Let’s stop blaming our users for getting hacked when it is our problem to solve

Transcript

1. © 2020 Rock Solid Knowledge “Let’s stop blaming our users

   for getting hacked when it is our problem to solve” Scott Brady

2. © 2020 Rock Solid Knowledge Introductions • IdentityServer.com - @rskltd

   • ScottBrady91.com - @scottbrady91 2

3. © 2020 Rock Solid Knowledge Passwords - We’ve come a

   long way xkcd.com/936/

4. © 2020 Rock Solid Knowledge Or have we? ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

5. © 2020 Rock Solid Knowledge Okay, maybe not theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting

6. © 2020 Rock Solid Knowledge Thanks, Gran

7. © 2020 Rock Solid Knowledge Why are passwords so popular?

8. © 2020 Rock Solid Knowledge Then why am I hating

   on passwords? haveibeenpwned.com

9. © 2020 Rock Solid Knowledge Thanks, Bill cnet.com/news/gates-predicts-death-of-the-password

10. © 2020 Rock Solid Knowledge Hang on a minute, why

    do we care? • Authentication • to prevent unauthorized access • Attacks • Targeted • Untargeted • Methods • Stolen credentials • Guessed credentials • How much do you care?

11. © 2020 Rock Solid Knowledge This is a problem Number

    of sites deemed dangerous by Google Safe Browsing (2007 – 2019) transparencyreport.google.com/safe-browsing/overview

12. © 2020 Rock Solid Knowledge What can we do to

    improve passwords? • Store passwords correctly • Make the user choose a better password • Education • Password strength

13. © 2020 Rock Solid Knowledge Passwordless: Let someone else care

    medium.com

14. © 2020 Rock Solid Knowledge Knowledge-Based Authentication

15. © 2020 Rock Solid Knowledge Avoid snake oil If it

    still comes down to something you know, consider it snake oil

16. © 2020 Rock Solid Knowledge Improve by adding another factor

    • Something you know (passwords) • Something you are • Something you own

17. © 2020 Rock Solid Knowledge SMS OTP

18. © 2020 Rock Solid Knowledge “SMS 2FA is weak AF”

    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

19. © 2020 Rock Solid Knowledge SMS Phishing

20. © 2020 Rock Solid Knowledge SMS OTP: Reality

21. © 2020 Rock Solid Knowledge TOTP (and other soft tokens)

22. © 2020 Rock Solid Knowledge How do soft tokens work?

    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

23. © 2020 Rock Solid Knowledge TOTP authentication 381057

24. © 2020 Rock Solid Knowledge TOTP: It’s just another shared

    secret • Not going to save you in a breach • Opinion: still something you know • Article: “Software Tokens Won't Save You”

25. © 2020 Rock Solid Knowledge Demo Phish your friends with

    Evilginx

26. © 2020 Rock Solid Knowledge Phishing

27. © 2020 Rock Solid Knowledge Evilginx User Phishing Site Target

28. © 2020 Rock Solid Knowledge Phishing

29. © 2020 Rock Solid Knowledge Phishing

30. © 2020 Rock Solid Knowledge Spooky biometrics • Bit of

    an unknown • Two types • Physical • Behavioural

31. © 2020 Rock Solid Knowledge Unreliable? youtube.com/watch?v=dUMH6DVYskc

32. © 2020 Rock Solid Knowledge No, they are just probabilistic

    • Acceptable false match rate = 1 in 1000 • Don’t send across the internet • Should not be considered a secret • Physical is public • Behavioural is public • Mitigate with presentation attack detection • Good for local auth only • NIST SP 800-63b – 5.2.3 Use of Biometrics

33. © 2020 Rock Solid Knowledge Push notifications

34. © 2020 Rock Solid Knowledge Not for me • Proprietary!

    • Distracts us from a much better solution…

35. © 2020 Rock Solid Knowledge Solution

36. © 2020 Rock Solid Knowledge What is FIDO? • FIDO2

    • WebAuthn • CTAP2

37. © 2020 Rock Solid Knowledge What is FIDO? Security keys!

38. © 2020 Rock Solid Knowledge What is FIDO? The flow

    Server (FIDO Relying Party) Browser (WebAuthn) Security Key (FIDO Authenticator)

39. What is FIDO? The flow caniuse.com/#search=webauthn

40. © 2020 Rock Solid Knowledge What is FIDO? The flow

    Server (FIDO Relying Party) Browser (WebAuthn) Security Key (FIDO Authenticator)

41. © 2020 Rock Solid Knowledge What FIDO brings to the

    table Useless in a breach “Unphishable”

42. © 2020 Rock Solid Knowledge

43. © 2020 Rock Solid Knowledge

44. © 2020 Rock Solid Knowledge

45. © 2020 Rock Solid Knowledge What FIDO brings to the

    table Protection for the at-risk High-Value Employees Advanced Protection Program

46. © 2020 Rock Solid Knowledge So security keys are the

    future?

47. © 2020 Rock Solid Knowledge But what about passwords?

48. © 2020 Rock Solid Knowledge How hard is this to

    implement? WebAuthn

49. © 2020 Rock Solid Knowledge How hard is this to

    implement? ASP.NET Core OSS (Anders Åberg) Commercial (Rock Solid Knowledge – IdentityServer.com)

50. © 2020 Rock Solid Knowledge FIDO2 relying party Challenge -

    OSS

51. © 2020 Rock Solid Knowledge FIDO2 relying party Challenge –

    IdentityServer.com

52. © 2020 Rock Solid Knowledge FIDO2 relying party Validation -

    OSS

53. © 2020 Rock Solid Knowledge FIDO2 relying party Validation –

    IdentityServer.com github.com/abergs/fido2-net-lib OR github.com/RockSolidKnowledge/Samples.Fido

54. © 2020 Rock Solid Knowledge Simple rankings Password SMS TOTP

    Push Notifications FIDO2 (WebAuthn)

55. © 2020 Rock Solid Knowledge Pragmatic rankings security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

56. © 2020 Rock Solid Knowledge Solution: hedgehog-based authentication gizmodo.co.uk/2016/11/hedgehog-based-authentication-is-the-only-way-to-be-truly-secure

57. © 2020 Rock Solid Knowledge The end

58. © 2020 Rock Solid Knowledge Passwords: we still make mistakes

    (bonus) theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

59. © 2020 Rock Solid Knowledge Improving transport with PAKE (bonus)

    blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/ Password Authenticated Key Exchange (PAKE)