Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let’s stop blaming our users for getting hacked...

Scott Brady
June 11, 2020
Programming
2
460

Let’s stop blaming our users for getting hacked when it is our problem to solve

Users cannot secure your web applications through password choice alone. You cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.

Typical 2FA implementations such as TOTP and push notification have had some success, but they can be frustrating to use and are still vulnerable to basic phishing techniques. OWASP and NIST are now recommending FIDO2, which offers a realistic solution in the form of frictionless, possession-based authentication that has inbuilt anti-phishing techniques. But what does FIDO2 look like to a developer and how does it actually work?

In this talk, I’m going to look at:
- why common 2FA mechanisms aren’t up to scratch
- how to phish your friends using Evilginx
- spooky biometrics
- how to use WebAuthn and FIDO2 to protect your users

Scott Brady

June 11, 2020
Tweet

Other Decks in Programming

See All in Programming
型付き API リクエストを実現するいくつかの手法とその選択 / Typed API Request
euxn23
8
2.2k
Compose 1.7のTextFieldはPOBox Plusで日本語変換できない
tomoya0x00
0
190
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
860
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
290
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
330
TypeScript Graph でコードレビューの心理的障壁を乗り越える
ysk8hori
2
1.1k
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
6
1.7k
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.1k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
520
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
Arm移行タイムアタック
qnighy
0
310

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Pragmatic Product Professional
lauravandoore
31
6.3k
BBQ
matthewcrist
85
9.3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Teambox: Starting and Learning
jrom
133
8.8k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Facilitating Awesome Meetings
lara
50
6.1k
Building Flexible Design Systems
yeseniaperezcruz
327
38k

Transcript

  1. © 2020 Rock Solid Knowledge “Let’s stop blaming our users

    for getting hacked when it is our problem to solve” Scott Brady

  2. © 2020 Rock Solid Knowledge Introductions • IdentityServer.com - @rskltd

    • ScottBrady91.com - @scottbrady91 2

  3. © 2020 Rock Solid Knowledge Passwords - We’ve come a

    long way xkcd.com/936/

  4. © 2020 Rock Solid Knowledge Or have we? ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

  5. © 2020 Rock Solid Knowledge Okay, maybe not theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting

  6. © 2020 Rock Solid Knowledge Thanks, Gran

  7. © 2020 Rock Solid Knowledge Why are passwords so popular?

  8. © 2020 Rock Solid Knowledge Then why am I hating

    on passwords? haveibeenpwned.com

  9. © 2020 Rock Solid Knowledge Thanks, Bill cnet.com/news/gates-predicts-death-of-the-password

  10. © 2020 Rock Solid Knowledge Hang on a minute, why

    do we care? • Authentication • to prevent unauthorized access • Attacks • Targeted • Untargeted • Methods • Stolen credentials • Guessed credentials • How much do you care?

  11. © 2020 Rock Solid Knowledge This is a problem Number

    of sites deemed dangerous by Google Safe Browsing (2007 – 2019) transparencyreport.google.com/safe-browsing/overview

  12. © 2020 Rock Solid Knowledge What can we do to

    improve passwords? • Store passwords correctly • Make the user choose a better password • Education • Password strength

  13. © 2020 Rock Solid Knowledge Passwordless: Let someone else care

    medium.com

  14. © 2020 Rock Solid Knowledge Knowledge-Based Authentication

  15. © 2020 Rock Solid Knowledge Avoid snake oil If it

    still comes down to something you know, consider it snake oil

  16. © 2020 Rock Solid Knowledge Improve by adding another factor

    • Something you know (passwords) • Something you are • Something you own

  17. © 2020 Rock Solid Knowledge SMS OTP

  18. © 2020 Rock Solid Knowledge “SMS 2FA is weak AF”

    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

  19. © 2020 Rock Solid Knowledge SMS Phishing

  20. © 2020 Rock Solid Knowledge SMS OTP: Reality

  21. © 2020 Rock Solid Knowledge TOTP (and other soft tokens)

  22. © 2020 Rock Solid Knowledge How do soft tokens work?

    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

  23. © 2020 Rock Solid Knowledge TOTP authentication 381057

  24. © 2020 Rock Solid Knowledge TOTP: It’s just another shared

    secret • Not going to save you in a breach • Opinion: still something you know • Article: “Software Tokens Won't Save You”

  25. © 2020 Rock Solid Knowledge Demo Phish your friends with

    Evilginx

  26. © 2020 Rock Solid Knowledge Phishing

  27. © 2020 Rock Solid Knowledge Evilginx User Phishing Site Target

  28. © 2020 Rock Solid Knowledge Phishing

  29. © 2020 Rock Solid Knowledge Phishing

  30. © 2020 Rock Solid Knowledge Spooky biometrics • Bit of

    an unknown • Two types • Physical • Behavioural

  31. © 2020 Rock Solid Knowledge Unreliable? youtube.com/watch?v=dUMH6DVYskc

  32. © 2020 Rock Solid Knowledge No, they are just probabilistic

    • Acceptable false match rate = 1 in 1000 • Don’t send across the internet • Should not be considered a secret • Physical is public • Behavioural is public • Mitigate with presentation attack detection • Good for local auth only • NIST SP 800-63b – 5.2.3 Use of Biometrics

  33. © 2020 Rock Solid Knowledge Push notifications

  34. © 2020 Rock Solid Knowledge Not for me • Proprietary!

    • Distracts us from a much better solution…

  35. © 2020 Rock Solid Knowledge Solution

  36. © 2020 Rock Solid Knowledge What is FIDO? • FIDO2

    • WebAuthn • CTAP2

  37. © 2020 Rock Solid Knowledge What is FIDO? Security keys!

  38. © 2020 Rock Solid Knowledge What is FIDO? The flow

    Server (FIDO Relying Party) Browser (WebAuthn) Security Key (FIDO Authenticator)

  39. What is FIDO? The flow caniuse.com/#search=webauthn

  40. © 2020 Rock Solid Knowledge What is FIDO? The flow

    Server (FIDO Relying Party) Browser (WebAuthn) Security Key (FIDO Authenticator)

  41. © 2020 Rock Solid Knowledge What FIDO brings to the

    table Useless in a breach “Unphishable”

  42. © 2020 Rock Solid Knowledge

  43. © 2020 Rock Solid Knowledge

  44. © 2020 Rock Solid Knowledge

  45. © 2020 Rock Solid Knowledge What FIDO brings to the

    table Protection for the at-risk High-Value Employees Advanced Protection Program

  46. © 2020 Rock Solid Knowledge So security keys are the

    future?

  47. © 2020 Rock Solid Knowledge But what about passwords?

  48. © 2020 Rock Solid Knowledge How hard is this to

    implement? WebAuthn

  49. © 2020 Rock Solid Knowledge How hard is this to

    implement? ASP.NET Core OSS (Anders Åberg) Commercial (Rock Solid Knowledge – IdentityServer.com)

  50. © 2020 Rock Solid Knowledge FIDO2 relying party Challenge -

    OSS

  51. © 2020 Rock Solid Knowledge FIDO2 relying party Challenge –

    IdentityServer.com

  52. © 2020 Rock Solid Knowledge FIDO2 relying party Validation -

    OSS

  53. © 2020 Rock Solid Knowledge FIDO2 relying party Validation –

    IdentityServer.com github.com/abergs/fido2-net-lib OR github.com/RockSolidKnowledge/Samples.Fido

  54. © 2020 Rock Solid Knowledge Simple rankings Password SMS TOTP

    Push Notifications FIDO2 (WebAuthn)

  55. © 2020 Rock Solid Knowledge Pragmatic rankings security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

  56. © 2020 Rock Solid Knowledge Solution: hedgehog-based authentication gizmodo.co.uk/2016/11/hedgehog-based-authentication-is-the-only-way-to-be-truly-secure

  57. © 2020 Rock Solid Knowledge The end

  58. © 2020 Rock Solid Knowledge Passwords: we still make mistakes

    (bonus) theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

  59. © 2020 Rock Solid Knowledge Improving transport with PAKE (bonus)

    blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/ Password Authenticated Key Exchange (PAKE)