Slide 1

2FA, U2F, OOB, and Other Terrifying Security Acronyms php[world] 2017

Slide 2

SMS 2FA Horror Story

Slide 4

SS7
• Signaling System 7
• Developed in 1975 to manage call setup and routing between telephone network switches
• The protocol suite predates any notion of hostile participants and has several known weaknesses
• Anyone with access to the SS7 network can track a subscriber's movements, with about 70% success
• Calls and SMS messages can be forwarded to third parties, which is how an SMS 2FA code ends up with the attacker instead of the user

Slide 5

Why SMS 2FA is Insecure

Slide 10

NIST Discourages SMS
• In 2016, the public draft of SP 800-63B declared SMS “deprecated” as an out-of-band second factor
• NIST later clarified who the deprecation was for: the guidance is written for federal agencies, not a prohibition on SMS 2FA everywhere
• As of the final 2017 guidance, SMS is still allowed as a “restricted” authenticator: permitted but discouraged, and the user must be offered an alternative

Slide 11

So What Now?

Slide 12

OOB
• OOB means “out of band”
• Applies to more than just security
• Imagine a speaker sending their presentation ahead of time …
• … or a courier delivering a package to an event venue for you
• The point is to leverage multiple, independent channels of communication
• An attacker has to compromise every channel at the same time, which is much harder than compromising one

Slide 13

OOB: HOTP
• HMAC-based One-Time Password (RFC 4226)
• Leverages a secret key shared between the token and the server
• Uses a counter, incremented on every use, so every OTP is unique; the server must keep its own counter in sync and tolerate a small look-ahead
• Can use a hardware or a software token
• Strictly, the separate “band” here is the pre-shared secret rather than a second delivery channel; NIST classifies OTP devices separately from out-of-band authenticators

Slide 14

OOB: TOTP
• Time-based One-Time Password (RFC 6238)
• Fundamentally identical to HOTP
• Uses the current time, divided into fixed steps (typically 30 seconds), as the counter, so nothing has to be kept in sync beyond the clocks
• The verifier should accept a small window of adjacent steps for clock drift, and must never accept the same code twice
• Also available in hardware or software
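
The two slides above describe the same algorithm; the following is an added example, written for this page in Go and not code from the talk or from any provider it mentions. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard-library HMAC, and shows the two verifier-side details the slides call out: a look-ahead window for HOTP counter drift, and for TOTP a clock-drift window combined with a "last accepted step" so a code that was sniffed from the SMS channel or shoulder-surfed cannot be replayed. The secret, step size and window sizes are the RFC test-vector values, chosen so the output can be checked against the RFCs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the MAC, then reduction modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := uint32(h[offset]&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of whole time
// steps (30 s in the RFC vectors) since the Unix epoch.
func totp(secret []byte, at time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(at.Unix()/int64(step.Seconds())), digits)
}

// verifyHOTP checks a submitted code against the server's counter plus a
// look-ahead window (the user may have pressed the token without logging in).
// It returns the counter the server must store next: one past the match.
func verifyHOTP(secret []byte, code string, counter, lookahead uint64, digits int) (bool, uint64) {
	for c := counter; c < counter+lookahead; c++ {
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c, digits)), []byte(code)) == 1 {
			return true, c + 1
		}
	}
	return false, counter
}

// verifyTOTP accepts the current step and +/-window neighbours for clock
// drift, and rejects any step at or before lastStep so a code that was
// already used (or captured) cannot be replayed. On success it returns the
// step the server must record as the new lastStep.
func verifyTOTP(secret []byte, code string, now time.Time, step time.Duration, digits, window int, lastStep int64) (bool, int64) {
	current := now.Unix() / int64(step.Seconds())
	for skew := -window; skew <= window; skew++ {
		s := current + int64(skew)
		if s <= lastStep {
			continue // already consumed: replay
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(s), digits)), []byte(code)) == 1 {
			return true, s
		}
	}
	return false, lastStep
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test-vector secret
	fmt.Println("HOTP(counter 0):", hotp(secret, 0, 6))
	fmt.Println("TOTP(now):      ", totp(secret, time.Now(), 30*time.Second, 6))
}
```

Both verifiers compare with crypto/subtle rather than `==`, and the TOTP verifier stores the accepted step, not the code: that is what makes "never accept the same code twice" enforceable across the drift window. Rate limiting of attempts, which the RFCs also require, is left to the surrounding login code.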

Slide 15

OOB: Magic Links
• Send a one-time, short-lived login token to the user's email address, embedded in a link
• Tied to a user and functions like a password: store only a hash of the token, expire it quickly, and honor it once
• Can also be used as the first (or only) factor
• Only as secure as your user's inbox (and the mail transport in between)
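
The "functions like a password" point has concrete consequences for how the token is stored and redeemed; the following is an added example in Go, not code from the talk or from any of the providers it lists. It issues a 256-bit random token, stores only its SHA-256 with a user ID and expiry, and redeems it exactly once. The in-memory map, the injectable clock and the https://example.com URL are placeholders for this example; a real deployment would put the same three columns in a database.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// link is what the server stores: never the raw token, only its SHA-256,
// so a leaked table does not yield working login links.
type link struct {
	userID  string
	expires time.Time
}

// magicLinks is an in-memory stand-in for a database table of issued links.
type magicLinks struct {
	mu    sync.Mutex
	links map[[32]byte]link
	now   func() time.Time // injectable clock so expiry can be tested
}

func newMagicLinks(now func() time.Time) *magicLinks {
	return &magicLinks{links: make(map[[32]byte]link), now: now}
}

// issue creates a 256-bit random token for userID, valid for ttl, records
// its hash, and returns the raw token for the email. Nothing else ever sees it.
func (m *magicLinks) issue(userID string, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	m.mu.Lock()
	m.links[sha256.Sum256([]byte(token))] = link{userID: userID, expires: m.now().Add(ttl)}
	m.mu.Unlock()
	return token, nil
}

// loginURL is the link to put in the email; the host is a placeholder.
func loginURL(token string) string {
	return "https://example.com/login?token=" + token
}

var errInvalidLink = errors.New("invalid, expired or already-used link")

// redeem exchanges a token for its user ID exactly once. Lookup is by hash,
// so the raw token is never compared byte-by-byte and a wrong guess leaks
// nothing through timing. The entry is deleted on first presentation even
// if it turns out to be expired, so it can never be tried again.
func (m *magicLinks) redeem(token string) (string, error) {
	key := sha256.Sum256([]byte(token))
	m.mu.Lock()
	defer m.mu.Unlock()
	l, found := m.links[key]
	if !found {
		return "", errInvalidLink
	}
	delete(m.links, key)
	if m.now().After(l.expires) {
		return "", errInvalidLink
	}
	return l.userID, nil
}

func main() {
	store := newMagicLinks(time.Now)
	token, err := store.issue("alice", 15*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("mail this:", loginURL(token))
	user, err := store.redeem(token)
	fmt.Println("first use: ", user, err)
	_, err = store.redeem(token)
	fmt.Println("second use:", err)
}
```

The redeem error is deliberately the same for unknown, expired and already-used tokens, so an attacker probing the endpoint cannot tell which links exist. The one thing this code cannot fix is the slide's last bullet: whoever reads the mailbox, or the unencrypted hop in between, holds the token until it expires, which is why the TTL is minutes, not days.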

Slide 16

U2F
• Universal 2nd Factor
• Open standard from the FIDO Alliance (Fast IDentity Online), an industry group established in 2013
• Built on top of HMAC and asymmetric keys: the token holds a per-site key pair and signs a server challenge bound to the site's origin, so there is no shared secret on the server to steal and a phishing site cannot relay the response
• Supported by (almost) all major browsers

Slide 17

Mobile Push
• APNS - Apple Push Notification Service
• GCM - Google Cloud Messaging
• SNS - Amazon Simple Notification Service (a fan-out service that delivers through APNS and GCM)
• Submit a challenge to the user's mobile device to be signed and returned
• The app can sign with a private key kept in the device's secure storage (Keychain, Android Keystore), so the server only ever holds the public key

Slide 18

Other Providers
• Auth0 - Magic links, SMS
• Authy - App
• Duo - App, 2FA
• Yubico - Hardware tokens

Slide 19

Keep in mind …
• NIST’s SMS deprecation is a recommendation, not a requirement
• Using SMS for 2FA is better than nothing
• SS7 is exploitable, but the exploits are difficult
• All of these 2FA providers offer SDKs - use them
• Never roll your own when it comes to auth - use a proven solution

Slide 20

[email protected] (844) 628-2872 www.tozny.com THANK YOU!

Slide 21

Questions?