$30 off During Our Annual Pro Sale. View Details »

2FA, WTF? at WebCamp Zagreb

Phil Nash
October 29, 2016
Programming
1
430

2FA, WTF? at WebCamp Zagreb

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be! Don't worry, Phil is not trying to scare you (that much). You have plenty of safeguards against attempts on your applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

You will discover how to generate one-time passwords and implement 2FA in your applications, and hear the only real-life compelling use case for QR codes. Together, we'll make the web a more secure place.

----

Links:

notp package: https://github.com/guyht/notp

Authy: https://www.authy.com/developers/

Authy OneTouch: https://www.authy.com/product/options/#onetouch

Top passwords 2015: https://www.teamsid.com/worst-passwords-2015/
Ashley Madison passwords: http://cynosureprime.blogspot.ie/2015/09/how-we-cracked-millions-of-ashley.html

Have I Been Pwned? - https://haveibeenpwned.com/

Deray Mckesson Hacked - https://techcrunch.com/2016/06/10/how-activist-deray-mckessons-twitter-account-was-hacked/

How to hack Facebook with just a phone number - http://www.zdnet.com/article/how-to-hack-facebook-with-a-phone-number/

Phil Nash

October 29, 2016
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
260
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
130
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
150
Better API DX with a CLI - APIdays Jakarta
philnash
0
240
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
110
Four steps from JavaScript to TypeScript
philnash
0
300
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
The trouble with webhooks - at APIdays Singapore
philnash
0
190
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
250

Other Decks in Programming

See All in Programming
緊急SOS!KubernetesのCompletedな10万Jobぜんぶ消す
tk3fftk
3
400
Hono v3 and v4
yusukebe
4
2.7k
Using AI in Software Design: How ChatGPT Can Help With Creating a Solution Architecture
rdmueller
0
190
RP2040のPIOを使う話/KernelVM Hokuriku 6
tnishinaga
0
100
우리모두 삽질한다
pluu
0
230
クソアプリを作ってみた💩 / kusojaku
uhooi
0
190
10年モノのAndroidアプリのコード品質を改善していく、3つの取り組み
okuzawats
0
680
Firebase Hostingを使ってPasskeyをandroidアプリで試してみよう
ryunen344
1
280
進化したWeb技術でPWAをネイティブアプリに近づける / frontend-conf-2023
yuhei_fujita
6
2.7k
WantedlyでFeature Storeを導入する際に考えたこと
zerebom
1
420
DRIVE CHARTのMLOpsを体感しよう
mot_techtalk
1
150
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
1k

Featured

See All Featured
Robots, Beer and Maslow
schacon
154
7.7k
BBQ
matthewcrist
76
8.5k
Statistics for Hackers
jakevdp
788
220k
Music & Morning Musume
bryan
38
5.2k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k
YesSQL, Process and Tooling at Scale
rocio
160
13k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Building Better People: How to give real-time feedback that sticks.
wjessup
349
18k

Transcript

  1. 2FA, WTF?

    View Slide

  2. HACKERS

    View Slide

  3. ARE

    View Slide

  4. EVERYWHERE

    View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. Phil Nash
    @philnash
    h p:/
    /philna.sh
    [email protected]

    View Slide

  9. 2FA, WTF?

    View Slide

  10. TWO FACTOR
    AUTHENTICATION

    View Slide

  11. Two Factor Authen ca on
    2FA is a security process in which a user provides
    two different forms of iden fica on in order to
    authen cate themself with a system.
    The two forms must come from different categories.
    Normally something you know and something you
    have.

    View Slide

  12. WHY?

    View Slide

  13. MAT HONAN

    View Slide

  14. Mat Honan's Hackers' Timeline
    1.  Found Gmail address on his personal site
    2.  Entered address in Gmail and found his @me.com
    back up email
    3.  Called Amazon to add a credit card to file
    4.  Called Amazon again to reset password and got
    access
    5.  4:33pm: called Apple to reset password
    6.  4:50pm: reset AppleID password and gained access
    to email

    View Slide

  15. Mat Honan's Hackers' Timeline
    7.  4:52pm: reset Gmail account password
    8.  5:01pm: wiped iPhone
    9.  5:02pm: reset Twi er password
    10.  5:05pm: wiped MacBook and deleted Google
    account
    11.  5:12pm: posted to Twi er taking credit for the hack

    View Slide

  16. @MAT

    View Slide

  17. WHY?

    View Slide

  18. View Slide

  19. ASHLEY MADISON

    View Slide

  20. Ashley Madison Top 10 Passwords
    1.  123456
    2.  12345
    3.  password
    4.  DEFAULT
    5.  123456789
    6.  qwerty
    7.  12345678
    8.  abc123
    9.  NSFW
    10.  1234567

    View Slide

  21. Ashley Madison Top 10 Passwords
    1.  123456 ‐ 120,511 users
    2.  12345 ‐ 48,452 users
    3.  password ‐ 39,448 users
    4.  DEFAULT ‐ 34,275 users
    5.  123456789 ‐ 26,620 users
    6.  qwerty ‐ 20,778 users
    7.  12345678 ‐ 14,172 users
    8.  abc123 ‐ 10,869 users
    9.  NSFW ‐ 10,683 users
    10.  1234567 ‐ 9,468 users
    Source: h p:/
    /qz.com/501073/the‐top‐100‐passwords‐on‐ashley‐madison/

    View Slide

  22. MARK ZUCKERBURG

    View Slide

  23. DADADA

    View Slide

  24. View Slide

  25. HOW?

    View Slide

  26. User Registra on Flow
    1.  Visit registra on page
    2.  Sign up with username and password
    3.  User is logged in

    View Slide

  27. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  User is logged in

    View Slide

  28. SMS

    View Slide

  29. User Registra on Flow
    1.  Visit registra on page
    2.  Sign up with username, password and phone
    number
    3.  User is logged in

    View Slide

  30. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  Verifica on code sent to user by SMS
    5.  User enters verifica on code
    6.  System verifies code
    7.  User is logged in

    View Slide

  31. PROS/CONS

    View Slide

  32. View Slide

  33. View Slide

  34. SOFT TOKEN

    View Slide

  35. User Registra on Flow
    1.  Visit registra on page
    2.  Sign up with username, password
    3.  Generate a secret for the user
    4.  Share the secret somehow
    5.  User is logged in

    View Slide

  36. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  User opens auth app
    5.  User finds app verifica on code and enters on site
    6.  System verifies code
    7.  User is logged in

    View Slide

  37. SECRETS

    View Slide

  38. HOTP/TOTP

    View Slide

  39. HOTP
    HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
    HOTP-Value = HOTP(K,C) mod 10d

    View Slide

  40. TOTP

    View Slide

  41. DEMO

    View Slide

  42. h ps:/
    /github.com/guyht/notp

    View Slide

  43. SHARING
    SECRETS

    View Slide

  44. QR code
    otpauth:/
    /TYPE/LABEL?PARAMETERS
    otpauth:/
    /totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

    View Slide

  45. View Slide

  46. View Slide

  47. PROS/CONS

    View Slide

  48. CAN IT BE
    BETTER?

    View Slide

  49. FRIENDS DON'T LET
    FRIENDS WRITE THEIR
    OWN AUTHENTICATION
    FRAMEWORKS

    View Slide

  50. FRIENDS DON'T LET
    FRIENDS WRITE THEIR
    OWN TWO FACTOR
    AUTHENTICATION
    FRAMEWORKS

    View Slide

  51. View Slide

  52. User Registra on Flow
    1.  Visit registra on page
    2.  Sign up with username, password and phone
    number
    3.  System registers User with Authy
    4.  User is logged in

    View Slide

  53. User Log In Flow
    1.  Visit login page
    2.  Enter username and password
    3.  System verifies details
    4.  Authy prompts user
    5.  User finds app verifica on code and enters on site
    6.  System verifies code with Authy
    7.  User is logged in

    View Slide

  54. THE FUTURE

    View Slide

  55. PUSH
    NOTIFICATIONS

    View Slide

  56. 0:00 / 0:21

    View Slide

  57. PROS/CONS

    View Slide

  58. SUMMARY

    View Slide

  59. USERS ARE
    BAD WITH
    PASSWORDS

    View Slide

  60. OTHER
    WEBSITES ARE
    BAD WITH
    PASSWORDS

    View Slide

  61. 2FA CAN BE
    PUSH, TOKEN
    OR SMS

    View Slide

  62. 2FA IS FOR
    YOUR USERS

    View Slide

  63. View Slide

  64. THANKS!

    View Slide

  65. Thanks!
    @philnash
    h p:/
    /philna.sh
    [email protected]
    h ps:/
    /joind.in/talk/7b975

    View Slide