Slide 2

Two Step WordPress Security
Kaspars Dambis, WordCamp Norway / February 20, 2016

Slide 3

Authentication: Who are you?
Authorization: What can you do?

Slide 4

Demo: WordPress and Public Key Infrastructure

Slide 5

Authentication (image source: http://www.andrews-sykes.com/blog/wp-content/uploads/2014/06/Reception_Metropol.jpg)

Slide 6

Authorization (image source: http://www.juliebolder.com/weeds_2010_season_6.htm)

Slide 7

One Step Authentication

Slide 8

One Step Authentication

Slide 9

Two Step Authentication: Something You Know + Something You Have

Slide 10

Two Step Authentication: Something You Have +

Slide 11

Two Step Authentication: + PIN

Slide 12

But There Is a Problem

Slide 13

Bad User Experience

Slide 14

Bad User Experience

Slide 15

Passwords

123456
password
12345678
qwerty
12345
123456789
letmein

Source: http://gizmodo.com/the-25-most-popular-passwords-of-2015-were-all-such-id-1753591514

Slide 16

A UX Problem

Slide 17

A UX Problem

Slide 18

A UX Problem

Slide 19

https://xkcd.com/936/

Slide 20

Tr0ub4dor&3: 3 days at 1000 guesses per second (https://xkcd.com/936/)

Slide 21

correct horse battery staple: 550 years at 1000 guesses per second (https://xkcd.com/936/)

Slide 22

correct horse battery staple, but 25 keystrokes (https://xkcd.com/936/)
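The arithmetic behind slides 20 to 22, as an added example that is not part of the talk: it reproduces the xkcd 936 comparison from the entropy figures the comic uses (28 bits for Tr0ub4dor&3, four words from a 2048-word list for the passphrase) and the 1000 guesses per second rate quoted on the slides. Those figures and the wordlist size are assumptions taken from the comic, not measurements; the rate-limited comparison at the end is a constructed illustration of why a login endpoint's throttling matters as much as the password itself.

```python
import math

# Assumptions taken from xkcd 936, not measured values.
TROUBADOR_BITS = 28            # the comic's estimate for "Tr0ub4dor&3"
WORDLIST_SIZE = 2048           # 2^11 candidate words per passphrase word
GUESSES_PER_SECOND = 1000      # online guessing rate quoted on the slides

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of num_words words drawn uniformly at random from the wordlist."""
    return num_words * math.log2(wordlist_size)


def exhaust_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every candidate at the given guessing rate."""
    return 2 ** bits / guesses_per_second


def days_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return exhaust_seconds(bits, guesses_per_second) / SECONDS_PER_DAY


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return exhaust_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def keystrokes(words: list[str]) -> int:
    """Characters the user actually types; the slide counts letters only, no spaces."""
    return sum(len(w) for w in words)


if __name__ == "__main__":
    words = ["correct", "horse", "battery", "staple"]
    bits = passphrase_bits(len(words))
    print(f"Tr0ub4dor&3: {TROUBADOR_BITS} bits, {days_to_crack(TROUBADOR_BITS):.1f} days")
    print(f"{' '.join(words)}: {bits:.0f} bits, {years_to_crack(bits):.0f} years, "
          f"{keystrokes(words)} keystrokes")
    # Constructed comparison: the same 28-bit password when the login endpoint
    # is throttled to 10 guesses per second instead of 1000.
    print(f"Tr0ub4dor&3 at 10 guesses/s: {years_to_crack(TROUBADOR_BITS, 10):.1f} years")
```

The 1000 guesses per second figure models an unthrottled online attack; with lockouts or per-account throttling the same password takes two orders of magnitude longer, which is the defender's lever when users will not adopt longer passwords.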

Slide 23

Use a Password Manager

• One “Master” Password
• Password Generation
• Password Auto-fill
• Available on Desktop and Mobile

Slide 24

Use a Password Manager

• One “Master” Password
• Password Generation
• Password Auto-fill
• Available on Desktop and Mobile

Social Engineering

Slide 25

What about Two Step?

Slide 26

Two Step: One-Time Passwords +

Slide 27

Two Step: One-Time Passwords
You still have to type in 6 digits every time

Slide 28

Two Step: One-Time Passwords
Demo?

Slide 29

Two Step: PKI Smartcards
Uses a secure element for all cryptographic functions
Have to use a SmartCard reader and install drivers on every computer

Slide 30

Image source: http://www.notebookcheck.net/Review-Lenovo-ThinkPad-T440p-20AN-006VGE-Notebook.108423.0.html

Slide 31

… is there a solution?

Slide 32

Universal 2nd Factor

Slide 33

FIDO Alliance (Fast IDentity Online)

• Formed in 2012 to create a new industry standard
• Initially worked on a password-less protocol
• U2F started by Google, Yubico and NXP in 2011 and joined FIDO in 2013


Slide 35

Universal 2nd Factor

Slide 36

The Promise of U2F: It Just Works!*
* in Google Chrome for now


Slide 40

Stina Ehrensvard, CEO & Founder

Slide 41

Two Step in WordPress Core

July 2015: A feature plugin was approved for core. https://wordpress.org/plugins/two-factor/
December 2015: “We can’t have users lock themselves out”
January 2016: Decided to work only on Application Passwords to meet the 4.5 cycle (April 2016).

Join #core-passwords on WordPress Slack!


Slide 43

https://twofactorauth.org

Slide 44

Get Your U2F Key: Yubico.com, Coupon Code: wordcamp2016-100yk4

Slide 45

Kaspars Dambis, kaspars.net, [email protected]
A134 BA02 60D4 3F8E ACC8 89D9 94F1 3532 A319 EA5D
We’re hiring! xwp.co/jobs