Slide 1

2FA, WTF?

Dominik Kundel | @dkundel | View Source Berlin 2016


Slide 3

HI! I'm Dominik!

Slide 4

About me

Developer Evangelist at

Get in touch with me!
@dkundel
[email protected]
github/dkundel

Slide 5

HACKERS!




Slide 9

2FA, WTF?

Slide 10

Two-Factor Authentication


Slide 12

Two-Factor Authentication

Two different forms of identification from the user. Typically:
→ Something that you know
→ Something that you have

Slide 13

Why?

Slide 14

Passwords Alone Are Weak

Slide 15

Story Time!

Slide 16

Mark Zuckerberg

Slide 17

Users are bad with passwords!

Slide 18

Top 10 Passwords of 2015

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

Source: https://www.teamsid.com/worst-passwords-2015/

Slide 19

Other websites are bad with passwords!


Slide 21

Mat Honan

Slide 22

Hacking Timeline

→ Hackers find his personal website and then his Gmail
→ Detect alternative email through Gmail password recovery
→ Get Honan's address through whois on his domain
→ Phone Amazon to add a new credit card to Honan's account
→ Call again to recover the Amazon account
→ Hackers log into Amazon to retrieve the last 4 digits of his actual card

Slide 23

Hacking Timeline

→ 4:33pm Call Apple to recover the iCloud access using the billing address and the last 4 digits of the credit card
→ 4:50pm Permanently reset iCloud password
→ 4:52pm Reset Gmail password
→ 5:00pm Hackers wipe his iPad and iPhone
→ 5:02pm Reset Twitter password
→ 5:05pm Wipe MacBook
→ 5:12pm Hackers tweet to take credit

Slide 24

@mat

Slide 25

Social engineering works!

Slide 26

Passwords Alone Are Weak

Slide 27

Physical protection layer for a digital world


Slide 29

How?

Slide 30

Typical User Registration Flow

1. User visits registration page
2. Enters username and password
3. User is logged in

Slide 31

Typical User Log-in Flow

1. User visits log-in page
2. Enters username and password
3. System verifies details
4. User is logged in

Slide 32

Phone 2FA: SMS / Voice

Slide 33

SMS-based User Registration Flow

1. User visits registration page
2. Enters username, password and phone number
3. Verifies phone number
4. User is logged in

Slide 34

SMS-based User Log-in Flow

1. User visits log-in page
2. Enters username and password
3. System verifies details
4. System sends verification code to user by SMS
5. User enters verification code
6. System verifies code
7. User is logged in


Slide 36

DeRay Mckesson

Slide 37

One-time Passwords 2FA

Slide 38

OTP-based User Registration Flow

1. User visits registration page
2. Enters username and password
3. Generate secret for the user
4. Share secret with the user
5. User is logged in

Slide 39

OTP-based User Log-in Flow

1. User visits log-in page
2. Enters username and password
3. System verifies details
4. User opens auth app
5. Enters app verification code on site
6. System verifies code
7. User is logged in

Slide 40

Secret-based Codes

Slide 41

HOTP/TOTP

Slide 42

HOTP Formula

HOTP(K, C) = Truncate(HMAC(K, C)) & 0x7FFFFFFF
HOTP-Value = HOTP(K, C) mod 10^d

Slide 43

https://github.com/guyht/notp

Slide 44

DEMO

Slide 45

Sharing Secrets

Slide 46

QR Codes

otpauth://TYPE/LABEL?PARAMETERS
otpauth://totp/Example:[email protected]?secret=MySecret&issuer=Example


Slide 48

Friends don't let friends write their own authentication frameworks!

Slide 49

Friends don't let friends write their own two-factor authentication frameworks!


Slide 51

Authy-based User Registration Flow

1. User visits registration page
2. Enters username, password and phone number
3. System registers user with Authy
4. User is logged in

Slide 52

Authy-based User Log-in Flow

1. User visits log-in page
2. Enters username and password
3. System verifies details
4. Authy prompts user
5. User enters app verification code on site
6. System verifies success with Authy
7. User is logged in

Slide 53

UX or 2FA

Slide 54

Push notifications (OneTouch)



Slide 57

Summary

Slide 58

Users are bad with passwords!

Slide 59

Other websites are bad with passwords!

Slide 60

Social engineering works!

Slide 61

2FA can be push, tokens or SMS

Slide 62

2FA is for your users!


Slide 64

Thank You!

@dkundel
[email protected]
github/dkundel

Slide 65

Credits:

http://www.hackercg.com/wp-content/uploads/2015/12/Hacker.jpg
http://www.v3.co.uk/IMG/494/302494/hacker-hacking-dark-hoodie.jpg
http://qruniversity.hipscan.net/sites/default/files/article-images/computer-hacker.jpg
http://www.wpdroids.com/wp-content/uploads/2014/12/How-to-scan-QR-code-in-your-Smartphone.jpg
https://img1.etsystatic.com/036/0/9343025/il_fullxfull.654477583_8ktu.jpg
http://cdn1.tnwcdn.com/wp-content/blogs.dir/1/files/2015/01/mark-zuckerberg-qa-colombia.png
https://lastpass.com/press-room/
http://66.media.tumblr.com/d19d0b84160d51e696aeaa939b84f4de/tumblrns7wyq9uVl1qhub34o10r1_500.gif