Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA, WTF? at WebCamp Zagreb

Phil Nash
October 29, 2016
Programming
1
570

2FA, WTF? at WebCamp Zagreb

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be! Don't worry, Phil is not trying to scare you (that much). You have plenty of safeguards against attempts on your applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

You will discover how to generate one-time passwords and implement 2FA in your applications, and hear the only real-life compelling use case for QR codes. Together, we'll make the web a more secure place.

----

Links:

notp package: https://github.com/guyht/notp

Authy: https://www.authy.com/developers/

Authy OneTouch: https://www.authy.com/product/options/#onetouch

Top passwords 2015: https://www.teamsid.com/worst-passwords-2015/
Ashley Madison passwords: http://cynosureprime.blogspot.ie/2015/09/how-we-cracked-millions-of-ashley.html

Have I Been Pwned? - https://haveibeenpwned.com/

Deray Mckesson Hacked - https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/

How to hack Facebook with just a phone number - http://www.zdnet.com/article/how-to-hack-facebook-with-a-phone-number/

Phil Nash

October 29, 2016
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
410
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
260
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
270
Better API DX with a CLI - APIdays Jakarta
philnash
0
340
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
200
Four steps from JavaScript to TypeScript
philnash
0
390
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The trouble with webhooks - at APIdays Singapore
philnash
0
290
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
430

Other Decks in Programming

See All in Programming
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
Quine, Polyglot, 良いコード
qnighy
4
640
Macとオーディオ再生 2024/11/02
yusukeito
0
370
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.7k
弊社の「意識チョット低いアーキテクチャ」10選
texmeijin
5
24k
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
Remix on Hono on Cloudflare Workers
yusukebe
1
280
Jakarta EE meets AI
ivargrimstad
0
530
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
330
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330

Featured

See All Featured
Designing for Performance
lara
604
68k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Statistics for Hackers
jakevdp
796
220k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Building Adaptive Systems
keathley
38
2.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Fireside Chat
paigeccino
34
3k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k

Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  5. None
  6. None
  7. None

  8. Phil Nash @philnash h p:/ /philna.sh [email protected]

  9. 2FA, WTF?

  10. TWO FACTOR AUTHENTICATION

  11. Two Factor Authen ca on 2FA is a security process

    in which a user provides two different forms of iden fica on in order to authen cate themself with a system. The two forms must come from different categories. Normally something you know and something you have.

  12. WHY?

  13. MAT HONAN

  14. Mat Honan's Hackers' Timeline 1.  Found Gmail address on his

    personal site 2.  Entered address in Gmail and found his @me.com back up email 3.  Called Amazon to add a credit card to file 4.  Called Amazon again to reset password and got access 5.  4:33pm: called Apple to reset password 6.  4:50pm: reset AppleID password and gained access to email

  15. Mat Honan's Hackers' Timeline 7.  4:52pm: reset Gmail account password

    8.  5:01pm: wiped iPhone 9.  5:02pm: reset Twi er password 10.  5:05pm: wiped MacBook and deleted Google account 11.  5:12pm: posted to Twi er taking credit for the hack

  16. @MAT

  17. WHY?

  18. None

  19. ASHLEY MADISON

  20. Ashley Madison Top 10 Passwords 1.  123456 2.  12345 3.

     password 4.  DEFAULT 5.  123456789 6.  qwerty 7.  12345678 8.  abc123 9.  NSFW 10.  1234567

  21. Ashley Madison Top 10 Passwords 1.  123456 ‐ 120,511 users

    2.  12345 ‐ 48,452 users 3.  password ‐ 39,448 users 4.  DEFAULT ‐ 34,275 users 5.  123456789 ‐ 26,620 users 6.  qwerty ‐ 20,778 users 7.  12345678 ‐ 14,172 users 8.  abc123 ‐ 10,869 users 9.  NSFW ‐ 10,683 users 10.  1234567 ‐ 9,468 users Source: h p:/ /qz.com/501073/the‐top‐100‐passwords‐on‐ashley‐madison/

  22. MARK ZUCKERBURG

  23. DADADA

  24. None

  25. HOW?

  26. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username and password 3.  User is logged in

  27. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  User is logged in

  28. SMS

  29. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username, password and phone number 3.  User is logged in

  30. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  Verifica on code sent to user by SMS 5.  User enters verifica on code 6.  System verifies code 7.  User is logged in

  31. PROS/CONS

  32. None
  33. None

  34. SOFT TOKEN

  35. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username, password 3.  Generate a secret for the user 4.  Share the secret somehow 5.  User is logged in

  36. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  User opens auth app 5.  User finds app verifica on code and enters on site 6.  System verifies code 7.  User is logged in

  37. SECRETS

  38. HOTP/TOTP

  39. HOTP HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF HOTP-Value = HOTP(K,C) mod

    10d

  40. TOTP

  41. DEMO

  42. h ps:/ /github.com/guyht/notp

  43. SHARING SECRETS

  44. QR code otpauth:/ /TYPE/LABEL?PARAMETERS otpauth:/ /totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

  45. None
  46. None

  47. PROS/CONS

  48. CAN IT BE BETTER?

  49. FRIENDS DON'T LET FRIENDS WRITE THEIR OWN AUTHENTICATION FRAMEWORKS

  50. FRIENDS DON'T LET FRIENDS WRITE THEIR OWN TWO FACTOR AUTHENTICATION

    FRAMEWORKS
  51. None

  52. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username, password and phone number 3.  System registers User with Authy 4.  User is logged in

  53. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  Authy prompts user 5.  User finds app verifica on code and enters on site 6.  System verifies code with Authy 7.  User is logged in

  54. THE FUTURE

  55. PUSH NOTIFICATIONS

  56. 0:00 / 0:21

  57. PROS/CONS

  58. SUMMARY

  59. USERS ARE BAD WITH PASSWORDS

  60. OTHER WEBSITES ARE BAD WITH PASSWORDS

  61. 2FA CAN BE PUSH, TOKEN OR SMS

  62. 2FA IS FOR YOUR USERS

  63. None

  64. THANKS!

  65. Thanks! @philnash h p:/ /philna.sh [email protected] h ps:/ /joind.in/talk/7b975