
2FA, WTF at Web Directions Summit 2017

Phil Nash
November 10, 2017


Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be!

Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We'll take a look into generating one time passwords, implementing 2FA in web applications and the only real life compelling use case for QR codes. Together, we'll make the web a more secure place.

----

Links:

notp package: https://github.com/guyht/notp

Twilio Authy: https://www.twilio.com/two-factor-authentication

The Authy app: https://authy.com/

Top passwords 2015: https://www.teamsid.com/worst-passwords-2015/
Ashley Madison passwords: http://cynosureprime.blogspot.ie/2015/09/how-we-cracked-millions-of-ashley.html

Have I Been Pwned? - https://haveibeenpwned.com/

Deray Mckesson Hacked - https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/

How to hack Facebook with just a phone number - http://www.zdnet.com/article/how-to-hack-facebook-with-a-phone-number/


Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  8. Phil Nash @philnash http://philna.sh philnash@twilio.com @philnash

  9. 2FA, WTF?

  10. PART 1 THE HORRIFYING REALITY OF PASSWORD SECURITY

  12. nash

  13. I WAS HACKED

  14. YOUR ACCOUNT IS ONLY AS SECURE AS YOUR WEAKEST PASSWORD

  15. https://twitter.com/TheTimeCowboy/status/287536855828795393

  16. STRONGER PASSWORDS

  17. ARE HARDER TO REMEMBER

  18. REUSE

  19. ASHLEY MADISON

  20. TOP 5 PASSWORDS

  21. 5) 123456789

  22. 4) DEFAULT

  23. 3) password

  24. 2) 12345

  25. 1) 123456

  26. Ashley Madison Top 10 Passwords

        1. 123456 - 120,511 users
        2. 12345 - 48,452 users
        3. password - 39,448 users
        4. DEFAULT - 34,275 users
        5. 123456789 - 26,620 users
        6. qwerty - 20,778 users
        7. 12345678 - 14,172 users
        8. abc123 - 10,869 users
        9. NSFW - 10,683 users
        10. 1234567 - 9,468 users

      Source: http://qz.com/501073/the-top-100-passwords-on-ashley-madison/
  27. MARK ZUCKERBERG

  28. dadada

  29. I WAS HACKED


  31. Compromised sites

        • Adobe
        • Yahoo
        • LinkedIn
        • Tumblr
        • MySpace
        • DropBox
        • Bitly
        • Disqus

  35. YOUR USERS ARE ONLY AS SECURE AS THEIR WEAKEST PASSWORD

  36. PART 2 SMS, SS7, OTP, 2FA

  37. 2FA

  38. TWO FACTOR AUTHENTICATION

  39. Two Factor Authentication

      2FA is a security process in which a user provides two different forms of identification in order to authenticate themselves with a system. The two forms must come from different categories, normally something you know and something you have.
  40. SMS, TOKENS, PUSH

  41. SMS

  42. 2FA

        // Math.random() is not a cryptographic generator; crypto.randomInt() is the safer choice for login codes.
        const randomNum = Math.floor(Math.random() * 1000000);
        const code = randomNum.toString().padStart(6, "0");
        user.update('loginCode', code);

  43. 2FA

        const twilio = require('twilio');
        const client = new twilio(config.accountSid, config.authToken);
        client.messages.create({
          from: config.yourNumber,
          to: user.phoneNumber,
          body: `Your login code is ${code}`
        });
  44. SMS: Pros

        • Almost everyone in the world can receive SMS messages

  45. SMS: Cons

        • Costs per message
        • Requires signal
        • SMS is broken
  46. PART 2.1 THE HORRIFYING REALITY OF SMS SECURITY

  47. SOCIAL ENGINEERING

  49. IF YOU CAN ACCESS AN ACCOUNT WITH JUST ONE FACTOR, IT'S NOT 2FA
  50. SS7

  51. 2FA OVER SMS IS STILL BETTER THAN JUST PASSWORDS

  52. TOKENS

  53. HOTP + TOTP


  55. HOTP

      HOTP(K, C) = Truncate(HMAC(K, C)) & 0x7FFFFFFF
      HOTP-Value = HOTP(K, C) mod 10^d
  56. notp

      > const notp = require('notp');
      > const hotp = notp.hotp;
      > hotp.gen('hello', { counter: 1 })
      '825147'
      > hotp.gen('hello', { counter: 2 })
      '676217'

  57. notp

      > hotp.verify('825147', 'hello', { counter: 1 })
      { delta: 0 }
      > hotp.verify('676217', 'hello', { counter: 1 })
      { delta: 1 }

  58. notp

      > const totp = notp.totp;
      > totp.gen('hello')
      '748003'

      Some time later...

      > totp.gen('hello')
      '691780'

  59. notp

      > totp.verify('748003', 'hello')
      { delta: 0 }

      Some time later...

      > totp.verify('748003', 'hello')
      { delta: -1 }
  60. https://github.com/guyht/notp

  61. SHARING SECRETS

  62. QR code

      otpauth://TYPE/LABEL?PARAMETERS
      otpauth://totp/2FAWTF:philnash@twilio.com?secret=JBSWY3DPEHPK3PXP&issuer=2FAWTF
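The QR code on slide 62 is just this otpauth:// URI. As an added example (not the talk's code), here is a parser for that URI that decodes the base32 secret into the raw key bytes an authenticator app stores and feeds to HMAC; the defaults for algorithm, digits and period follow the Key Uri Format that authenticator apps use, and the sample URI is the one from the slide.

```javascript
// Added example (not from the talk): otpauth:// URI parsing and base32 secret decoding.
const B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// RFC 4648 base32 decode. Padding is optional because otpauth URIs usually omit it.
function base32Decode(text) {
  const clean = text.toUpperCase().replace(/=+$/, "");
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of clean) {
    const v = B32_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error(`invalid base32 character: ${ch}`);
    acc = (acc << 5) | v; // append 5 bits
    bits += 5;
    if (bits >= 8) {      // emit a byte once 8 bits are available
      bits -= 8;
      out.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return Buffer.from(out);
}

// otpauth://TYPE/LABEL?PARAMETERS, where LABEL is "issuer:account" (issuer optional).
// Key Uri Format defaults: SHA1, 6 digits, 30-second period.
function parseOtpauth(uri) {
  const u = new URL(uri);
  if (u.protocol !== "otpauth:") throw new Error("not an otpauth URI");
  const type = u.host.toLowerCase();
  if (type !== "totp" && type !== "hotp") throw new Error(`unsupported type: ${type}`);
  const label = decodeURIComponent(u.pathname.replace(/^\//, ""));
  const sep = label.indexOf(":");
  const account = sep < 0 ? label : label.slice(sep + 1).trim();
  const issuer = u.searchParams.get("issuer") || (sep < 0 ? null : label.slice(0, sep));
  const secretParam = u.searchParams.get("secret");
  if (!secretParam) throw new Error("missing secret");
  const result = {
    type, issuer, account,
    secret: base32Decode(secretParam), // raw bytes: the K in HMAC(K, C)
    algorithm: (u.searchParams.get("algorithm") || "SHA1").toUpperCase(),
    digits: Number(u.searchParams.get("digits") || 6),
  };
  if (type === "totp") result.period = Number(u.searchParams.get("period") || 30);
  else result.counter = Number(u.searchParams.get("counter") || 0);
  return result;
}

// Constructed input: the URI shown on the slide.
const SLIDE_URI = "otpauth://totp/2FAWTF:philnash@twilio.com?secret=JBSWY3DPEHPK3PXP&issuer=2FAWTF";
```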

  63. Tokens: Pros

        • Free to use
        • Works offline

  64. Tokens: Cons

        • Requires a smart phone
        • Needs backup codes to recover account
        • QR codes can be intercepted
  65. PUSH

  67. Push: Pros

        • Much better user experience
        • Most secure

  68. Push: Cons

        • Requires a smart phone
        • Requires a native app
        • Requires more work on your web application
        • Can't use offline

  69. https://twitter.com/status_updates/status/656435611289653248

  70. SUMMARY

  71. USERS ARE BAD WITH PASSWORDS

  72. OTHER WEBSITES ARE BAD WITH PASSWORDS

  73. 2FA CAN BE PUSH, TOKEN OR SMS

  74. 2FA IS FOR YOUR USERS

  76. 2FA, WTF?

  77. 2FA, FTW!

  78. THANKS!

  79. Thanks! @philnash http://philna.sh philnash@twilio.com