Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA, WTF? (Rails Israel 2015)

8ec1383b240b5ba15ffb9743fceb3c0e?s=47 Phil Nash
November 25, 2015

2FA, WTF? (Rails Israel 2015)

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be!

Don't worry, I'm not trying to scare you (that much). We have plenty of safeguards against attempts on our applications' user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We'll take a look into generating one time passwords in Ruby, implementing 2FA in Rails applications and the only real life compelling use case for QR codes. Together, we'll make the web a more secure place.

Links:

https://github.com/mdp/rotp

https://www.authy.com/developers/
https://www.twilio.com/authy

8ec1383b240b5ba15ffb9743fceb3c0e?s=128

Phil Nash

November 25, 2015
Tweet

Transcript

  1. 2FA, WTF?

  2. HACKERS

  3. ARE

  4. EVERYWHERE

  5. None
  6. None
  7. None
  8. Phil Nash @philnash h p:/ /philna.sh philnash@twilio.com

  9. 2FA, WTF?

  10. TWO FACTOR AUTHENTICATION

  11. Two Factor Authen ca on 2FA is a security process

    in which a user provides two different forms of iden fica on in order to authen cate themself with a system. The two forms must come from different categories. Normally something you know and something you have.
  12. WHY?

  13. MAT HONAN

  14. Mat Honan's Hackers' Timeline 1.  Found Gmail address on his

    personal site 2.  Entered address in Gmail and found his @me.com back up email 3.  Called Amazon to add a credit card to file 4.  Called Amazon again to reset password and got access 5.  4:33pm: called Apple to reset password 6.  4:50pm: reset AppleID password and gained access to email
  15. Mat Honan's Hackers' Timeline 7.  4:52pm: reset Gmail account password

    8.  5:01pm: wiped iPhone 9.  5:02pm: reset Twi er password 10.  5:05pm: wiped MacBook and deleted Google account 11.  5:12pm: posted to Twi er taking credit for the hack
  16. @MAT

  17. WHY?

  18. None
  19. ASHLEY MADISON

  20. Ashley Madison Top 10 Passwords 1.  123456 2.  12345 3.

     password 4.  DEFAULT 5.  123456789 6.  qwerty 7.  12345678 8.  abc123 9.  NSFW 10.  1234567
  21. Ashley Madison Top 10 Passwords 1.  123456 ‐ 120,511 users

    2.  12345 ‐ 48,452 users 3.  password ‐ 39,448 users 4.  DEFAULT ‐ 34,275 users 5.  123456789 ‐ 26,620 users 6.  qwerty ‐ 20,778 users 7.  12345678 ‐ 14,172 users 8.  abc123 ‐ 10,869 users 9.  NSFW ‐ 10,683 users 10.  1234567 ‐ 9,468 users Source: h p:/ /qz.com/501073/the‐top‐100‐passwords‐on‐ashley‐madison/
  22. None
  23. HOW?

  24. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username and password 3.  User is logged in
  25. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  User is logged in
  26. SMS

  27. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username, password and phone nunber 3.  User is logged in
  28. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  Verifica on code sent to user by SMS 5.  User enters verifica on code 6.  System verifies code 7.  User is logged in
  29. PROS/CONS

  30. SOFT TOKEN

  31. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username, password 3.  Generate a secret for the user 4.  Share the secret somehow 5.  User is logged in
  32. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  User opens auth app 5.  User finds app verifica on code and enters on site 6.  System verifies code 7.  User is logged in
  33. SECRETS

  34. HOTP/TOTP

  35. HOTP H O T P ( K , C )

    = T r u n c a t e ( H M A C ( K , C ) ) & 0 x 7 F F F F F F F H O T P - V a l u e = H O T P ( K , C ) m o d 1 0 d
  36. d e f g e n e r a t

    e _ o t p ( i n p u t , p a d d e d = t r u e ) h m a c = O p e n S S L : : H M A C . d i g e s t ( O p e n S S L : : D i g e s t . n e w ( d i g e s t ) , b y t e _ s e c r e t , i n t _ t o _ b y t e s t r i n g ( i n p u t ) )
  37. o f f s e t = h m a

    c [ - 1 ] . o r d & 0 x f c o d e = ( h m a c [ o f f s e t ] . o r d & 0 x 7 f ) < < 2 4 | ( h m a c [ o f f s e t + 1 ] . o r d & 0 x f f ) < < 1 6 | ( h m a c [ o f f s e t + 2 ] . o r d & 0 x f f ) < < 8 | ( h m a c [ o f f s e t + 3 ] . o r d & 0 x f f )
  38. i f p a d d e d ( c

    o d e % 1 0 * * d i g i t s ) . t o _ s . r j u s t ( d i g i t s , ' 0 ' ) e l s e c o d e % 1 0 * * d i g i t s e n d e n d h ps:/ /github.com/mdp/rotp
  39. TOTP

  40. DEMO

  41. SHARING SECRETS

  42. QR code otpauth:/ /TYPE/LABEL?PARAMETERS otpauth:/ /totp/Example:philnash@twilio.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

  43. None
  44. PROS/CONS

  45. CAN IT BE BETTER?

  46. FRIENDS DON'T LET FRIENDS WRITE THEIR OWN AUTHENTICATION FRAMEWORKS

  47. FRIENDS DON'T LET FRIENDS WRITE THEIR OWN TWO FACTOR AUTHENTICATION

    FRAMEWORKS
  48. None
  49. User Registra on Flow 1.  Visit registra on page 2.

     Sign up with username, password and phone nunber 3.  System registers User with Authy 4.  User is logged in
  50. User Log In Flow 1.  Visit login page 2.  Enter

    username and password 3.  System verifies details 4.  Authy prompts user 5.  User finds app verifica on code and enters on site 6.  System verifies code with Authy 7.  User is logged in
  51. THE FUTURE

  52. PUSH NOTIFICATIONS

  53. None
  54. PROS/CONS

  55. SUMMARY

  56. USERS ARE BAD WITH PASSWORDS

  57. OTHER WEBSITES ARE BAD WITH PASSWORDS

  58. 2FA CAN BE PUSH, TOKEN OR SMS

  59. 2FA IS FOR YOUR USERS

  60. None
  61. THANKS!

  62. None
  63. Help me! On a scale of 0 to 10, how

    likely is it that you would recommend this talk to a friend or colleague? 052‐628‐0335 (+972‐52‐628‐0335)
  64. Thanks! @philnash h p:/ /philna.sh philnash@twilio.com On a scale of

    0 to 10, how likely is it that you would recommend this talk to a friend or colleague? (+972) 052‐628‐0335