fa.com https://github.com/enygma/iheart2fa

  59. Thanks Questions? @enygma http://websec.io/tagged/twofactor http://securingphp.com