$30 off During Our Annual Pro Sale. View Details »

A tale of two sides of 2FA

Christine
January 31, 2020
Programming
0
450

A tale of two sides of 2FA

Two-factor/Multi-factor authentication (2FA/MFA/whatever your choice of acronym) is an important security pillar in any application, but sometimes it fails us as users and developers. How you use and implement 2FA can have huge impacts on how secure it will be, and the protection it ultimately provides.

Finding best practices about implementing 2FA can be difficult. Learn from a real world implementation, and come out knowing how to protect yourself and how to not let down your users.

Christine

January 31, 2020
Tweet

More Decks by Christine

See All by Christine
Listening - Your Communication Superpower
tech_christine
0
99
Hanami 2.0 and You
tech_christine
0
160
ONE DOES NOT SIMPLY ADD MFA
tech_christine
0
290
One does not simply add MFA
tech_christine
0
140
MFA_Petfriendly.pdf
tech_christine
0
140
Hack Your Brain - Improve yourself and your work
tech_christine
0
420
A tale of two sides of 2FA
tech_christine
0
510
What does your Instagram say about you? Exploring Google Cloud Vision
tech_christine
0
140
Hack your brain - Ways to improve your thought processes
tech_christine
0
380

Other Decks in Programming

See All in Programming
Modern Java for the Masses! Is Java Still Relevant?
deepu105
1
430
ちょうぜつ本の紹介 (クリーンアーキテクチャとパッケージ原則)
suzukimar
0
270
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | DevFest Berlin 23
prof18
0
210
MTDDC Meetup TOKYO 2023
chinen
1
190
ユーザー登録とログインフォームにautocomplete属性を使いましょう
ivanova1991
2
1.6k
フロントエンドの書くべきだったテスト、書かなくてよかったテスト
takefumiyoshii
31
11k
The Secret Ingredient: How to Understand and Resolve Just about Any Flaky Test
aridlehoover
PRO
1
210
Spring + Localstack : usando aws de forma gratuita
kamilahsantos
2
110
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
4
850
Prepare for Jakarta EE 11
ivargrimstad
0
1.5k
DartによるBFF構築・運用 〜 Dart Frog × Melos 〜
yumnumm
1
1.3k
Drag & Drop in LazyColumn
goutarouh
0
330

Featured

See All Featured
Large-scale JavaScript Application Architecture
addyosmani
501
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
0
270
A Philosophy of Restraint
colly
194
15k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Building Adaptive Systems
keathley
29
1.6k
Typedesign – Prime Four
hannesfritz
35
1.8k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k
Raft: Consensus for Rubyists
vanstee
130
6k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
For a Future-Friendly Web
brad_frost
168
8.4k
How to train your dragon (web standard)
notwaldorf
71
4.8k
Rails Girls Zürich Keynote
gr2m
90
12k

Transcript

  1. @tech_christine
    A tale of two sides of 2FA
    It can be the best of security, or the worst of security

    View Slide

  2. @tech_christine
    What you will learn
    ✓ What is 2FA/MFA
    ✓ How to secure your accounts
    ✓ What are the 2FA types
    ✓ How to protect users and
    secure an application
    ✓ Potential testing steps
    ✓ 2FA development best
    practices
    "...it was the age of wisdom, it was the age of
    foolishness..."

    View Slide

  3. @tech_christine
    Taking notes or pictures
    Asking stupid questions
    https://christine-seeman.com/talks
    Things you don't need to worry about
    "...it was the epoch of belief, it was the epoch of
    incredulity..."

    View Slide

  4. @tech_christine
    London and Paris

    View Slide

  5. @tech_christine
    User and Developer

    View Slide

  6. @tech_christine

    View Slide

  7. View Slide

  8. View Slide

  9. @tech_christine
    Back to the beginning
    To when you signed up for

    View Slide

  10. @tech_christine

    View Slide

  11. @tech_christine

    View Slide

  12. @tech_christine

    View Slide

  13. @tech_christine
    What was the
    hacker up to?
    Calling your mobile provider

    View Slide

  14. @tech_christine
    On the phone
    with your mobile
    provider...
    Using social engineering

    View Slide

  15. @tech_christine
    Now they have
    all the access...
    Sim swap/sim hijacking

    View Slide

  16. @tech_christine

    View Slide

  17. @tech_christine
    issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

    View Slide

  18. @tech_christine

    View Slide


  19. @tech_christine
    We learned that SMS-based
    authentication is not nearly as
    secure as we would hope, and the
    main attack was via SMS intercept
    Christopher Slowe
    Reddit chief technology officer and founding engineer
    August 2018

    View Slide

  20. @tech_christine
    What is authentication?
    The process of verifying that someone or
    something is the actual entity that they claim
    to be.
    - OWASP.org
    (these people know what they are talking about when it comes to security)

    View Slide

  21. @tech_christine
    ... but what are the different factors of auth?
    1. Factor is knowledge (i.e. your password)
    2. Is the other method choice
    - Possession (token/soft token)
    - Identity (biometrics)

    View Slide

  22. @tech_christine
    2FA = 2SV = MFA = 2F
    What about all those other acronyms...

    View Slide

  23. @tech_christine
    Why didn't 2FA help?
    •SMS was used
    •2FA wasn't even enabled

    View Slide

  24. @tech_christine
    • Most common
    • Most compromised
    • Not recommended
    by NIST since 2016
    SMS

    View Slide

  25. @tech_christine
    If SMS wasn't bad enough
    •SS7 (network shared by every telecom) has
    it's own vulnerabilities
    •Text messages that are sent can be
    intercepted

    View Slide

  26. @tech_christine
    Let's figure out
    all the ways to
    hack it...
    1. Sim-swap (aka what just
    happened to us)
    2. Port-out scam
    3. Brute force on the
    application itself
    4. Exploit SS7 weakness

    View Slide

  27. @tech_christine
    Time-based One Time Password
    aka app based
    aka soft token
    • Authy
    • Google Authenticator
    • 1Password
    TOTP

    View Slide

  28. @tech_christine
    • Associated with certain
    authorized devices
    • Not visible on a locked
    phone screen
    Push Based

    View Slide

  29. @tech_christine
    Email
    • Convient
    • Should only be used with
    verified emails
    • Less Common, may be in use
    but not referred to as 2FA

    View Slide

  30. @tech_christine
    Token based
    Physical keys that can auth
    • USB drive
    • near-field communication
    • Many use U2F (Universal
    2nd Factor)

    View Slide

  31. @tech_christine
    OTP vs U2F

    View Slide

  32. @tech_christine
    OTP U2F
    • User has physical
    device
    • Strong security from
    public key
    cryptography
    • No personal
    information associated
    with a key
    • Users type in codes
    • Set up and provision
    required
    • Secrets stored, providing
    a single point of attack

    View Slide

  33. What would you change now?

    View Slide

  34. @tech_christine
    Secure Your Account
    1. Use long password/passphrase
    2. Secure with alternate authentication method
    3. Use a VOIP number
    4. Don't reuse passwords
    5. Pin/password protect phone provider
    Keep on being @awesome

    View Slide

  35. @tech_christine
    But wait...
    Now you are the developer at jiffygram (an insta rival)
    How do you secure your users from all the bad stuff
    out there?

    View Slide

  36. @tech_christine
    • Developers
    • Designers
    • Infrastructure
    • Managers
    • Not just info sec!
    Security is everyone's job

    View Slide

  37. @tech_christine
    wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

    View Slide

  38. @tech_christine
    nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

    View Slide

  39. @tech_christine
    Back to your security basics
    1. Strong passwords/passphrase #
    2. Don't make them be rotated
    3. Store the hash securely
    4. Only store sensitive data that you need ⛔

    View Slide

  40. https://xkcd.com/936/
    @tech_christine

    View Slide

  41. @tech_christine
    Why this helps
    •Greater entropy = harder to brute force the password
    •Passwords should be hard to guess, but easy to remember
    •Extra length + randomness allows for more entropy
    (strength)

    View Slide

  42. View Slide

  43. View Slide

  44. Do this
    @tech_christine

    View Slide

  45. @tech_christine

    View Slide

  46. Not this ☹
    @tech_christine

    View Slide

  47. ⬆ that is 6 a's @tech_christine

    View Slide

  48. Not this
    either
    @tech_christine

    View Slide

  49. @tech_christine
    Let's talk about password hash encryption
    • Just an algorithm that takes data and produces
    fixed-size output
    • Some hashes are stronger then others
    • MD5/SHA-1 = +
    • SHA-256/512-bit SHA-2= ,
    • If possible with performance, use an adaptive one-
    way function

    View Slide

  50. @tech_christine
    Strong recommended adaptive functions
    Argon2
    PBKDF2
    Scrypta
    Bcrypt
    Head on over to OWASP.org for more details

    View Slide

  51. @tech_christine
    ...a user lost their phone/app access/token
    • Recovery codes to
    the rescue! -
    • Allows access to
    application
    • Shown once, used
    once

    View Slide

  52. @tech_christine
    lessons learned
    2FA Implementation
    @tech_christine

    View Slide

  53. Buy
    DYI

    View Slide

  54. View Slide

  55. @tech_christine
    Rate limiting prevents brute force attacks
    @tech_christine

    View Slide

  56. @tech_christine
    Rate limiting prevents brute force attacks
    @tech_christine

    View Slide

  57. @tech_christine
    Use a truncated exponential back-off algorithm
    @tech_christine

    View Slide

  58. @tech_christine
    What is an exponential back-off algorithm?

    View Slide

  59. @tech_christine
    Code example in
    Ruby
    login_request
    if retries <= max_retries
    retries += 1
    sleep (retries + rand(100)/1000)
    retry
    else
    raise "You've hit your max retries!"
    end

    View Slide

  60. @tech_christine
    Get user buy-in

    View Slide

  61. @tech_christine

    View Slide

  62. @tech_christine
    ✓ Make it easy opt in
    ✓ Make it easy to add
    ✓ Make it visible
    ✓Make it flexible

    View Slide

  63. @tech_christine
    Do this

    View Slide

  64. @tech_christine
    Not this

    American Express
    OpenShift
    Netflix
    Pandora
    Pinterest
    Spotify
    Target
    Best Buy
    Freshbooks
    State Farm
    AT&T
    2FA

    View Slide

  65. @tech_christine
    Enforce authentication on all pages

    View Slide

  66. @tech_christine
    • For editing/removing of
    2FA require credentials
    • If authentication does
    fail, be generic in error
    response
    Moar authentication

    View Slide

  67. Do this
    "Login failed - invalid user ID or password"

    View Slide

  68. Not this
    "Login for User foo: invalid password"
    "Login failed, invalid user ID"
    "Login failed; account disabled"
    "Login failed; this user is not active"

    View Slide

  69. @tech_christine
    Are we doing all we can to protect our users?

    View Slide

  70. @tech_christine

    View Slide

  71. @tech_christine
    Users with the most amount of
    privilege, 2FA is a requirement
    not optional

    View Slide

  72. @tech_christine
    2FA can help but...
    • Can only improve security if you are
    following secure password practices
    • Some 2FA methods are more secure then
    others

    View Slide

  73. View Slide

  74. @tech_christine
    Thanks for having me NDC {London}!
    All the organizers and volunteers deserve
    2 2 2
    Tyson Reeder for the final graphic
    @tysondreeder
    For references and further reading checkout
    christine-seeman.com/talks

    View Slide

  75. @tech_christine
    getflywheel.com/about/careers

    View Slide

  76. @tech_christine
    What questions can I answer?

    View Slide

  77. code!!

    View Slide

  78. @tech_christine
    Twilio API Example

    View Slide

  79. @tech_christine
    The Ruby One Time Password Library Example

    View Slide

  80. @tech_christine

    View Slide

  81. @tech_christine
    But you need to
    get this code to
    your user...

    View Slide

  82. @tech_christine
    Authy One Touch API Example

    View Slide

  83. @tech_christine
    QR Code Rendering
    https://github.com/whomwah/rqrcode
    ROTP: TOTP
    https://github.com/mdp/rotp
    Twilio Ruby API
    https://www.twilio.com/docs/libraries/ruby
    Auth Ruby API
    https://github.com/twilio/authy-ruby

    View Slide