One does not simply add MFA

by Christine

Slide 1

Slide 1 text

@[email protected] One does not simply add MFA Just like a walk into Mordor, good MFA is a journey

Slide 2

Slide 2 text

@[email protected] What you will learn ✓ What is MFA ✓ How to secure your accounts ✓ What are the MFA types ✓ How to protect users and secure an application ✓ Potential testing steps ✓ MFA implementation best practices "Its black gates are guarded by more than just orcs. "

Slide 3

Slide 3 text

@[email protected] Taking notes or pictures 📝 Asking foolish questions 🤔 christine-seeman.com/talks Things you don't need to worry about "There is evil there that does not sleep, and the Great Eye is ever watchful"

Slide 4

Slide 4 text

Let our journey begin…

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

@[email protected] Back to the beginning To when you signed up for

Slide 9

Slide 9 text

@[email protected]

Slide 10

Slide 10 text

@[email protected]

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

@[email protected]

Slide 13

Slide 13 text

@[email protected] What was the hacker up to? Calling your mobile provider

Slide 14

Slide 14 text

@[email protected] On the phone with your mobile provider... Using social engineering

Slide 15

Slide 15 text

@[email protected] Now they have all the access... Sim swap/sim hijacking

Slide 16

Slide 16 text

No content

Slide 17

Slide 17 text

@[email protected] issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

Slide 18

Slide 18 text

@[email protected]

Slide 19

Slide 19 text

“ @[email protected] We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology of fi cer and founding engineer August 2018

Slide 20

Slide 20 text

@[email protected] What is authentication? The process of verifying that someone or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)

Slide 21

Slide 21 text

@[email protected] ... but what are the different factors of auth? ✔Factor is knowledge (i.e. your password) ✔Is the other method choice - Possession (token/soft token) - Identity (biometrics)

Slide 22

Slide 22 text

@[email protected] 2FA = 2SV = MFA = 2F? = ??? What about all those other acronyms...

Slide 23

Slide 23 text

@[email protected] Why didn't MFA help? •SMS was used •For most users MFA won’t even be enabled

Slide 24

Slide 24 text

@[email protected] • Most common • Most compromised • Not recommended by NIST since 2016 SMS

Slide 25

Slide 25 text

@[email protected] If SMS wasn't bad enough •SS7 (network shared by every telecom) has it's own vulnerabilities •Text messages that are sent can be intercepted

Slide 26

Slide 26 text

@[email protected] Let's figure out all the ways to hack it... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness

Slide 27

Slide 27 text

@[email protected] • Associated with certain authorized devices • Not visible on a locked phone screen Push Based

Slide 28

Slide 28 text

@[email protected] … Push Based has major drawbacks too September 15th, 2022

Slide 29

Slide 29 text

@[email protected] Security Questions • User answers a set of questions during sign-up • For example • Merry’s mother’s maiden name? • What is the shire’s address? • Just an extension of your first factor, password (knowledge) ❓ ❓

Slide 30

Slide 30 text

@[email protected] Email • At login time, an email with verification code is sent to user • Convient • Should only be used with verified emails • Less Common, may be in use but may not referred to as MFA

Slide 31

Slide 31 text

@[email protected] Example email verification step Awesome

Slide 32

Slide 32 text

@[email protected] Time-based One Time Password aka app based aka soft token • Authy • Google Authenticator • 1Password TOTP

Slide 33

Slide 33 text

@[email protected] Token based Physical keys that can auth • FIDO2/WebAuthn • USB drive • near- fi eld communication • Many use U2F (Universal 2nd Factor)

Slide 34

Slide 34 text

@[email protected] OTP vs U2F

Slide 35

Slide 35 text

@[email protected] OTP U2F • User has physical device • Strong security from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack

Slide 36

Slide 36 text

What would you change now?

Slide 37

Slide 37 text

@[email protected] Secure Your Account 1. Use long password/passphrase 2. Secure with alternate authentication method 3. Use a VOIP number 4. Don't reuse passwords 5. Pin/password protect phone provider Keep on being @awesome

Slide 38

Slide 38 text

@[email protected] … now let’s put a twist on our story

Slide 39

Slide 39 text

@[email protected] Not that twist... Now you are the developer at shiregram (an insta rival) How do you secure your users from all the bad stuff out there?

Slide 40

Slide 40 text

@[email protected] • Developers • Designers • Infrastructure • Managers • Not just info sec! Security is everyone's job YOU MEAN TO TELL ME INFORMATION SECURITY IS PART OF MY JOB TOO!?

Slide 41

Slide 41 text

@[email protected] wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

Slide 42

Slide 42 text

@[email protected] nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

Slide 43

Slide 43 text

@[email protected] Back to your security basics 1. Strong passwords/passphrase 💪 2. Don't make them be rotated 🔁 3. Store the hash securely 🔒 4. Only store sensitive data that you need ⛔

Slide 44

Slide 44 text

https://xkcd.com/936/ @[email protected]

Slide 45

Slide 45 text

@[email protected] Why this helps •Greater entropy = harder to brute force the password •Passwords should be hard to guess, but easy to remember •Extra length + randomness allows for more entropy (strength)

Slide 46

Slide 46 text

No content

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

Do this 😄

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

@[email protected]

Slide 51

Slide 51 text

Not this 😞

Slide 52

Slide 52 text

⬆ that is 6 a's

Slide 53

Slide 53 text

Not this either 😧

Slide 54

Slide 54 text

@[email protected] Let's talk about password hash encryption • Just an algorithm that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = 👎 • SHA-256/512-bit SHA-2= 👍 • If possible with performance, use an adaptive one-way function

Slide 55

Slide 55 text

@[email protected] Strong recommended adaptive functions Argon2 PBKDF2 Scrypta Bcrypt Head on over to OWASP.org for more details

Slide 56

Slide 56 text

“ @[email protected] …we made the decision to rotate customer accounts on May 5, 2022, out of an abundance of caution due to not all of the customers having multi-factor authentication (MFA) enabled at the time and potential for password reuse. Bob Wise Heroku General Manager and Salesforce

Slide 57

Slide 57 text

@[email protected] ...a user lost their phone/app access/token • Recovery codes to the rescue! 🦹 • Allows access to application • Shown once, used once

Slide 58

Slide 58 text

Choose your path DIY BUY

Slide 59

Slide 59 text

@[email protected] If you choose to BUY •Choose your vendor wisely •What factor choices are available? •What are your authorization and authentication needs? •Can you export your data?

Slide 60

Slide 60 text

@[email protected] If you choose DIY More flexibility More security surface area to cover More control over the user experience

Slide 61

Slide 61 text

Somethings to keep in mind no matter your path…

Slide 62

Slide 62 text

@[email protected] Rate limiting prevents brute force attacks Rate limiting prevents brute force attacks

Slide 63

Slide 63 text

@[email protected] Use a truncated exponential back-off algorithm Uh wut now?

Slide 64

Slide 64 text

@[email protected] What is an exponential back-off algorithm?

Slide 65

Slide 65 text

@[email protected] Get user buy-in

Slide 66

Slide 66 text

@[email protected] ✓ Make it easy opt in ✓ Make it easy to add ✓ Make it visible ✓Make it flexible Make it easy on your users

Slide 67

Slide 67 text

@[email protected] Not this 😢 American Express OpenShift Net fl ix Pandora Pinterest Spotify Target Best Buy State Farm AT&T Twitter (well not right now) 🚫 MFA

Slide 68

Slide 68 text

@[email protected] Do this 😄

Slide 69

Slide 69 text

@[email protected] • For editing/removing of MFA require credentials • If authentication does fail, be generic in error response More authentication IT COMES IN PINTS?

Slide 70

Slide 70 text

Do this "Login failed - invalid user ID or password" 😙

Slide 71

Slide 71 text

Not this "Login for User awesome: invalid password" "Login failed, invalid user ID" "Login failed; account disabled" "Login failed; this user is not active" 😖

Slide 72

Slide 72 text

@[email protected] Are we doing all we can to protect our users?

Slide 73

Slide 73 text

@[email protected]

Slide 74

Slide 74 text

@[email protected] Users with the most amount of privilege, 2FA is a requirement not optional

Slide 75

Slide 75 text

@[email protected]

Slide 76

Slide 76 text

@[email protected] MFA can help but... Can only improve security if you are following secure password practices Some MFA methods are more secure then others

Slide 77

Slide 77 text

No content

Slide 78

Slide 78 text

Thanks for having me WP Engine Omaha friends! Thanks to: Tyson Reeder for the final graphic @tysondreeder For references and further reading checkout christine-seeman.com/talks Find me on mastodon @[email protected]

Slide 79

Slide 79 text

@[email protected] What questions can I answer?

Slide 80

Slide 80 text

code!!

Slide 81

Slide 81 text

@[email protected] Twilio API Example

Slide 82

Slide 82 text

@[email protected] The Ruby One Time Password Library Example

Slide 83

Slide 83 text

@[email protected]

Slide 84

Slide 84 text

@[email protected] But you need to get this code to your user...

Slide 85

Slide 85 text

@[email protected] Authy One Touch API Example

Slide 86

Slide 86 text

@[email protected] QR Code Rendering https://github.com/whomwah/rqrcode ROTP: TOTP https://github.com/mdp/rotp Twilio Ruby API https://www.twilio.com/docs/libraries/ruby Auth Ruby API https://github.com/twilio/authy-ruby