Upgrade to Pro — share decks privately, control downloads, hide ads and more …

MFA_Petfriendly.pdf

Christine
November 15, 2022
Technology
0
210

 MFA_Petfriendly.pdf

Christine

November 15, 2022
Tweet

More Decks by Christine

See All by Christine
One does not simply add MFA
tech_christine
0
59
Listening - Your Communication Superpower
tech_christine
0
220
Hanami 2.0 and You
tech_christine
1
280
ONE DOES NOT SIMPLY ADD MFA
tech_christine
0
370
One does not simply add MFA
tech_christine
0
210
Hack Your Brain - Improve yourself and your work
tech_christine
0
600
A tale of two sides of 2FA
tech_christine
0
530
A tale of two sides of 2FA
tech_christine
0
570
What does your Instagram say about you? Exploring Google Cloud Vision
tech_christine
0
200

Other Decks in Technology

See All in Technology
開発者のための FinOps/FinOps for Engineers
oracle4engineer
PRO
2
200
Pwned Labsのすゝめ
ken5scal
2
510
JAWS FESTA 2024「バスロケ」GPS×サーバーレスの開発と運用の舞台裏/jawsfesta2024-bus-gps-serverless
ma2shita
3
270
Aurora PostgreSQLがCloudWatch Logsに 出力するログの課金を削減してみる #jawsdays2025
non97
1
230
目標と時間軸 〜ベイビーステップでケイパビリティを高めよう〜
kakehashi
PRO
8
830
アジャイルな開発チームでテスト戦略の話は誰がする? / Who Talks About Test Strategy?
ak1210
1
660
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
9
2.5k
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
150
AWSアカウントのセキュリティ自動化、どこまで進める? 最適な設計と実践ポイント
yuobayashi
7
850
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
320
Platform Engineeringで クラウドの「楽しくない」を解消しよう
jacopen
4
110
LINEギフトにおけるバックエンド開発
lycorptech_jp
PRO
0
380

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
68
4.6k
Designing on Purpose - Digital PM Summit 2013
jponch
117
7.1k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Git: the NoSQL Database
bkeepers
PRO
428
65k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
13
1k
A Tale of Four Properties
chriscoyier
158
23k
Typedesign – Prime Four
hannesfritz
41
2.5k
Practical Orchestrator
shlominoach
186
10k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k
Into the Great Unknown - MozCon
thekraken
35
1.6k

Transcript

  1. @christine@ruby.social One does not simply add MFA Just like a

    walk into Mordor, good MFA is a journey

  2. @christine@ruby.social What you will learn ✓ What is MFA ✓

    How to secure your accounts ✓ What are the MFA types ✓ How to protect users and secure an application ✓ Potential testing steps ✓ MFA implementation best practices "Its black gates are guarded by more than just orcs. "

  3. @christine@ruby.social Taking notes or pictures 📝 Asking foolish questions 🤔

    christine-seeman.com/talks Things you don't need to worry about "There is evil there that does not sleep, and the Great Eye is ever watchful"
  4. None
  5. None
  6. None

  7. @christine@ruby.social Back to the beginning To when you signed up

    for

  8. @christine@ruby.social

  9. @christine@ruby.social

  10. None

  11. @christine@ruby.social What was the hacker up to? Calling your mobile

    provider

  12. @christine@ruby.social On the phone with your mobile provider... Using social

    engineering

  13. @christine@ruby.social Now they have all the access... Sim swap/sim hijacking

  14. None

  15. @christine@ruby.social issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

  16. @christine@ruby.social

  17. “ @christine@ruby.social We learned that SMS-based authentication is not nearly

    as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology of fi cer and founding engineer August 2018

  18. @christine@ruby.social What is authentication? The process of verifying that someone

    or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)

  19. @christine@ruby.social ... but what are the different factors of auth?

    ✔Factor is knowledge (i.e. your password) ✔Is the other method choice - Possession (token/soft token) - Identity (biometrics)

  20. @christine@ruby.social 2FA = 2SV = MFA = 2F? = ???

    What about all those other acronyms...

  21. @christine@ruby.social Why didn't MFA help? •SMS was used •For most

    users MFA won’t even be enabled

  22. @christine@ruby.social • Most common • Most compromised • Not recommended

    by NIST since 2016 SMS

  23. @christine@ruby.social If SMS wasn't bad enough •SS7 (network shared by

    every telecom) has it's own vulnerabilities •Text messages that are sent can be intercepted

  24. @christine@ruby.social Let's figure out all the ways to hack it...

    1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness

  25. @christine@ruby.social • Associated with certain authorized devices • Not visible

    on a locked phone screen Push Based

  26. @christine@ruby.social … Push Based has major drawbacks too September 15th,

    2022

  27. @christine@ruby.social Security Questions • Convient • Just an extension of

    your first factor, password (knowledge) 🤨 ❓ ❓

  28. @christine@ruby.social Email • Convient • Should only be used with

    verified emails • Less Common, may be in use but not referred to as 2FA

  29. @christine@ruby.social Time-based One Time Password aka app based aka soft

    token • Authy • Google Authenticator • 1Password TOTP

  30. @christine@ruby.social Token based Physical keys that can auth • FIDO2/WebAuthn

    • USB drive • near- fi eld communication • Many use U2F (Universal 2nd Factor)

  31. @christine@ruby.social OTP vs U2F

  32. @christine@ruby.social OTP U2F • User has physical device • Strong

    security from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack

  33. What would you change now?

  34. @christine@ruby.social Secure Your Account 1. Use long password/passphrase 2. Secure

    with alternate authentication method 3. Use a VOIP number 4. Don't reuse passwords 5. Pin/password protect phone provider Keep on being @awesome

  35. @christine@ruby.social But wait... Now you are the developer at jiffygram

    (an insta rival) How do you secure your users from all the bad stuff out there?

  36. @christine@ruby.social • Developers • Designers • Infrastructure • Managers •

    Not just info sec! Security is everyone's job

  37. @christine@ruby.social wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

  38. @christine@ruby.social nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

  39. @christine@ruby.social Back to your security basics 1. Strong passwords/passphrase 💪

    2. Don't make them be rotated 🔁 3. Store the hash securely 🔒 4. Only store sensitive data that you need ⛔

  40. https://xkcd.com/936/ @christine@ruby.social

  41. @christine@ruby.social Why this helps •Greater entropy = harder to brute

    force the password •Passwords should be hard to guess, but easy to remember •Extra length + randomness allows for more entropy (strength)
  42. None
  43. None

  44. Do this 😄

  45. None

  46. @christine@ruby.social

  47. Not this 😞

  48. ⬆ that is 6 a's

  49. ⬆ that is just six aaaaaa that ended up working

  50. @christine@ruby.social Let's talk about password hash encryption • Just an

    algorithm that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = 👎 • SHA-256/512-bit SHA-2= 👍 • If possible with performance, use an adaptive one-way function

  51. @christine@ruby.social Strong recommended adaptive functions Argon2 PBKDF2 Scrypta Bcrypt Head

    on over to OWASP.org for more details

  52. “ @christine@ruby.social …we made the decision to rotate customer accounts

    on May 5, 2022, out of an abundance of caution due to not all of the customers having multi-factor authentication (MFA) enabled at the time and potential for password reuse. Bob Wise Heroku General Manager and Salesforce

  53. @christine@ruby.social ...a user lost their phone/app access/token • Recovery codes

    to the rescue! 🦹 • Allows access to application • Shown once, used once

  54. Choose your path DIY BUY

  55. @christine@ruby.social If you choose to BUY •Choose your vendor wisely

    •What factor choices are available? •What are your authorization and authentication needs?

  56. @christine@ruby.social If you choose DIY More flexibility More security surface

    area to cover More control over the user experience

  57. @christine@ruby.social Rate limiting prevents brute force attacks @tech_christine

  58. @christine@ruby.social Rate limiting prevents brute force attacks

  59. @christine@ruby.social Use a truncated exponential back-off algorithm

  60. @christine@ruby.social What is an exponential back-off algorithm?

  61. @christine@ruby.social Get user buy-in

  62. @christine@ruby.social

  63. @christine@ruby.social ✓ Make it easy opt in ✓ Make it

    easy to add ✓ Make it visible ✓Make it flexible

  64. @christine@ruby.social Not this 😢 American Express OpenShift Net fl ix

    Pandora Pinterest Spotify Target Best Buy State Farm AT&T Twitter (well not right now) 🚫 MFA

  65. @christine@ruby.social • For editing/removing of MFA require credentials • If

    authentication does fail, be generic in error response More authentication

  66. Do this "Login failed - invalid user ID or password"

    😙

  67. Not this "Login for User awesome: invalid password" "Login failed,

    invalid user ID" "Login failed; account disabled" "Login failed; this user is not active" 😖

  68. @christine@ruby.social Are we doing all we can to protect our

    users?

  69. @christine@ruby.social

  70. @christine@ruby.social Users with the most amount of privilege, 2FA is

    a requirement not optional

  71. @christine@ruby.social

  72. @christine@ruby.social MFA can help but... • Can only improve security

    if you are following secure password practices • Some MFA methods are more secure then others
  73. None

  74. @christine@ruby.social Thanks for having me PetFriendly! Tyson Reeder for the

    final graphic @tysondreeder For references and further reading checkout christine-seeman.com/talks

  75. @christine@ruby.social What questions can I answer?

  76. code!!

  77. @christine@ruby.social Twilio API Example

  78. @christine@ruby.social The Ruby One Time Password Library Example

  79. @christine@ruby.social

  80. @christine@ruby.social But you need to get this code to your

    user...

  81. @christine@ruby.social Authy One Touch API Example

  82. @christine@ruby.social QR Code Rendering https://github.com/whomwah/rqrcode ROTP: TOTP https://github.com/mdp/rotp Twilio Ruby

    API https://www.twilio.com/docs/libraries/ruby Auth Ruby API https://github.com/twilio/authy-ruby