@tech_christine
WTF, 2FA!? Y U NO PROTECT ME?
Two factor authentication the worst, the best, and everything in-between
Slide 2
Slide 3
Slide 4
Slide 5
Back to the beginning
Slide 6
What was the hacker up to?
Calling your mobile provider
Slide 7
Still on the phone with your mobile provider...
Using social engineering
Slide 8
And now they have all the access...
SIM swap / SIM hijacking
Slide 9
Slide 10
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
Christopher Slowe, Reddit chief technology officer and founding engineer, August 2018
Slide 11
What is authentication?
“The process of verifying that someone or something is the actual entity that they claim to be.”
- OWASP.org
(these people know what they are talking about when it comes to security)
Slide 12
... but what are the different factors of auth?
Factor 1 is knowledge (something you know, e.g. your password)
Factor 2 comes from one of the other categories:
- Possession (something you have: a hardware token or a soft token)
- Inherence (something you are: biometrics)
Slide 13
2FA == 2SV == MFA
What about all those other acronyms...
2FA = Two-factor authentication
2SV = Two-step verification
MFA = Multi-factor authentication
In everyday use these mean the same thing. Strictly, 2SV only promises two steps (both could be knowledge factors, e.g. a password plus a security question), and MFA means two or more factors, of which 2FA is the two-factor case.
Slide 14
Why didn't 2FA help?
• SMS was used
• 2FA wasn't even enabled
Slide 15
SMS
• Most common
• Most compromised
• Not recommended by NIST since 2016 (SP 800-63B)
Slide 16
Twilio API Example
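The Twilio code from this slide was not captured, so here is an added example (mine, not the talk's slide and not Twilio's sample code) of an SMS one-time code flow in Ruby: generate the code with SecureRandom, keep only a keyed digest of it with an expiry, and verify it once, in constant time. Only `client.messages.create` is the twilio-ruby gem's real API; the class name, the 300-second TTL, the environment variable names and the phone number are assumptions. Nothing on the application side can stop a SIM swap; this only removes the weaknesses an application adds on top (guessable, reusable or plaintext-stored codes).

```ruby
require 'securerandom'
require 'openssl'

# Added example: SMS one-time code issued and verified server-side.
# The Twilio call is isolated in a lambda so everything else runs offline.
class SmsOtp
  CODE_DIGITS = 6
  TTL         = 300   # seconds a code stays valid (assumed policy)

  Issued = Struct.new(:digest, :expires_at, :used)

  # deliver: callable taking (phone, message). The default records messages in
  # memory so the example runs without network access or Twilio credentials.
  def initialize(deliver: nil, pepper: SecureRandom.bytes(32))
    @deliver = deliver || method(:record_message)
    @pepper  = pepper     # server-side secret; a leaked table of digests alone is useless
    @issued  = {}         # phone => Issued (a database row in a real app)
    @outbox  = []
  end
  attr_reader :outbox

  # Uniformly random code from SecureRandom (never Kernel#rand), sent via `deliver`.
  def issue(phone, now: Time.now)
    code = format("%0#{CODE_DIGITS}d", SecureRandom.random_number(10**CODE_DIGITS))
    @issued[phone] = Issued.new(digest(code), now + TTL, false)
    @deliver.call(phone, "Your verification code is #{code}. It expires in #{TTL / 60} minutes.")
    code   # returned only so a test can play the user; a real app never hands it back
  end

  # True exactly once per issued code, and only before expiry.
  def verify(phone, code, now: Time.now)
    entry = @issued[phone]
    return false if entry.nil? || entry.used || now > entry.expires_at
    ok = secure_equal?(entry.digest, digest(code.to_s))
    entry.used = true if ok   # single use: a sniffed or replayed code is dead after first use
    ok
  end

  private

  def digest(code)
    OpenSSL::HMAC.digest('SHA256', @pepper, code)
  end

  # Constant-time comparison (OpenSSL.fixed_length_secure_compare on Ruby 3.0+ is equivalent).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def record_message(phone, body)
    @outbox << { to: phone, body: body }
  end
end

# Real delivery through the twilio-ruby gem; client.messages.create is the gem's own API.
# Only used when credentials are present in the environment (variable names are assumptions).
def twilio_deliverer
  require 'twilio-ruby'
  client = Twilio::REST::Client.new(ENV.fetch('TWILIO_ACCOUNT_SID'), ENV.fetch('TWILIO_AUTH_TOKEN'))
  from   = ENV.fetch('TWILIO_FROM_NUMBER')
  ->(to, body) { client.messages.create(from: from, to: to, body: body) }
end

if __FILE__ == $0
  otp  = SmsOtp.new(deliver: ENV['TWILIO_ACCOUNT_SID'] ? twilio_deliverer : nil)
  code = otp.issue('+15555550100')         # constructed number for the demo
  puts otp.verify('+15555550100', code)    # true
  puts otp.verify('+15555550100', code)    # false: already used
end
```

Without Twilio credentials the messages land in `outbox`; with them, the same object sends real SMS. The pepper keeps a dumped `issued` table from being replayable, and marking the entry used means an intercepted code is only good for the first redemption.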
Slide 17
Let's figure out all the ways SMS can be hacked...
1. SIM swap (aka what just happened to us)
2. Port-out scam
3. Brute force on the application itself
Slide 18
TOTP
Time-based One-Time Password
aka app based
aka soft token
• Authy
• Google Authenticator
• 1Password
Slide 19
ROTP (The Ruby One Time Password Library) Example
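The ROTP code from this slide was not captured. As an added example (mine, not the rotp gem's code and not the talk's slide), here is what TOTP actually computes, written against the Ruby standard library only: HOTP from RFC 4226, TOTP from RFC 6238 on top of it, the Base32 secret format that the otpauth:// QR code carries to Google Authenticator or Authy, and server-side verification with a drift window and replay protection. rotp wraps the same arithmetic (`ROTP::TOTP#now`, `#verify`); the module name and the one-step drift policy here are assumptions.

```ruby
require 'openssl'

# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) on the Ruby standard library.
module Otp
  BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

  # Base32 secret (what the user's authenticator stores) -> raw bytes.
  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map do |c|
      idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "invalid base32 character #{c}"
      idx.to_s(2).rjust(5, '0')
    end.join
    [bits[0, bits.size - bits.size % 8]].pack('B*')
  end

  def self.base32_encode(bytes)
    bits = bytes.unpack1('B*')
    bits += '0' * ((5 - bits.size % 5) % 5)
    bits.scan(/.{5}/).map { |b| BASE32_ALPHABET[b.to_i(2)] }.join
  end

  # HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, reduce mod 10^digits.
  def self.hotp(secret, counter, digits: 6, algorithm: 'SHA1')
    mac    = OpenSSL::HMAC.digest(algorithm, secret, [counter].pack('Q>')).bytes
    offset = mac[-1] & 0x0f
    code   = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    format("%0#{digits}d", code % 10**digits)
  end

  # TOTP is HOTP whose counter is the number of 30-second steps since the Unix epoch.
  def self.totp(secret, time, digits: 6, step: 30, algorithm: 'SHA1')
    hotp(secret, time.to_i / step, digits: digits, algorithm: algorithm)
  end

  # Constant-time comparison (OpenSSL.fixed_length_secure_compare on Ruby 3.0+ is equivalent).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Server-side check: accept the current step plus `drift` steps either side (clock skew),
  # but never a step at or before the last one already accepted (replay of a sniffed code).
  # Returns the accepted step (persist it as last_step) or nil.
  def self.verify(secret, code, time, last_step: nil, drift: 1, step: 30, digits: 6)
    now_step = time.to_i / step
    ((now_step - drift)..(now_step + drift)).each do |s|
      next if last_step && s <= last_step
      return s if secure_equal?(hotp(secret, s, digits: digits), code.to_s)
    end
    nil
  end

  # otpauth:// URI that goes into the enrolment QR code (rqrcode would render it).
  def self.provisioning_uri(secret, account, issuer)
    "otpauth://totp/#{issuer}:#{account}?secret=#{base32_encode(secret)}&issuer=#{issuer}"
  end
end

if __FILE__ == $0
  secret = OpenSSL::Random.random_bytes(20)   # 160-bit shared secret made at enrolment
  puts Otp.provisioning_uri(secret, 'alice@example.com', 'ExampleApp')
  puts Otp.totp(secret, Time.now)
end
```

The shared secret is the weak point the later OTP vs U2F comparison refers to: both the server and the phone hold it, so a database leak lets an attacker mint valid codes forever. The `last_step` bookkeeping matters because a 30-second code is otherwise valid for every login attempt inside its window.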
Slide 20
Slide 21
But you need to get this code to your user...
Slide 22
Push Based
• Associated with certain authorized devices
• Not visible on a locked phone screen
Slide 23
Authy One Touch API Example
Slide 24
Token based
Physical keys that can authenticate you
• USB
• Near-field communication (NFC)
• Many use U2F (Universal 2nd Factor)
Slide 25
OTP vs U2F
Slide 26
OTP:
• Users type in codes
• Set up and provisioning required
• Secrets stored, providing a single point of attack
U2F:
• User has a physical device
• Strong security from public key cryptography
• No personal information is associated with a key
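To make the comparison concrete, here is an added example (mine, not the talk's material and not any U2F library's code) of the shape of U2F registration and authentication. Real keys use ECDSA P-256, wrap the private key into the key handle, and sign a richer message (application parameter, user-presence byte, counter, challenge parameter); this version uses RSA from Ruby's stdlib so it runs with no gems, uses a random id as the handle, and signs only origin hash, counter and challenge. The class names, origins and user name are assumptions. What survives the simplification is the point of the table: the server stores a public key, not a secret, and the signature is bound to the origin, so a phishing site relaying the challenge gets nothing it can use.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example: U2F-style registration and challenge/response, simplified (RSA, not P-256).
class SecurityKey
  def initialize
    @keys = {}      # handle => { origin:, key: }; a fresh pair per site, so sites cannot link users
    @counter = 0    # monotonic use counter, reported with each signature
  end

  # Registration: mint a key pair for this origin and hand out only the public half.
  def register(origin)
    key    = OpenSSL::PKey::RSA.new(2048)
    handle = SecureRandom.hex(16)   # opaque reference the server stores next to the public key
    @keys[handle] = { origin: origin, key: key }
    [handle, key.public_key.to_der]
  end

  # Authentication: sign (SHA256(origin) || counter || challenge). The browser supplies the
  # origin it is actually talking to; a handle minted for another origin is refused.
  def sign(handle, origin, challenge)
    entry = @keys[handle]
    raise 'unknown handle' unless entry
    raise 'handle not valid for this origin' unless entry[:origin] == origin
    @counter += 1
    data = SecurityKey.signed_data(origin, @counter, challenge)
    [@counter, entry[:key].sign(OpenSSL::Digest.new('SHA256'), data)]
  end

  def self.signed_data(origin, counter, challenge)
    Digest::SHA256.digest(origin) + [counter].pack('N') + challenge
  end
end

class RelyingParty
  def initialize(origin)
    @origin  = origin
    @users   = {}   # user => { handle:, pub_der:, counter: }; no secret anywhere in here
    @pending = {}   # user => outstanding challenge
  end

  def complete_registration(user, handle, pub_der)
    @users[user] = { handle: handle, pub_der: pub_der, counter: 0 }
  end

  def challenge_for(user)
    @pending[user] = SecureRandom.random_bytes(32)
    [@users[user][:handle], @pending[user]]
  end

  # Verify with the stored public key over the data the key must have signed for OUR origin,
  # consume the challenge (no replay) and require the counter to increase (a cloned key lags).
  def verify(user, counter, signature)
    rec       = @users[user]
    challenge = @pending.delete(user)
    return false unless rec && challenge && counter > rec[:counter]
    pub  = OpenSSL::PKey::RSA.new(rec[:pub_der])
    data = SecurityKey.signed_data(@origin, counter, challenge)
    return false unless pub.verify(OpenSSL::Digest.new('SHA256'), signature, data)
    rec[:counter] = counter
    true
  end
end

# One full round trip: register, challenge, sign, verify. Returns true on success.
def demo
  key  = SecurityKey.new
  site = RelyingParty.new('https://example.com')
  handle, pub = key.register('https://example.com')
  site.complete_registration('alice', handle, pub)
  h, c     = site.challenge_for('alice')
  ctr, sig = key.sign(h, 'https://example.com', c)
  site.verify('alice', ctr, sig)
end

puts demo if __FILE__ == $0
```

Compare this with the TOTP case: a dump of `RelyingParty#@users` contains only public keys and counters, so it cannot be turned into valid logins, whereas a dump of TOTP secrets can.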
Slide 27
What would you change now?
Slide 28
So what could you have changed?
• Setting up with a VoIP number instead of your carrier number
• Securing the account with an alternate authentication method
• PIN/password protecting your mobile provider account
Keep on being @awesome
Slide 29
...wait, I lost my phone/app access/token
Use a recovery code
Allows you access to the application
Slide 30
More on recovery codes
• Stored as hashes
• One time use
• Shown only once
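The three bullets above in working code, as an added example (mine, not the talk's): codes are returned in plaintext exactly once at issue time, persisted only as salted PBKDF2 hashes, and each one is burnt on first successful redemption. The class name, the 10-code set, the xxxxx-xxxxx format and the PBKDF2 work factor are assumptions; bcrypt or argon2 would serve as well if the gem is available.

```ruby
require 'securerandom'
require 'openssl'

# Added example: recovery codes shown once, stored hashed, redeemable once.
class RecoveryCodes
  COUNT      = 10
  ITERATIONS = 20_000   # PBKDF2-HMAC-SHA256 rounds (assumed; raise in production)

  Stored = Struct.new(:salt, :digest, :used)

  # Returns [plaintext_codes, stored_records]. Show the plaintext to the user once,
  # persist only the records, and never keep the plaintext server-side.
  def self.issue(count: COUNT)
    codes   = Array.new(count) { SecureRandom.hex(5).insert(5, '-') }   # 40 bits each, xxxxx-xxxxx
    records = codes.map do |code|
      salt = SecureRandom.bytes(16)
      Stored.new(salt, digest_code(normalize(code), salt), false)
    end
    [codes, records]
  end

  # Slow, salted hash: a leaked table cannot be reversed cheaply even for short codes.
  def self.digest_code(code, salt)
    OpenSSL::KDF.pbkdf2_hmac(code, salt: salt, iterations: ITERATIONS, length: 32, hash: 'sha256')
  end

  # Accept the code however the user typed it: case and separators are ignored.
  def self.normalize(input)
    input.to_s.downcase.gsub(/[^0-9a-f]/, '')
  end

  def initialize(records)
    @records = records
  end

  # Redeem one code: hash against every unused record (no early exit, so timing does
  # not reveal which slot matched), then mark the matching record used.
  def redeem(input)
    code = self.class.normalize(input)
    hit  = nil
    @records.each do |r|
      next if r.used
      match = secure_equal?(r.digest, self.class.digest_code(code, r.salt))
      hit ||= r if match
    end
    return false unless hit
    hit.used = true
    true
  end

  def remaining
    @records.count { |r| !r.used }
  end

  private

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because a 40-bit code is guessable offline only if the hash is fast, the slow hash and the rate limiting discussed later are what make the short, typeable format safe; longer codes with a fast hash are the other reasonable trade-off.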
Slide 31
2FA Implementation Best Practices
• Rate limiting prevents brute force attacks
• Use a truncated exponential back-off algorithm
Slide 32
What is an exponential back-off algorithm?
Slide 33
Example in Ruby
MAX_RETRIES = 5   # give up after this many failed attempts
MAX_DELAY   = 30  # seconds: the truncation cap on the back-off
retries = 0
begin
  login_request                   # placeholder from the slide: raises when the login fails
rescue StandardError
  if retries < MAX_RETRIES
    retries += 1
    # truncated exponential back-off: 2, 4, 8, 16, 30 seconds, plus up to 100 ms of jitter
    sleep([2**retries, MAX_DELAY].min + rand(100) / 1000.0)
    retry
  else
    raise "You've hit your max retries!"
  end
end
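The snippet above backs off on the client. A brute-forcer does not run your client, so the limit that protects an OTP has to be enforced on the server, per account. The following added example (mine, not the talk's code) is that server-side version of truncated exponential back-off: after a few free failures each further failure doubles the lockout up to a cap, a correct code submitted during the lockout is not even examined, and a success clears the history. The class name, the three free attempts, the one-second base and the five-minute cap are assumptions; the clock is injected so the behaviour can be tested without sleeping.

```ruby
# Added example: per-account truncated exponential back-off for OTP verification.
class OtpAttemptLimiter
  FREE_ATTEMPTS = 3      # failures tolerated before back-off begins (assumed policy)
  BASE_DELAY    = 1.0    # seconds of lockout after the first back-off failure
  MAX_DELAY     = 300.0  # truncation cap: the lockout never exceeds this

  State = Struct.new(:failures, :not_before)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @state = Hash.new { |h, k| h[k] = State.new(0, nil) }   # account => State (a DB row in practice)
  end

  # Seconds the account must still wait; 0.0 when an attempt may be made now.
  def retry_after(account)
    s = @state[account]
    return 0.0 unless s.not_before
    [s.not_before - @clock.call, 0.0].max
  end

  # Runs the block (the real code check) only when the account is not locked out.
  # Returns :locked, :ok or :failed. While locked the code is never checked, so the
  # lockout cannot be used to test guesses.
  def attempt(account)
    return :locked if retry_after(account) > 0
    s = @state[account]
    if yield
      @state.delete(account)   # success clears the failure history
      return :ok
    end
    s.failures += 1
    if s.failures > FREE_ATTEMPTS
      exponent = s.failures - FREE_ATTEMPTS - 1                  # 0 on the first locked failure
      delay    = [BASE_DELAY * 2**exponent, MAX_DELAY].min       # 1, 2, 4, ... 256, 300, 300
      s.not_before = @clock.call + delay
    end
    :failed
  end
end
```

Jitter, which the client snippet adds, is not needed here: the server is the one imposing the delay, and deterministic windows are easier to reason about and to test. For a six-digit code, three free attempts plus doubling delays keeps the expected number of guesses inside a 30-second TOTP window far below the one-in-a-million odds of a single guess.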
Slide 34
Get user buy-in
Enforce authentication on all pages
For the users with the most privilege, 2FA is a requirement, not optional
Slide 35
QR Code Rendering: https://github.com/whomwah/rqrcode
ROTP (TOTP): https://github.com/mdp/rotp
Twilio Ruby API: https://www.twilio.com/docs/libraries/ruby
Authy Ruby API: https://github.com/twilio/authy-ruby
Slide 36
What questions can I answer?
Slide 37
Slide 38
Thanks for having me, Ruby and Open Source Meetup!
Tyson Reeder (@tysondreeder) for the final graphic
For references and further reading check out
https://christine-seeman.com/talks/