2FA, U2F, OOB, and Other Terrifying Security Acronyms

Eric Mann
February 16, 2018

February 2018 NomadPHP presentation demystifying various security and authentication acronyms.


Transcript

Background
• Tozny develops authentication and data security developer toolkits
• Since 2013, but with backing from our parent company
• Funded partly through gov't sponsorships and grants
• Tekton (or "builder") at Tozny
• I write PHP, JS, Go, Ruby, Java, Scala, C#...
• I used to work full time with WordPress
• Security Principles for PHP Applications

SS7
• Signaling System 7
• Developed in 1975 to manage phone network switching
• The protocol has several well-known vulnerabilities
• Anyone with SS7 network access can track user movements (about 70% success)
• Calls and messages can be forwarded to third parties

NIST Discourages SMS
• In 2016, the draft of SP 800-63B announced that SMS was "deprecated" as a second factor
• NIST later clarified who the deprecation was aimed at
• As of the latest guidance (the final SP 800-63B, 2017), SMS is still allowed as a "restricted" authenticator, just discouraged

TLDR - Don't use SMS
• The underlying infrastructure is laughably insecure
• Telecom providers are notorious for enabling identity theft (SIM swaps, number porting)
• Inter-telecom relationships can be fragile and/or unreliable
• Often the device receiving the message is the same one logging in
• There is no 2 in 2FA at this point!
• SMS is considered insecure for sensitive installations

OOB
• OOB means "out of band"
• Applies to more than just security
• Imagine a speaker sending their presentation ahead of time
• ... or a courier delivering a package to an event venue for you
• The point is to leverage multiple channels of communication
• It is much harder for an attacker to compromise several independent channels at the same time

OOB: HOTP
• HMAC-based One-Time Password (RFC 4226)
• Leverages a shared secret key, provisioned once to both the server and the token
• Uses a counter to guarantee every OTP is unique; the server must track the counter and allow a small look-ahead window for values the token generated but that never reached the server
• Can use a hardware or a software token

OOB: TOTP
• Time-based One-Time Password (RFC 6238)
• Fundamentally identical to HOTP
• Uses the current time, divided into fixed steps (typically 30 seconds), as the counter
• Also available in hardware or software
• There's a PHP library available ;-)

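To make the HOTP and TOTP slides concrete, here is an added example (not code from the presentation, nor from any library it mentions) that implements both algorithms from the Python standard library and, more usefully, the server-side checks a practitioner has to get right: the HOTP look-ahead window with rejection of any counter at or below the expected one, and the TOTP drift window with rejection of a time step that has already been accepted. The secret `RFC_SECRET` is the 20-byte test secret from RFC 4226 and RFC 6238, used here as constructed input so the values can be checked against the RFC test vectors. Note that NIST SP 800-63B files OTP generators under "single-factor OTP device" rather than "out-of-band"; the OOB heading is the talk's grouping. In production, use a maintained library, as the closing slide says; this is to show what that library must be doing.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with server-side verification.

Added example using only the Python standard library; it is not code from
the presentation or from any library it mentions. RFC_SECRET is the
20-byte test secret from the RFCs, used here as constructed input.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed input).
# Real deployments usually receive it base32-encoded in an otpauth:// URI.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP: HMAC the 8-byte big-endian counter, dynamically truncate to 31 bits,
    then keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, next_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check.

    `next_counter` is the counter value the server expects the token to use next.
    Counters below it are rejected (replay of an already-used code); counters up to
    `look_ahead` steps ahead are accepted, because a hardware token may have
    generated values that never reached the server. Returns the new `next_counter`
    to persist, or None if the code is invalid.
    """
    for c in range(next_counter, next_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, now: int, last_used_step: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side TOTP check.

    Accepts the current time step and up to `window` steps either side to tolerate
    clock drift, but never a step at or below `last_used_step`, so a code that was
    already accepted cannot be replayed during the rest of its validity window.
    Returns the matched step to persist as the new `last_used_step`, or None.
    """
    current = now // step
    for s in range(current - window, current + window + 1):
        if s <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, s, digits), submitted):
            return s
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                     # 755224 (RFC 4226)
    print("TOTP at t=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082 (RFC 6238)
    print("TOTP right now:", totp(RFC_SECRET, int(time.time())))
```

The two verification functions return the value the server must persist (the next HOTP counter, or the last accepted TOTP step); forgetting to store it is the usual way an OTP deployment becomes replayable. `hmac.compare_digest` keeps the comparison constant-time, and the secret never leaves the server after provisioning.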
OOB: Magic Links
• Send a one-time login token via email
• Tied to a user, functions like a password: store only a hash of it, expire it quickly, accept it once
• Can also use as a first factor
• Only as secure as your user's inbox

U2F
• Universal 2nd Factor
• Open standard from the FIDO Alliance (Fast Identity Online), an industry group established in 2013
• Built on asymmetric key pairs: the token signs a server-supplied challenge with a per-site private key that never leaves the device
• Supported by (almost) all major browsers

Mobile Push
• APNS - Apple Push Notification Service
• GCM - Google Cloud Messaging
• SNS - Amazon Simple Notification Service
• Submit a challenge to a mobile device to be signed and returned
• Can leverage a securely-stored private key on the device

Other Providers
• Auth0 - Magic links, SMS
• Authy - App
• Duo - App, 2FA
• Yubico - Hardware tokens

Keep in mind ...
• NIST's SMS deprecation is a recommendation, not a requirement
• Using SMS for 2FA is better than nothing
• SS7 is exploitable, but the exploits are difficult
• All of these 2FA providers offer SDKs - use them
• Never roll your own when it comes to auth - use a proven solution