Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA, WTF at Web Directions Summit 2017

Phil Nash
November 10, 2017
Programming
0
220

2FA, WTF at Web Directions Summit 2017

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be!

Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We'll take a look into generating one time passwords, implementing 2FA in web applications and the only real life compelling use case for QR codes. Together, we'll make the web a more secure place.

----

Links:

notp package: https://github.com/guyht/notp

Twilio Authy: https://www.twilio.com/two-factor-authentication

The Authy app: https://authy.com/

Top passwords 2015: https://www.teamsid.com/worst-passwords-2015/
Ashley Madison passwords: http://cynosureprime.blogspot.ie/2015/09/how-we-cracked-millions-of-ashley.html

Have I Been Pwned? - https://haveibeenpwned.com/

Deray Mckesson Hacked - https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/

How to hack Facebook with just a phone number - http://www.zdnet.com/article/how-to-hack-facebook-with-a-phone-number/

Phil Nash

November 10, 2017
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
310
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
180
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
190
Better API DX with a CLI - APIdays Jakarta
philnash
0
280
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
140
Four steps from JavaScript to TypeScript
philnash
0
330
Fantastic passwords and where to find them - at NoRuKo
philnash
37
2.5k
The trouble with webhooks - at APIdays Singapore
philnash
0
220
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
310

Other Decks in Programming

See All in Programming
デフォルトにして至高、RubyMineの大好きな所
ruzia
0
390
Hanami and htmx
bkuhlmann
0
210
Snowflakeで眠ったデータを起こそう!
estie
0
120
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
1
110
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
2
200
GitHub Copilotのススメ
marcy731
1
200
SIMD Parallel Programming with the Vector API
josepaumard
0
180
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
1
750
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
650
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Typedesign – Prime Four
hannesfritz
36
2.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Building Applications with DynamoDB
mza
88
5.6k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Faster Mobile Websites
deanohume
299
30k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k

Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  5. None
  6. None
  7. None

  8. Phil Nash @philnash http:/ /philna.sh [email protected] @philnash

  9. 2FA, WTF?

  10. PART 1 THE HORRIFYING REALITY OF PASSWORD SECURITY

  11. None

  12. nash

  13. I WAS HACKED

  14. YOUR ACCOUNT IS ONLY AS SECURE AS YOUR WEAKEST PASSWORD

  15. https:/ /twitter.com/TheTimeCowboy/status/287536855828795393 @philnash

  16. STRONGER PASSWORDS

  17. ARE HARDER TO REMEMBER

  18. REUSE

  19. ASHLEY MADISON

  20. TOP 5 PASSWORDS

  21. 5) 123456789

  22. 4) DEFAULT

  23. 3) password

  24. 2) 12345

  25. 1) 123456

  26. Ashley Madison Top 10 Passwords 1. 123456 - 120,511 users

    2. 12345 - 48,452 users 3. password - 39,448 users 4. DEFAULT - 34,275 users 5. 123456789 - 26,620 users 6. qwerty - 20,778 users 7. 12345678 - 14,172 users 8. abc123 - 10,869 users 9. NSFW - 10,683 users 10. 1234567 - 9,468 users Source: http:/ /qz.com/501073/the-top-100-passwords-on-ashley-madison/ @philnash

  27. MARK ZUCKERBURG

  28. dadada

  29. I WAS HACKED

  30. @philnash

  31. Compromised sites • Adobe • Yahoo • LinkedIn • Tumblr

    • MySpace • DropBox • Bitly • Disqus @philnash

  32. @philnash

  33. @philnash

  34. None

  35. YOUR USERS ARE ONLY AS SECURE AS THEIR WEAKEST PASSWORD

  36. PART 2 SMS, SS7, OTP, 2FA

  37. 2FA

  38. TWO FACTOR AUTHENTICATION

  39. Two Factor Authentication 2FA is a security process in which

    a user provides two different forms of identification in order to authenticate themself with a system. The two forms must come from different categories. Normally something you know and something you have. @philnash

  40. SMS, TOKENS, PUSH

  41. SMS

  42. 2FA const randomNum = Math.floor(Math.random() * 1000000); const code =

    randomNum.toString().padStart(6, "0"); user.update('loginCode', code); 01. 02. 03. @philnash

  43. 2FA const twilio = require('twilio'); const client = new twilio(config.accountSid,

    config.authToken); client.messages.create({ from: config.yourNumber, to: user.phoneNumber, body: `Your login code is ${code}` }); 01. 02. 03. 04. 05. 06. 07. @philnash

  44. SMS: Pros Almost everyone in the world can receive SMS

    messages @philnash

  45. SMS: Cons Costs per message Requires signal SMS is broken

    @philnash

  46. PART 2.1 THE HORRIFYING REALITY OF SMS SECURITY

  47. SOCIAL ENGINEERING

  48. None

  49. IF YOU CAN ACCESS AN ACCOUNT WITH JUST ONE FACTOR

    IT'S NOT 2FA

  50. SS7

  51. 2FA OVER SMS IS STILL BETTER THAN JUST PASSWORDS

  52. TOKENS

  53. HOTP + TOTP

  54. @philnash

  55. HOTP HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF HOTP-Value = HOTP(K,C) mod

    10d @philnash

  56. notp > const notp = require('notp'); > const hotp =

    notp.hotp; > hotp.gen('hello', { counter: 1 }) '825147' > hotp.gen('hello', { counter: 2 }) '676217' 01. 02. 03. 04. 05. 06. @philnash @philnash

  57. notp > hotp.verify('825147', 'hello', { counter: 1 }) { delta:

    0 } > hotp.verify('676217', 'hello', { counter: 1 }) { delta: 1 } 01. 02. 03. 04. @philnash @philnash

  58. notp > const totp = notp.totp; > totp.gen('hello') '748003' Some

    time later... > totp.gen('hello') '691780' 01. 02. 03. 01. 02. @philnash @philnash

  59. notp > totp.verify('748003', 'hello') { delta: 0 } Some time

    later... > totp.verify('748003', 'hello') { delta: -1 } 01. 02. 01. 02. @philnash @philnash

  60. https:/ /github.com/guyht/notp @philnash

  61. SHARING SECRETS

  62. QR code otpauth:/ /TYPE/LABEL?PARAMETERS otpauth:/ /totp/2FAWTF:[email protected]? secret=JBSWY3DPEHPK3PXP&issuer=2FAWTF @philnash

  63. Tokens: Pros Free to use Works offline @philnash

  64. Tokens: Cons Requires a smart phone Needs backup codes to

    recover account QR codes can be intercepted @philnash

  65. PUSH

  66. None

  67. Push: Pros Much better user experience Most secure @philnash

  68. Push: Cons Requires a smart phone Requires a native app

    Requires more work on your web application Can't use offline @philnash

  69. https:/ /twitter.com/status_updates/status/656435611289653248 @philnash

  70. SUMMARY

  71. USERS ARE BAD WITH PASSWORDS

  72. OTHER WEBSITES ARE BAD WITH PASSWORDS

  73. 2FA CAN BE PUSH, TOKEN OR SMS

  74. 2FA IS FOR YOUR USERS

  75. None

  76. 2FA, WTF?

  77. 2FA, FTW!

  78. THANKS!

  79. Thanks! @philnash http:/ /philna.sh [email protected] @philnash