Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let’s stop blaming our users for getting hacked when it is our problem to solve

Let’s stop blaming our users for getting hacked when it is our problem to solve

Users cannot secure your web applications through password choice alone. You cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.

Typical 2FA implementations such as TOTP and push notification have had some success, but they can be frustrating to use and are still vulnerable to basic phishing techniques. OWASP and NIST are now recommending FIDO2, which offers a realistic solution in the form of frictionless, possession-based authentication that has inbuilt anti-phishing techniques. But what does FIDO2 look like to a developer and how does it actually work?

In this talk, I’m going to look at:
- why common 2FA mechanisms aren’t up to scratch
- how to phish your friends using Evilginx
- spooky biometrics
- how to use WebAuthn and FIDO2 to protect your users

Scott Brady

June 11, 2020
Tweet

Other Decks in Programming

Transcript

  1. © 2020 Rock Solid Knowledge
    “Let’s stop blaming our users for getting hacked
    when it is our problem to solve”
    Scott Brady

    View full-size slide

  2. © 2020 Rock Solid Knowledge
    Introductions
    • IdentityServer.com - @rskltd
    • ScottBrady91.com - @scottbrady91
    2

    View full-size slide

  3. © 2020 Rock Solid Knowledge
    Passwords - We’ve come a long way
    xkcd.com/936/

    View full-size slide

  4. © 2020 Rock Solid Knowledge
    Or have we?
    ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

    View full-size slide

  5. © 2020 Rock Solid Knowledge
    Okay, maybe not
    theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting

    View full-size slide

  6. © 2020 Rock Solid Knowledge
    Thanks, Gran

    View full-size slide

  7. © 2020 Rock Solid Knowledge
    Why are passwords so popular?

    View full-size slide

  8. © 2020 Rock Solid Knowledge
    Then why am I hating on passwords?
    haveibeenpwned.com

    View full-size slide

  9. © 2020 Rock Solid Knowledge
    Thanks, Bill
    cnet.com/news/gates-predicts-death-of-the-password

    View full-size slide

  10. © 2020 Rock Solid Knowledge
    Hang on a minute, why do we care?
    • Authentication
    • to prevent unauthorized access
    • Attacks
    • Targeted
    • Untargeted
    • Methods
    • Stolen credentials
    • Guessed credentials
    • How much do you care?

    View full-size slide

  11. © 2020 Rock Solid Knowledge
    This is a problem
    Number of sites deemed dangerous by Google Safe Browsing (2007 – 2019)
    transparencyreport.google.com/safe-browsing/overview

    View full-size slide

  12. © 2020 Rock Solid Knowledge
    What can we do to improve passwords?
    • Store passwords correctly
    • Make the user choose a better password
    • Education
    • Password strength

    View full-size slide

  13. © 2020 Rock Solid Knowledge
    Passwordless: Let someone else care
    medium.com

    View full-size slide

  14. © 2020 Rock Solid Knowledge
    Knowledge-Based Authentication

    View full-size slide

  15. © 2020 Rock Solid Knowledge
    Avoid snake oil
    If it still comes down to something you
    know, consider it snake oil

    View full-size slide

  16. © 2020 Rock Solid Knowledge
    Improve by adding another factor
    • Something you know (passwords)
    • Something you are
    • Something you own

    View full-size slide

  17. © 2020 Rock Solid Knowledge
    SMS OTP

    View full-size slide

  18. © 2020 Rock Solid Knowledge
    “SMS 2FA is weak AF”
    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

    View full-size slide

  19. © 2020 Rock Solid Knowledge
    SMS Phishing

    View full-size slide

  20. © 2020 Rock Solid Knowledge
    SMS OTP: Reality

    View full-size slide

  21. © 2020 Rock Solid Knowledge
    TOTP (and other soft tokens)

    View full-size slide

  22. © 2020 Rock Solid Knowledge
    How do soft tokens work?
    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

    View full-size slide

  23. © 2020 Rock Solid Knowledge
    TOTP authentication
    381057

    View full-size slide

  24. © 2020 Rock Solid Knowledge
    TOTP: It’s just another shared secret
    • Not going to save you in a breach
    • Opinion: still something you know
    • Article: “Software Tokens Won't Save You”

    View full-size slide

  25. © 2020 Rock Solid Knowledge
    Demo
    Phish your friends with Evilginx

    View full-size slide

  26. © 2020 Rock Solid Knowledge
    Phishing

    View full-size slide

  27. © 2020 Rock Solid Knowledge
    Evilginx
    User Phishing Site Target

    View full-size slide

  28. © 2020 Rock Solid Knowledge
    Phishing

    View full-size slide

  29. © 2020 Rock Solid Knowledge
    Phishing

    View full-size slide

  30. © 2020 Rock Solid Knowledge
    Spooky biometrics
    • Bit of an unknown
    • Two types
    • Physical
    • Behavioural

    View full-size slide

  31. © 2020 Rock Solid Knowledge
    Unreliable?
    youtube.com/watch?v=dUMH6DVYskc

    View full-size slide

  32. © 2020 Rock Solid Knowledge
    No, they are just probabilistic
    • Acceptable false match rate = 1 in 1000
    • Don’t send across the internet
    • Should not be considered a secret
    • Physical is public
    • Behavioural is public
    • Mitigate with presentation attack detection
    • Good for local auth only
    • NIST SP 800-63b – 5.2.3 Use of Biometrics

    View full-size slide

  33. © 2020 Rock Solid Knowledge
    Push notifications

    View full-size slide

  34. © 2020 Rock Solid Knowledge
    Not for me
    • Proprietary!
    • Distracts us from a much better solution…

    View full-size slide

  35. © 2020 Rock Solid Knowledge
    Solution

    View full-size slide

  36. © 2020 Rock Solid Knowledge
    What is FIDO?
    • FIDO2
    • WebAuthn
    • CTAP2

    View full-size slide

  37. © 2020 Rock Solid Knowledge
    What is FIDO?
    Security keys!

    View full-size slide

  38. © 2020 Rock Solid Knowledge
    What is FIDO?
    The flow
    Server
    (FIDO Relying Party)
    Browser
    (WebAuthn)
    Security Key
    (FIDO Authenticator)

    View full-size slide

  39. What is FIDO?
    The flow
    caniuse.com/#search=webauthn

    View full-size slide

  40. © 2020 Rock Solid Knowledge
    What is FIDO?
    The flow
    Server
    (FIDO Relying Party)
    Browser
    (WebAuthn)
    Security Key
    (FIDO Authenticator)

    View full-size slide

  41. © 2020 Rock Solid Knowledge
    What FIDO brings to the table
    Useless in a breach “Unphishable”

    View full-size slide

  42. © 2020 Rock Solid Knowledge

    View full-size slide

  43. © 2020 Rock Solid Knowledge

    View full-size slide

  44. © 2020 Rock Solid Knowledge

    View full-size slide

  45. © 2020 Rock Solid Knowledge
    What FIDO brings to the table
    Protection for the at-risk
    High-Value Employees Advanced Protection Program

    View full-size slide

  46. © 2020 Rock Solid Knowledge
    So security keys are the future?

    View full-size slide

  47. © 2020 Rock Solid Knowledge
    But what about passwords?

    View full-size slide

  48. © 2020 Rock Solid Knowledge
    How hard is this to implement?
    WebAuthn

    View full-size slide

  49. © 2020 Rock Solid Knowledge
    How hard is this to implement?
    ASP.NET Core
    OSS
    (Anders Åberg)
    Commercial
    (Rock Solid Knowledge – IdentityServer.com)

    View full-size slide

  50. © 2020 Rock Solid Knowledge
    FIDO2 relying party
    Challenge - OSS

    View full-size slide

  51. © 2020 Rock Solid Knowledge
    FIDO2 relying party
    Challenge – IdentityServer.com

    View full-size slide

  52. © 2020 Rock Solid Knowledge
    FIDO2 relying party
    Validation - OSS

    View full-size slide

  53. © 2020 Rock Solid Knowledge
    FIDO2 relying party
    Validation – IdentityServer.com
    github.com/abergs/fido2-net-lib OR github.com/RockSolidKnowledge/Samples.Fido

    View full-size slide

  54. © 2020 Rock Solid Knowledge
    Simple rankings
    Password SMS TOTP
    Push
    Notifications
    FIDO2
    (WebAuthn)

    View full-size slide

  55. © 2020 Rock Solid Knowledge
    Pragmatic rankings
    security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

    View full-size slide

  56. © 2020 Rock Solid Knowledge
    Solution: hedgehog-based authentication
    gizmodo.co.uk/2016/11/hedgehog-based-authentication-is-the-only-way-to-be-truly-secure

    View full-size slide

  57. © 2020 Rock Solid Knowledge
    The end

    View full-size slide

  58. © 2020 Rock Solid Knowledge
    Passwords: we still make mistakes (bonus)
    theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now
    theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

    View full-size slide

  59. © 2020 Rock Solid Knowledge
    Improving transport with PAKE (bonus)
    blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
    Password Authenticated Key Exchange (PAKE)

    View full-size slide