Slide 1
Slide 1 text
@[email protected]
One does not simply add MFA
Just like a walk into Mordor, good MFA is a journey
Slide 2
Slide 2 text
@[email protected]
What you will learn
✓ What is MFA
✓ How to secure your accounts
✓ What are the MFA types
✓ How to protect users and
secure an application
✓ Potential testing steps
✓ MFA implementation best
practices
"Its black gates are guarded by more than just orcs. "
Slide 3
Slide 3 text
@[email protected]
Taking notes or pictures 📝
Asking foolish questions 🤔
christine-seeman.com/talks
Things you don't need to worry about
"There is evil there that does not sleep, and the Great Eye is ever watchful"
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 10
Slide 10 text
No content
Slide 12
Slide 12 text
@[email protected]
On the phone
with your mobile
provider...
Using social engineering
Slide 14
Slide 14 text
No content
Slide 17
Slide 17 text
“
@[email protected]
We learned that SMS-based
authentication is not nearly as
secure as we would hope, and the
main attack was via SMS intercept
Christopher Slowe
Reddit chief technology of
fi
cer and founding engineer
August 2018
Slide 18
Slide 18 text
@[email protected]
What is authentication?
The process of verifying that someone or
something is the actual entity that they claim
to be.
- OWASP.org
(these people know what they are talking about when it comes to security)
Slide 19
Slide 19 text
@[email protected]
... but what are the different factors of auth?
✔Factor is knowledge (i.e. your password)
✔Is the other method choice
- Possession (token/soft token)
- Identity (biometrics)
Slide 20
Slide 20 text
@[email protected]
2FA = 2SV = MFA = 2F? = ???
What about all those other acronyms...
Slide 21
Slide 21 text
@[email protected]
Why didn't MFA help?
•SMS was used
•For most users MFA won’t even be enabled
Slide 22
Slide 22 text
@[email protected]
• Most common
• Most compromised
• Not recommended
by NIST since 2016
SMS
Slide 23
Slide 23 text
@[email protected]
If SMS wasn't bad enough
•SS7 (network shared by every telecom) has
it's own vulnerabilities
•Text messages that are sent can be
intercepted
Slide 24
Slide 24 text
@[email protected]
Let's figure out
all the ways to
hack it...
1. Sim-swap (aka what just
happened to us)
2. Port-out scam
3. Brute force on the
application itself
4. Exploit SS7 weakness
Slide 25
Slide 25 text
@[email protected]
• Associated with certain
authorized devices
• Not visible on a locked
phone screen
Push Based
Slide 27
Slide 27 text
@[email protected]
Security Questions
• Convient
• Just an extension of your first factor,
password (knowledge)
🤨
❓ ❓
Slide 28
Slide 28 text
@[email protected]
Email
• Convient
• Should only be used with
verified emails
• Less Common, may be in use
but not referred to as 2FA
Slide 29
Slide 29 text
@[email protected]
Time-based One Time Password
aka app based
aka soft token
• Authy
• Google Authenticator
• 1Password
TOTP
Slide 30
Slide 30 text
@[email protected]
Token based
Physical keys that can auth
• FIDO2/WebAuthn
• USB drive
• near-
fi
eld communication
• Many use U2F (Universal
2nd Factor)
Slide 32
Slide 32 text
@[email protected]
OTP U2F
• User has physical device
• Strong security from
public key cryptography
• No personal information
associated with a key
• Users type in codes
• Set up and provision required
• Secrets stored, providing a
single point of attack
Slide 33
Slide 33 text
What would you change now?
Slide 34
Slide 34 text
@[email protected]
Secure Your Account
1. Use long password/passphrase
2. Secure with alternate authentication method
3. Use a VOIP number
4. Don't reuse passwords
5. Pin/password protect phone provider
Keep on being @awesome
Slide 35
Slide 35 text
@[email protected]
But wait...
Now you are the developer at jiffygram (an insta rival)
How do you secure your users from all the bad stuff
out there?
Slide 36
Slide 36 text
@[email protected]
• Developers
• Designers
• Infrastructure
• Managers
• Not just info sec!
Security is everyone's job
Slide 37
Slide 37 text
@[email protected]
wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room
Slide 38
Slide 38 text
@[email protected]
nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera
Slide 39
Slide 39 text
@[email protected]
Back to your security basics
1. Strong passwords/passphrase 💪
2. Don't make them be rotated 🔁
3. Store the hash securely 🔒
4. Only store sensitive data that you need ⛔
Slide 41
Slide 41 text
@[email protected]
Why this helps
•Greater entropy = harder to brute force the password
•Passwords should be hard to guess, but easy to remember
•Extra length + randomness allows for more entropy
(strength)
Slide 42
Slide 42 text
No content
Slide 43
Slide 43 text
No content
Slide 44
Slide 44 text
Do this 😄
Slide 45
Slide 45 text
No content
Slide 47
Slide 47 text
Not this 😞
Slide 48
Slide 48 text
⬆ that is 6 a's
Slide 49
Slide 49 text
⬆ that is just six aaaaaa that ended up working
Slide 50
Slide 50 text
@[email protected]
Let's talk about password hash encryption
• Just an algorithm that takes data and produces fixed-size output
• Some hashes are stronger then others
• MD5/SHA-1 = 👎
• SHA-256/512-bit SHA-2= 👍
• If possible with performance, use an adaptive one-way function
Slide 51
Slide 51 text
@[email protected]
Strong recommended adaptive functions
Argon2
PBKDF2
Scrypta
Bcrypt
Head on over to OWASP.org for more details
Slide 52
Slide 52 text
“
@[email protected]
…we made the decision to rotate customer
accounts on May 5, 2022, out of an abundance
of caution due to not all of the customers
having multi-factor authentication (MFA)
enabled at the time and potential for password
reuse.
Bob Wise
Heroku General Manager and Salesforce
Slide 53
Slide 53 text
@[email protected]
...a user lost their phone/app access/token
• Recovery codes to
the rescue! 🦹
• Allows access to
application
• Shown once, used
once
Slide 54
Slide 54 text
Choose your path
DIY BUY
Slide 55
Slide 55 text
@[email protected]
If you choose to BUY
•Choose your vendor wisely
•What factor choices are available?
•What are your authorization and
authentication needs?
Slide 56
Slide 56 text
@[email protected]
If you choose DIY
More flexibility
More security surface area to cover
More control over the user experience
Slide 57
Slide 57 text
@[email protected]
Rate limiting prevents brute force attacks
@tech_christine
Slide 63
Slide 63 text
@[email protected]
✓ Make it easy opt in
✓ Make it easy to add
✓ Make it visible
✓Make it flexible
Slide 64
Slide 64 text
@[email protected]
Not this 😢
American Express
OpenShift
Net
fl
ix
Pandora
Pinterest
Spotify
Target
Best Buy
State Farm
AT&T
Twitter (well not right now)
🚫 MFA
Slide 65
Slide 65 text
@[email protected]
• For editing/removing of
MFA require credentials
• If authentication does
fail, be generic in error
response
More authentication
Slide 66
Slide 66 text
Do this
"Login failed - invalid user ID or password"
😙
Slide 67
Slide 67 text
Not this
"Login for User awesome: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
😖
Slide 70
Slide 70 text
@[email protected]
Users with the most amount of
privilege, 2FA is a requirement
not optional
Slide 72
Slide 72 text
@[email protected]
MFA can help but...
• Can only improve security if you are
following secure password practices
• Some MFA methods are more secure
then others
Slide 73
Slide 73 text
No content
Slide 74
Slide 74 text
@[email protected]
Thanks for having me PetFriendly!
Tyson Reeder for the final graphic
@tysondreeder
For references and further reading checkout
christine-seeman.com/talks
Slide 76
Slide 76 text
code!!
Slide 82
Slide 82 text
@[email protected]
QR Code Rendering
https://github.com/whomwah/rqrcode
ROTP: TOTP
https://github.com/mdp/rotp
Twilio Ruby API
https://www.twilio.com/docs/libraries/ruby
Auth Ruby API
https://github.com/twilio/authy-ruby