Let’s stop blaming our users for getting hacked when it is our problem to solve

Users cannot secure your web applications through password choice alone. You cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.

Typical 2FA implementations such as TOTP and push notifications have had some success, but they can be frustrating to use and are still vulnerable to basic phishing techniques. OWASP and NIST now recommend FIDO2, which offers a realistic solution in the form of frictionless, possession-based authentication with built-in anti-phishing protection. But what does FIDO2 look like to a developer, and how does it actually work?

In this talk, I’m going to look at:
- why common 2FA mechanisms aren’t up to scratch
- how to phish your friends using Evilginx
- spooky biometrics
- how to use WebAuthn and FIDO2 to protect your users

Scott Brady

June 11, 2020
Transcript

  1. © 2020 Rock Solid Knowledge – “Let’s stop blaming our users for getting hacked when it is our problem to solve” – Scott Brady
  2. Introductions
     • IdentityServer.com - @rskltd
     • ScottBrady91.com - @scottbrady91
  3. Passwords - We’ve come a long way (xkcd.com/936/)
  4. Or have we? (ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security)
  5. Okay, maybe not (theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting)
  6. Thanks, Gran
  7. Why are passwords so popular?
  8. Then why am I hating on passwords? (haveibeenpwned.com)
  9. Thanks, Bill (cnet.com/news/gates-predicts-death-of-the-password)
  10. Hang on a minute, why do we care?
      • Authentication
        • to prevent unauthorized access
      • Attacks
        • Targeted
        • Untargeted
      • Methods
        • Stolen credentials
        • Guessed credentials
      • How much do you care?
  11. This is a problem – Number of sites deemed dangerous by Google Safe Browsing (2007 – 2019) (transparencyreport.google.com/safe-browsing/overview)
  12. What can we do to improve passwords?
      • Store passwords correctly
      • Make the user choose a better password
        • Education
        • Password strength
  13. Passwordless: Let someone else care (medium.com)
  14. Knowledge-Based Authentication
  15. Avoid snake oil – If it still comes down to something you know, consider it snake oil
  16. Improve by adding another factor
      • Something you know (passwords)
      • Something you are
      • Something you own
  17. SMS OTP
  18. “SMS 2FA is weak AF” (gizmodo.com/psa-sms-2fa-is-weak-af-1834681656)
  19. SMS Phishing
  20. SMS OTP: Reality
  21. TOTP (and other soft tokens)
  22. How do soft tokens work? (gizmodo.com/psa-sms-2fa-is-weak-af-1834681656)
  23. TOTP authentication – 381057
  24. TOTP: It’s just another shared secret
      • Not going to save you in a breach
      • Opinion: still something you know
      • Article: “Software Tokens Won't Save You”
  25. Demo: Phish your friends with Evilginx
  26. Phishing
  27. Evilginx (diagram: User – Phishing Site – Target)
  28. Phishing
  29. Phishing
  30. Spooky biometrics
      • Bit of an unknown
      • Two types
        • Physical
        • Behavioural
  31. Unreliable? (youtube.com/watch?v=dUMH6DVYskc)
  32. No, they are just probabilistic
      • Acceptable false match rate = 1 in 1000
      • Don’t send across the internet
      • Should not be considered a secret
        • Physical is public
        • Behavioural is public
      • Mitigate with presentation attack detection
      • Good for local auth only
      • NIST SP 800-63b – 5.2.3 Use of Biometrics
  33. Push notifications
  34. Not for me
      • Proprietary!
      • Distracts us from a much better solution…
  35. Solution
  36. What is FIDO?
      • FIDO2
        • WebAuthn
        • CTAP2
  37. What is FIDO? Security keys!
  38. What is FIDO? The flow – Server (FIDO Relying Party), Browser (WebAuthn), Security Key (FIDO Authenticator)
  39. What is FIDO? The flow (caniuse.com/#search=webauthn)
  40. What is FIDO? The flow – Server (FIDO Relying Party), Browser (WebAuthn), Security Key (FIDO Authenticator)
  41. What FIDO brings to the table – Useless in a breach, “Unphishable”
  42. [no slide text]
  43. [no slide text]
  44. [no slide text]
  45. What FIDO brings to the table – Protection for the at-risk: High-Value Employees, Advanced Protection Program
  46. So security keys are the future?
  47. But what about passwords?
  48. How hard is this to implement? WebAuthn
  49. How hard is this to implement? ASP.NET Core – OSS (Anders Åberg), Commercial (Rock Solid Knowledge – IdentityServer.com)
  50. FIDO2 relying party: Challenge – OSS
  51. FIDO2 relying party: Challenge – IdentityServer.com
  52. FIDO2 relying party: Validation – OSS
  53. FIDO2 relying party: Validation – IdentityServer.com (github.com/abergs/fido2-net-lib OR github.com/RockSolidKnowledge/Samples.Fido)
  54. Simple rankings – Password, SMS, TOTP, Push Notifications, FIDO2 (WebAuthn)
  55. Pragmatic rankings (security.googleblog.com/2019/05/new-research-how-effective-is-basic.html)
  56. Solution: hedgehog-based authentication (gizmodo.co.uk/2016/11/hedgehog-based-authentication-is-the-only-way-to-be-truly-secure)
  57. The end
  58. Passwords: we still make mistakes (bonus)
      • theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now
      • theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users
  59. Improving transport with PAKE (bonus) – Password Authenticated Key Exchange (PAKE) (blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/)