Slide 1
Slide 1 text
@tech_christine
To 2FA or not to 2FA?
Let's answer this question!
Two factor authentication the worst, the best, and everything in-between
Slide 2
Slide 2 text
@tech_christine
Flywheel
Slide 3
Slide 3 text
No content
Slide 4
Slide 4 text
@tech_christine
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
@tech_christine
Back to the beginning
To when you signed up for
Slide 8
Slide 8 text
@tech_christine
Slide 9
Slide 9 text
@tech_christine
What was the
hacker up to?
Calling your mobile provider
Slide 10
Slide 10 text
@tech_christine
Still on the
phone with your
mobile
provider...
Using social engineering
Slide 11
Slide 11 text
@tech_christine
And now they
have all the
access...
Sim swap/sim hijacking
Slide 12
Slide 12 text
@tech_christine
Slide 13
Slide 13 text
“
@tech_christine
We learned that SMS-based
authentication is not nearly as
secure as we would hope, and the
main attack was via SMS intercept
Christopher Slowe
Reddit chief technology officer and founding engineer
August 2018
Slide 14
Slide 14 text
@tech_christine
What is authentication?
The process of verifying that someone or
something is the actual entity that they
claim to be.
- OWASP.org
(these people know what they are talking about when it comes to security)
Slide 15
Slide 15 text
@tech_christine
... but what are the different factors of auth?
1 factor is knowledge (i.e. your password)
2 is the other method choice
- Possession (token/soft token)
- Identity (biometrics)
Slide 16
Slide 16 text
@tech_christine
2FA == 2SV == MFA
2FA = Two factor authentication
2SV = Two Step verification
MFA = Multi-factor authentication
What about all those other acronyms...
Slide 17
Slide 17 text
@tech_christine
Why didn't 2FA help?
•SMS was used
•2FA wasn't even enabled
Slide 18
Slide 18 text
@tech_christine
• Most common
• Most compromised
• Not recommended
by NIST since 2016
SMS
Slide 19
Slide 19 text
@tech_christine
If SMS wasn't bad enough
•SS7 (network shared by every telecom)
has it's own vulnerabilities
•Text messages that are sent can be
intercepted
Slide 20
Slide 20 text
@tech_christine
Let's figure out
all the ways
SMS can be
hacked...
1. Sim-swap (aka what just
happened to us)
2. Port-out scam
3. Brute force on the
application itself
4. Exploit SS7 weakness
Slide 21
Slide 21 text
@tech_christine
Time-based One Time Password
aka app based
aka soft token
• Authy
• Google Authenticator
• 1Password
TOTP
Slide 22
Slide 22 text
@tech_christine
• Associated with certain
authorized devices
• Not visible on a locked
phone screen
Push Based
Slide 23
Slide 23 text
@tech_christine
Token based
Physical keys that can auth
• USB drive
• near-field communication
• Many use U2F (Universal
2nd Factor)
Slide 24
Slide 24 text
@tech_christine
OTP vs U2F
Slide 25
Slide 25 text
@tech_christine
OTP U2F
• User has physical
device
• Strong security from
public key
cryptography
• No personal
information associated
with a key
• Users type in codes
• Set up and provision
required
• Secrets stored, providing
a single point of attack
Slide 26
Slide 26 text
What would you change now?
Slide 27
Slide 27 text
@tech_christine
Secure Your Account
1.Use a VOIP number
2.Don't reuse passwords
3.Use long password/passphrase
4.Secure with alternate authentication method
5.Pin/password protect phone provider
Keep on being @awesome
Slide 28
Slide 28 text
@tech_christine
But wait...
Now you are the developer at jiffygram (an insta rival)
How do you secure your users from all the bad stuff out
there?
Slide 29
Slide 29 text
@tech_christine
•Developers
•Designers
•Infrastructure
•Managers
•Not just info sec!
Security is everyone's job
Slide 30
Slide 30 text
@tech_christine
Back to your security basics
1. Strong passwords/passphrase !
2. Don't make them be rotated
3. Store the hash securely
4. Only store sensitive data that you
need ⛔
Slide 31
Slide 31 text
https://xkcd.com/936/
@tech_christine
Slide 32
Slide 32 text
Do this
@tech_christine
Slide 33
Slide 33 text
⬆ that is 6 a's
Not this
☹
@tech_christine
Slide 34
Slide 34 text
Definitely
not this
either
@tech_christine
Slide 35
Slide 35 text
@tech_christine
Let's talk about password hash encryption
• Just an algorithm that takes data and
produces fixed-size output
• Some hashes are stronger then others
• MD5/SHA-1 = )
• SHA-256/DES = *
• If possible with performance, use an adaptive
one-way function
Slide 36
Slide 36 text
@tech_christine
Strong recommended adaptive functions
1. Argon2 - winner of the password hashing
competition, should be considered first choice for
new applications
2. PBKDF2 - when FIPS certification or enterprise
support on many platforms is required
3. Scrypt - where resisting any/all hardware
accelerated attacks is necessary but support isn’t
4. Bcrypt - where PBKDF2 or Scrypt support is not
available
Head on over to OWASP.org for more details
Slide 37
Slide 37 text
@tech_christine
...a user lost their phone/app access/token
• Recovery codes to
the rescue! +
• Allows access to
application
• Shown once, used
once
Slide 38
Slide 38 text
@tech_christine
lessons learned
2FA Implementation
@tech_christine
Slide 39
Slide 39 text
@tech_christine
Rate limiting prevents brute force attacks
@tech_christine
Slide 40
Slide 40 text
@tech_christine
Rate limiting prevents brute force attacks
@tech_christine
Slide 41
Slide 41 text
@tech_christine
Use a truncated exponential back-off algorithm
@tech_christine
Slide 42
Slide 42 text
@tech_christine
What is an exponential back-off algorithm?
Slide 43
Slide 43 text
@tech_christine
Example in Ruby
login_request
if retries <= max_retries
retries += 1
sleep (retries + rand(100)/1000)
retry
else
raise "You've hit your max retries!"
end
Slide 44
Slide 44 text
@tech_christine
Get user buy-in
Slide 45
Slide 45 text
@tech_christine
Slide 46
Slide 46 text
@tech_christine
•Make it easy opt in
•Make it easy to add
•Make it visible
Slide 47
Slide 47 text
@tech_christine
Do this
Slide 48
Slide 48 text
@tech_christine
Not this
American Express
OpenShift
Netflix
Pandora
Pinterest
Spotify
Target
Best Buy
Freshbooks
State Farm
AT&T
2FA
Slide 49
Slide 49 text
@tech_christine
Enforce authentication on all pages
Slide 50
Slide 50 text
@tech_christine
• For editing/removing of
2FA require credentials
• If authentication does
fail, be generic in error
response
Moar authentication
Slide 51
Slide 51 text
Do this
"Login failed - invalid user ID or password"
Slide 52
Slide 52 text
Not this
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
Slide 53
Slide 53 text
@tech_christine
Users with the most amount of
privilege, 2FA is a requirement
not optional
Slide 54
Slide 54 text
The answer to the question
The
Hitchhiker's
Guide to the
Galaxy
Douglas Adams
Slide 55
Slide 55 text
@tech_christine
Yes to 2FA but...
•Can improve security if you are
following secure password practices
•Some 2FA methods are more secure
then others
Slide 56
Slide 56 text
No content
Slide 57
Slide 57 text
@tech_christine
Thanks for having me Nebraska.code!
All the organizers and volunteers deserve
0 0 0
Tyson Reeder for the final graphic
@tysondreeder
For references and further reading checkout
https://christine-seeman.com/talks
Slide 58
Slide 58 text
@tech_christine
getflywheel.com/about/careers
Slide 59
Slide 59 text
@tech_christine
What questions can I answer?
Slide 60
Slide 60 text
@tech_christine
Slide 61
Slide 61 text
@tech_christine
Twilio API Example
Slide 62
Slide 62 text
@tech_christine
The Ruby One Time Password Library Example
Slide 63
Slide 63 text
@tech_christine
Slide 64
Slide 64 text
@tech_christine
But you need to
get this code to
your user...
Slide 65
Slide 65 text
@tech_christine
Authy One Touch API Example
Slide 66
Slide 66 text
@tech_christine
QR Code Rendering
https://github.com/whomwah/rqrcode
ROTP: TOTP
https://github.com/mdp/rotp
Twilio Ruby API
https://www.twilio.com/docs/libraries/ruby
Auth Ruby API
https://github.com/twilio/authy-ruby