Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA, WTF? at Identity and Security Meetup

Phil Nash
September 19, 2019
Programming
1
190

2FA, WTF? at Identity and Security Meetup

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be!

Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We'll take a look into generating one time passwords, implementing 2FA in web applications and the only real-life compelling use case for QR codes. Together, we'll make the web a more secure place.

Phil Nash

September 19, 2019
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
310
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
170
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
190
Better API DX with a CLI - APIdays Jakarta
philnash
0
270
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
140
Four steps from JavaScript to TypeScript
philnash
0
330
Fantastic passwords and where to find them - at NoRuKo
philnash
36
2.5k
The trouble with webhooks - at APIdays Singapore
philnash
0
220
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
310

Other Decks in Programming

See All in Programming
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
270
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
300
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
210
Front-end application development, Symfony-style(s)
dunglas
2
1.9k
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
250
Doctrine ORMでValue Objectを扱う方法4選 #phpstudy / 4 ways to handle Value Objects with Doctrine ORM
77web
4
110
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
180
Rails と人魚の話/rails-and-mermaid
sanfrecce_osaka
0
100
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
350
Folding Cheat Sheet #3
philipschwarz
PRO
0
110
Git Lint
bkuhlmann
4
740

Featured

See All Featured
Six Lessons from altMBA
skipperchong
19
3k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
34
8.8k
Typedesign – Prime Four
hannesfritz
36
2k
Clear Off the Table
cherdarchuk
82
310k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
8
8.3k
Fashionably flexible responsive web design (full day workshop)
malarkey
397
65k
What’s in a name? Adding method to the madness
productmarketing
PRO
15
2.6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
355
22k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
19
1.9k
Building Effective Engineering Teams - LeadDev
addyosmani
26
1.8k
GraphQLの誤解/rethinking-graphql
sonatard
49
9.2k
Debugging Ruby Performance
tmm1
69
11k

Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  5. None
  6. None
  7. None

  8. Phil Nash @philnash http:/ /philna.sh [email protected] @philnash

  9. 2FA, WTF?

  10. PART 1 THE HORRIFYING REALITY OF PASSWORD SECURITY

  11. None

  12. nash

  13. I WAS HACKED

  14. YOUR ACCOUNT IS ONLY AS SECURE AS YOUR WEAKEST PASSWORD

  15. MAT HONAN

  16. Mat Honan's Hackers' Timeline 1. Found Gmail address on his

    personal site 2. Entered address in Gmail and found his @me.com back up email 3. Called Amazon to add a credit card to file 4. Called Amazon again to reset password and got access 5. 4:33pm: called Apple to reset password 6. 4:50pm: reset AppleID password and gained access to email @philnash

  17. Mat Honan's Hackers' Timeline 7. 4:52pm: reset Gmail account password

    8. 5:01pm: wiped iPhone 9. 5:02pm: reset Twitter password 10. 5:05pm: wiped MacBook and deleted Google account 11. 5:12pm: posted to Twitter taking credit for the hack @philnash

  18. @MAT

  19. https:/ /twitter.com/TheTimeCowboy/status/287536855828795393 @philnash

  20. STRONGER PASSWORDS

  21. ARE HARDER TO REMEMBER

  22. REUSE

  23. ASHLEY MADISON

  24. TOP 5 PASSWORDS

  25. 5) 123456789

  26. 4) DEFAULT

  27. 3) password

  28. 2) 12345

  29. 1) 123456

  30. Ashley Madison Top 10 Passwords 1. 123456 - 120,511 users

    2. 12345 - 48,452 users 3. password - 39,448 users 4. DEFAULT - 34,275 users 5. 123456789 - 26,620 users 6. qwerty - 20,778 users 7. 12345678 - 14,172 users 8. abc123 - 10,869 users 9. NSFW - 10,683 users 10. 1234567 - 9,468 users Source: http:/ /qz.com/501073/the-top-100-passwords-on-ashley-madison/ @philnash

  31. MARK ZUCKERBURG

  32. dadada

  33. I WAS HACKED

  34. @philnash

  35. Compromised sites • Adobe • Yahoo • LinkedIn • Tumblr

    • MySpace • DropBox • Bitly • Disqus @philnash

  36. @philnash

  37. @philnash

  38. None

  39. YOUR USERS ARE ONLY AS SECURE AS THEIR WEAKEST PASSWORD

  40. PART 2 SMS, SS7, OTP, 2FA

  41. 2FA

  42. TWO FACTOR AUTHENTICATION

  43. Two Factor Authentication 2FA is a security process in which

    a user provides two different forms of identification in order to authenticate themself with a system. The two forms must come from different categories. Normally something you know and something you have. @philnash

  44. SMS, TOKENS, PUSH

  45. SMS

  46. 2FA import random random_num = random.randint(0, 999999) code = str(random_num).rjust(6,

    "0") user.login_code = code user.save() 01. 02. 03. 04. 05. 06. @philnash

  47. 2FA from twilio.rest import Client import os client = Client(os.environ['ACCOUNT_SID'],

    os.environ['AUTH_TOKEN']) message = client.messages.create( to=user.phone_number, from_=os.environ['PHONE_NUMBER'], body=f'Your login code is {code}') 01. 02. 03. 04. 05. 06. 07. 08. @philnash

  48. SMS: Pros Almost everyone in the world can receive SMS

    messages @philnash

  49. SMS: Cons Costs per message Requires signal SMS is broken

    @philnash

  50. PART 2.1 THE HORRIFYING REALITY OF SMS SECURITY

  51. SOCIAL ENGINEERING

  52. None

  53. IF YOU CAN ACCESS AN ACCOUNT WITH JUST ONE FACTOR

    IT'S NOT 2FA

  54. SS7

  55. 2FA OVER SMS IS STILL BETTER THAN JUST PASSWORDS

  56. TOKENS

  57. HOTP + TOTP

  58. @philnash

  59. HOTP HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF HOTP-Value = HOTP(K,C) mod

    10d @philnash

  60. DEMO

  61. https:/ /github.com/pyauth/pyotp @philnash

  62. SHARING SECRETS

  63. QR code otpauth:/ /TYPE/LABEL?PARAMETERS otpauth:/ /totp/2FAWTF:[email protected]? secret=JBSWY3DPEHPK3PXP&issuer=2FAWTF @philnash

  64. DEMO

  65. Tokens: Pros Free to use Works offline @philnash

  66. Tokens: Cons Requires a smart phone Needs backup codes to

    recover account QR codes can be intercepted @philnash

  67. PUSH

  68. None

  69. Push: Pros Much better user experience Most secure @philnash

  70. Push: Cons Requires a smart phone Requires a native app

    Requires more work on your web application Can't use offline @philnash

  71. https:/ /twitter.com/status_updates/status/656435611289653248 @philnash

  72. SUMMARY

  73. USERS ARE BAD WITH PASSWORDS

  74. OTHER WEBSITES ARE BAD WITH PASSWORDS

  75. 2FA CAN BE PUSH, TOKEN OR SMS

  76. 2FA IS FOR YOUR USERS

  77. None

  78. 2FA, WTF?

  79. 2FA, FTW!

  80. THANKS!

  81. None

  82. Thanks! @philnash http:/ /philna.sh [email protected] @philnash