A tale of two sides of 2FA

by Christine

Slide 1

Slide 1 text

@tech_christine A tale of two sides of 2FA It can be the best of security, or the worst of security

Slide 2

Slide 2 text

@tech_christine What you will learn ✓ What is 2FA/MFA ✓ How to secure your accounts ✓ What are the 2FA types ✓ How to protect users and secure an application ✓ Potential testing steps ✓ 2FA development best practices "...it was the age of wisdom, it was the age of foolishness..."

Slide 3

Slide 3 text

@tech_christine Taking notes or pictures Asking stupid questions https://christine-seeman.com/talks Things you don't need to worry about "...it was the epoch of belief, it was the epoch of incredulity..."

Slide 4

Slide 4 text

@tech_christine London and Paris

Slide 5

Slide 5 text

@tech_christine User and Developer

Slide 6

Slide 6 text

@tech_christine

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

@tech_christine Back to the beginning To when you signed up for

Slide 10

Slide 10 text

@tech_christine

Slide 11

Slide 11 text

@tech_christine

Slide 12

Slide 12 text

@tech_christine

Slide 13

Slide 13 text

@tech_christine What was the hacker up to? Calling your mobile provider

Slide 14

Slide 14 text

@tech_christine On the phone with your mobile provider... Using social engineering

Slide 15

Slide 15 text

@tech_christine Now they have all the access... Sim swap/sim hijacking

Slide 16

Slide 16 text

@tech_christine

Slide 17

Slide 17 text

@tech_christine issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

Slide 18

Slide 18 text

@tech_christine

Slide 19

Slide 19 text

“ @tech_christine We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology ofﬁcer and founding engineer August 2018

Slide 20

Slide 20 text

@tech_christine What is authentication? The process of verifying that someone or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)

Slide 21

Slide 21 text

@tech_christine ... but what are the different factors of auth? 1. Factor is knowledge (i.e. your password) 2. Is the other method choice - Possession (token/soft token) - Identity (biometrics)

Slide 22

Slide 22 text

@tech_christine 2FA = 2SV = MFA = 2F What about all those other acronyms...

Slide 23

Slide 23 text

@tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't even enabled

Slide 24

Slide 24 text

@tech_christine • Most common • Most compromised • Not recommended by NIST since 2016 SMS

Slide 25

Slide 25 text

@tech_christine If SMS wasn't bad enough •SS7 (network shared by every telecom) has it's own vulnerabilities •Text messages that are sent can be intercepted

Slide 26

Slide 26 text

@tech_christine Let's figure out all the ways to hack it... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness

Slide 27

Slide 27 text

@tech_christine Time-based One Time Password aka app based aka soft token • Authy • Google Authenticator • 1Password TOTP

Slide 28

Slide 28 text

@tech_christine • Associated with certain authorized devices • Not visible on a locked phone screen Push Based

Slide 29

Slide 29 text

@tech_christine Email • Convient • Should only be used with verified emails • Less Common, may be in use but not referred to as 2FA

Slide 30

Slide 30 text

@tech_christine Token based Physical keys that can auth • USB drive • near-ﬁeld communication • Many use U2F (Universal 2nd Factor)

Slide 31

Slide 31 text

@tech_christine OTP vs U2F

Slide 32

Slide 32 text

@tech_christine OTP U2F • User has physical device • Strong security from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack

Slide 33

Slide 33 text

What would you change now?

Slide 34

Slide 34 text

@tech_christine Secure Your Account 1. Use long password/passphrase 2. Secure with alternate authentication method 3. Use a VOIP number 4. Don't reuse passwords 5. Pin/password protect phone provider Keep on being @awesome

Slide 35

Slide 35 text

@tech_christine But wait... Now you are the developer at jiffygram (an insta rival) How do you secure your users from all the bad stuff out there?

Slide 36

Slide 36 text

@tech_christine • Developers • Designers • Infrastructure • Managers • Not just info sec! Security is everyone's job

Slide 37

Slide 37 text

@tech_christine wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

Slide 38

Slide 38 text

@tech_christine nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

Slide 39

Slide 39 text

@tech_christine Back to your security basics 1. Strong passwords/passphrase # 2. Don't make them be rotated 3. Store the hash securely 4. Only store sensitive data that you need ⛔

Slide 40

Slide 40 text

https://xkcd.com/936/ @tech_christine

Slide 41

Slide 41 text

@tech_christine Why this helps •Greater entropy = harder to brute force the password •Passwords should be hard to guess, but easy to remember •Extra length + randomness allows for more entropy (strength)

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

Do this @tech_christine

Slide 45

Slide 45 text

@tech_christine

Slide 46

Slide 46 text

Not this ☹ @tech_christine

Slide 47

Slide 47 text

⬆ that is 6 a's @tech_christine

Slide 48

Slide 48 text

Not this either @tech_christine

Slide 49

Slide 49 text

@tech_christine Let's talk about password hash encryption • Just an algorithm that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = + • SHA-256/512-bit SHA-2= , • If possible with performance, use an adaptive one- way function

Slide 50

Slide 50 text

@tech_christine Strong recommended adaptive functions Argon2 PBKDF2 Scrypta Bcrypt Head on over to OWASP.org for more details

Slide 51

Slide 51 text

@tech_christine ...a user lost their phone/app access/token • Recovery codes to the rescue! - • Allows access to application • Shown once, used once

Slide 52

Slide 52 text

@tech_christine lessons learned 2FA Implementation @tech_christine

Slide 53

Slide 53 text

Buy DYI

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

@tech_christine Rate limiting prevents brute force attacks @tech_christine

Slide 56

Slide 56 text

@tech_christine Rate limiting prevents brute force attacks @tech_christine

Slide 57

Slide 57 text

@tech_christine Use a truncated exponential back-off algorithm @tech_christine

Slide 58

Slide 58 text

@tech_christine What is an exponential back-off algorithm?

Slide 59

Slide 59 text

@tech_christine Code example in Ruby login_request if retries <= max_retries retries += 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end

Slide 60

Slide 60 text

@tech_christine Get user buy-in

Slide 61

Slide 61 text

@tech_christine

Slide 62

Slide 62 text

@tech_christine ✓ Make it easy opt in ✓ Make it easy to add ✓ Make it visible ✓Make it flexible

Slide 63

Slide 63 text

@tech_christine Do this

Slide 64

Slide 64 text

@tech_christine Not this American Express OpenShift Netﬂix Pandora Pinterest Spotify Target Best Buy Freshbooks State Farm AT&T 2FA

Slide 65

Slide 65 text

@tech_christine Enforce authentication on all pages

Slide 66

Slide 66 text

@tech_christine • For editing/removing of 2FA require credentials • If authentication does fail, be generic in error response Moar authentication

Slide 67

Slide 67 text

Do this "Login failed - invalid user ID or password"

Slide 68

Slide 68 text

Not this "Login for User foo: invalid password" "Login failed, invalid user ID" "Login failed; account disabled" "Login failed; this user is not active"

Slide 69

Slide 69 text

@tech_christine Are we doing all we can to protect our users?

Slide 70

Slide 70 text

@tech_christine

Slide 71

Slide 71 text

@tech_christine Users with the most amount of privilege, 2FA is a requirement not optional

Slide 72

Slide 72 text

@tech_christine 2FA can help but... • Can only improve security if you are following secure password practices • Some 2FA methods are more secure then others

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

@tech_christine Thanks for having me NDC {London}! All the organizers and volunteers deserve 2 2 2 Tyson Reeder for the final graphic @tysondreeder For references and further reading checkout christine-seeman.com/talks

Slide 75

Slide 75 text

@tech_christine getﬂywheel.com/about/careers

Slide 76

Slide 76 text

@tech_christine What questions can I answer?

Slide 77

Slide 77 text

code!!

Slide 78

Slide 78 text

@tech_christine Twilio API Example

Slide 79

Slide 79 text

@tech_christine The Ruby One Time Password Library Example

Slide 80

Slide 80 text

@tech_christine

Slide 81

Slide 81 text

@tech_christine But you need to get this code to your user...

Slide 82

Slide 82 text

@tech_christine Authy One Touch API Example

Slide 83

Slide 83 text

@tech_christine QR Code Rendering https://github.com/whomwah/rqrcode ROTP: TOTP https://github.com/mdp/rotp Twilio Ruby API https://www.twilio.com/docs/libraries/ruby Auth Ruby API https://github.com/twilio/authy-ruby