Slide 1

Slide 1 text

Implementing multi-factor authentication
Jacob Kaplan-Moss, [email protected]
Photo by Jordan Wiseman - https://unsplash.com/photos/AsQs1AziQD4

Slide 2

Slide 2 text

@jacobian I ♥ MFA

Slide 3

Slide 3 text

https://twofactorauth.org/

Slide 5

Slide 5 text

“Oh, I need to add multi-factor auth.”

Slide 6

Slide 6 text

Why “multi-factor” instead of “two-factor”?

Slide 7

Slide 7 text

Why “multi-factor” instead of “two-factor”? Because a login decision can draw on more than two things:
- Password
- IP address
- User-Agent
- User behavior
- User location
- “Challenges”
- ...

Slide 8

Slide 8 text

“Possession factors”
Photo by #WOCinTech/#WOCinTech Chat - https://flic.kr/p/EFQHok

Slide 9

Slide 9 text

1. Possession factor options
2. Implementation questions
3. Two recommendations:
   a. MFA for public-facing services
   b. MFA for internal systems

Slide 11

Slide 11 text

Possession factor options:
1. Out-of-band communications
2. Soft tokens
3. Hard tokens

Slide 12

Slide 12 text

Out-of-band communication, e.g. phone calls, emails, SMS, …

Slide 13

Slide 13 text

Soft tokens, e.g. Google Authenticator, Authy, SecureAuth, RSA...

Slide 14

Slide 14 text

Hard tokens, e.g. U2F keys, RSA SecurID tokens, YubiKeys, PIV cards, …
Photo: https://www.flickr.com/photos/digitalart/2836613675/

Slide 15

Slide 15 text

Criteria for comparing possession factors:
1. Risks
2. User experience
3. Cost

Slide 16

Slide 16 text

Risks
- Can codes be intercepted? Re-used (replayed)? Brute-forced?
- Would theft or re-use of a token be noticed?
- How well does the factor resist malware on the user's device?

Slide 17

Slide 17 text

User experience: multi-factor authentication is useless if your users won't use it!

Slide 18

Slide 18 text

Cost
- What's the implementation cost?
- What's the per-user cost?

Slide 19

Slide 19 text

Comparison:

Slide 20

Slide 20 text

Out-of-band communication

Risks
- Communications can be intercepted (SMS through SS7 or a SIM swap, email through a compromised mailbox)
- Users will set up forwarding schemes (SMS or mail forwarding to another account), so the code ends up somewhere you never vetted
- Can be compromised by device malware
- Delivery is usually to the same device being used, so the channel is not truly out of band

UX
- Users are familiar with SMS
- Easy setup for users
- Re-uses devices users already have
- Typing codes is error-prone and not suitable for frequent auths
- Delays in delivery can cause timeouts, frustrating users

Cost
- Typically free for users
- Minimal delivery cost for providers (~ $0.01/message)

Slide 21

Slide 21 text

Soft tokens

Risks
- Can be compromised by device malware
- Typically based around a shared secret (the TOTP seed), which can be silently stolen from the device or from the server-side database and cloned without the user noticing
- Time-based codes are vulnerable to theft, brute-forcing, and re-use: a code stays valid for the whole time step plus whatever skew the server tolerates, so a phished code can be replayed inside that window, and a 6-digit code falls to online guessing unless attempts are rate-limited
- Delivery is usually to the same device being used

UX
- Re-uses devices users already have
- Relatively familiar (to experienced users, at least)
- Enrollment can be confusing (TOTP: scanning a QR code or hand-typing a base32 secret)
- Time skew on devices can make implementation difficult

Cost
- Free to users
- Provider costs range from free (e.g. TOTP) to several $/user

Slide 22

Slide 22 text

Hard tokens

Risks
- “Master keys” can be stolen: for shared-secret tokens the vendor holds the seed material, and a breach there (as with RSA SecurID in 2011) compromises every token derived from it

UX
- “Just press the button”; can be suitable for frequent auths
- Some tokens can also be used for encryption and signing
- Lost tokens can mean long lockouts
- No real standards mean token proliferation: users end up with one token per service (U2F is designed to fix this by letting a single key register with many sites)

Cost
- At least $20 per user

Slide 23

Slide 23 text

1. Possession factor options
2. Implementation questions
3. Two recommendations:
   a. MFA for public-facing services
   b. MFA for internal systems

Slide 28

Slide 28 text

When should you require a possession factor?
- Good: upon every login
- Better: ... and when performing sensitive actions
- Best: ... and based on behavioral analysis (e.g. a login from a new device, network or location)
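As an added example (not from the talk), here is one way to encode the Good/Better/Best ladder as a single policy decision a request handler calls before each action. The session fields, the set of sensitive actions, the ten-minute freshness window and the two behavioral signals used (IP address and User-Agent, both of which slide 7 lists among the available signals) are illustrative assumptions.

```python
# Added example (not from the talk): step-up policy for when a session must
# (re)present its possession factor. Field names, the sensitive-action set,
# the freshness window and the behavioral signals are illustrative choices.
from dataclasses import dataclass
from typing import Optional

SENSITIVE_ACTIONS = {"change_password", "change_email", "add_ssh_key", "export_data"}
STEP_UP_MAX_AGE = 10 * 60   # seconds a possession-factor check stays fresh for sensitive actions


@dataclass
class Session:
    user_id: str
    ip: str
    user_agent: str
    mfa_verified_at: Optional[int] = None   # unix time of the last possession-factor check


@dataclass
class Request:
    action: str
    ip: str
    user_agent: str
    now: int


def possession_factor_required(session: Session, req: Request) -> Optional[str]:
    """Return the reason the possession factor must be checked before
    `req.action`, or None if the session may proceed as-is."""
    # Good: every login needs the factor; a session that never passed it gets nothing.
    if session.mfa_verified_at is None:
        return "login"
    # Best: behavioral signals. The client has moved to another network or
    # user agent since the factor was last checked, so re-bind it first.
    if req.ip != session.ip:
        return "ip-changed"
    if req.user_agent != session.user_agent:
        return "user-agent-changed"
    # Better: sensitive actions need a recent check, not only one at login.
    if req.action in SENSITIVE_ACTIONS and req.now - session.mfa_verified_at > STEP_UP_MAX_AGE:
        return "sensitive-action"
    return None


def record_possession_factor(session: Session, req: Request) -> None:
    """Call after the factor verified successfully: stamp the time and
    re-bind the session to the client that passed the check."""
    session.mfa_verified_at = req.now
    session.ip = req.ip
    session.user_agent = req.user_agent
```

The order of the checks is deliberate: a session that has never passed the factor is refused before any behavioral signal is consulted, and a changed client is challenged even for harmless actions, because the cheap signals are the ones an attacker holding only a stolen cookie cannot easily reproduce.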

Slide 37

Slide 37 text

How should we handle lost tokens?
- Backup codes? (users don't save them)
- Backup phone/emails? (expands attack surface)
- “Contact support”? (vulnerable to social engineering)
- “Sorry, deal with it”? (not very user-friendly)
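Whichever recovery option you pick, the server side has to be done carefully. The following is an added example, not code from the talk, showing backup codes that are single-use and stored only as salted, stretched hashes, so that a leaked database does not double as a recovery path for every account. Code count, code length, the PBKDF2 parameters and the function names are illustrative choices.

```python
# Added example (not from the talk): single-use backup codes persisted as
# salted PBKDF2 digests. Sizes, iteration count and names are illustrative.
import hashlib
import hmac
import secrets
from typing import List, Tuple

CODE_COUNT = 10
CODE_BYTES = 5               # 40 bits of randomness, shown as xxxxx-xxxxx (10 hex chars)
PBKDF2_ITERATIONS = 50_000   # backup codes carry little entropy, so stretching matters
SALT_BYTES = 16

StoredCode = Tuple[bytes, bytes]   # (salt, digest): all the database ever holds


def _normalize(code: str) -> str:
    """Accept the code however the user typed it: dashes, spaces, upper-case."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ITERATIONS)


def generate_backup_codes() -> Tuple[List[str], List[StoredCode]]:
    """Return the plaintext codes (displayed to the user exactly once) and the
    salted digests to persist. The plaintext is never written anywhere."""
    shown: List[str] = []
    stored: List[StoredCode] = []
    for _ in range(CODE_COUNT):
        raw = secrets.token_hex(CODE_BYTES)
        shown.append(f"{raw[:5]}-{raw[5:]}")
        salt = secrets.token_bytes(SALT_BYTES)
        stored.append((salt, _digest(raw, salt)))
    return shown, stored


def redeem_backup_code(stored: List[StoredCode], code: str) -> bool:
    """Consume one code: on a match, remove it so it can never be used again.
    Every slot is hashed and compared so timing does not leak which remain."""
    matched = None
    for index, (salt, digest) in enumerate(stored):
        if hmac.compare_digest(_digest(code, salt), digest):
            matched = index
    if matched is None:
        return False
    del stored[matched]
    return True
```

Redemption should sit behind the same failure counter and lock-out as the primary factor: ten outstanding codes of 40 bits each is plenty against offline guessing of the hashes, but without rate limiting the online guessing budget is what decides the outcome.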

Slide 38

Slide 38 text

1. Possession factor options
2. Implementation questions
3. Two recommendations:
   a. MFA for public-facing services
   b. MFA for internal systems

Slide 42

Slide 42 text

MFA for public-facing systems:
- Factor: out-of-band communication, or a good soft-token implementation (Authy)
- Require MFA: at login, and when performing sensitive actions
- Lost tokens: backup codes and a backup phone/email; don't allow support to reset MFA

Slide 46

Slide 46 text

MFA for internal systems:
- Factor: hard tokens (U2F or YubiKey)
- Require MFA: based on behavioral analysis
- Lost tokens: the user stays locked out until real-life (in-person) identity verification

Slide 47

Slide 47 text

“Oh, I need to add multi-factor auth.”

Slide 48

Slide 48 text

“I get to add multi-factor auth!”

Slide 49

Slide 49 text

Thank you!
[email protected]
Photo by Hello Goodbye - https://unsplash.com/photos/uGtdjBMK28s

Slide 50

Slide 50 text

Credits:
- Slide deck based on a template by Alice Bartlett: http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides
- Font: Roboto, by Christian Robertson, https://www.fontsquirrel.com/fonts/roboto
- Photos by Unsplash, https://unsplash.com/, and #WOCinTech/#WOCinTech Chat, http://www.wocintechchat.com/ (see slides for individual credits)