Slide 1
Slide 1 text
2FA, WTF?
Slide 2
Slide 2 text
HACKERS
Slide 3
Slide 3 text
ARE
Slide 4
Slide 4 text
EVERYWHERE
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
No content
Slide 9
Slide 9 text
2FA, WTF?
Slide 10
Slide 10 text
PART 1
THE HORRIFYING
REALITY OF PASSWORD
SECURITY
Slide 11
Slide 11 text
No content
Slide 12
Slide 12 text
nash
Slide 13
Slide 13 text
I WAS HACKED
Slide 14
Slide 14 text
MAT HONAN
Slide 15
Slide 15 text
Mat Honan's Hackers' Timeline
1. Found Gmail address on his personal site
2. Entered address in Gmail and found his @me.com
back up email
3. Called Amazon to add a credit card to file
4. Called Amazon again to reset password and got
access
5. 4:33pm: called Apple to reset password
6. 4:50pm: reset AppleID password and gained
access to email
@philnash
Slide 16
Slide 16 text
Mat Honan's Hackers' Timeline
7. 4:52pm: reset Gmail account password
8. 5:01pm: wiped iPhone
9. 5:02pm: reset Twitter password
10. 5:05pm: wiped MacBook and deleted Google
account
11. 5:12pm: posted to Twitter taking credit for the
hack
@philnash
Slide 17
Slide 17 text
@MAT
Slide 18
Slide 18 text
https:/
/twitter.com/TheTimeCowboy/status/287536855828795393
@philnash
Slide 19
Slide 19 text
STRONGER
PASSWORDS
Slide 20
Slide 20 text
ARE HARDER
TO REMEMBER
Slide 21
Slide 21 text
REUSE
Slide 22
Slide 22 text
ASHLEY MADISON
Slide 23
Slide 23 text
TOP 5 PASSWORDS
Slide 24
Slide 24 text
5) 123456789
Slide 25
Slide 25 text
4) DEFAULT
Slide 26
Slide 26 text
3) password
Slide 27
Slide 27 text
2) 12345
Slide 28
Slide 28 text
1) 123456
Slide 29
Slide 29 text
Ashley Madison Top 10 Passwords
1. 123456 - 120,511 users
2. 12345 - 48,452 users
3. password - 39,448 users
4. DEFAULT - 34,275 users
5. 123456789 - 26,620 users
6. qwerty - 20,778 users
7. 12345678 - 14,172 users
8. abc123 - 10,869 users
9. NSFW - 10,683 users
10. 1234567 - 9,468 users
Source: http:/
/qz.com/501073/the-top-100-passwords-on-ashley-madison/
@philnash
Slide 30
Slide 30 text
MARK ZUCKERBURG
Slide 31
Slide 31 text
dadada
Slide 32
Slide 32 text
I WAS HACKED
Slide 33
Slide 33 text
@philnash
Slide 34
Slide 34 text
Compromised sites
• Adobe
• Yahoo
• LinkedIn
• Tumblr
• MySpace
• DropBox
• Bitly
• Disqus
@philnash
Slide 35
Slide 35 text
@philnash
Slide 36
Slide 36 text
@philnash
Slide 37
Slide 37 text
No content
Slide 38
Slide 38 text
YOUR USERS ARE ONLY
AS SECURE AS THEIR
WEAKEST PASSWORD
Slide 39
Slide 39 text
PART 2
SMS, SS7, OTP, 2FA
Slide 40
Slide 40 text
2FA
Slide 41
Slide 41 text
TWO FACTOR
AUTHENTICATION
Slide 42
Slide 42 text
Two Factor Authentication
2FA is a security process in which a user provides
two different forms of identification in order to
authenticate themself with a system.
The two forms must come from different
categories. Normally something you know and
something you have.
@philnash
Slide 43
Slide 43 text
SMS, TOKENS,
PUSH
Slide 44
Slide 44 text
SMS
Slide 45
Slide 45 text
2FA
import random
random_num = random.randint(0, 999999)
code = str(random_num).rjust(6, "0")
user.login_code = code
user.save()
01.
02.
03.
04.
05.
06.
@philnash
Slide 46
Slide 46 text
2FA
from twilio.rest import Client
import os
client = Client(os.environ['ACCOUNT_SID'], os.environ['AUTH_TOKEN'])
message = client.messages.create(
to=user.phone_number,
from_=os.environ['PHONE_NUMBER'],
body=f'Your login code is {code}')
01.
02.
03.
04.
05.
06.
07.
08.
@philnash
Slide 47
Slide 47 text
SMS: Pros
Almost everyone in the world can receive SMS
messages
@philnash
Slide 48
Slide 48 text
SMS: Cons
Costs per message
Requires signal
SMS is broken
@philnash
Slide 49
Slide 49 text
PART 2.1
THE HORRIFYING
REALITY OF SMS
SECURITY
Slide 50
Slide 50 text
SOCIAL
ENGINEERING
Slide 51
Slide 51 text
No content
Slide 52
Slide 52 text
IF YOU CAN ACCESS AN
ACCOUNT WITH JUST
ONE FACTOR
IT'S NOT 2FA
Slide 53
Slide 53 text
SS7
Slide 54
Slide 54 text
2FA OVER SMS IS STILL
BETTER THAN JUST
PASSWORDS
Slide 55
Slide 55 text
TOKENS
Slide 56
Slide 56 text
HOTP + TOTP
Slide 57
Slide 57 text
@philnash
Slide 58
Slide 58 text
HOTP
HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
HOTP-Value = HOTP(K,C) mod 10d
@philnash
Slide 59
Slide 59 text
DEMO
Slide 60
Slide 60 text
https:/
/github.com/pyauth/pyotp
@philnash
Slide 61
Slide 61 text
https:/
/github.com/django-otp/django-otp
@philnash
Slide 62
Slide 62 text
SHARING
SECRETS
Slide 63
Slide 63 text
QR code
otpauth:/
/TYPE/LABEL?PARAMETERS
otpauth:/
/totp/2FAWTF:[email protected]?
secret=JBSWY3DPEHPK3PXP&issuer=2FAWTF
@philnash
Slide 64
Slide 64 text
DEMO
Slide 65
Slide 65 text
Tokens: Pros
Free to use
Works offline
@philnash
Slide 66
Slide 66 text
Tokens: Cons
Requires a smart phone
Needs backup codes to recover account
QR codes can be intercepted
@philnash
Slide 67
Slide 67 text
PUSH
Slide 68
Slide 68 text
0:00 / 0:21
Slide 69
Slide 69 text
Push: Pros
Much better user experience
Most secure
@philnash
Slide 70
Slide 70 text
Push: Cons
Requires a smart phone
Requires a native app
Requires more work on your web application
Can't use offline
@philnash
Slide 71
Slide 71 text
Implement 2FA with Authy
https:/
/twil.io/flask-2fa
https:/
/twil.io/django-2fa
@philnash
Slide 72
Slide 72 text
https:/
/twitter.com/status_updates/status/656435611289653248
@philnash
Slide 73
Slide 73 text
SUMMARY
Slide 74
Slide 74 text
USERS ARE
BAD WITH
PASSWORDS
Slide 75
Slide 75 text
OTHER
WEBSITES ARE
BAD WITH
PASSWORDS
Slide 76
Slide 76 text
2FA CAN BE
PUSH, TOKEN
OR SMS
Slide 77
Slide 77 text
2FA IS FOR
YOUR USERS
Slide 78
Slide 78 text
No content
Slide 79
Slide 79 text
2FA, WTF?
Slide 80
Slide 80 text
2FA, FTW!
Slide 81
Slide 81 text
THANKS!