Background • Tozny develops authentication and data security developer toolkits • Since 2013, but with backing from our parent company • Funded partly through gov't sponsorships and grants • Tekton (or "builder") at Tozny • I write PHP, JS, Go, Ruby, Java, Scala, C#... • I used to work full time with WordPress • Security Principles for PHP Applications
SS7 • Signaling System 7 • Developed in 1975 to manage switching and call setup between telephone networks • The protocol suite predates any notion of authenticating peers: every party with access to the SS7 network is trusted • With that access, an attacker can track a subscriber's movements; published attacks succeed roughly 70% of the time • Calls and SMS messages (including your OTP codes) can be redirected to third parties
NIST Discourages SMS • In 2016, the draft of SP 800-63B declared SMS as an out-of-band second factor "deprecated" • Later clarified who the guidance binds (federal agencies) and softened the wording to "restricted": agencies must offer a non-SMS alternative and warn users of the risk • As of the latest guidance, SMS is still allowed, just discouraged
TLDR - Don’t use SMS • The underlying infrastructure (SS7) is laughably insecure • Telecom providers are notorious for enabling identity theft: a SIM swap or number port at the carrier hands your phone number, and every code sent to it, to the attacker • Inter-telecom relationships can be fragile and/or unreliable, so codes arrive late or not at all • Often the device receiving the message is the same one logging in, so there is no 2 in 2FA at this point! • SMS is considered insecure for sensitive installations
OOB • OOB means “out of band” • Applies to more than just security • Imagine a speaker sending their presentation ahead of time • … or a courier delivering a package to an event venue for you • The point is to leverage multiple channels of communication • It’s hard for an attacker to compromise multiple channels simultaneously, so a second channel raises the cost of an attack
OOB: HOTP • HMAC-based One-Time Password (RFC 4226) • Leverages a shared secret key provisioned to both the server and the token • Uses a counter that increments after each OTP so every code is single-use; the server must track the counter and tolerate a small look-ahead window when the two sides drift apart • Can use a hardware or a software token
OOB: TOTP • Time-based One-Time Password (RFC 6238) • Fundamentally identical to HOTP • Uses the current time, divided into fixed steps (typically 30 seconds), as the counter, so both sides need reasonably synchronized clocks • Also available in hardware or software • There's a PHP library available ;-)
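To make the HOTP and TOTP slides concrete, here is an added example that is not from the talk or from any Tozny or third-party library: a minimal HOTP and TOTP in plain PHP, with a server-side verifier that tolerates one step of clock drift and uses a constant-time comparison. The secret "12345678901234567890" and the expected codes are the RFC 4226 / RFC 6238 SHA-1 test vectors, so the script checks itself when run. It exists to show the mechanism; in production, use a maintained library, as the slides say.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk or any Tozny library: minimal HOTP (RFC 4226)
// and TOTP (RFC 6238) using only PHP built-ins. Needs PHP >= 7.0 (intdiv, pack('J')).

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then "dynamic truncation".
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg    = pack('J', $counter);                    // 64-bit unsigned, big-endian
    $hmac   = hash_hmac('sha1', $msg, $secret, true); // raw 20-byte digest
    $offset = ord($hmac[19]) & 0x0F;                  // low nibble of last byte picks a 4-byte window
    $code   = ((ord($hmac[$offset])     & 0x7F) << 24) // mask the sign bit
            | ((ord($hmac[$offset + 1]) & 0xFF) << 16)
            | ((ord($hmac[$offset + 2]) & 0xFF) << 8)
            |  (ord($hmac[$offset + 3]) & 0xFF);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP: the counter is the number of $step-second intervals since the Unix epoch.
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

// Server-side check. Accepts the current step and $window steps either side to absorb
// clock drift; hash_equals() keeps the comparison constant-time. A real deployment must
// also record the last accepted step so the same code cannot be replayed inside the window.
function verifyTotp(string $secret, string $submitted, int $unixTime, int $window = 1, int $step = 30): bool
{
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($secret, $unixTime + $i * $step, $step), $submitted)) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 4226 / RFC 6238 SHA-1 test vectors (secret "12345678901234567890").
$secret = '12345678901234567890';
$checks = [
    'HOTP counter 0'        => hotp($secret, 0) === '755224',
    'HOTP counter 1'        => hotp($secret, 1) === '287082',
    'TOTP T=59, 8 digits'   => totp($secret, 59, 30, 8) === '94287082',
    'TOTP T=1111111109'     => totp($secret, 1111111109) === '081804',
    'TOTP one step of drift' => verifyTotp($secret, totp($secret, 1111111109), 1111111109 + 30),
    'TOTP malformed code'   => !verifyTotp($secret, '12345', 1111111109),
];
foreach ($checks as $name => $ok) {
    echo str_pad($name, 24), $ok ? 'OK' : 'FAIL', PHP_EOL;
}
```

The shared secret is raw bytes here; authenticator apps expect it Base32-encoded in the provisioning URI, which is the one extra step a real enrollment flow needs.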
OOB: Magic Links • Send a single-use login token to the user via email • Tied to a user, it functions like a short-lived password: generate it randomly, store only a hash of it, expire it quickly, and invalidate it on first use • Can also use as a first factor • Only as secure as your user’s inbox
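An added example, not from the talk, of the magic-link lifecycle the slide describes: the token comes from the OS CSPRNG, the server keeps only its SHA-256 hash, and redemption refuses anything expired, unknown or already used. The in-memory array and the example.com URL are constructed stand-ins for a database table and your real login route.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk: issuing and redeeming a magic-link token that is
// random, stored only as a hash, short-lived and single-use.

const MAGIC_LINK_TTL = 900; // seconds; keep it short, the link is only as safe as the inbox

/** @param array<string, array{user_id:int, expires:int, used:bool}> $store constructed stand-in for a DB table */
function issueMagicLink(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the OS CSPRNG, never derived from user data
    $store[hash('sha256', $token)] = [       // a leaked table must not contain usable links
        'user_id' => $userId,
        'expires' => $now + MAGIC_LINK_TTL,
        'used'    => false,
    ];
    return 'https://example.com/login/magic?token=' . $token; // hypothetical login route
}

/** Returns the user id, or null if the token is unknown, expired or already used. */
function redeemMagicLink(array &$store, string $token, int $now): ?int
{
    // Looking up by hash means the raw token is never compared byte-by-byte,
    // so an attacker learns nothing about partial matches from timing.
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $record = $store[$key];
    $store[$key]['used'] = true;             // burn it first, even if the checks below fail
    if ($record['used'] || $now > $record['expires']) {
        return null;
    }
    return $record['user_id'];
}

// Walk-through with a fixed clock so the expiry behaviour is visible.
$store = [];
$now   = 1700000000;
$link  = issueMagicLink($store, 42, $now);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
$token = $query['token'];

var_dump(redeemMagicLink($store, $token, $now + 60));                        // int(42): first use within TTL
var_dump(redeemMagicLink($store, $token, $now + 61));                        // NULL: second use is rejected
$late = issueMagicLink($store, 42, $now);
parse_str((string) parse_url($late, PHP_URL_QUERY), $q2);
var_dump(redeemMagicLink($store, $q2['token'], $now + MAGIC_LINK_TTL + 1)); // NULL: expired
var_dump(redeemMagicLink($store, 'not-a-real-token', $now));                 // NULL: unknown
```

Because email clients and link scanners sometimes prefetch URLs, a GET to the link should render a confirmation page and the actual redemption should happen on a POST; otherwise a scanner can burn the token before the user clicks it.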
U2F • Universal 2nd Factor • Open standard from the FIDO Alliance (Fast Identity Online), an industry group established in 2013 • Challenge-response built on asymmetric keys (ECDSA over P-256): the token signs a server challenge with a per-site private key that never leaves the device, so there is no shared secret to phish or leak • Supported by (almost) all major browsers
Mobile Push • APNS: Apple Push Notification Service • GCM: Google Cloud Messaging (since replaced by Firebase Cloud Messaging, FCM) • SNS: Amazon Simple Notification Service • Submit a challenge to a mobile device to be signed and returned • Can leverage a private key stored securely on the device (Secure Enclave, Android Keystore); the push service only delivers the challenge, the signature is what authenticates the user
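The signed-challenge exchange behind both the U2F and the Mobile Push slides, as an added example that is not from the talk and is not code from the APNS, GCM or SNS SDKs: both sides are simulated in one PHP process so the protocol is visible end to end. Enrollment registers the device's P-256 public key; login mints a random, short-lived challenge, the "device" signs it, and the server verifies the signature, consuming the challenge so it cannot be replayed. The device registry and pending-challenge table are constructed in-memory stand-ins.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk and not APNS/GCM/SNS SDK code: the challenge-response
// exchange that mobile push (and U2F) rely on, with both sides simulated in one process.
// The push service only transports the challenge; the device's signature is the proof.
// Needs PHP >= 7.1 with the openssl extension (EC key generation).

// Enrollment, done once: the device creates a P-256 key pair and registers the public half.
// On a real phone the private key is generated inside the Secure Enclave / Android Keystore
// and is not exportable; here it is an in-process key object for demonstration.
$deviceKey = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_EC,
    'curve_name'       => 'prime256v1',
]);
$registeredDevices = ['alice' => openssl_pkey_get_details($deviceKey)['key']]; // constructed stand-in for a DB table
$pendingChallenges = [];  // constructed stand-in: challenge => ['user' => ..., 'expires' => ...]

// Server: mint an unpredictable, short-lived challenge and push it to the enrolled device.
function createChallenge(array &$pending, string $user, int $now, int $ttl = 60): string
{
    $challenge = bin2hex(random_bytes(32));
    $pending[$challenge] = ['user' => $user, 'expires' => $now + $ttl];
    return $challenge;
}

// Device: sign the challenge with the private key. Real U2F and push SDKs also bind the
// signature to the origin/app ID and a usage counter; this keeps only the core step.
function deviceSign($privateKey, string $challenge): string
{
    $signature = '';
    if (!openssl_sign($challenge, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

// Server: the challenge is consumed on first sight (no replay), must be unexpired, and the
// signature must verify under the public key enrolled for that user.
function verifyResponse(array &$pending, array $devices, string $challenge, string $sigB64, int $now): bool
{
    if (!isset($pending[$challenge])) {
        return false;
    }
    $record = $pending[$challenge];
    unset($pending[$challenge]);               // single use, whether or not verification succeeds
    if ($now > $record['expires']) {
        return false;
    }
    $signature = base64_decode($sigB64, true);
    $publicKey = openssl_pkey_get_public($devices[$record['user']]);
    return $signature !== false
        && $publicKey !== false
        && openssl_verify($challenge, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// Walk-through with a fixed clock.
$now       = 1700000000;
$challenge = createChallenge($pendingChallenges, 'alice', $now);   // server -> push service -> phone
$response  = deviceSign($deviceKey, $challenge);                   // phone -> server

var_dump(verifyResponse($pendingChallenges, $registeredDevices, $challenge, $response, $now + 5));  // bool(true)
var_dump(verifyResponse($pendingChallenges, $registeredDevices, $challenge, $response, $now + 5));  // bool(false): replayed
$stale = createChallenge($pendingChallenges, 'alice', $now);
var_dump(verifyResponse($pendingChallenges, $registeredDevices, $stale, deviceSign($deviceKey, $stale), $now + 61)); // bool(false): expired
$otherKey = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
$fresh    = createChallenge($pendingChallenges, 'alice', $now);
var_dump(verifyResponse($pendingChallenges, $registeredDevices, $fresh, deviceSign($otherKey, $fresh), $now + 5)); // bool(false): wrong key
```

The property worth noticing is that nothing secret crosses the push channel: an attacker who can read every notification still cannot produce a valid response, which is exactly what SMS codes fail to provide.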
Keep in mind … • NIST’s SMS deprecation is a recommendation, not a requirement, unless you are a federal agency • Using SMS for 2FA is better than nothing • SS7 is exploitable, but the exploits require access to the SS7 network and are difficult to pull off • All of these 2FA providers offer SDKs - use them • Never roll your own when it comes to auth - use a proven solution