Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA, U2F, OOB, and Other Terrifying Security Acronyms

Eric Mann
November 16, 2017
Technology
0
130

2FA, U2F, OOB, and Other Terrifying Security Acronyms

In 2016, NIST announced it was deprecating SMS-based 2FA (second-factor authentication) from its Digital Authentication Guidance. As the internet works to harden application and online security, what are the proper options available for truly secure authentication? What are those OOB (out-of-band) transactions anyway? Why is identity security so hard? Come learn about the tools that define the identity security landscape and how to easily integrate strong identity verification methods with your existing services. BYOA (bring your own acronyms).

Eric Mann

November 16, 2017
Tweet

More Decks by Eric Mann

See All by Eric Mann
WordPress, Meet AI
ericmann
0
20
Cooking with Credentials
ericmann
0
24
OWASP Top Ten in Review
ericmann
0
17
Monkeys in the Machine
ericmann
0
89
Asynchronous Awesome
ericmann
0
170
Evolution of PHP Security
ericmann
0
210
Web Application Security Update: Top Vulnerabilities
ericmann
0
72
Asynchronous Awesome
ericmann
0
67
The Future of the Web is Low Tech
ericmann
0
19

Other Decks in Technology

See All in Technology
技育祭2023春 ちゅらデータ講演資料
foursue
1
640
ローコードで改革!End to Endテストの再定義!
odasho
0
120
試して分かった!AWS を使った PLCのデータ収集と分析基盤の実践ノウハウ #FA設備技術勉強会#13
ganota
1
210
CDK使用歴1年の僕が現場でCDK導入するときに得たTips
miura55
0
290
数年先の金融DX/AI活用
abenben
1
260
DevOpsの始め方講座 - 2023年度こそDevOpsを始めよう!
devops_vtj
0
110
マネジメント3.0モデル入門(120分版)
takufujii
11
2.7k
BUILD UP for Web3 engineer
aramaki
0
130
Jotaiで作ったフォームをApollo_Clientで投げたらいい感じだった件.pdf
asazutaiga
1
220
TryToUseCloudFlareTunnel_20230317.pdf
kenichirokimura
0
170
Agileを始める前に知っておきたい3つの真実
chiroruxx
6
1k
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.4k

Featured

See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
22
1.7k
Bash Introduction
62gerente
602
210k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
7.2k
Automating Front-end Workflow
addyosmani
1351
200k
Building Adaptive Systems
keathley
28
1.4k
How to train your dragon (web standard)
notwaldorf
66
4.3k
Happy Clients
brianwarren
90
5.9k
YesSQL, Process and Tooling at Scale
rocio
159
13k
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
236
1.1M

Transcript

  1. 2FA, U2F, OOB, and Other Terrifying Security Acronyms
    php[world] 2017

    View Slide

  2. SMS 2FA Horror Story

    View Slide

  3. View Slide

  4. SS7
    • Signaling System 7
    • Developed in 1975 to manage phone network switching
    • The framework has several vulnerabilities
    • Anyone can track user movements with 70% success
    • Calls and messages can be forwarded to third parties

    View Slide

  5. Why SMS 2FA is Insecure

    View Slide

  6. Why SMS 2FA is Insecure

    View Slide

  7. Why SMS 2FA is Insecure

    View Slide

  8. Why SMS 2FA is Insecure

    View Slide

  9. Why SMS 2FA is Insecure

    View Slide

  10. NIST Discourages SMS
    • In 2016, announced that SMS was “deprecated” as a second factor
    • Later clarified who the deprecation was for
    • As of the latest guidance, SMS is still allowed, just discouraged

    View Slide

  11. So What Now?

    View Slide

  12. OOB
    • OOB means “out of band”
    • Applies to more than just security
    • Imagine a speaker sending their presentation ahead of time
    • … or a courier delivering a package to an event venue for you
    • The point is to leverage multiple channels of communication
    • It’s hard to leverage exploits in multiple channels simultaneously

    View Slide

  13. OOB: HOTP
    • HMAC-base One-Time Password
    • Leverages a shared secret key
    • Uses a counter to guarantee every OTP is unique
    • Can use a hardware or a software token

    View Slide

  14. OOB: TOTP
    • Time-based One-Time Password
    • Fundamentally identical to HOTP
    • Uses a timestamp as a counter
    • Also available in hardware or software

    View Slide

  15. OOB: Magic Links
    • Send a one-time password token via email
    • Tied to a user, functions like a password
    • Can also use as a first factor
    • Only as secure as your user’s inbox

    View Slide

  16. U2F
    • Universal Second (2) Factor
    • Open standard from the FIDO Alliance
    • Fast Identity Online
    • Industry group established in 2013
    • Built on top of HMAC and asymmetric keys
    • Supported by (almost) all major browsers

    View Slide

  17. Mobile Push:
    • APNS - Apple Push Notification Services
    • GCM - Google Cloud Messaging
    • SNS - Amazon Simple Notification Service
    • Submit a challenge to a mobile device to be signed and returned
    • Can leverage a securely-stored private key
    APNS, GCM, SNS

    View Slide

  18. Other Providers
    • Auth0 - Magic links, SMS
    • Authy - App
    • Duo - App, 2FA
    • Yuibco - Hardware tokens

    View Slide

  19. Keep in mind …
    • NIST’s SMS deprecation is a recommendation, not a requirement
    • Using SMS for 2FA is better than nothing
    • SS7 is exploitable, but the exploits are difficult
    • All of these 2FA providers offer SDKs - use them
    • Never roll your own when it comes to auth - use a proven solution

    View Slide

  20. [email protected]
    (844) 628-2872
    www.tozny.com
    THANK YOU!

    View Slide

  21. Questions?

    View Slide