
Let’s stop blaming our users for getting hacked when it is our problem to solve

Users cannot secure your web applications through password choice alone. You cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.

Typical 2FA implementations such as TOTP and push notifications have had some success, but they can be frustrating to use and are still vulnerable to basic phishing techniques. OWASP and NIST are now recommending FIDO2, which offers a realistic solution in the form of frictionless, possession-based authentication with built-in anti-phishing properties. But what does FIDO2 look like to a developer, and how does it actually work?

In this talk, I’m going to look at:
- why common 2FA mechanisms aren’t up to scratch
- how to phish your friends using Evilginx
- spooky biometrics
- how to use WebAuthn and FIDO2 to protect your users

Scott Brady

June 11, 2020

Transcript

  1. © 2020 Rock Solid Knowledge
    “Let’s stop blaming our users for getting hacked
    when it is our problem to solve”
    Scott Brady

  2. Introductions
    • IdentityServer.com - @rskltd
    • ScottBrady91.com - @scottbrady91

  3. Passwords - We’ve come a long way
    xkcd.com/936/

  4. Or have we?
    ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

  5. Okay, maybe not
    theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting

  6. Thanks, Gran

  7. Why are passwords so popular?

  8. Then why am I hating on passwords?
    haveibeenpwned.com

  9. Thanks, Bill
    cnet.com/news/gates-predicts-death-of-the-password

  10. Hang on a minute, why do we care?
    • Authentication
      • to prevent unauthorized access
    • Attacks
      • Targeted
      • Untargeted
    • Methods
      • Stolen credentials
      • Guessed credentials
    • How much do you care?

  11. This is a problem
    Number of sites deemed dangerous by Google Safe Browsing (2007 – 2019)
    transparencyreport.google.com/safe-browsing/overview

  12. What can we do to improve passwords?
    • Store passwords correctly
    • Make the user choose a better password
      • Education
      • Password strength

  13. Passwordless: Let someone else care
    medium.com

  14. Knowledge-Based Authentication

  15. Avoid snake oil
    If it still comes down to something you
    know, consider it snake oil

  16. Improve by adding another factor
    • Something you know (passwords)
    • Something you are
    • Something you own

  17. SMS OTP

  18. “SMS 2FA is weak AF”
    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

  19. SMS Phishing

  20. SMS OTP: Reality

  21. TOTP (and other soft tokens)

  22. How do soft tokens work?
    gizmodo.com/psa-sms-2fa-is-weak-af-1834681656

  23. TOTP authentication
    381057

  24. TOTP: It’s just another shared secret
    • Not going to save you in a breach
    • Opinion: still something you know
    • Article: “Software Tokens Won't Save You”

  25. Demo
    Phish your friends with Evilginx

  26. Phishing

  27. Evilginx
    User → Phishing Site → Target

  28. Phishing

  29. Phishing

  30. Spooky biometrics
    • Bit of an unknown
    • Two types
      • Physical
      • Behavioural

  31. Unreliable?
    youtube.com/watch?v=dUMH6DVYskc

  32. No, they are just probabilistic
    • Acceptable false match rate = 1 in 1000
    • Don’t send across the internet
    • Should not be considered a secret
      • Physical is public
      • Behavioural is public
    • Mitigate with presentation attack detection
    • Good for local auth only
    • NIST SP 800-63B – 5.2.3 Use of Biometrics

  33. Push notifications

  34. Not for me
    • Proprietary!
    • Distracts us from a much better solution…

  35. Solution

  36. What is FIDO?
    • FIDO2
    • WebAuthn
    • CTAP2

  37. What is FIDO?
    Security keys!

  38. What is FIDO?
    The flow
    Server (FIDO Relying Party) ↔ Browser (WebAuthn) ↔ Security Key (FIDO Authenticator)

  39. What is FIDO?
    The flow
    caniuse.com/#search=webauthn

  40. What is FIDO?
    The flow
    Server (FIDO Relying Party) ↔ Browser (WebAuthn) ↔ Security Key (FIDO Authenticator)

  41. What FIDO brings to the table
    • Useless in a breach
    • “Unphishable”

  45. What FIDO brings to the table
    Protection for the at-risk
    • High-Value Employees
    • Advanced Protection Program

  46. So security keys are the future?

  47. But what about passwords?

  48. How hard is this to implement?
    WebAuthn

  49. How hard is this to implement?
    ASP.NET Core
    • OSS (Anders Åberg)
    • Commercial (Rock Solid Knowledge – IdentityServer.com)

  50. FIDO2 relying party
    Challenge - OSS

  51. FIDO2 relying party
    Challenge – IdentityServer.com

  52. FIDO2 relying party
    Validation - OSS

  53. FIDO2 relying party
    Validation – IdentityServer.com
    github.com/abergs/fido2-net-lib OR github.com/RockSolidKnowledge/Samples.Fido

  54. Simple rankings (weakest to strongest)
    1. Password
    2. SMS
    3. TOTP
    4. Push notifications
    5. FIDO2 (WebAuthn)

  55. Pragmatic rankings
    security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

  56. Solution: hedgehog-based authentication
    gizmodo.co.uk/2016/11/hedgehog-based-authentication-is-the-only-way-to-be-truly-secure

  57. The end

  58. Passwords: we still make mistakes (bonus)
    theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now
    theverge.com/2019/3/21/18275837/facebook-plain-text-password-storage-hundreds-millions-users

  59. Improving transport with PAKE (bonus)
    Password Authenticated Key Exchange (PAKE)
    blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/