$30 off During Our Annual Pro Sale. View Details »

One does not simply add MFA

Christine
November 29, 2022

One does not simply add MFA

Christine

November 29, 2022
Tweet

More Decks by Christine

Other Decks in Technology

Transcript

  1. @[email protected]
    One does not simply add MFA


    Just like a walk into Mordor, good MFA is a journey

    View Slide

  2. @[email protected]
    What you will learn
    ✓ What is MFA


    ✓ How to secure your
    accounts


    ✓ What are the MFA types


    ✓ How to protect users and
    secure an application


    ✓ Potential testing steps


    ✓ MFA implementation best
    practices
    "Its black gates are guarded by more than just orcs. "

    View Slide

  3. @[email protected]
    Taking notes or pictures 📝


    Asking foolish questions 🤔


    christine-seeman.com/talks
    Things you don't need to worry about
    "There is evil there that does not sleep, and the Great Eye is ever watchful"

    View Slide

  4. Let our journey begin…

    View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. @[email protected]
    Back to the beginning
    To when you signed up for

    View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. @[email protected]
    What was the
    hacker up to?
    Calling your mobile provider

    View Slide

  14. @[email protected]
    On the phone
    with your mobile
    provider...
    Using social engineering

    View Slide

  15. @[email protected]
    Now they have
    all the access...
    Sim swap/sim hijacking

    View Slide

  16. View Slide

  17. @[email protected]
    issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

    View Slide

  18. View Slide


  19. @[email protected]
    We learned that SMS-based
    authentication is not nearly as
    secure as we would hope, and the
    main attack was via SMS intercept


    Christopher Slowe


    Reddit chief technology of
    fi
    cer and founding engineer


    August 2018

    View Slide

  20. @[email protected]
    What is authentication?
    The process of verifying that someone or
    something is the actual entity that they claim
    to be.


    - OWASP.org


    (these people know what they are talking about when it comes to security)

    View Slide

  21. @[email protected]
    ... but what are the different factors of auth?
    ✔Factor is knowledge (i.e. your password)


    ✔Is the other method choice


    - Possession (token/soft token)


    - Identity (biometrics)

    View Slide

  22. @[email protected]
    2FA = 2SV = MFA = 2F? = ???


    What about all those other acronyms...

    View Slide

  23. @[email protected]
    Why didn't MFA help?
    •SMS was used


    •For most users MFA won’t even be enabled

    View Slide

  24. @[email protected]
    • Most common


    • Most compromised


    • Not recommended
    by NIST since 2016
    SMS

    View Slide

  25. @[email protected]
    If SMS wasn't bad enough
    •SS7 (network shared by every telecom) has
    it's own vulnerabilities


    •Text messages that are sent can be
    intercepted

    View Slide

  26. @[email protected]
    Let's figure out
    all the ways to
    hack it...
    1. Sim-swap (aka what just
    happened to us)
    2. Port-out scam
    3. Brute force on the
    application itself
    4. Exploit SS7 weakness

    View Slide

  27. @[email protected]
    • Associated with certain
    authorized devices


    • Not visible on a locked
    phone screen
    Push Based

    View Slide

  28. @[email protected]
    … Push Based has
    major drawbacks too
    September 15th, 2022

    View Slide

  29. @[email protected]
    Security Questions
    • User answers a set of questions during sign-up


    • For example


    • Merry’s mother’s maiden name?


    • What is the shire’s address?


    • Just an extension of your first factor, password
    (knowledge)
    ❓ ❓

    View Slide

  30. @[email protected]
    Email
    • At login time, an email with verification
    code is sent to user


    • Convient


    • Should only be used with verified emails


    • Less Common, may be in use but may
    not referred to as MFA

    View Slide

  31. @[email protected]
    Example email verification step
    Awesome

    View Slide

  32. @[email protected]
    Time-based One Time Password


    aka app based


    aka soft token


    • Authy


    • Google Authenticator


    • 1Password
    TOTP

    View Slide

  33. @[email protected]
    Token based
    Physical keys that can auth




    • FIDO2/WebAuthn


    • USB drive


    • near-
    fi
    eld communication


    • Many use U2F (Universal
    2nd Factor)


    View Slide

  34. @[email protected]
    OTP vs U2F

    View Slide

  35. @[email protected]
    OTP U2F
    • User has physical device


    • Strong security from
    public key cryptography


    • No personal information
    associated with a key
    • Users type in codes


    • Set up and provision required


    • Secrets stored, providing a
    single point of attack

    View Slide

  36. What would you change now?

    View Slide

  37. @[email protected]
    Secure Your Account
    1. Use long password/passphrase


    2. Secure with alternate authentication method


    3. Use a VOIP number


    4. Don't reuse passwords


    5. Pin/password protect phone provider


    Keep on being @awesome

    View Slide

  38. @[email protected]
    … now let’s put a
    twist on our story

    View Slide

  39. @[email protected]
    Not that twist...
    Now you are the developer at shiregram (an insta rival)


    How do you secure your users from all the bad stuff
    out there?

    View Slide

  40. @[email protected]
    • Developers


    • Designers


    • Infrastructure


    • Managers


    • Not just info sec!
    Security is everyone's job
    YOU MEAN TO TELL ME
    INFORMATION SECURITY IS PART OF


    MY JOB TOO!?

    View Slide

  41. @[email protected]
    wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

    View Slide

  42. @[email protected]
    nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

    View Slide

  43. @[email protected]
    Back to your security basics
    1. Strong passwords/passphrase 💪


    2. Don't make them be rotated 🔁


    3. Store the hash securely 🔒


    4. Only store sensitive data that you need ⛔

    View Slide

  44. https://xkcd.com/936/ @[email protected]

    View Slide

  45. @[email protected]
    Why this helps
    •Greater entropy = harder to brute force the password


    •Passwords should be hard to guess, but easy to remember


    •Extra length + randomness allows for more entropy
    (strength)

    View Slide

  46. View Slide

  47. View Slide

  48. Do this 😄

    View Slide

  49. View Slide

  50. View Slide

  51. Not this 😞

    View Slide

  52. ⬆ that is 6 a's

    View Slide

  53. Not this


    either 😧

    View Slide

  54. @[email protected]
    Let's talk about password hash encryption
    • Just an algorithm that takes data and produces fixed-size output


    • Some hashes are stronger then others


    • MD5/SHA-1 = 👎


    • SHA-256/512-bit SHA-2= 👍


    • If possible with performance, use an adaptive one-way function

    View Slide

  55. @[email protected]
    Strong recommended adaptive functions
    Argon2


    PBKDF2


    Scrypta


    Bcrypt


    Head on over to OWASP.org for more details

    View Slide


  56. @[email protected]
    …we made the decision to rotate customer
    accounts on May 5, 2022, out of an abundance
    of caution due to not all of the customers
    having multi-factor authentication (MFA)
    enabled at the time and potential for password
    reuse.


    Bob Wise


    Heroku General Manager and Salesforce


    View Slide

  57. @[email protected]
    ...a user lost their phone/app access/token
    • Recovery codes to
    the rescue! 🦹


    • Allows access to
    application


    • Shown once, used
    once

    View Slide

  58. Choose your path
    DIY BUY

    View Slide

  59. @[email protected]
    If you choose to BUY
    •Choose your vendor wisely


    •What factor choices are available?


    •What are your authorization and
    authentication needs?


    •Can you export your data?

    View Slide

  60. @[email protected]
    If you choose DIY
    More flexibility
    More security surface area to cover
    More control over the user experience

    View Slide

  61. Somethings to keep in mind no matter your path…

    View Slide

  62. @[email protected]
    Rate limiting
    prevents brute
    force attacks
    Rate limiting prevents brute force attacks

    View Slide

  63. @[email protected]
    Use a truncated exponential back-off algorithm
    Uh wut now?

    View Slide

  64. @[email protected]
    What is an exponential back-off algorithm?

    View Slide

  65. @[email protected]
    Get user buy-in

    View Slide

  66. @[email protected]
    ✓ Make it easy opt in


    ✓ Make it easy to add
    ✓ Make it visible


    ✓Make it flexible
    Make it easy on your users

    View Slide

  67. @[email protected]
    Not this 😢
    American Express


    OpenShift


    Net
    fl
    ix


    Pandora


    Pinterest


    Spotify


    Target


    Best Buy


    State Farm


    AT&T


    Twitter (well not right now)
    🚫 MFA

    View Slide

  68. @[email protected]
    Do this 😄

    View Slide

  69. @[email protected]
    • For editing/removing of
    MFA require credentials


    • If authentication does
    fail, be generic in error
    response
    More authentication
    IT COMES IN PINTS?

    View Slide

  70. Do this


    "Login failed - invalid user ID or password"


    😙

    View Slide

  71. Not this


    "Login for User awesome: invalid password"


    "Login failed, invalid user ID"


    "Login failed; account disabled"


    "Login failed; this user is not active"


    😖

    View Slide

  72. @[email protected]
    Are we doing all we can to protect our users?

    View Slide

  73. View Slide

  74. @[email protected]
    Users with the most amount of
    privilege, 2FA is a requirement
    not optional

    View Slide

  75. View Slide

  76. @[email protected]
    MFA can help but...
    Can only improve security if you are following secure
    password practices
    Some MFA methods are more secure then others

    View Slide

  77. View Slide

  78. Thanks for having me WP Engine Omaha friends!


    Thanks to:


    Tyson Reeder for the final graphic


    @tysondreeder


    For references and further reading checkout


    christine-seeman.com/talks


    Find me on mastodon @[email protected]

    View Slide

  79. @[email protected]
    What questions can I answer?

    View Slide

  80. code!!

    View Slide

  81. @[email protected]
    Twilio API Example

    View Slide

  82. @[email protected]
    The Ruby One Time Password Library Example

    View Slide

  83. View Slide

  84. @[email protected]
    But you need to
    get this code to
    your user...

    View Slide

  85. @[email protected]
    Authy One Touch API Example

    View Slide

  86. @[email protected]
    QR Code Rendering
    https://github.com/whomwah/rqrcode
    ROTP: TOTP
    https://github.com/mdp/rotp
    Twilio Ruby API
    https://www.twilio.com/docs/libraries/ruby
    Auth Ruby API
    https://github.com/twilio/authy-ruby

    View Slide