Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA, U2F, OOB, and Other Terrifying Security Acronyms

Eric Mann
November 16, 2017

2FA, U2F, OOB, and Other Terrifying Security Acronyms

In 2016, NIST announced it was deprecating SMS-based 2FA (second-factor authentication) from its Digital Authentication Guidance. As the internet works to harden application and online security, what are the proper options available for truly secure authentication? What are those OOB (out-of-band) transactions anyway? Why is identity security so hard? Come learn about the tools that define the identity security landscape and how to easily integrate strong identity verification methods with your existing services. BYOA (bring your own acronyms).

Eric Mann

November 16, 2017
Tweet

More Decks by Eric Mann

Other Decks in Technology

Transcript

  1. 2FA, U2F, OOB, and Other Terrifying Security Acronyms
    php[world] 2017

    View full-size slide

  2. SMS 2FA Horror Story

    View full-size slide

  3. SS7
    • Signaling System 7
    • Developed in 1975 to manage phone network switching
    • The framework has several vulnerabilities
    • Anyone can track user movements with 70% success
    • Calls and messages can be forwarded to third parties

    View full-size slide

  4. Why SMS 2FA is Insecure

    View full-size slide

  5. Why SMS 2FA is Insecure

    View full-size slide

  6. Why SMS 2FA is Insecure

    View full-size slide

  7. Why SMS 2FA is Insecure

    View full-size slide

  8. Why SMS 2FA is Insecure

    View full-size slide

  9. NIST Discourages SMS
    • In 2016, announced that SMS was “deprecated” as a second factor
    • Later clarified who the deprecation was for
    • As of the latest guidance, SMS is still allowed, just discouraged

    View full-size slide

  10. So What Now?

    View full-size slide

  11. OOB
    • OOB means “out of band”
    • Applies to more than just security
    • Imagine a speaker sending their presentation ahead of time
    • … or a courier delivering a package to an event venue for you
    • The point is to leverage multiple channels of communication
    • It’s hard to leverage exploits in multiple channels simultaneously

    View full-size slide

  12. OOB: HOTP
    • HMAC-base One-Time Password
    • Leverages a shared secret key
    • Uses a counter to guarantee every OTP is unique
    • Can use a hardware or a software token

    View full-size slide

  13. OOB: TOTP
    • Time-based One-Time Password
    • Fundamentally identical to HOTP
    • Uses a timestamp as a counter
    • Also available in hardware or software

    View full-size slide

  14. OOB: Magic Links
    • Send a one-time password token via email
    • Tied to a user, functions like a password
    • Can also use as a first factor
    • Only as secure as your user’s inbox

    View full-size slide

  15. U2F
    • Universal Second (2) Factor
    • Open standard from the FIDO Alliance
    • Fast Identity Online
    • Industry group established in 2013
    • Built on top of HMAC and asymmetric keys
    • Supported by (almost) all major browsers

    View full-size slide

  16. Mobile Push:
    • APNS - Apple Push Notification Services
    • GCM - Google Cloud Messaging
    • SNS - Amazon Simple Notification Service
    • Submit a challenge to a mobile device to be signed and returned
    • Can leverage a securely-stored private key
    APNS, GCM, SNS

    View full-size slide

  17. Other Providers
    • Auth0 - Magic links, SMS
    • Authy - App
    • Duo - App, 2FA
    • Yuibco - Hardware tokens

    View full-size slide

  18. Keep in mind …
    • NIST’s SMS deprecation is a recommendation, not a requirement
    • Using SMS for 2FA is better than nothing
    • SS7 is exploitable, but the exploits are difficult
    • All of these 2FA providers offer SDKs - use them
    • Never roll your own when it comes to auth - use a proven solution

    View full-size slide

  19. [email protected]
    (844) 628-2872
    www.tozny.com
    THANK YOU!

    View full-size slide