Slide 1

© 2020 Rock Solid Knowledge
“Let’s stop blaming our users for getting hacked when it is our problem to solve” Scott Brady

Slide 2

Introductions
• IdentityServer.com - @rskltd
• ScottBrady91.com - @scottbrady91

Slide 3

Passwords - We’ve come a long way
xkcd.com/936/

Slide 4

Or have we?
ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

Slide 5

Okay, maybe not
theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting

Slide 6

Thanks, Gran

Slide 7

Why are passwords so popular?

Slide 8

Then why am I hating on passwords?
haveibeenpwned.com

Slide 9

Thanks, Bill
cnet.com/news/gates-predicts-death-of-the-password

Slide 10

Hang on a minute, why do we care?
• Authentication
  • to prevent unauthorized access
• Attacks
  • Targeted
  • Untargeted
• Methods
  • Stolen credentials
  • Guessed credentials
• How much do you care?

Slide 11

This is a problem
Number of sites deemed dangerous by Google Safe Browsing (2007 – 2019)
transparencyreport.google.com/safe-browsing/overview

Slide 12

What can we do to improve passwords?
• Store passwords correctly
• Make the user choose a better password
  • Education
  • Password strength

Slide 13

Passwordless: Let someone else care
medium.com

Slide 14

Knowledge-Based Authentication

Slide 15

Avoid snake oil
If it still comes down to something you know, consider it snake oil

Slide 16

Improve by adding another factor
• Something you know (passwords)
• Something you are
• Something you own

Slide 17

SMS OTP

Slide 18

“SMS 2FA is weak AF”
gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

Slide 19

SMS Phishing

Slide 20

SMS OTP: Reality

Slide 21

TOTP (and other soft tokens)

Slide 22

How do soft tokens work?
gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

Slide 23

TOTP authentication
381057

Slide 24

TOTP: It’s just another shared secret
• Not going to save you in a breach
• Opinion: still something you know
• Article: “Software Tokens Won't Save You”

Slide 25

Demo
Phish your friends with Evilginx

Slide 26

Phishing

Slide 27

Evilginx (diagram: User, Phishing Site, Target)

Slide 28

Phishing

Slide 29

Phishing

Slide 30

Spooky biometrics
• Bit of an unknown
• Two types
  • Physical
  • Behavioural

Slide 31

Unreliable?
youtube.com/watch?v=dUMH6DVYskc

Slide 32

No, they are just probabilistic
• Acceptable false match rate = 1 in 1000
• Don’t send across the internet
• Should not be considered a secret
  • Physical is public
  • Behavioural is public
• Mitigate with presentation attack detection
• Good for local auth only
• NIST SP 800-63b – 5.2.3 Use of Biometrics

Slide 33

Push notifications

Slide 34

Not for me
• Proprietary!
• Distracts us from a much better solution…

Slide 35

Solution

Slide 36

What is FIDO?
• FIDO2
  • WebAuthn
  • CTAP2

Slide 37

What is FIDO?
Security keys!

Slide 38

What is FIDO? The flow
(diagram: Server (FIDO Relying Party), Browser (WebAuthn), Security Key (FIDO Authenticator))

Slide 39

What is FIDO? The flow
caniuse.com/#search=webauthn

Slide 40

What is FIDO? The flow
(diagram: Server (FIDO Relying Party), Browser (WebAuthn), Security Key (FIDO Authenticator))

Slide 41

What FIDO brings to the table
Useless in a breach
“Unphishable”

Slide 45

What FIDO brings to the table
Protection for the at-risk
High-Value Employees
Advanced Protection Program

Slide 46

So security keys are the future?

Slide 47

But what about passwords?

Slide 48

How hard is this to implement?
WebAuthn

Slide 49

How hard is this to implement?
ASP.NET Core
OSS (Anders Åberg)
Commercial (Rock Solid Knowledge – IdentityServer.com)

Slide 50

FIDO2 relying party
Challenge - OSS

Slide 51

FIDO2 relying party
Challenge – IdentityServer.com

Slide 52

FIDO2 relying party
Validation - OSS

Slide 53

FIDO2 relying party
Validation – IdentityServer.com
github.com/abergs/fido2-net-lib
OR
github.com/RockSolidKnowledge/Samples.Fido

Slide 54

Simple rankings
Password
SMS
TOTP
Push Notifications
FIDO2 (WebAuthn)

Slide 55

Pragmatic rankings
security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

Slide 56

Solution: hedgehog-based authentication
gizmodo.co.uk/2016/11/hedgehog-based-authentication-is-the-only-way-to-be-truly-secure

Slide 57

The end

Slide 58

Passwords: we still make mistakes (bonus)
theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now
theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

Slide 59

Improving transport with PAKE (bonus)
Password Authenticated Key Exchange (PAKE)
blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/