Slide 1

Slide 1 text

2FA, WTF?

Slide 2

Slide 2 text

HACKERS

Slide 3

Slide 3 text

ARE

Slide 4

Slide 4 text

EVERYWHERE

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Phil Nash @philnash http://philna.sh [email protected]

Slide 9

Slide 9 text

2FA, WTF?

Slide 10

Slide 10 text

TWO FACTOR AUTHENTICATION

Slide 11

Slide 11 text

Two Factor Authentication: 2FA is a security process in which a user provides two different forms of identification in order to authenticate themself with a system. The two forms must come from different categories, normally something you know and something you have.

Slide 12

Slide 12 text

WHY?

Slide 13

Slide 13 text

MAT HONAN

Slide 14

Slide 14 text

Mat Honan's Hackers' Timeline
1. Found Gmail address on his personal site
2. Entered address in Gmail and found his @me.com backup email
3. Called Amazon to add a credit card to file
4. Called Amazon again to reset password and got access
5. 4:33pm: called Apple to reset password
6. 4:50pm: reset AppleID password and gained access to email

Slide 15

Slide 15 text

Mat Honan's Hackers' Timeline
7. 4:52pm: reset Gmail account password
8. 5:01pm: wiped iPhone
9. 5:02pm: reset Twitter password
10. 5:05pm: wiped MacBook and deleted Google account
11. 5:12pm: posted to Twitter taking credit for the hack

Slide 16

Slide 16 text

@MAT

Slide 17

Slide 17 text

WHY?

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

ASHLEY MADISON

Slide 20

Slide 20 text

Ashley Madison Top 10 Passwords
1. 123456
2. 12345
3. password
4. DEFAULT
5. 123456789
6. qwerty
7. 12345678
8. abc123
9. NSFW
10. 1234567

Slide 21

Slide 21 text

Ashley Madison Top 10 Passwords
1. 123456 - 120,511 users
2. 12345 - 48,452 users
3. password - 39,448 users
4. DEFAULT - 34,275 users
5. 123456789 - 26,620 users
6. qwerty - 20,778 users
7. 12345678 - 14,172 users
8. abc123 - 10,869 users
9. NSFW - 10,683 users
10. 1234567 - 9,468 users
Source: http://qz.com/501073/the-top-100-passwords-on-ashley-madison/

Slide 22

Slide 22 text

HOW?

Slide 23

Slide 23 text

User Registration Flow
1. Visit registration page
2. Sign up with username and password
3. User is logged in

Slide 24

Slide 24 text

User Log In Flow
1. Visit login page
2. Enter username and password
3. System verifies details
4. User is logged in

Slide 25

Slide 25 text

SMS

Slide 26

Slide 26 text

User Registration Flow
1. Visit registration page
2. Sign up with username, password and phone number
3. User is logged in

Slide 27

Slide 27 text

User Log In Flow
1. Visit login page
2. Enter username and password
3. System verifies details
4. Verification code sent to user by SMS
5. User enters verification code
6. System verifies code
7. User is logged in

Slide 28

Slide 28 text

PROS/CONS

Slide 29

Slide 29 text

SOFT TOKEN

Slide 30

Slide 30 text

User Registration Flow
1. Visit registration page
2. Sign up with username, password
3. Generate a secret for the user
4. Share the secret somehow
5. User is logged in

Slide 31

Slide 31 text

User Log In Flow
1. Visit login page
2. Enter username and password
3. System verifies details
4. User opens auth app
5. User finds app verification code and enters on site
6. System verifies code
7. User is logged in

Slide 32

Slide 32 text

SECRETS

Slide 33

Slide 33 text

HOTP/TOTP

Slide 34

Slide 34 text

HOTP
HOTP(K, C) = Truncate(HMAC(K, C)) & 0x7FFFFFFF
HOTP-Value = HOTP(K, C) mod 10^d

Slide 35

Slide 35 text

https://github.com/guyht/notp

Slide 36

Slide 36 text

TOTP

Slide 37

Slide 37 text

DEMO

Slide 38

Slide 38 text

SHARING SECRETS

Slide 39

Slide 39 text

QR code
otpauth://TYPE/LABEL?PARAMETERS
otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

Slide 40

Slide 40 text

No content

Slide 41

Slide 41 text

PROS/CONS

Slide 42

Slide 42 text

CAN IT BE BETTER?

Slide 43

Slide 43 text

FRIENDS DON'T LET FRIENDS WRITE THEIR OWN AUTHENTICATION FRAMEWORKS

Slide 44

Slide 44 text

FRIENDS DON'T LET FRIENDS WRITE THEIR OWN TWO FACTOR AUTHENTICATION FRAMEWORKS

Slide 45

Slide 45 text

No content

Slide 46

Slide 46 text

User Registration Flow
1. Visit registration page
2. Sign up with username, password and phone number
3. System registers User with Authy
4. User is logged in

Slide 47

Slide 47 text

User Log In Flow
1. Visit login page
2. Enter username and password
3. System verifies details
4. Authy prompts user
5. User finds app verification code and enters on site
6. System verifies code with Authy
7. User is logged in

Slide 48

Slide 48 text

THE FUTURE

Slide 49

Slide 49 text

PUSH NOTIFICATIONS

Slide 50

Slide 50 text

0:21

Slide 51

Slide 51 text

PROS/CONS

Slide 52

Slide 52 text

SUMMARY

Slide 53

Slide 53 text

USERS ARE BAD WITH PASSWORDS

Slide 54

Slide 54 text

OTHER WEBSITES ARE BAD WITH PASSWORDS

Slide 55

Slide 55 text

2FA CAN BE PUSH, TOKEN OR SMS

Slide 56

Slide 56 text

2FA IS FOR YOUR USERS

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

THANKS!

Slide 59

Slide 59 text

Use code PNASH20 for 20% off tickets

Slide 60

Slide 60 text

Thanks! @philnash http://philna.sh [email protected]