@tech_christine
WTF, 2FA!? Y U NO PROTECT ME?
Two-factor authentication: the worst, the best, and everything in between
Slide 2
Slide 3
Slide 4
Slide 5
Back to the beginning
Slide 6
What was the hacker up to?
Calling your mobile provider
Slide 7
Still on the phone with your mobile provider...
Using social engineering
Slide 8
And now they have all the access...
SIM swap / SIM hijacking
Slide 9
Slide 10
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
Christopher Slowe, Reddit chief technology officer and founding engineer, August 2018
Slide 11
What is authentication?
“The process of verifying that someone or something is the actual entity that they claim to be.”
- OWASP.org (these people know what they are talking about when it comes to security)
Slide 12
... but what are the different factors of auth?
Factor 1 is knowledge: something you know (e.g. your password)
Factor 2 comes from one of the other categories:
- Possession: something you have (a hardware token or a soft token on your phone)
- Inherence/identity: something you are (biometrics)
Two of the same category (a password plus a security question) is not a second factor.
Slide 13
What about all those other acronyms...
2FA = Two-factor authentication
2SV = Two-step verification
MFA = Multi-factor authentication
In everyday use 2FA == 2SV == MFA. Strictly, 2SV only promises two steps (both could be the same factor), and MFA means two or more distinct factors.
Slide 14
Why didn't 2FA help?
• SMS was used
• 2FA wasn't even enabled
Slide 15
SMS
• Most common method
• Most compromised
• Not recommended by NIST since the 2016 draft of SP 800-63B, which marks SMS/voice out-of-band authenticators as "restricted"
Slide 16
Let's figure out all the ways SMS can be hacked...
1. SIM swap (aka what just happened to us)
2. Port-out scam (the number is moved to a carrier the attacker controls)
3. Brute force of the code against the application itself (a 6-digit OTP has only a million values, so unthrottled guessing eventually succeeds)
Slide 17
TOTP (Time-based One-Time Password)
aka app based, aka soft token
• Authy
• Google Authenticator
• 1Password
Nothing travels over the phone network: the code is computed on the device from a shared secret and the current time, so there is nothing to intercept or SIM-swap. The code can still be phished and relayed in real time, so it is a big step up from SMS, not a silver bullet.
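To make the "shared secret plus time" idea concrete, here is an added example (not code from the slides) of what an authenticator app and the server both compute: HOTP from RFC 4226 and TOTP from RFC 6238 in plain Ruby with OpenSSL, plus the server-side check with a small drift window. The secret is handled as raw bytes (apps normally receive it Base32-encoded in the enrolment QR code); the sample secret is the one from the RFC test vectors, and `constant_time_equal?` is a helper written for this example.

```ruby
require "openssl"

# HOTP(K, C) per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
# dynamically truncated to 31 bits, then reduced to `digits` decimal digits.
def hotp(secret, counter, digits: 6, algorithm: "sha1")
  msg    = [counter].pack("Q>")                  # 8-byte big-endian counter
  hmac   = OpenSSL::HMAC.digest(algorithm, secret, msg)
  offset = hmac[-1].ord & 0x0f                   # low nibble of the last byte
  code   = ((hmac[offset].ord & 0x7f) << 24) |
           ((hmac[offset + 1].ord & 0xff) << 16) |
           ((hmac[offset + 2].ord & 0xff) << 8) |
           (hmac[offset + 3].ord & 0xff)
  format("%0#{digits}d", code % 10**digits)
end

# TOTP per RFC 6238: HOTP with the counter derived from time,
# floor((now - t0) / step). `now` is a Unix timestamp in seconds.
def totp(secret, now, step: 30, t0: 0, digits: 6, algorithm: "sha1")
  hotp(secret, (now - t0) / step, digits: digits, algorithm: algorithm)
end

# Helper for this example: compare without short-circuiting on the first
# differing character, so timing does not leak how many digits matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check. Accepts the current 30 s step plus `window` steps on
# either side to absorb clock drift between phone and server.
def totp_valid?(secret, submitted, now, window: 1, step: 30, digits: 6)
  (-window..window).any? do |drift|
    expected = totp(secret, now + drift * step, step: step, digits: digits)
    constant_time_equal?(expected, submitted.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # RFC 6238 Appendix B test secret (the ASCII string "12345678901234567890")
  secret = "12345678901234567890"
  puts totp(secret, 59, digits: 8)              # RFC vector: 94287082
  puts totp(secret, 59)                         # 6-digit form: 287082
  puts totp_valid?(secret, "287082", 59 + 30)   # one step later, still accepted
  puts totp_valid?(secret, "287082", Time.now.to_i)  # long expired: false
end
```

Two things the code makes visible: the whole scheme rests on the secret never leaving the device and the server database (a leaked secret lets anyone compute every future code), and the drift window is a trade-off, since every extra step accepted also gives an attacker more valid codes to guess.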
Slide 18
Push Based Authentication
• Tied to specific enrolled devices, not to a phone number
• The prompt is not visible on a locked phone screen (unlike an SMS preview)
• Watch for prompt fatigue: users who are spammed with prompts eventually tap "approve"
Slide 19
Token based
Physical keys that can authenticate over:
• USB
• near-field communication (NFC)
• Many use U2F (Universal 2nd Factor), which ties the signed response to the site's origin, so a phishing page cannot replay it
Slide 20
What would you change now?
Slide 21
So what could you have changed?
• Set up with a VoIP number instead of a carrier number (no SIM to swap)
• Secure the account with an alternate authentication method (TOTP app, push, or a hardware key)
• PIN/password-protect your account with the phone provider so a caller cannot port or swap the number
Keep on being @awesome
Slide 22
...wait, I lost my phone/app access/token
Use a recovery code
Allows you access to the application
Slide 23
More on recovery codes
• Stored as hashes
• One time use
• Shown only once
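Those three bullets map directly onto code. The following is an added example (not from the slides) of a recovery-code store that shows the plaintext codes exactly once, keeps only salted PBKDF2-HMAC-SHA256 hashes, and burns each code on first use. The in-memory array stands in for the user's row in the database; the code format (two groups of five hex characters, 40 bits of entropy) and the iteration count are choices made for this example.

```ruby
require "securerandom"
require "openssl"

class RecoveryCodes
  CODE_COUNT = 10
  ITERATIONS = 100_000   # PBKDF2 rounds; raise as your hardware allows

  # Each entry holds only {salt:, hash:, used:}; the plaintext is never kept.
  attr_reader :entries

  def initialize
    @entries = []
  end

  # Issues a fresh set and returns the plaintext codes ONCE. Any previously
  # issued set is invalidated, which is what you want after a re-enrolment.
  def generate!
    codes = Array.new(CODE_COUNT) { SecureRandom.hex(5).scan(/.{5}/).join("-") }
    @entries = codes.map do |code|
      salt = SecureRandom.random_bytes(16)
      { salt: salt, hash: self.class.digest(normalize(code), salt), used: false }
    end
    codes
  end

  # Returns true and marks the code used on the first valid presentation;
  # false for unknown codes and for codes that were already spent.
  def redeem(code)
    code = normalize(code)
    @entries.each do |entry|
      next if entry[:used]
      next unless constant_time_equal?(self.class.digest(code, entry[:salt]), entry[:hash])
      entry[:used] = true
      return true
    end
    false
  end

  def remaining
    @entries.count { |e| !e[:used] }
  end

  # Slow, salted hash: a leaked table of hashes should not be cheap to invert.
  def self.digest(code, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(code, salt, ITERATIONS, 32, "sha256")
  end

  private

  # Users retype these from paper: ignore case, dashes and surrounding spaces.
  def normalize(code)
    code.to_s.strip.downcase.delete("-")
  end

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because the codes are random rather than user-chosen, the hash exists to protect against a leaked database, not against weak inputs; a recovery-code endpoint still needs the same attempt throttling as the OTP endpoint, since each code is only 40 bits.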
Slide 24
2FA Implementation Best Practices
• Rate limit code verification attempts: that is what stops the brute force on a 6-digit code
• Use a truncated exponential back-off algorithm for the wait between attempts
Slide 25
What is an exponential back-off algorithm? After each failed attempt the wait before the next attempt is accepted doubles (1, 2, 4, 8 ... seconds), up to a fixed cap (the cap is the "truncated" part), usually with a little random jitter added.
Slide 26
Example in Ruby
max_retries = 5
max_sleep   = 30                # cap on the wait: the "truncated" part
retries     = 0
begin
  login_request                 # assumed to raise on a failed attempt
rescue StandardError
  if retries < max_retries      # "<=" would allow one retry too many
    retries += 1
    # 1, 2, 4, 8, 16 s, capped, plus 0-99 ms of jitter; the divisor must be
    # the float 1000.0, since rand(100)/1000 is integer division and gives 0
    sleep([2**(retries - 1), max_sleep].min + rand(100) / 1000.0)
    retry
  else
    raise "You've hit your max retries!"
  end
end
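The snippet above delays the client's own retries, which is the right shape for a well-behaved client but does nothing against an attacker, whose client simply will not sleep. The rate-limiting point from the best-practices slide (and the "brute force on the application itself" attack from the SMS slide) has to be enforced where the code is checked. Here is an added example (not code from the slides) of server-side throttling of 2FA verification with a truncated exponential back-off: each consecutive failure doubles the cool-down, the cool-down is capped, jitter is added, and a success resets the counter. The per-user hash stands in for a shared store such as Redis, and the clock is injected so the behaviour can be tested without actually sleeping; constants and names are choices for this example.

```ruby
class OtpThrottle
  BASE_DELAY = 1     # seconds of cool-down after the first failure
  MAX_DELAY  = 300   # cap: never more than 5 minutes between attempts

  # status is :ok, :denied (wrong code, now cooling down) or :throttled
  # (refused without even checking the code); retry_after is in seconds.
  Result = Struct.new(:status, :retry_after)

  def initialize(clock: -> { Time.now.to_f }, rng: Random.new)
    @clock = clock
    @rng   = rng
    @state = Hash.new { |h, k| h[k] = { failures: 0, next_allowed: 0.0 } }
  end

  # The block performs the real check (e.g. the TOTP comparison) and returns
  # true or false. It is only run when the account is outside its cool-down.
  def attempt(user_id)
    s   = @state[user_id]
    now = @clock.call
    if now < s[:next_allowed]
      return Result.new(:throttled, (s[:next_allowed] - now).ceil)
    end

    if yield
      @state.delete(user_id)            # success resets the back-off
      return Result.new(:ok, nil)
    end

    s[:failures] += 1
    # truncated exponential back-off: 1, 2, 4, 8 ... capped at MAX_DELAY
    delay  = [BASE_DELAY * 2**(s[:failures] - 1), MAX_DELAY].min
    delay += @rng.rand(delay * 0.1)      # up to 10% jitter
    s[:next_allowed] = now + delay
    Result.new(:denied, delay.ceil)
  end

  def failures(user_id)
    @state.key?(user_id) ? @state[user_id][:failures] : 0
  end
end

if __FILE__ == $PROGRAM_NAME
  throttle = OtpThrottle.new
  3.times do
    r = throttle.attempt("alice") { false }   # constructed: every guess is wrong
    puts "#{r.status}, retry after #{r.retry_after}s"
  end
end
```

Key the state by account, and separately by source address, so that guesses spread across many accounts are also slowed down; and prefer a growing delay over a hard lock, because a permanent lock after N failures hands an attacker an easy way to lock the real user out.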
Slide 27
Get user buy-in
Enforce authentication on every page and API route, not just the login page
For the users with the most privilege (admins), 2FA is a requirement, not optional
Slide 28
Now you are the info sec professional
Slide 29
Slide 30
Thank you to Kernelcon and all the staff, and to Tyson Reeder (@tysondreeder) for the final graphic.
For references and further reading check out https://christine-seeman.com/talks/