
2FA, WTF? at WebCamp Zagreb

Phil Nash
October 29, 2016

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be! Don't worry, Phil is not trying to scare you (that much). You have plenty of safeguards against attempts on your applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

You will discover how to generate one-time passwords and implement 2FA in your applications, and hear the only real-life compelling use case for QR codes. Together, we'll make the web a more secure place.

----

Links:

notp package: https://github.com/guyht/notp

Authy: https://www.authy.com/developers/

Authy OneTouch: https://www.authy.com/product/options/#onetouch

Top passwords 2015: https://www.teamsid.com/worst-passwords-2015/

Ashley Madison passwords: http://cynosureprime.blogspot.ie/2015/09/how-we-cracked-millions-of-ashley.html

Have I Been Pwned? - https://haveibeenpwned.com/

Deray Mckesson Hacked - https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/

How to hack Facebook with just a phone number - http://www.zdnet.com/article/how-to-hack-facebook-with-a-phone-number/

Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  8. Phil Nash
    @philnash
    http://philna.sh
    [email protected]

  9. 2FA, WTF?

  10. TWO FACTOR
    AUTHENTICATION

  11. Two Factor Authentication
    2FA is a security process in which a user provides
    two different forms of identification in order to
    authenticate themself with a system.
    The two forms must come from different categories.
    Normally something you know and something you
    have.

  12. WHY?

  13. MAT HONAN

  14. Mat Honan's Hackers' Timeline
    1.  Found Gmail address on his personal site
    2.  Entered address in Gmail and found his @me.com
    back up email
    3.  Called Amazon to add a credit card to file
    4.  Called Amazon again to reset password and got
    access
    5.  4:33pm: called Apple to reset password
    6.  4:50pm: reset AppleID password and gained access
    to email

  15. Mat Honan's Hackers' Timeline
    7.  4:52pm: reset Gmail account password
    8.  5:01pm: wiped iPhone
    9.  5:02pm: reset Twitter password
    10.  5:05pm: wiped MacBook and deleted Google
    account
    11.  5:12pm: posted to Twitter taking credit for the hack

  16. @MAT

  17. WHY?

  19. ASHLEY MADISON

  20. Ashley Madison Top 10 Passwords
    1.  123456
    2.  12345
    3.  password
    4.  DEFAULT
    5.  123456789
    6.  qwerty
    7.  12345678
    8.  abc123
    9.  NSFW
    10.  1234567

  21. Ashley Madison Top 10 Passwords
    1.  123456 - 120,511 users
    2.  12345 - 48,452 users
    3.  password - 39,448 users
    4.  DEFAULT - 34,275 users
    5.  123456789 - 26,620 users
    6.  qwerty - 20,778 users
    7.  12345678 - 14,172 users
    8.  abc123 - 10,869 users
    9.  NSFW - 10,683 users
    10.  1234567 - 9,468 users
    Source: http://qz.com/501073/the-top-100-passwords-on-ashley-madison/

  22. MARK ZUCKERBERG

  23. DADADA

  25. HOW?

  26. User Registration Flow
    1.  Visit registration page
    2.  Sign up with username and password
    3.  User is logged in

  27. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  User is logged in

  28. SMS

  29. User Registration Flow
    1.  Visit registration page
    2.  Sign up with username, password and phone
    number
    3.  User is logged in

  30. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  Verification code sent to user by SMS
    5.  User enters verification code
    6.  System verifies code
    7.  User is logged in

  31. PROS/CONS

  34. SOFT TOKEN

  35. User Registration Flow
    1.  Visit registration page
    2.  Sign up with username, password
    3.  Generate a secret for the user
    4.  Share the secret somehow
    5.  User is logged in

  36. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  User opens auth app
    5.  User finds app verification code and enters on site
    6.  System verifies code
    7.  User is logged in

  37. SECRETS

  38. HOTP/TOTP

  39. HOTP
    HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
    HOTP-Value = HOTP(K,C) mod 10^d

  40. TOTP

  41. DEMO

  42. https://github.com/guyht/notp

  43. SHARING
    SECRETS

  44. QR code
    otpauth://TYPE/LABEL?PARAMETERS
    otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

  47. PROS/CONS

  48. CAN IT BE
    BETTER?

  49. FRIENDS DON'T LET
    FRIENDS WRITE THEIR
    OWN AUTHENTICATION
    FRAMEWORKS

  50. FRIENDS DON'T LET
    FRIENDS WRITE THEIR
    OWN TWO FACTOR
    AUTHENTICATION
    FRAMEWORKS

  52. User Registration Flow
    1.  Visit registration page
    2.  Sign up with username, password and phone
    number
    3.  System registers User with Authy
    4.  User is logged in

  53. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  Authy prompts user
    5.  User finds app verification code and enters on site
    6.  System verifies code with Authy
    7.  User is logged in

  54. THE FUTURE

  55. PUSH
    NOTIFICATIONS

  57. PROS/CONS

  58. SUMMARY

  59. USERS ARE
    BAD WITH
    PASSWORDS

  60. OTHER
    WEBSITES ARE
    BAD WITH
    PASSWORDS

  61. 2FA CAN BE
    PUSH, TOKEN
    OR SMS

  62. 2FA IS FOR
    YOUR USERS

  64. THANKS!

  65. Thanks!
    @philnash
    http://philna.sh
    [email protected]
    https://joind.in/talk/7b975