Upgrade to Pro — share decks privately, control downloads, hide ads and more …

View Source Berlin 2016 - 2FA, WTF?

Dominik Kundel
September 14, 2016
0
93

View Source Berlin 2016 - 2FA, WTF?

Dominik Kundel

September 14, 2016
Tweet

More Decks by Dominik Kundel

See All by Dominik Kundel
AI for Marketers Sept '24 - How AI Agents will change your
dkundel
0
150
AGI Builders July '24 - Rogue Agents - Stop AI from misusing APIs
dkundel
0
98
AI Engineer World's Fair '24 - Cooking with Fire without
dkundel
0
130
Rogue Agents - Stop AI from misusing APIs
dkundel
0
180
SIGNAL 2021 - Live Developer Mode
dkundel
0
140
OpenJS World - What the AST?
dkundel
0
420
WFHConf - Move to TypeScript at your own Pace
dkundel
0
280
SFNode '20 - How to move your project to TypeScript
dkundel
0
290
Node+JS Interactive '19 - When Porgs Scream at Webpack and Other Stories
dkundel
0
320

Featured

See All Featured
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Making Projects Easy
brettharned
115
5.9k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
What's new in Ruby 2.0
geeforr
343
31k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Building Adaptive Systems
keathley
38
2.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
The Language of Interfaces
destraynor
154
24k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Ruby is Unlike a Banana
tanoku
97
11k

Transcript

  1. 2FA, WTF? Dominik Kundel | @dkundel | View Source Berlin

    2016

  2. Dominik Kundel | @dkundel | View Source Berlin 2016

  3. HI! I'm Dominik! Dominik Kundel | @dkundel | View Source

    Berlin 2016

  4. About me Developer Evangelist at Get in touch with me!

    @dkundel [email protected] github/dkundel Dominik Kundel | @dkundel | View Source Berlin 2016

  5. HACKERS! Dominik Kundel | @dkundel | View Source Berlin 2016

  6. Dominik Kundel | @dkundel | View Source Berlin 2016

  7. Dominik Kundel | @dkundel | View Source Berlin 2016

  8. Dominik Kundel | @dkundel | View Source Berlin 2016

  9. 2FA, WTF? Dominik Kundel | @dkundel | View Source Berlin

    2016

  10. Two-Factor Authentication Dominik Kundel | @dkundel | View Source Berlin

    2016

  11. Dominik Kundel | @dkundel | View Source Berlin 2016

  12. Two-Factor Authentication Two different forms of identification from the user

    Typically: → Something that you know → Something that you have Dominik Kundel | @dkundel | View Source Berlin 2016

  13. Why? Dominik Kundel | @dkundel | View Source Berlin 2016

  14. Passwords Alone Are Weak Dominik Kundel | @dkundel | View

    Source Berlin 2016

  15. Story Time! Dominik Kundel | @dkundel | View Source Berlin

    2016

  16. Mark Zuckerberg Dominik Kundel | @dkundel | View Source Berlin

    2016

  17. Users are bad with passwords! Dominik Kundel | @dkundel |

    View Source Berlin 2016

  18. Top 10 Passwords of 2015 1. 123456 2. password 3.

    12345678 4. qwerty 5. 12345 6. 123456789 7. football 8. 1234 9. 1234567 10. baseball Source: https://www.teamsid.com/worst-passwords-2015/ Dominik Kundel | @dkundel | View Source Berlin 2016

  19. Other websites are bad with passwords! Dominik Kundel | @dkundel

    | View Source Berlin 2016

  20. Dominik Kundel | @dkundel | View Source Berlin 2016

  21. Mat Honan Dominik Kundel | @dkundel | View Source Berlin

    2016

  22. Hacking Timeline → Hackers find his personal website and then

    his Gmail → Detect alternative email through Gmail password recovery → Get Honan's address through whois on his domain → Phone Amazon to add a new credit card to Honan's account → Call again to recover the Amazon account → Hacker log into Amazon to retrieve last 4 digits of his actual card Dominik Kundel | @dkundel | View Source Berlin 2016

  23. Hacking Timeline → 4:33pm Call Apple to recover the iCloud

    access using the billing address and 4 digits of the credit card → 4:50pm Permanently reset iCloud password → 4:52pm Reset Gmail password → 5:00pm Hacker delete his iPad and iPhone → 5:02pm Reset Twitter password → 5:05pm Wipe Macbook → 5:12pm Hacker tweet to tack credit Dominik Kundel | @dkundel | View Source Berlin 2016

  24. @mat Dominik Kundel | @dkundel | View Source Berlin 2016

  25. Social engineering works! Dominik Kundel | @dkundel | View Source

    Berlin 2016

  26. Passwords Alone Are Weak Dominik Kundel | @dkundel | View

    Source Berlin 2016

  27. Physical protection layer for a digital world Dominik Kundel |

    @dkundel | View Source Berlin 2016

  28. Dominik Kundel | @dkundel | View Source Berlin 2016

  29. How? Dominik Kundel | @dkundel | View Source Berlin 2016

  30. Typical User Registration Flow 1. User visits registration page 2.

    Enters username and password 3. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  31. Typical User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  32. Phone 2FA SMS / Voice Dominik Kundel | @dkundel |

    View Source Berlin 2016

  33. SMS-based User Registration Flow 1. User visits registration page 2.

    Enters username, password and phone number 3. Verifies phone number 4. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  34. SMS-based User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. System sends verification code to user by SMS 5. User enters verification code 6. System verifies code 7. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  35. Dominik Kundel | @dkundel | View Source Berlin 2016

  36. DeRay Mckesson Dominik Kundel | @dkundel | View Source Berlin

    2016

  37. One-time Passwords 2FA Dominik Kundel | @dkundel | View Source

    Berlin 2016

  38. OTP-based User Registration Flow 1. User visits registration page 2.

    Enters username and password 3. Generate secret for the user 4. Share secret with the user 5. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  39. OTP-based User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. User opens auth app 5. Enters app verification code on site 6. System verifies code 7. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  40. Secret based Codes Dominik Kundel | @dkundel | View Source

    Berlin 2016

  41. HOTP/TOTP Dominik Kundel | @dkundel | View Source Berlin 2016

  42. HOTP Formula HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF HOTP-Value = HOTP(K,C)

    mod 10d Dominik Kundel | @dkundel | View Source Berlin 2016

  43. https://github.com/guyht/notp Dominik Kundel | @dkundel | View Source Berlin 2016

  44. DEMO Dominik Kundel | @dkundel | View Source Berlin 2016

  45. Sharing Secrets Dominik Kundel | @dkundel | View Source Berlin

    2016

  46. QR Codes otpauth://TYPE/LABEL?PARAMETERS otpauth://totp/Example:[email protected]?secret=MySecret&issuer=Example Dominik Kundel | @dkundel | View

    Source Berlin 2016

  47. Dominik Kundel | @dkundel | View Source Berlin 2016

  48. Friends don't let friends write their own authentication frameworks! Dominik

    Kundel | @dkundel | View Source Berlin 2016

  49. Friends don't let friends write their own two-factor authentication frameworks!

    Dominik Kundel | @dkundel | View Source Berlin 2016

  50. Dominik Kundel | @dkundel | View Source Berlin 2016

  51. Authy-based User Registration Flow 1. User visits registration page 2.

    Enters username, password and phone number 3. System registers user with Authy 4. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  52. Authy-based User Log-in Flow 1. User visits log-in page 2.

    Enters username and password 3. System verifies details 4. Authy prompts user 5. User enters app verification code on site 6. System verifies success with Authy 7. User is logged in Dominik Kundel | @dkundel | View Source Berlin 2016

  53. UX or 2FA Dominik Kundel | @dkundel | View Source

    Berlin 2016

  54. Push notifications (OneTouch) Dominik Kundel | @dkundel | View Source

    Berlin 2016

  55. Dominik Kundel | @dkundel | View Source Berlin 2016

  56. Dominik Kundel | @dkundel | View Source Berlin 2016

  57. Summary Dominik Kundel | @dkundel | View Source Berlin 2016

  58. Users are bad with passwords! Dominik Kundel | @dkundel |

    View Source Berlin 2016

  59. Other websites are bad with passwords! Dominik Kundel | @dkundel

    | View Source Berlin 2016

  60. Social engineering works! Dominik Kundel | @dkundel | View Source

    Berlin 2016

  61. 2FA can be push, tokens or SMS Dominik Kundel |

    @dkundel | View Source Berlin 2016

  62. 2FA is for your users! Dominik Kundel | @dkundel |

    View Source Berlin 2016

  63. Dominik Kundel | @dkundel | View Source Berlin 2016

  64. Thank You! @dkundel [email protected] github/dkundel Dominik Kundel | @dkundel |

    View Source Berlin 2016

  65. Credits: http://www.hackercg.com/wp-content/uploads/2015/12/Hacker.jpg http://www.v3.co.uk/IMG/494/302494/hacker-hacking-dark-hoodie.jpg http://qruniversity.hipscan.net/sites/default/files/article-images/computer- hacker.jpg http://www.wpdroids.com/wp-content/uploads/2014/12/How-to-scan-QR-code- in-your-Smartphone.jpg https://img1.etsystatic.com/036/0/9343025/il_fullxfull.654477583_8ktu.jpg http://cdn1.tnwcdn.com/wp-content/blogs.dir/1/files/2015/01/mark-zuckerberg- qa-colombia.png

    https://lastpass.com/press-room/ http://66.media.tumblr.com/d19d0b84160d51e696aeaa939b84f4de/ tumblrns7wyq9uVl1qhub34o10r1_500.gif Dominik Kundel | @dkundel | View Source Berlin 2016