2FA, WTF? at PyCon Singapore

Phil Nash
October 11, 2019

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be!

Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We'll take a look at generating one-time passwords, implementing 2FA in Python web applications, and the only compelling real-life use case for QR codes. Together, we'll make the web a more secure place.

---

Links:

2FA with Authy in Django: https://www.twilio.com/docs/authy/quickstart/two-factor-authentication-python-django
2FA with Authy in Flask: https://www.twilio.com/docs/authy/tutorials/two-factor-authentication-python-flask

PyOTP: https://github.com/pyauth/pyotp
Django OTP: https://github.com/django-otp/django-otp

Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  8. Phil Nash @philnash http://philna.sh philnash@twilio.com

  9. 2FA, WTF?

  10. PART 1 THE HORRIFYING REALITY OF PASSWORD SECURITY


  13. I WAS HACKED

  14. MAT HONAN

  15. Mat Honan's Hackers' Timeline
    1. Found Gmail address on his personal site
    2. Entered address in Gmail and found his @me.com backup email
    3. Called Amazon to add a credit card to file
    4. Called Amazon again to reset password and got access
    5. 4:33pm: called Apple to reset password
    6. 4:50pm: reset Apple ID password and gained access to email

  16. Mat Honan's Hackers' Timeline
    7. 4:52pm: reset Gmail account password
    8. 5:01pm: wiped iPhone
    9. 5:02pm: reset Twitter password
    10. 5:05pm: wiped MacBook and deleted Google account
    11. 5:12pm: posted to Twitter taking credit for the hack

  17. @MAT

  18. https://twitter.com/TheTimeCowboy/status/287536855828795393

  19. STRONGER PASSWORDS

  20. ARE HARDER TO REMEMBER

  21. REUSE

  22. ASHLEY MADISON

  23. TOP 5 PASSWORDS

  24. 5) 123456789

  25. 4) DEFAULT

  26. 3) password

  27. 2) 12345

  28. 1) 123456

  29. Ashley Madison Top 10 Passwords
    1. 123456 - 120,511 users
    2. 12345 - 48,452 users
    3. password - 39,448 users
    4. DEFAULT - 34,275 users
    5. 123456789 - 26,620 users
    6. qwerty - 20,778 users
    7. 12345678 - 14,172 users
    8. abc123 - 10,869 users
    9. NSFW - 10,683 users
    10. 1234567 - 9,468 users
    Source: http://qz.com/501073/the-top-100-passwords-on-ashley-madison/

  30. MARK ZUCKERBERG

  31. dadada

  32. I WAS HACKED

  34. Compromised sites
    • Adobe
    • Yahoo
    • LinkedIn
    • Tumblr
    • MySpace
    • DropBox
    • Bitly
    • Disqus

  38. YOUR USERS ARE ONLY AS SECURE AS THEIR WEAKEST PASSWORD

  39. PART 2 SMS, SS7, OTP, 2FA

  40. 2FA

  41. TWO FACTOR AUTHENTICATION

  42. Two Factor Authentication: 2FA is a security process in which a user provides two different forms of identification in order to authenticate themself with a system. The two forms must come from different categories, normally something you know and something you have.

  43. SMS, TOKENS, PUSH

  44. SMS

  45. 2FA
    import secrets  # login codes must come from a CSPRNG; the random module is predictable
    random_num = secrets.randbelow(1_000_000)  # 0..999999 from the OS CSPRNG
    code = str(random_num).rjust(6, "0")  # keep leading zeros: six digits
    user.login_code = code
    user.save()

  46. 2FA
    from twilio.rest import Client
    import os
    client = Client(os.environ['ACCOUNT_SID'], os.environ['AUTH_TOKEN'])
    message = client.messages.create(
        to=user.phone_number,
        from_=os.environ['PHONE_NUMBER'],
        body=f'Your login code is {code}')

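Slides 45 and 46 generate the SMS code and send it, but never show the check on the way back in, which is where a six-digit code is won or lost. As an added example (not code from the talk), here is a verification routine with an expiry, an attempt cap and a constant-time compare; the `User` class and the two limits are constructed stand-ins for the slides' `user` model and for whatever policy your app picks.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumed policy: five wrong guesses burn the code (the space is only 10^6)


@dataclass
class User:
    """Constructed stand-in for the slides' `user` model; a real app persists these fields."""
    phone_number: str
    login_code: str = ""
    login_code_issued_at: float = 0.0
    login_code_attempts: int = 0


def issue_login_code(user: User, now: float) -> str:
    """Slide 45's generator, drawing from the OS CSPRNG via `secrets`; returns the code to send by SMS."""
    code = str(secrets.randbelow(1_000_000)).rjust(6, "0")
    user.login_code = code
    user.login_code_issued_at = now
    user.login_code_attempts = 0
    return code


def verify_login_code(user: User, submitted: str, now: float) -> bool:
    """Second-factor check: expired, over-tried or mismatched codes fail; a correct code is single-use."""
    if not user.login_code or now - user.login_code_issued_at > CODE_TTL_SECONDS:
        return False
    if user.login_code_attempts >= MAX_ATTEMPTS:
        return False
    user.login_code_attempts += 1                           # charge the attempt before comparing
    if not hmac.compare_digest(user.login_code.encode(), submitted.strip().encode()):
        return False
    user.login_code = ""                                    # burn it: the same code must not log in twice
    return True
```

Persist the attempt counter alongside the code; a cap that lives only in process memory resets on every restart.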
  47. SMS: Pros
    • Almost everyone in the world can receive SMS messages

  48. SMS: Cons
    • Costs per message
    • Requires signal
    • SMS is broken

  49. PART 2.1 THE HORRIFYING REALITY OF SMS SECURITY

  50. SOCIAL ENGINEERING

  51. None
  52. IF YOU CAN ACCESS AN ACCOUNT WITH JUST ONE FACTOR, IT'S NOT 2FA

  53. SS7

  54. 2FA OVER SMS IS STILL BETTER THAN JUST PASSWORDS

  55. TOKENS

  56. HOTP + TOTP

  58. HOTP
    HOTP(K, C) = Truncate(HMAC(K, C)) & 0x7FFFFFFF
    HOTP-Value = HOTP(K, C) mod 10^d   (K = shared secret, C = counter, d = number of digits)

  59. DEMO

  60. https://github.com/pyauth/pyotp

  61. https://github.com/django-otp/django-otp

  62. SHARING SECRETS

  63. QR code
    otpauth://TYPE/LABEL?PARAMETERS
    otpauth://totp/2FAWTF:philnash@twilio.com?secret=JBSWY3DPEHPK3PXP&issuer=2FAWTF
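Slide 58 gives the HOTP formula and slide 63 the otpauth URI that the QR code carries; the added example below (not code from the talk, PyOTP or django-otp) implements both from the standard library so the pieces of the DEMO can be seen working: HOTP per RFC 4226, TOTP as HOTP over a time counter, a drift-tolerant verifier, and the enrolment URI built around the slide's demo secret. The secret `JBSWY3DPEHPK3PXP` is the one shown on the slide, not a real credential; the 30-second step and the one-step drift window are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote, urlencode

# The slide's demo secret (base32 "JBSWY3DPEHPK3PXP"); not a real credential.
PAGE_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) & 0x7FFFFFFF, then mod 10^d."""
    msg = struct.pack(">Q", counter)                       # C as an 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()     # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                                # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)          # keep leading zeros


def totp(secret: bytes, at: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238: TOTP is HOTP with C = floor(unix_time / step), so no counter needs syncing."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock drift; compare in constant time."""
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), candidate.encode())
               for d in range(-window, window + 1))


def otpauth_uri(secret: bytes, label: str, issuer: str) -> str:
    """otpauth://TYPE/LABEL?PARAMETERS, the string the enrolment QR code carries."""
    b32 = base64.b32encode(secret).decode().rstrip("=")   # authenticator apps expect unpadded base32
    params = urlencode({"secret": b32, "issuer": issuer})
    return f"otpauth://totp/{quote(label, safe=':@')}?{params}"


if __name__ == "__main__":
    print(otpauth_uri(PAGE_SECRET, "2FAWTF:philnash@twilio.com", "2FAWTF"))
    print("current code:", totp(PAGE_SECRET))
```

A window of one step means a code stays valid for up to 90 seconds; on the server, also record the last counter accepted per user so the same code cannot be replayed within that window.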

  64. DEMO

  65. Tokens: Pros
    • Free to use
    • Works offline

  66. Tokens: Cons
    • Requires a smart phone
    • Needs backup codes to recover account
    • QR codes can be intercepted

  67. PUSH

  69. Push: Pros
    • Much better user experience
    • Most secure

  70. Push: Cons
    • Requires a smart phone
    • Requires a native app
    • Requires more work on your web application
    • Can't use offline

  71. Implement 2FA with Authy
    https://twil.io/flask-2fa
    https://twil.io/django-2fa

  72. https://twitter.com/status_updates/status/656435611289653248

  73. SUMMARY

  74. USERS ARE BAD WITH PASSWORDS

  75. OTHER WEBSITES ARE BAD WITH PASSWORDS

  76. 2FA CAN BE PUSH, TOKEN OR SMS

  77. 2FA IS FOR YOUR USERS

  79. 2FA, WTF?

  80. 2FA, FTW!

  81. THANKS!

  82. Thanks! @philnash http://philna.sh philnash@twilio.com