Slide 1

Slide 1 text

One does not simply add MFA. It’s not just a walk into Mordor; good MFA is a journey. @[email protected]

Slide 2

Slide 2 text

Art by Maja Vonge Cornils

Slide 3

Slide 3 text

What you will learn ✓ What is MFA 
 ✓ How to secure your accounts 
 ✓ What are the MFA types 
 ✓ How to protect users and secure an application 
 ✓ Potential testing steps 
 ✓ MFA implementation best practices "Its black gates are guarded by more than just orcs.” @[email protected]

Slide 4

Slide 4 text

Taking notes or pictures 📝 Asking foolish questions 🤔 Things you don't need to worry about "There is evil there that does not sleep, and the Great Eye is ever watchful" @[email protected] Slides QR code

Slide 5

Slide 5 text

Let our journey begin…

Slide 6

Slide 6 text


Slide 7

Slide 7 text

Slide 8

Slide 8 text


Slide 9

Slide 9 text

Back to the beginning… To when you signed up for

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Slide 12

Slide 12 text


Slide 13

Slide 13 text

Slide 14

Slide 14 text

What was the hacker up to? 🤔 Calling your mobile provider @[email protected]

Slide 15

Slide 15 text

On the phone with your mobile provider... Using social engineering @[email protected]

Slide 16

Slide 16 text

Now they have all the access... Sim swap/sim hijacking @[email protected]

Slide 17

Slide 17 text


Slide 18

Slide 18 text

issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

Slide 19

Slide 19 text

Slide 20

Slide 20 text

@[email protected] Let’s check on some Aussie Telcos

Slide 21

Slide 21 text

Slide 22

Slide 22 text

@[email protected] optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack 22 September 2022

Slide 23

Slide 23 text

“ We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018

Slide 24

Slide 24 text

What is authentication? The process of verifying that someone or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)

Slide 25

Slide 25 text

... but what are the different factors of auth? • Knowledge: something you know (your password, a PIN) • Possession: something you have (hardware token, soft token / authenticator app) • Inherence: something you are (biometrics) A second factor means a second type of factor; a password plus a security question is still one factor.

Slide 26

Slide 26 text

What about all those other acronyms... 2FA, 2SV, MFA, 2F: they all mean asking for more than one proof at login. Strictly, 2SV (two-step verification) only promises two steps, which could be the same factor type; 2FA/MFA means two different factor types.

Slide 27

Slide 27 text

Why didn't MFA help? @[email protected] • SMS was used • For most users MFA won’t even be enabled

Slide 28

Slide 28 text

Let’s travel deeper to discover all of our factor choices

Slide 29

Slide 29 text

SMS • Most common • Most compromised • Deprecated by NIST: SP 800-63B has discouraged SMS as an out-of-band authenticator since its 2016 draft (it is now listed as a “restricted” authenticator)

Slide 30

Slide 30 text

If SMS wasn't bad enough • SS7 (the signalling network every telecom shares for interconnect) has its own vulnerabilities • Text messages in transit can be intercepted by anyone with SS7 access

Slide 31

Slide 31 text

Let's figure out all the ways to hack it...
1. SIM swap (aka what just happened to us)
2. Port-out scam
3. Brute force against the application itself
4. Exploit SS7 weaknesses

Slide 32

Slide 32 text

Push Based

Slide 33

Slide 33 text

Push Based •Associated with certain authorized devices •Not visible on a locked phone screen

Slide 34

Slide 34 text

Push Based Has Drawbacks: an attacker who already has the password can spam approval prompts until a tired user taps Approve (MFA fatigue / prompt bombing). A push prompt should show what is being approved, and number matching (the user types a number shown on the login screen into the app) defeats blind approval. September 15th, 2022

Slide 35

Slide 35 text

Security Questions ❓ ❓

Slide 36

Slide 36 text

Security Questions • User answers a set of questions during sign-up • For example • Merry’s mother’s maiden name? • What is the Shire’s address? • Caveat: the answers are knowledge, not possession, and are often discoverable from public records or social media, so treat them as a weak recovery hint, not a second factor

Slide 37

Slide 37 text

Email

Slide 38

Slide 38 text

Email • At login time, an email with a verification code is sent to the user • Convenient • Should only be used with verified emails • Caveat: the mailbox is usually also where password resets land, so a compromised mailbox defeats both the password and this factor

Slide 39

Slide 39 text

Example email verification step Awesome

Slide 40

Slide 40 text

TOTP

Slide 41

Slide 41 text

TOTP Time-based One Time Password (RFC 6238) aka app based aka soft token • Authy • Google Authenticator • 1Password How it works: at enrolment the server generates a random secret and shows it as a QR code; afterwards the app and the server each compute HMAC(secret, floor(now / 30 s)) and truncate it to six digits, so the code changes every 30 seconds and the secret never crosses the network again after that scan.
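The HOTP/TOTP computation just described, written out as an added example (this is not code from the talk, and the Shiregram issuer name in the provisioning URI is made up). It is checked against the published RFC 4226/6238 test vectors, and the server-side verifier shows the two checks a practitioner wants that the slide does not mention: tolerate one step of clock skew, and never accept the same step twice, so a code that was shoulder-surfed or phished in real time cannot be replayed inside its 30-second window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce mod 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    Accepts codes from the current step and +/- `skew` neighbouring steps (phone
    clocks drift), and remembers the highest step already consumed so the same
    code cannot be used twice (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: replay attempt
            expected = hotp(self.secret, counter)
            # constant-time comparison so a wrong code does not leak how many digits matched
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// Key URI, which is what the enrolment QR code encodes; the shared
    secret is base32 in this format. Issuer/account names here are assumptions."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")
```

The same `hotp` function serves both the app and the server, which is the whole point: nothing but the shared secret and the clock has to agree. Note `last_counter` must live in persistent storage next to the secret, not in process memory, or a horizontally scaled login service will happily accept the replay on another instance.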

Slide 42

Slide 42 text

Token Based

Slide 43

Slide 43 text

Token Based Physical keys that can authenticate • FIDO2/WebAuthn • USB security keys (not a USB storage drive: the private key is generated on the device and never leaves it) • Near-field communication • Many use U2F (Universal 2nd Factor), the predecessor of FIDO2/WebAuthn

Slide 44

Slide 44 text

OTP vs U2F @[email protected]

Slide 45

Slide 45 text

OTP vs U2F
U2F
• User has a physical device
• Strong security from public key cryptography
• No personal information associated with a key
OTP
• Users type in codes
• Set up and provisioning required
• Secrets stored on the server, providing a single point of attack

Slide 46

Slide 46 text

What would you change now?

Slide 47

Slide 47 text

Secure Your Account
1. Use a long password/passphrase
2. Secure with an alternate (non-SMS) authentication method
3. Use a VoIP number for anything that insists on SMS, so a SIM swap at your mobile carrier cannot move it
4. Don't reuse passwords
5. PIN/password protect your mobile provider account
Keep on being @awesome

Slide 48

Slide 48 text

… now let’s put a twist on our story @[email protected]

Slide 49

Slide 49 text

Slide 50

Slide 50 text

Not that twist... • Now you are the engineer at shiregram (an insta rival) • How do you secure your users from all the bad stuff out there? @[email protected]

Slide 51

Slide 51 text

Security is everyone's job YOU MEAN TO INFORMATION SECURITY IS PART OF MY JOB TOO??

Slide 52

Slide 52 text

• Engineers • Designers • Infrastructure • Managers • Not just info sec! Security is everyone's job

Slide 53

Slide 53 text

wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

Slide 54

Slide 54 text

nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

Slide 55

Slide 55 text

Back to your security basics • Strong passwords/passphrases 💪 • Don't force periodic rotation 🔁 • Store the hash securely 🔒 • Only store sensitive data that you need ⛔

Slide 56

Slide 56 text

https://xkcd.com/936/ Strong passwords/passphrase 💪

Slide 57

Slide 57 text

Why this helps • Greater entropy = harder to brute force the password • Passwords should be hard to guess, but easy to remember • Extra length + randomness allows for more entropy @[email protected] Strong passwords/passphrase 💪

Slide 58

Slide 58 text

Strong passwords/passphrase 💪

Slide 59

Slide 59 text

Strong passwords/passphrase 💪

Slide 60

Slide 60 text

Do this @[email protected] Strong passwords/passphrase 💪

Slide 61

Slide 61 text

@[email protected] Strong passwords/passphrase 💪

Slide 62

Slide 62 text

@[email protected] Strong passwords/passphrase 💪

Slide 63

Slide 63 text

Reddit Strong passwords/passphrase 💪

Slide 64

Slide 64 text

Not this @[email protected] Strong passwords/passphrase 💪

Slide 65

Slide 65 text

@[email protected] Strong passwords/passphrase 💪

Slide 66

Slide 66 text

@[email protected] Strong passwords/passphrase 💪

Slide 67

Slide 67 text

Let's talk about password hashing (not encryption: a hash is one-way and there is no key to decrypt with) • Just an algorithm that takes data and produces fixed-size output • Some hashes are stronger than others • MD5/SHA-1 = 👎 (broken) • SHA-256/SHA-512 (SHA-2) = 👍 as general-purpose hashes, but they are fast by design, so on their own they are still the wrong tool for storing passwords (next slide) Store the hash securely 🔒

Slide 68

Slide 68 text

Adaptive one-way functions, hashes with more spice • Compute a one-way (irreversible) transform • Salt each password and allow configuration of a ‘work factor’, so the cost per guess can be raised as hardware gets faster • Ex. Argon2id, PBKDF2, scrypt, bcrypt Head on over to OWASP.org (Password Storage Cheat Sheet) for current parameters Store the hash securely 🔒
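An added example (not from the talk) of the difference between the two slides above: a bare SHA-256 beside a salted PBKDF2-HMAC-SHA256 with a configurable work factor, stored in a self-describing string so the iteration count can be raised later and old records re-hashed at next login. The 600,000 default is the OWASP figure for PBKDF2-SHA256 at the time of writing and the storage format is this example's own convention, not a library standard.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed policy; tune to your hardware budget
SALT_BYTES = 16


def fast_hash(password: str) -> str:
    """The anti-pattern: unsalted, single round. Deterministic, so two users with the
    same password share a hash, and a GPU tries billions of guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2. The record carries its own parameters:
    pbkdf2_sha256$<iterations>$<salt>$<derived key>."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters in the record and compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a weaker work factor than current policy;
    call after a successful verify and re-hash while you still have the plaintext."""
    return int(stored.split("$")[1]) < iterations
```

`needs_rehash` is what makes the work factor "adaptive" in practice: the policy constant goes up, and every account is upgraded transparently the next time its owner logs in, without a forced password reset.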

Slide 69

Slide 69 text

“ …we made the decision to rotate customer accounts on May 5, 2022, out of an abundance of caution due to not all of the customers having multi-factor authentication (MFA) enabled at the time and potential for password reuse. Bob Wise Heroku General Manager and Salesforce @[email protected]

Slide 70

Slide 70 text

DIY or BUY Choose your User Authentication Journey

Slide 71

Slide 71 text

DIY or BUY Choose your User Authentication Journey

Slide 72

Slide 72 text

DIY or BUY Choose your User Authentication Journey

Slide 73

Slide 73 text

If you choose to BUY

Slide 74

Slide 74 text

If you choose to BUY • Choose your vendor wisely • What factor choices are available? • What are your authorization and authentication needs?

Slide 75

Slide 75 text

If you choose DIY • More flexibility • More security surface area to cover • More control over the user experience • More choices… • When to require re-authentication with MFA • Should re-auth occur on a new IP/browser, or after a period of time

Slide 76

Slide 76 text

Some things to keep in mind no matter your path…

Slide 77

Slide 77 text

Rate limiting blunts brute force attacks

Slide 78

Slide 78 text

Use a truncated exponential back-off algorithm

Slide 79

Slide 79 text

Uh wut now?

Slide 80

Slide 80 text

What is an exponential back-off algorithm? After each failed attempt the wait before the next attempt is accepted doubles (1 s, 2 s, 4 s, 8 s…); “truncated” means the wait is capped at some maximum so a legitimate user who forgot their password is never locked out indefinitely.
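An added example of a truncated exponential back-off for a login endpoint (this is illustrative code, not the speaker's; the policy numbers, three free attempts, a 1 s base and a 300 s cap, are assumptions). The clock is injectable so the behaviour can be tested without sleeping.

```python
import time
from typing import Callable, Dict


def backoff_delay(failures: int, base: float = 1.0, cap: float = 300.0,
                  free_attempts: int = 3) -> float:
    """Truncated exponential back-off.

    The first `free_attempts` failures cost nothing (typos happen). After that the
    required wait is base * 2**n, doubling with every further failure, but truncated
    at `cap`: a legitimate user is never locked out for hours, and an attacker cannot
    turn the throttle into a denial of service against a victim's account."""
    if failures < free_attempts:
        return 0.0
    return min(cap, base * (2 ** (failures - free_attempts)))


class LoginThrottle:
    """Per-key failure tracking. Key on the username AND on the source IP (two
    throttles) so neither a single spraying IP nor a single targeted account
    slips past. State here is in-process; a real deployment keeps it in a shared
    store such as Redis so every login instance sees the same counters."""

    def __init__(self, clock: Callable[[], float] = time.monotonic, **policy):
        self._clock = clock
        self._policy = policy          # forwarded to backoff_delay (base, cap, free_attempts)
        self._failures: Dict[str, int] = {}
        self._not_before: Dict[str, float] = {}

    def seconds_until_allowed(self, key: str) -> float:
        """0.0 if an attempt may proceed now, otherwise how long the caller must wait."""
        return max(0.0, self._not_before.get(key, 0.0) - self._clock())

    def record_failure(self, key: str) -> float:
        """Register a failed attempt and return the delay now imposed on `key`."""
        n = self._failures.get(key, 0) + 1
        self._failures[key] = n
        delay = backoff_delay(n, **self._policy)
        self._not_before[key] = self._clock() + delay
        return delay

    def record_success(self, key: str) -> None:
        """A successful login clears the counter for that key."""
        self._failures.pop(key, None)
        self._not_before.pop(key, None)
```

Check `seconds_until_allowed` before doing any password work, and answer a throttled request with the same generic failure message as a wrong password (plus a `Retry-After` header if you like), so the throttle itself does not become a username oracle.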

Slide 81

Slide 81 text

Get user buy-in @[email protected]

Slide 82

Slide 82 text

Make it easy on your users

Slide 83

Slide 83 text

• Make it easy to opt in • Make it easy to add • Make it visible • Make it flexible Make it easy on your users

Slide 84

Slide 84 text

Do this

Slide 85

Slide 85 text

Not this

Slide 86

Slide 86 text

If you choose DIY… Require more authentication IT COMES IN PINTS?

Slide 87

Slide 87 text

• For editing/removing MFA, require the user to re-authenticate (password and current factor), not just an active session • If authentication fails, be generic in the error response so an attacker cannot tell whether the username exists or why the attempt failed If you choose DIY… Require more authentication

Slide 88

Slide 88 text

"Login failed - invalid user ID or password” Do this

Slide 89

Slide 89 text

"Login for User awesome: invalid password" "Login failed, invalid user ID" "Login failed; account disabled" "Login failed; this user is not active" Not this
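An added example (not from the talk) of the "Do this" response above applied consistently: one login function whose every failure path, unknown user, wrong password or disabled account, returns the identical message, while the real reason goes only to the server log. It also closes the timing side channel the message alone leaves open: when the username does not exist it still runs the full password hash against a dummy record, so the response takes the same time either way. The user store is constructed inline for the example and the work factor is deliberately low to keep it quick.

```python
import hashlib
import hmac
import logging
import os
from typing import Dict, Tuple

log = logging.getLogger("auth")

GENERIC_FAILURE = "Login failed - invalid user ID or password"
ITERATIONS = 100_000  # assumed for the example; production uses a higher work factor


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: username -> (salt, derived key, account active?)
_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes, bool]] = {
    "awesome": (_SALT_A, _pbkdf2("correct horse battery staple", _SALT_A), True),
    "frodo": (_SALT_B, _pbkdf2("the-ring-is-mine", _SALT_B), False),  # disabled
}

# Throwaway record used when the username does not exist, so the request costs the
# same PBKDF2 work whether or not the account is real (no timing oracle).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(os.urandom(16).hex(), _DUMMY_SALT)


def login(username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message). Every failure yields the identical message; the
    specific reason is logged server-side where an attacker cannot see it."""
    record = USERS.get(username)
    salt, expected, active = record if record else (_DUMMY_SALT, _DUMMY_HASH, False)
    # Always do the hash, always compare in constant time, decide afterwards.
    password_ok = hmac.compare_digest(_pbkdf2(password, salt), expected)

    if record is None:
        log.info("login failed: unknown user %r", username)
        return False, GENERIC_FAILURE
    if not password_ok:
        log.info("login failed: bad password for %r", username)
        return False, GENERIC_FAILURE
    if not active:
        log.info("login failed: account %r is disabled", username)
        return False, GENERIC_FAILURE
    return True, "ok"
```

The same rule applies to the "forgot password" and "sign up" endpoints, which are the other two places a product usually leaks whether an address is registered.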

Slide 90

Slide 90 text

@[email protected] Are we doing all we can to protect our users?

Slide 91

Slide 91 text


Slide 92

Slide 92 text

Users with the most privilege, MFA is a requirement not optional @[email protected]

Slide 93

Slide 93 text

As we come to the end of our journey…

Slide 94

Slide 94 text

MFA can help but... • It can only improve security if you are also following secure password practices • Some MFA methods are more secure than others

Slide 95

Slide 95 text


Slide 96

Slide 96 text

Thanks for having me YOW! Brisbane Thanks to: Tyson Reeder, slide design and final graphic @tysondreeder For references and further reading check out christine-seeman.com/talks @[email protected]

Slide 97

Slide 97 text

What questions can I answer? @[email protected]

Slide 98

Slide 98 text

Slides QR code @[email protected]

Slide 99

Slide 99 text

@[email protected] wpengine.careers

Slide 100

Slide 100 text

Everyone needs a product designer friend (thanks again Tyson!)

Slide 101

Slide 101 text

#093840 #DCCEFE #FFEEA7 #A3FBBC #DCCEFE 32px - Large Heading 40px - Only text on slide 24px - Body Image frame - teal - 3px wide

Slide 102

Slide 102 text

Creating duotone bg images https://medialoot.com/duotones/ Go here Click the camera and upload an image from your computer. Then go to the color tab and choose custom at the bottom. I try to stick to colors from the deck. Then drop it in and lower the opacity.