Implementing Multi-factor Auth (dotSecurity 2016)

Jacob Kaplan-Moss

April 22, 2016

Transcript

  1. Implementing
    multi-factor authentication
    Jacob Kaplan-Moss
    [email protected]
    Photo by Jordan Wiseman - https://unsplash.com/photos/AsQs1AziQD4

  2. @jacobian
    I MFA

  3. https://twofactorauth.org/

  4. “Oh, I need to add
    multi-factor auth.”

  5. Why “multi-factor”
    instead of “two-factor”?

  6. Why “multi-factor”
    instead of “two-factor”?
    Password
    IP address
    User-Agent
    User behavior
    User location
    “Challenges”
    ...

  7. “Possession factors”
    Photo by #WOCinTech/#WOCinTech Chat - https://flic.kr/p/EFQHok

  8. 1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
       a. MFA for public-facing services
       b. MFA for internal systems

  9. 1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
       a. MFA for public-facing services
       b. MFA for internal systems

  10. Possession factor options:
    1. Out-of-band communications
    2. Soft Tokens
    3. Hard Tokens

  11. Out-of-band
    communication
    e.g. phone calls, emails, SMS, …

  12. Soft tokens
    e.g. Google Authenticator,
    Authy, SecureAuth, RSA...

  13. Hard tokens
    e.g. U2F, RSA keys,
    YubiKeys, PIV cards, …
    Photo: https://www.flickr.com/photos/digitalart/2836613675/

  14. Criteria for comparing
    possession factors:
    1. Risks
    2. User Experience
    3. Cost

  15. Risks
    Can codes be intercepted? Re-used? Brute-forced?
    Would a token theft/re-use be noticed?
    How secure against malware is the factor?

  16. User Experience
    Multi-factor authentication is useless
    if your users won’t use it!

  17. Cost
    What’s the implementation cost?
    What’s the per-user cost?

  18. Comparison:

  19. Out-of-band communication:
    Risks
    - Communications can be intercepted
    - Users will set up forwarding schemes
    - Can be compromised by device malware
    - Delivery is usually to the same device being used
    UX
    - users are familiar with SMS
    - easy setup for users
    - re-uses devices users already have
    - typing codes is error-prone, not suitable for frequent auths
    - delays in delivery can cause timeouts, frustrating users
    Cost
    - Typically free for users.
    - Minimal delivery cost for providers (~ $0.01/message)

  20. Soft tokens
    Risks
    - Can be compromised by device malware.
    - Typically based around a shared secret, which can be silently stolen.
    - Time-based tokens are vulnerable to theft, brute-forcing, and re-use.
    - Delivery is usually to the same device being used.
    UX
    - re-uses devices users already have
    - relatively familiar (to experienced users, at least)
    - enrollment can be confusing (TOTP)
    - time skew on devices can make implementation difficult
    Cost
    - Free to users.
    - Provider costs range from free (e.g. TOTP) to several $/user.
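
The soft-token risks listed on this slide (brute-forcing, re-use, device time skew) are exactly what a server-side TOTP check has to handle. The Python below is an added example, not code from the talk: it implements RFC 6238 TOTP on top of RFC 4226 HOTP, tolerates one 30-second step of clock skew, refuses a code for any window that has already been accepted, and locks after repeated wrong codes. The secret is the RFC test key (a constructed value), and the class and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded
# as an authenticator app would receive it at enrollment. Never hard-code real secrets.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226); TOTP (RFC 6238) is HOTP with the counter set to the time step."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side TOTP check that tolerates clock skew but blocks re-use and brute force."""

    def __init__(self, secret_b32: str, step: int = 30, skew_steps: int = 1,
                 max_failures: int = 5) -> None:
        self.secret = secret_b32
        self.step = step
        self.skew_steps = skew_steps            # accept +/- this many time windows
        self.max_failures = max_failures
        self.last_used_step = -1                # highest window already accepted
        self.failures = 0                       # consecutive wrong codes

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if self.failures >= self.max_failures:
            return False                        # locked: require cool-down or reset
        current = int((time.time() if now is None else now) // self.step)
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_used_step:
                continue                        # window already consumed: this is re-use
            if hmac.compare_digest(hotp(self.secret, step).encode(), code.encode()):
                self.last_used_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False
```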

  21. Hard tokens
    Risks
    - “Master keys” can be stolen
    UX
    - “just press the button”; can be suitable for frequent auths
    - some tokens can also be used for encryption, signing
    - lost tokens can mean long lockouts
    - no real standards mean token proliferation
    Cost
    - At least $20 per user

  22. 1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
       a. MFA for public-facing services
       b. MFA for internal systems

  23. When should you require a
    possession factor?

  24. When should you require a
    possession factor?
    Good: upon every login

  25. When should you require a
    possession factor?
    Good: upon every login
    Better: ... and when performing sensitive actions

  26. When should you require a
    possession factor?
    Good: upon every login
    Better: ... and when performing sensitive actions
    Best: ... and based on behavioral analysis
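
One way to turn the Good / Better / Best policy above into a single decision function, using the IP address, User-Agent and location signals named on slide 6 as the behavioural input. This is an added Python example, not code from the talk; the list of sensitive actions, the 15-minute lifetime of a previous proof, and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed list of actions that deserve a fresh possession-factor check.
SENSITIVE_ACTIONS = {"change_password", "change_email", "add_payout_account", "disable_mfa"}
MAX_PROOF_AGE = 15 * 60   # seconds an earlier MFA proof still counts for a sensitive action


@dataclass
class Session:
    user: str
    mfa_verified_at: Optional[float] = None                # None: factor never checked yet
    known_devices: Set[str] = field(default_factory=set)   # "ip|user-agent|country" seen before


def fingerprint(ip: str, user_agent: str, country: str) -> str:
    return f"{ip}|{user_agent}|{country}"


def mfa_challenge_reason(session: Session, action: str, ip: str, user_agent: str,
                         country: str, now: float) -> Optional[str]:
    """Return why a possession factor is required for this request, or None if it is not."""
    if session.mfa_verified_at is None:
        return "login"                    # Good: upon every login
    if action in SENSITIVE_ACTIONS and now - session.mfa_verified_at > MAX_PROOF_AGE:
        return "sensitive-action"         # Better: sensitive action without a recent proof
    if fingerprint(ip, user_agent, country) not in session.known_devices:
        return "behavior-change"          # Best: new IP / User-Agent / location for this user
    return None


def record_mfa_success(session: Session, ip: str, user_agent: str, country: str,
                       now: float) -> None:
    """Call once the possession factor has been verified for this request."""
    session.mfa_verified_at = now
    session.known_devices.add(fingerprint(ip, user_agent, country))
```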

  27. How should we handle lost tokens?

  28. How should we handle lost tokens?
    Backup codes?

  29. How should we handle lost tokens?
    Backup codes? (users don’t save them)

  30. How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails?

  31. How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)

  32. How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”?

  33. How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”? (vulnerable to social engineering)

  34. How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”? (vulnerable to social engineering)
    “sorry; deal with it”?

  35. How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”? (vulnerable to social engineering)
    “sorry; deal with it”? (not very user-friendly)

  36. 1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
       a. MFA for public-facing services
       b. MFA for internal systems

  37. MFA for public-facing systems:
    Factor:
    Require MFA:
    Lost tokens:

  38. MFA for public-facing systems:
    Factor: Out-of-band communication, or good soft token implementation (Authy)
    Require MFA:
    Lost tokens:

  39. MFA for public-facing systems:
    Factor: Out-of-band communication, or good soft token implementation (Authy)
    Require MFA: at login, and when performing sensitive actions
    Lost tokens:

  40. MFA for public-facing systems:
    Factor: Out-of-band communication, or good soft token implementation (Authy)
    Require MFA: at login, and when performing sensitive actions
    Lost tokens: backup codes & phone/email backup; don’t allow support to reset MFA
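
The lost-token recommendation for public-facing systems leans on backup codes, which only help if they are random, stored as hashes rather than plaintext, usable exactly once, and not guessable online. The Python below is an added example, not code from the talk: it generates codes in a typo-resistant alphabet, keeps only peppered HMAC-SHA256 hashes, normalizes whatever the user types, consumes each code on first use and limits guesses. The pepper, the alphabet and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List

# Constructed server-side pepper; a real deployment loads it from a secrets store so that a
# leaked table of code hashes is useless on its own.
PEPPER = b"constructed-example-pepper"
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/o, 1/l/i lookalikes: users type these


def generate_backup_codes(count: int = 10) -> List[str]:
    """Random 'xxxx-xxxx' codes (about 40 bits each); show them once, then store hashes."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(4)) for _ in range(2))
            for _ in range(count)]


def hash_code(code: str) -> str:
    """Normalize what the user typed (case, dashes, spaces) and HMAC it with the pepper."""
    normalized = code.lower().replace("-", "").replace(" ", "")
    return hmac.new(PEPPER, normalized.encode(), hashlib.sha256).hexdigest()


class BackupCodeStore:
    """Per-user store holding only hashes; each code works exactly once."""

    def __init__(self, codes: List[str], max_failures: int = 5) -> None:
        self.unused = {hash_code(c) for c in codes}
        self.max_failures = max_failures
        self.failures = 0

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, code: str) -> bool:
        if self.failures >= self.max_failures:
            return False                     # locked: too many guesses at ~40-bit codes
        candidate = hash_code(code)
        match = None
        for stored in self.unused:           # check every entry so timing does not leak
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            self.failures += 1
            return False
        self.unused.discard(match)           # single use
        self.failures = 0
        return True
```

Support staff never get a "reset MFA" path here; exhausting the codes means the user falls back to the phone/email backup on the same slide.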

  41. MFA for internal systems:
    Factor:
    Require MFA:
    Lost tokens:

  42. MFA for internal systems:
    Factor: hard tokens (U2F or Yubikey)
    Require MFA:
    Lost tokens:

  43. MFA for internal systems:
    Factor: hard tokens (U2F or Yubikey)
    Require MFA: based on behavior analysis
    Lost tokens:

  44. MFA for internal systems:
    Factor: hard tokens (U2F or Yubikey)
    Require MFA: based on behavior analysis
    Lost tokens: until real-life identity verification

  45. “Oh, I need to add
    multi-factor auth.”

  46. “, I get to add
    multi-factor auth!”

  47. Thank you!
    [email protected]
    Photo by Hello Goodbye - https://unsplash.com/photos/uGtdjBMK28s

  48. Credits:
    Slide deck based on a template by Alice Bartlett:
    http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides.
    Font: Roboto, by Christian Robertson
    https://www.fontsquirrel.com/fonts/roboto.
    Photos by:
    - Unsplash, https://unsplash.com/
    - #WOCinTech/#WOCinTech Chat, http://www.wocintechchat.com/
    (see slides for individual credits).