Upgrade to Pro — share decks privately, control downloads, hide ads and more …

BASTA! 2017 - 2FA, WTF?

Dominik Kundel
February 21, 2017
Programming
1
110

BASTA! 2017 - 2FA, WTF?

2FA, WTF? Talk at BASTA! Spring 2017 in Frankfurt

Dominik Kundel

February 21, 2017
Tweet

More Decks by Dominik Kundel

See All by Dominik Kundel
AI for Marketers Sept '24 - How AI Agents will change your
dkundel
0
150
AGI Builders July '24 - Rogue Agents - Stop AI from misusing APIs
dkundel
0
98
AI Engineer World's Fair '24 - Cooking with Fire without
dkundel
0
130
Rogue Agents - Stop AI from misusing APIs
dkundel
0
180
SIGNAL 2021 - Live Developer Mode
dkundel
0
140
OpenJS World - What the AST?
dkundel
0
420
WFHConf - Move to TypeScript at your own Pace
dkundel
0
280
SFNode '20 - How to move your project to TypeScript
dkundel
0
290
Node+JS Interactive '19 - When Porgs Scream at Webpack and Other Stories
dkundel
0
320

Other Decks in Programming

See All in Programming
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
910
最新TCAキャッチアップ
0si43
0
140
受け取る人から提供する人になるということ
little_rubyist
0
230
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
AWS IaCの注目アップデート 2024年10月版
konokenj
3
3.3k
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
Pinia Colada が実現するスマートな非同期処理
naokihaba
4
220
CSC509 Lecture 11
javiergs
PRO
0
180
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
Amazon Qを使ってIaCを触ろう!
maruto
0
400

Featured

See All Featured
A Philosophy of Restraint
colly
203
16k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Designing Experiences People Love
moore
138
23k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
120
Faster Mobile Websites
deanohume
305
30k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Site-Speed That Sticks
csswizardry
0
23

Transcript

  1. 2FA, WTF? Dominik Kundel | @dkundel | #2fa #basta

  2. Dominik Kundel | @dkundel | #2fa #basta

  3. HI! I'm Dominik! Dominik Kundel | @dkundel | #2fa #basta

  4. About me Developer Evangelist at Get in touch with me!

    @dkundel [email protected] github/dkundel Dominik Kundel | @dkundel | #2fa #basta

  5. HACKERS! Dominik Kundel | @dkundel | #2fa #basta

  6. Dominik Kundel | @dkundel | #2fa #basta

  7. Dominik Kundel | @dkundel | #2fa #basta

  8. Dominik Kundel | @dkundel | #2fa #basta

  9. 2FA, WTF? Dominik Kundel | @dkundel | #2fa #basta

  10. Two-Factor Authentication Dominik Kundel | @dkundel | #2fa #basta

  11. Dominik Kundel | @dkundel | #2fa #basta

  12. Two-Factor Authentication Two different forms of identification from the user

    Typically: → Something that you know → Something that you have Dominik Kundel | @dkundel | #2fa #basta

  13. Why? Dominik Kundel | @dkundel | #2fa #basta

  14. Passwords Alone Are Weak Dominik Kundel | @dkundel | #2fa

    #basta

  15. Story Time! Dominik Kundel | @dkundel | #2fa #basta

  16. Mark Zuckerberg Dominik Kundel | @dkundel | #2fa #basta

  17. Users are bad with passwords! Dominik Kundel | @dkundel |

    #2fa #basta

  18. Top 10 Passwords of 2015 1. 123456 2. password 3.

    12345678 4. qwerty 5. 12345 6. 123456789 7. football 8. 1234 9. 1234567 10. baseball Source: https://www.teamsid.com/worst-passwords-2015/ Dominik Kundel | @dkundel | #2fa #basta

  19. Other websites are bad with passwords! Dominik Kundel | @dkundel

    | #2fa #basta

  20. Dominik Kundel | @dkundel | #2fa #basta

  21. Mat Honan Dominik Kundel | @dkundel | #2fa #basta

  22. Hacking Timeline → Hackers find his personal website and then

    his Gmail → Detect alternative email through Gmail password recovery → Get Honan's address through whois on his domain → Phone Amazon to add a new credit card to Honan's account → Call again to recover the Amazon account → Hacker log into Amazon to retrieve last 4 digits of his actual card Dominik Kundel | @dkundel | #2fa #basta

  23. Hacking Timeline → 4:33pm Call Apple to recover the iCloud

    access using the billing address and 4 digits of the credit card → 4:50pm Permanently reset iCloud password → 4:52pm Reset Gmail password → 5:00pm Hacker delete his iPad and iPhone → 5:02pm Reset Twitter password → 5:05pm Wipe Macbook → 5:12pm Hacker tweet to tack credit Dominik Kundel | @dkundel | #2fa #basta

  24. @mat Dominik Kundel | @dkundel | #2fa #basta

  25. Social engineering works! Dominik Kundel | @dkundel | #2fa #basta

  26. Passwords Alone Are Weak Dominik Kundel | @dkundel | #2fa

    #basta

  27. Physical protection layer for a digital world Dominik Kundel |

    @dkundel | #2fa #basta

  28. Dominik Kundel | @dkundel | #2fa #basta

  29. How? Dominik Kundel | @dkundel | #2fa #basta

  30. Typical User Registration Flow 1. User visits registration page 2.

    Enters username and password 3. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  31. Typical User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  32. Phone 2FA SMS / Voice Dominik Kundel | @dkundel |

    #2fa #basta

  33. SMS-based User Registration Flow 1. User visits registration page 2.

    Enters username, password and phone number 3. Verifies phone number 4. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  34. SMS-based User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. System sends verification code to user by SMS 5. User enters verification code 6. System verifies code 7. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  35. Dominik Kundel | @dkundel | #2fa #basta

  36. DeRay Mckesson Dominik Kundel | @dkundel | #2fa #basta

  37. One-time Passwords 2FA Dominik Kundel | @dkundel | #2fa #basta

  38. OTP-based User Registration Flow 1. User visits registration page 2.

    Enters username and password 3. Generate secret for the user 4. Share secret with the user 5. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  39. OTP-based User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. User opens auth app 5. Enters app verification code on site 6. System verifies code 7. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  40. Secret based Codes Dominik Kundel | @dkundel | #2fa #basta

  41. HOTP/TOTP Dominik Kundel | @dkundel | #2fa #basta

  42. HOTP Formula HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF HOTP-Value = HOTP(K,C)

    mod 10d Dominik Kundel | @dkundel | #2fa #basta

  43. https://github.com/guyht/notp Dominik Kundel | @dkundel | #2fa #basta

  44. DEMO Dominik Kundel | @dkundel | #2fa #basta

  45. Sharing Secrets Dominik Kundel | @dkundel | #2fa #basta

  46. QR Codes otpauth://TYPE/LABEL?PARAMETERS otpauth://totp/Example:[email protected]?secret=MySecret&issuer=Example Dominik Kundel | @dkundel | #2fa

    #basta

  47. Dominik Kundel | @dkundel | #2fa #basta

  48. Friends don't let friends write their own authentication frameworks! Dominik

    Kundel | @dkundel | #2fa #basta

  49. Friends don't let friends write their own two-factor authentication frameworks!

    Dominik Kundel | @dkundel | #2fa #basta

  50. Dominik Kundel | @dkundel | #2fa #basta

  51. Authy-based User Registration Flow 1. User visits registration page 2.

    Enters username, password and phone number 3. System registers user with Authy 4. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  52. Authy-based User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. Authy prompts user 5. User enters app verification code on site 6. System verifies success with Authy 7. User is logged in Dominik Kundel | @dkundel | #2fa #basta

  53. UX or 2FA Dominik Kundel | @dkundel | #2fa #basta

  54. Push notifications (OneTouch) Dominik Kundel | @dkundel | #2fa #basta

  55. Demo Dominik Kundel | @dkundel | #2fa #basta

  56. Dominik Kundel | @dkundel | #2fa #basta

  57. Summary Dominik Kundel | @dkundel | #2fa #basta

  58. Users are bad with passwords! Dominik Kundel | @dkundel |

    #2fa #basta

  59. Other websites are bad with passwords! Dominik Kundel | @dkundel

    | #2fa #basta

  60. Social engineering works! Dominik Kundel | @dkundel | #2fa #basta

  61. 2FA can be push, tokens or SMS Dominik Kundel |

    @dkundel | #2fa #basta

  62. 2FA is for your users! Dominik Kundel | @dkundel |

    #2fa #basta

  63. Dominik Kundel | @dkundel | #2fa #basta

  64. Thank You! @dkundel [email protected] github/dkundel Dominik Kundel | @dkundel |

    #2fa #basta

  65. Credits: http://www.hackercg.com/wp-content/uploads/2015/12/Hacker.jpg http://www.v3.co.uk/IMG/494/302494/hacker-hacking-dark-hoodie.jpg http://qruniversity.hipscan.net/sites/default/files/article-images/computer- hacker.jpg http://www.wpdroids.com/wp-content/uploads/2014/12/How-to-scan-QR-code- in-your-Smartphone.jpg https://img1.etsystatic.com/036/0/9343025/il_fullxfull.654477583_8ktu.jpg http://cdn1.tnwcdn.com/wp-content/blogs.dir/1/files/2015/01/mark-zuckerberg- qa-colombia.png

    https://lastpass.com/press-room/ http://66.media.tumblr.com/d19d0b84160d51e696aeaa939b84f4de/ tumblrns7wyq9uVl1qhub34o10r1_500.gif Dominik Kundel | @dkundel | #2fa #basta