Slide 1

Slide 1 text

Security For The People: End-User Authentication Security On The Internet
Mark Stanislav, [email protected]

Slide 2

Slide 2 text

Security Is A Process, Not A Product.

Slide 3

Slide 3 text

A Few Notes on Research Methodology
• Worked "backwards": started from a list of services that already offer their users two-factor authentication
  • This gives a more security-forward data set to begin with than a random sample of sites would
• Gathered additional details per service covering not just the 2FA details but also TLS usage, browser security headers, and session cookie flags
• Focused on data completeness and accuracy as much as reasonably possible, but this is *not* a scientific study
• Does not include software packages that ship two-factor support; only online services were surveyed

Slide 4

Slide 4 text

Primary Data Points Utilized
Two-Factor Authentication
• When was it first offered to users?
• How do users enroll to enable it?
• What method(s) are available?
• What do companies even call it?
Browser Security Features
• HTTP Strict Transport Security
• Content Security Policy
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Session Cookie Secure
• Session Cookie HttpOnly
Transport Security
• Do they utilize SSL/TLS for logins?
• What is their SSL Labs score?

Slide 5

Slide 5 text

Gathering Data Can Be Really, Really Annoying

Slide 6

Slide 6 text

Two Factor Deployments Per Year Since 2005
[Bar chart: number of two factor deployments by year of deployment]
Year:         2005  2006  2007  2008  2009  2010  2011  2012  2013  2014
Deployments:     2     3     3     4     5     7    13    18    47    30
* Note, data is only through June 2014 *
• Google Authenticator's presence in 2011 has likely led to the mass adoption of TOTP
  • Many services that support TOTP just say they use Authenticator
• Facebook also enabled 2FA for users in 2011
  • Allows SMS + TOTP

Slide 7

Slide 7 text

How Does A User Actually Enroll In Two Factor?
[Bar chart: number of services per method of two factor enrollment]
Self Enroll: 132 of 141 services (94%); Phone Call, E-Mail and Mixed account for the remaining 9 (4, 3 and 2 services)
• Ease of enrollment is crucial for adoption of security controls
  • Having to call, fax, or even e-mail may be enough for a user to go "this seems like too much effort…"
• It's great to see such a high percentage of services allowing users to self enroll (94%)
  • But what about ease of use?

Slide 8

Slide 8 text

Collective Method Availability Across Services
[Bar chart: number of services offering each method]
Method    Services
E-Mail       14
SMS          62
Call         14
Card          7
Token        15
Yubikey      13
TOTP         74
HOTP          2
Mobile       25
Duo           6
Authy        12
Rublon        1
• 12 of the 74 services that support TOTP are Bitcoin related
  • 92% of all Bitcoin services offer TOTP; 62% offer TOTP as their only method
• 73% of hardware token-enabled services are financial or gaming

Slide 9

Slide 9 text

Companies Should Point Out Two Factor Availability Shown upon first login… nice work, Zoho!

Slide 10

Slide 10 text

Number Of Methods Per Service By Percentage
[Pie chart] 1 method: 51%, 2 methods: 33%, 3 methods: 11%, 4 methods: 4%, 5+ methods: 2%
• Of services that offer only a single method, 51% provide TOTP and 14% provide SMS
• 62% of services that offer two methods pair TOTP with SMS
• MailChimp and OneLogin offer five methods for users to leverage
  • …Clavid offers six methods!

Slide 11

Slide 11 text

Two Factor Moniker Usage Since 2005
[Stacked bar chart: moniker usage per deployment year (2FA, MFA, 2SV, Other), 2005 to 2014; annotated "Google Deploys 2SV" at 2011]
* Note, data is only through July 2014 *
• 2-Step Verification as a moniker seems to be going away…
  • 2011: 15%
  • 2012: 28%
  • 2013: 21%
  • 2014: 17%
• "Other" is usually for custom branding of the service's feature

Slide 12

Slide 12 text

Built-In Two Factor Bypass? Recovery Gone Wrong.
Can't 2FA? No Problem! Just replace it with more 1-factor :)
(An account recovery flow that lets the second factor be switched off or skipped using only something you know is a bypass of the control, not a recovery of it)

Slide 13

Slide 13 text

A Bit Of A Glossary
• HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.
• Content Security Policy (CSP) provides a header that allows websites to declare approved sources of content that browsers should be allowed to load on that page.
• X-Frame-Options can prevent any framing, prevent framing by external sites, or allow framing only by the specified site.
• X-XSS-Protection enables the XSS filter built into most web browsers; IE8, for instance, already has this on by default.
• X-Content-Type-Options reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable/dynamic HTML.
• 'Secure' cookie flag makes supported browsers only send the cookie when the request is going to an HTTPS page.
• 'HttpOnly' cookie flag mitigates cross-site scripting (XSS) attacks by not allowing client-side script in supported browsers to read the cookie.
Mostly a copy/paste from Wikipedia and OWASP <3

Slide 14

Slide 14 text

Browser Security Features For Service Logins
Sector       Total Sites  HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly
All Sectors      141       38%   7%    56%     22%     22%          75%            78%
Technology        83       40%  10%    49%     20%     20%          73%            78%
Financial         36       33%   8%    50%     14%      8%          69%            64%
Gaming            12       17%   0%    25%      8%      0%          58%            67%
Retail             4       50%   0%    75%     50%     50%          75%           100%
Social             6       50%  17%    83%     17%     33%         100%            83%
• Gaming is far behind the other sectors for browser security
  • Likely because most users spend little time in the browser (they log in from the game client, not the web site)
• Social media organizations have more of a focus on browser security due to the common nature of client-side attacks against their users

Slide 15

Slide 15 text

Browser Security All-Stars
4 of 141 services utilized all of the tested browser security features
12 more had all of the security features except Content Security Policy

Slide 16

Slide 16 text

Unexpected Headers During Research
• WordPress.com, x-hacker: "If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header."
• App.net, heartbleed: "REKEYED: 2014-04-08; see http://heartbleedheader.com"
• Directnic, X-Hackers: "We're hiring! Apply at [email protected], use this header in your subject"

Slide 17

Slide 17 text

SSL/TLS Implementation for Service Logins
[Bar chart: SSL Labs score vs. total occurrences]
Score:        A+    A   A-    B    C    F
Occurrences:  21   32   34   34    3   17
• 14 of the 'F' ratings were because of the OpenSSL CCS injection vulnerability (CVE-2014-0224)
• Star Wars: The Old Republic actually supported SSL v2!
• Amazingly enough, SSLTrust of all people received a 'C' rating for their allowance of both 40-bit and 56-bit cipher suites

Slide 18

Slide 18 text

We Take Security Seriously, Erm…

Slide 19

Slide 19 text

Browser Security + SSL Security All-Stars
2 of 141 services utilized all of the tested browser security features and also received an 'A+' SSL implementation rating

Slide 20

Slide 20 text

The Weirdest Thing I Saw During Research
They don't use SSL at all and do JS crypto for logins
(JavaScript delivered over plain HTTP can be replaced in transit by the same attacker it is meant to defeat, so the login is no better protected than a plaintext one)

Slide 21

Slide 21 text

Security Pages — Yes, Really :)
Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself
…and others definitely do not… Seems legit.
Example #1, Example #2, Example #3

Slide 22

Slide 22 text

Security Pages Across Two Factor-enabled Services
[Bar chart] Security page: Yes 90, No 51
• 15 of the 51 sites (29%) that do not have a security page are in the domain registration/DNS space
  • …including GoDaddy, NameCheap, and Hover
• Some of these pages even have a bug bounty and/or responsible disclosure section, which is fantastic for further helping to protect users
  • …including Google, Facebook, and Coinkite
• These pages show real concern for security and transparency; we could use more!

Slide 23

Slide 23 text

So What Does This All Mean?
• Consider the data points we now have:
  • Browser security (HTTP headers and cookie security)
  • Transport security (SSL/TLS implementation)
  • Strong authentication (two factor deployments)
  • Corporate security focus (company security page)
• What if we could assign a point scale to those data points and create a composite value of authentication security per service?
  • …and what if you had no idea what the hell you were doing?

Slide 24

Slide 24 text

Mark’s Authentication Security Scoring Algorithm — Crudely Realized Edition MASSACRE

Slide 25

Slide 25 text

How Do We Get a Composite MASSACRE Score?
100 point scale… add up the values to get a score!
Two Factor Enabled?                 Points
  Yes                                 15
Security Page Exists?               Points
  Yes                                  5
SSL Implementation Score            Points
  A+, A, A-, B+, B, B-                15
  C+, C, C-, D+, D, D-                10
  F, No SSL/TLS                        0
Browser Security Features           Points
  HTTP Strict Transport Security      10
  Content Security Policy             15
  X-Frame-Options                     10
  X-XSS-Protection                     5
  X-Content-Type-Options               5
  Secure Session Cookie               10
  HttpOnly Session Cookie             10
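A runnable version of this scoring table, added here as an example (it is not the deck's own code or the author's browser extension): it applies the slide 25 points to the fields the survey recorded, derives the browser-security fields from a raw HTTP response the way the survey counted them (header present or not, flags on the session cookie), and re-scores the SaaS provider table from slide 36 to check itself. The response text, the `sessionid` cookie name and the function names are assumptions made for the example.

```python
"""MASSACRE scorer: slide 25's point table applied to per-service observations.
Added example, not the deck's own code or the author's extension."""
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Point values from slide 25 (the maximums sum to 100).
HEADER_POINTS = {
    "strict-transport-security": 10,
    "content-security-policy": 15,
    "x-frame-options": 10,
    "x-xss-protection": 5,
    "x-content-type-options": 5,
}
COOKIE_SECURE_POINTS = 10
COOKIE_HTTPONLY_POINTS = 10
TWO_FACTOR_POINTS = 15
SECURITY_PAGE_POINTS = 5

FIELD_TO_HEADER = {  # Observation field -> response header it represents
    "hsts": "strict-transport-security",
    "csp": "content-security-policy",
    "x_frame": "x-frame-options",
    "x_xss": "x-xss-protection",
    "x_content": "x-content-type-options",
}


@dataclass
class Observation:
    """What the survey recorded for one service's login page."""
    hsts: bool = False
    csp: bool = False
    x_frame: bool = False
    x_xss: bool = False
    x_content: bool = False
    cookie_secure: bool = False
    cookie_httponly: bool = False
    ssl_grade: str = ""          # SSL Labs grade; "" means no SSL/TLS on login
    security_page: bool = False
    two_factor: bool = True      # every service in the data set offers 2FA


def ssl_points(grade: str) -> int:
    """Slide 25 bands: A/B grades 15, C/D grades 10, F or no SSL/TLS 0."""
    g = (grade or "").strip().upper()
    if not g or g == "F":
        return 0
    if g[0] in "AB":
        return 15
    if g[0] in "CD":
        return 10
    raise ValueError(f"unrecognised SSL Labs grade: {grade!r}")


def massacre_score(obs: Observation) -> int:
    """Add up the slide 25 values; the 2FA row is why everyone 'starts' at 15."""
    points = TWO_FACTOR_POINTS if obs.two_factor else 0
    points += SECURITY_PAGE_POINTS if obs.security_page else 0
    points += ssl_points(obs.ssl_grade)
    for field, header in FIELD_TO_HEADER.items():
        if getattr(obs, field):
            points += HEADER_POINTS[header]
    points += COOKIE_SECURE_POINTS if obs.cookie_secure else 0
    points += COOKIE_HTTPONLY_POINTS if obs.cookie_httponly else 0
    return points


def observe_headers(raw_response: str, session_cookie: str) -> Observation:
    """Fill the browser-security fields from a raw HTTP response.

    Mirrors the survey: a header counts if it is present at all (its value is
    not judged), and the cookie flags are read off the Set-Cookie line for the
    named session cookie. SSL grade and security page are set separately."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers.append((name.strip().lower(), value.strip()))
    present = {name for name, _ in headers}
    obs = Observation(**{f: h in present for f, h in FIELD_TO_HEADER.items()})
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        if session_cookie in jar:                  # flags are True or "" on the Morsel
            obs.cookie_secure = bool(jar[session_cookie]["secure"])
            obs.cookie_httponly = bool(jar[session_cookie]["httponly"])
    return obs


# Constructed response for illustration; not captured from any real service.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>login form</html>"
)

# Slide 36's rows: (HSTS, CSP, X-Frame, X-XSS, X-Content, Secure, HttpOnly, grade, page)
SHOOTOUT = {
    "Authy":        (1, 0, 1, 1, 1, 0, 1, "F",  1),
    "Duo Security": (1, 1, 1, 0, 0, 1, 1, "A+", 1),
    "LaunchKey":    (1, 0, 1, 1, 1, 1, 1, "A+", 1),
    "MePIN":        (0, 0, 0, 0, 0, 0, 1, "B",  0),
    "Rublon":       (0, 0, 0, 0, 0, 1, 1, "A-", 1),
    "SAASPASS":     (0, 0, 0, 0, 0, 1, 1, "A",  0),
    "TeleSign":     (0, 0, 0, 0, 0, 0, 0, "A-", 0),
    "TextPower":    (0, 0, 0, 0, 0, 1, 0, "F",  0),
}


def shootout_scores() -> dict:
    """Re-score the slide 36 table; reproduces its MASSACRE column."""
    return {name: massacre_score(Observation(*map(bool, row[:7]), row[7], bool(row[8])))
            for name, row in SHOOTOUT.items()}


if __name__ == "__main__":
    for name, score in shootout_scores().items():
        print(f"{name:14s} {score:3d}")
    sample = observe_headers(SAMPLE_RESPONSE, "sessionid")
    sample.ssl_grade, sample.security_page = "A-", True
    print("constructed sample", massacre_score(sample))
```

Run as a script it prints the slide 36 column. The caveat to keep in mind is the one the deck itself admits: like the survey, presence is all that is checked, so a CSP of `default-src *` or a cookie flagged Secure on a site that also serves the login over plain HTTP earns full points, which is why the score is a rough composite and not a measure of actual exposure.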

Slide 26

Slide 26 text

Professional MASSACRE Scale
[Bar chart: count of services per score band]
Score band:  0-20  21-40  41-60  61-80  81-100
Count:          5     27     53     41      15
Keep in mind, everyone "starts" with 15 points, since every service in the data set offers two factor

Slide 27

Slide 27 text

MASSACRE Scoring Outcomes — Best and Worst!
Best Scores
  GitHub    100
  Kraken    100
  LastPass  100
  FastMail   95
  Facebook   90
Worst Scores
  easyDNS    15
  Frostbox   15
  Sendloop   15
  Fabulous   20
  Pobox      20
Best Per Sector
  Technology: GitHub, LastPass (100)
  Financial: Kraken (100)
  Gaming: Elder Scrolls Online (65)
  Retail: Etsy (85)
  Social: Facebook (90)
Worst Per Sector
  Technology: easyDNS, Frostbox, Sendloop (15)
  Financial: WeMineLTC (30)
  Gaming: Guild Wars 2, Star Wars: The Old Republic, Wildstar (35)
  Retail: Humble Bundle (50)
  Social: HootSuite (45)

Slide 28

Slide 28 text

Further Parsing MASSACRE Scores
Group       Mean  Median  Mode
Overall       57    55     55
Technology    57    55     75
Financial     57    55     55
Gaming        47    48     N/A
Retail        68    68     N/A
Social        72    73     N/A

Slide 29

Slide 29 text

How Do Security Features Increase MASSACRE Scores?
Subset           Mean  Median  Mode
Overall            57    55     55
CSP Enabled        87    93    100
Security Page      63    65     55
HSTS Enabled       75    75     75
SSL ~(A|B)         60    55     55
SSL ~(C|D)         40    40     N/A
SSL ~(F/None)      37    35     N/A

Slide 30

Slide 30 text

MASSACRE FAQ, #1

Slide 31

Slide 31 text

MASSACRE FAQ, #2

Slide 32

Slide 32 text

MASSACRE FAQ, #3

Slide 33

Slide 33 text

Have A Crappy Algorithm? Make A Crappy Extension!

Slide 34

Slide 34 text

Breaches Of Service Security (Data Loss, Especially)
[Bar chart] Corporate breach: Yes 39, No 102
Sector      Total  # Breached  % Breached
Technology    83       19         23%
Financial     36       11         31%
Gaming        12        3         25%
Retail         4        2         50%
Social         6        4         67%
• A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc.
• 28% of services had a public corporate breach
• Breached services had an average MASSACRE score of 64 while unbreached services had a worse 54
• So, moot point. Everyone can get hacked :)

Slide 35

Slide 35 text

Two Factor Deployments After A Breach
• Of the 37 services that had both a 2FA deployment date and a breach date, 54% already offered some form of two-factor authentication before the breach
• Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy, with a median of 128 days
  • It took Linode, Dropbox, MaxCDN, and Buffer < 1 month to deploy
• 74% offer TOTP (52% across all services)
• 63% provide 2+ methods (49% across all services)

Slide 36

Slide 36 text

SaaS 2FA Service Provider Shoot-Out!
• Includes 2FA providers with a customer login on their web site
• Sorry if I missed your company, it was definitely not on purpose!
• I am assuming these services all require 2FA for logins :)
Company       HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly  SSL Score  Security Page  MASSACRE
Authy          ✓     ✗     ✓       ✓        ✓           ✗               ✓             F            ✓           60
Duo Security   ✓     ✓     ✓       ✗        ✗           ✓               ✓             A+           ✓           90
LaunchKey      ✓     ✗     ✓       ✓        ✓           ✓               ✓             A+           ✓           85
MePIN          ✗     ✗     ✗       ✗        ✗           ✗               ✓             B            ✗           40
Rublon         ✗     ✗     ✗       ✗        ✗           ✓               ✓             A-           ✓           55
SAASPASS       ✗     ✗     ✗       ✗        ✗           ✓               ✓             A            ✗           50
TeleSign       ✗     ✗     ✗       ✗        ✗           ✗               ✗             A-           ✗           30
TextPower      ✗     ✗     ✗       ✗        ✗           ✓               ✗             F            ✗           25
*phew* glad Duo didn't lose :P

Slide 37

Slide 37 text

Random Thoughts On Lessons Learned
• Scouring the Internet to find release dates and documentation for service features is way harder than it should be
• Authentication security still ultimately comes down to the security of your operations and your codebase
  • Bug in your authentication code? None of this other stuff really matters
• We need better SSL implementations and more security pages for services!
Data research is tiring, let's just break stuff.

Slide 38

Slide 38 text

Thanks Go Out To…
• Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security, for doing a ton of data gathering and organization
• http://twofactorauth.org for being a hugely helpful resource for aggregating 2FA-enabled sites/services to get started with
• https://www.ssllabs.com/ssltest/ from Qualys for SSL scoring
• Steve Werby did similar research on a grander scale last year: http://www.slideshare.net/stevewerby/crunching-the-top-10000-websites-password-policies-and-controls-presented-by-steve-werby-at-rich-sec-2013

Slide 39

Slide 39 text

All Done! Questions?
E-Mail: [email protected]
Twitter: @markstanislav
Presentations: speakerdeck.com/mstanislav