2FA, U2F, OOB, and Other Terrifying Security Acronyms

Transcript

1. 2FA, U2F, OOB, and Other Terrifying Security Acronyms Nomad PHP

   - February 2018

2. Background • Tozny develops authentication and data security developer toolkits

   • Since 2013, but with backing from our parent company • Funded partly through gov't sponsorships and grants • Tekton (or "builder") at Tozny • I write PHP, JS, Go, Ruby, Java, Scala, C#... • I used to work full time with WordPress • Security Principles for PHP Applications

3. SMS 2FA Horror Story

4. None

5. SS7 • Signaling System 7 • Developed in 1975 to

   manage phone network switching • The framework has several vulnerabilities • Anyone can track user movements with 70% success • Calls and messages can be forwarded to third parties

6. Why SMS 2FA is Insecure

7. Why SMS 2FA is Insecure

8. Why SMS 2FA is Insecure

9. Why SMS 2FA is Insecure

10. Why SMS 2FA is Insecure

11. NIST Discourages SMS • In 2016, announced that SMS was

    “deprecated” as a second factor • Later clarified who the deprecation was for • As of the latest guidance, SMS is still allowed, just discouraged

12. TLDR - Don’t use SMS • The underlying infrastructure is

    laughably insecure • Telecom providers are notorious for enabling identity theft • Inter-telecom relationships can be fragile and/or unreliable • Often the device receiving the message is the same one logging in • There is no 2 in 2FA at this point! • SMS is considered insecure for sensitive installations

13. So What Now?

14. 2FA Something you ARE Something you KNOW Something you HAVE

    —— MFA

15. OOB • OOB means “out of band” • Applies to

    more than just security • Imagine a speaker sending their presentation ahead of time • … or a courier delivering a package to an event venue for you • The point is to leverage multiple channels of communication • It’s hard to leverage exploits in multiple channels simultaneously

16. OOB: HOTP • HMAC-base One-Time Password • Leverages a shared

    secret key • Uses a counter to guarantee every OTP is unique • Can use a hardware or a software token

17. OOB: TOTP • Time-based One-Time Password • Fundamentally identical to

    HOTP • Uses a timestamp as a counter • Also available in hardware or software • There's a PHP library available ;-)

18. OOB: Magic Links • Send a one-time password token via

    email • Tied to a user, functions like a password • Can also use as a first factor • Only as secure as your user’s inbox

19. U2F • Universal Second (2) Factor • Open standard from

    the FIDO Alliance • Fast Identity Online • Industry group established in 2013 • Built on top of HMAC and asymmetric keys • Supported by (almost) all major browsers

20. Mobile Push: • APNS - Apple Push Notification Services •

    GCM - Google Cloud Messaging • SNS - Amazon Simple Notification Service • Submit a challenge to a mobile device to be signed and returned • Can leverage a securely-stored private key APNS, GCM, SNS

21. Other Providers • Auth0 - Magic links, SMS • Authy

    - App • Duo - App, 2FA • Yuibco - Hardware tokens

22. Keep in mind … • NIST’s SMS deprecation is a

    recommendation, not a requirement • Using SMS for 2FA is better than nothing • SS7 is exploitable, but the exploits are difficult • All of these 2FA providers offer SDKs - use them • Never roll your own when it comes to auth - use a proven solution

23. [email protected] (844) 628-2872 www.tozny.com THANK YOU!

24. Questions?