2FA, WTF at Web Directions Summit 2017

Phil Nash
November 10, 2017

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be!

Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We'll take a look into generating one time passwords, implementing 2FA in web applications and the only real life compelling use case for QR codes. Together, we'll make the web a more secure place.

----

Links:

notp package: https://github.com/guyht/notp

Twilio Authy: https://www.twilio.com/two-factor-authentication

The Authy app: https://authy.com/

Top passwords 2015: https://www.teamsid.com/worst-passwords-2015/

Ashley Madison passwords: http://cynosureprime.blogspot.ie/2015/09/how-we-cracked-millions-of-ashley.html

Have I Been Pwned?: https://haveibeenpwned.com/

Deray Mckesson hacked: https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/

How to hack Facebook with just a phone number: http://www.zdnet.com/article/how-to-hack-facebook-with-a-phone-number/

Transcript

  1. ARE

  2. Ashley Madison Top 10 Passwords
     1. 123456 - 120,511 users
     2. 12345 - 48,452 users
     3. password - 39,448 users
     4. DEFAULT - 34,275 users
     5. 123456789 - 26,620 users
     6. qwerty - 20,778 users
     7. 12345678 - 14,172 users
     8. abc123 - 10,869 users
     9. NSFW - 10,683 users
     10. 1234567 - 9,468 users
     Source: http://qz.com/501073/the-top-100-passwords-on-ashley-madison/

  3. Compromised sites
     • Adobe
     • Yahoo
     • LinkedIn
     • Tumblr
     • MySpace
     • DropBox
     • Bitly
     • Disqus
  4. 2FA

  5. Two Factor Authentication
     2FA is a security process in which a user provides two different forms of identification in order to authenticate themself with a system. The two forms must come from different categories. Normally something you know and something you have.

  6. SMS

  7. 2FA
     const randomNum = Math.floor(Math.random() * 1000000);
     const code = randomNum.toString().padStart(6, "0");
     user.update('loginCode', code);

  8. 2FA
     const twilio = require('twilio');
     const client = new twilio(config.accountSid, config.authToken);
     client.messages.create({
       from: config.yourNumber,
       to: user.phoneNumber,
       body: `Your login code is ${code}`
     });
  9. SS7

  10. notp
     > const notp = require('notp');
     > const hotp = notp.hotp;
     > hotp.gen('hello', { counter: 1 })
     '825147'
     > hotp.gen('hello', { counter: 2 })
     '676217'

  11. notp
     > hotp.verify('825147', 'hello', { counter: 1 })
     { delta: 0 }
     > hotp.verify('676217', 'hello', { counter: 1 })
     { delta: 1 }

  12. notp
     > const totp = notp.totp;
     > totp.gen('hello')
     '748003'
     Some time later...
     > totp.gen('hello')
     '691780'

  13. notp
     > totp.verify('748003', 'hello')
     { delta: 0 }
     Some time later...
     > totp.verify('748003', 'hello')
     { delta: -1 }
  14. Tokens: Cons
     Requires a smart phone
     Needs backup codes to recover account
     QR codes can be intercepted

  15. Push: Cons
     Requires a smart phone
     Requires a native app
     Requires more work on your web application
     Can't use offline