A tale of two sides of 2FA

9d7385d9e0c45a30c081fbbf53136e2d?s=47 Christine
January 31, 2020

A tale of two sides of 2FA

Two-factor/Multi-factor authentication (2FA/MFA/whatever your choice of acronym) is an important security pillar in any application, but sometimes it fails us as users and developers. How you use and implement 2FA can have huge impacts on how secure it will be, and the protection it ultimately provides.

Finding best practices about implementing 2FA can be difficult. Learn from a real world implementation, and come out knowing how to protect yourself and how to not let down your users.

9d7385d9e0c45a30c081fbbf53136e2d?s=128

Christine

January 31, 2020
Tweet

Transcript

  1. @tech_christine A tale of two sides of 2FA It can

    be the best of security, or the worst of security
  2. @tech_christine What you will learn ✓ What is 2FA/MFA ✓

    How to secure your accounts ✓ What are the 2FA types ✓ How to protect users and secure an application ✓ Potential testing steps ✓ 2FA development best practices "...it was the age of wisdom, it was the age of foolishness..."
  3. @tech_christine Taking notes or pictures Asking stupid questions https://christine-seeman.com/talks Things

    you don't need to worry about "...it was the epoch of belief, it was the epoch of incredulity..."
  4. @tech_christine London and Paris

  5. @tech_christine User and Developer

  6. @tech_christine

  7. None
  8. None
  9. @tech_christine Back to the beginning To when you signed up

    for
  10. @tech_christine

  11. @tech_christine

  12. @tech_christine

  13. @tech_christine What was the hacker up to? Calling your mobile

    provider
  14. @tech_christine On the phone with your mobile provider... Using social

    engineering
  15. @tech_christine Now they have all the access... Sim swap/sim hijacking

  16. @tech_christine

  17. @tech_christine issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

  18. @tech_christine

  19. “ @tech_christine We learned that SMS-based authentication is not nearly

    as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018
  20. @tech_christine What is authentication? The process of verifying that someone

    or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
  21. @tech_christine ... but what are the different factors of auth?

    1. Factor is knowledge (i.e. your password) 2. Is the other method choice - Possession (token/soft token) - Identity (biometrics)
  22. @tech_christine 2FA = 2SV = MFA = 2F What about

    all those other acronyms...
  23. @tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't

    even enabled
  24. @tech_christine • Most common • Most compromised • Not recommended

    by NIST since 2016 SMS
  25. @tech_christine If SMS wasn't bad enough •SS7 (network shared by

    every telecom) has it's own vulnerabilities •Text messages that are sent can be intercepted
  26. @tech_christine Let's figure out all the ways to hack it...

    1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness
  27. @tech_christine Time-based One Time Password aka app based aka soft

    token • Authy • Google Authenticator • 1Password TOTP
  28. @tech_christine • Associated with certain authorized devices • Not visible

    on a locked phone screen Push Based
  29. @tech_christine Email • Convient • Should only be used with

    verified emails • Less Common, may be in use but not referred to as 2FA
  30. @tech_christine Token based Physical keys that can auth • USB

    drive • near-field communication • Many use U2F (Universal 2nd Factor)
  31. @tech_christine OTP vs U2F

  32. @tech_christine OTP U2F • User has physical device • Strong

    security from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack
  33. What would you change now?

  34. @tech_christine Secure Your Account 1. Use long password/passphrase 2. Secure

    with alternate authentication method 3. Use a VOIP number 4. Don't reuse passwords 5. Pin/password protect phone provider Keep on being @awesome
  35. @tech_christine But wait... Now you are the developer at jiffygram

    (an insta rival) How do you secure your users from all the bad stuff out there?
  36. @tech_christine • Developers • Designers • Infrastructure • Managers •

    Not just info sec! Security is everyone's job
  37. @tech_christine wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

  38. @tech_christine nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

  39. @tech_christine Back to your security basics 1. Strong passwords/passphrase #

    2. Don't make them be rotated 3. Store the hash securely 4. Only store sensitive data that you need ⛔
  40. https://xkcd.com/936/ @tech_christine

  41. @tech_christine Why this helps •Greater entropy = harder to brute

    force the password •Passwords should be hard to guess, but easy to remember •Extra length + randomness allows for more entropy (strength)
  42. None
  43. None
  44. Do this @tech_christine

  45. @tech_christine

  46. Not this ☹ @tech_christine

  47. ⬆ that is 6 a's @tech_christine

  48. Not this either @tech_christine

  49. @tech_christine Let's talk about password hash encryption • Just an

    algorithm that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = + • SHA-256/512-bit SHA-2= , • If possible with performance, use an adaptive one- way function
  50. @tech_christine Strong recommended adaptive functions Argon2 PBKDF2 Scrypta Bcrypt Head

    on over to OWASP.org for more details
  51. @tech_christine ...a user lost their phone/app access/token • Recovery codes

    to the rescue! - • Allows access to application • Shown once, used once
  52. @tech_christine lessons learned 2FA Implementation @tech_christine

  53. Buy DYI

  54. None
  55. @tech_christine Rate limiting prevents brute force attacks @tech_christine

  56. @tech_christine Rate limiting prevents brute force attacks @tech_christine

  57. @tech_christine Use a truncated exponential back-off algorithm @tech_christine

  58. @tech_christine What is an exponential back-off algorithm?

  59. @tech_christine Code example in Ruby login_request if retries <= max_retries

    retries += 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end
  60. @tech_christine Get user buy-in

  61. @tech_christine

  62. @tech_christine ✓ Make it easy opt in ✓ Make it

    easy to add ✓ Make it visible ✓Make it flexible
  63. @tech_christine Do this

  64. @tech_christine Not this American Express OpenShift Netflix Pandora Pinterest Spotify

    Target Best Buy Freshbooks State Farm AT&T 2FA
  65. @tech_christine Enforce authentication on all pages

  66. @tech_christine • For editing/removing of 2FA require credentials • If

    authentication does fail, be generic in error response Moar authentication
  67. Do this "Login failed - invalid user ID or password"

  68. Not this "Login for User foo: invalid password" "Login failed,

    invalid user ID" "Login failed; account disabled" "Login failed; this user is not active"
  69. @tech_christine Are we doing all we can to protect our

    users?
  70. @tech_christine

  71. @tech_christine Users with the most amount of privilege, 2FA is

    a requirement not optional
  72. @tech_christine 2FA can help but... • Can only improve security

    if you are following secure password practices • Some 2FA methods are more secure then others
  73. None
  74. @tech_christine Thanks for having me NDC {London}! All the organizers

    and volunteers deserve 2 2 2 Tyson Reeder for the final graphic @tysondreeder For references and further reading checkout christine-seeman.com/talks
  75. @tech_christine getflywheel.com/about/careers

  76. @tech_christine What questions can I answer?

  77. code!!

  78. @tech_christine Twilio API Example

  79. @tech_christine The Ruby One Time Password Library Example

  80. @tech_christine

  81. @tech_christine But you need to get this code to your

    user...
  82. @tech_christine Authy One Touch API Example

  83. @tech_christine QR Code Rendering https://github.com/whomwah/rqrcode ROTP: TOTP https://github.com/mdp/rotp Twilio Ruby

    API https://www.twilio.com/docs/libraries/ruby Auth Ruby API https://github.com/twilio/authy-ruby