
ONE DOES NOT SIMPLY ADD MFA

Christine
December 06, 2022


MFA (Multi-factor authentication) is a vital security pillar for any application, but sometimes it fails us as users and developers. How you use and implement MFA can significantly impact how secure it will be and the protection it ultimately provides. Finding best practices for implementing MFA can be difficult, so learn from a real-world implementation and know how to protect yourself and not let down your users.


Transcript

  1. One does not simply add MFA
    It’s not just a walk into Mordor, good MFA is a journey

  2. Art by Maja Vonge Cornils

  3. What you will learn
    ✓ What is MFA
    ✓ How to secure your accounts
    ✓ What are the MFA types
    ✓ How to protect users and secure an application
    ✓ Potential testing steps
    ✓ MFA implementation best practices
    “Its black gates are guarded by more than just orcs.”

  4. Things you don't need to worry about
    • Taking notes or pictures 📝
    • Asking foolish questions 🤔
    “There is evil there that does not sleep, and the Great Eye is ever watchful”
    (Slides QR code)

  5. Let our journey begin…

  6. (image-only slide)

  7. (image-only slide)

  8. (image-only slide)

  9. Back to the beginning…
    To when you signed up for

  10. (image-only slide)

  11. (image-only slide)

  12. (image-only slide)

  13. (image-only slide)

  14. What was the hacker up to? 🤔
    Calling your mobile provider

  15. On the phone with your mobile provider...
    Using social engineering

  16. Now they have all the access...
    SIM swap / SIM hijacking

  17. (image-only slide)

  18. issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

  19. (image-only slide)

  20. Let’s check on some Aussie Telcos

  21. (image-only slide)

  22. optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack
    22 September 2022

  23. “We learned that SMS-based authentication is not nearly as secure as we would hope,
    and the main attack was via SMS intercept.”
    Christopher Slowe
    Reddit chief technology officer and founding engineer
    August 2018

  24. What is authentication?
    The process of verifying that someone or something is the actual entity that they
    claim to be.
    - OWASP.org
    (these people know what they are talking about when it comes to security)

  25. ... but what are the different factors of auth?
    • Knowledge (e.g. your password)
    • Possession (token/soft token) is the other common method choice
    • Identity (biometrics)

  26. What about all those other acronyms...
    2FA = 2SV = MFA = 2F

  27. Why didn't MFA help?
    • SMS was used
    • For most users MFA won’t even be enabled

  28. Let’s travel deeper
    to discover all of our factor choices

  29. SMS
    • Most common
    • Most compromised
    • Not recommended by NIST since 2016

  30. If SMS wasn't bad enough
    • SS7 (network shared by every telecom) has its own vulnerabilities
    • Text messages that are sent can be intercepted

  31. Let's figure out all the ways to hack it...
    1. SIM swap (aka what just happened to us)
    2. Port-out scam
    3. Brute force on the application itself
    4. Exploit SS7 weakness

  32. Push Based

  33. Push Based
    • Associated with certain authorized devices
    • Not visible on a locked phone screen

  34. Push Based Has Drawbacks
    September 15th, 2022

  35. Security Questions ❓ ❓

  36. Security Questions
    • User answers a set of questions during sign-up
    • For example:
      • Merry’s mother’s maiden name?
      • What is the Shire’s address?

  37. Email

  38. Email
    • At login time, an email with a verification code is sent to the user
    • Convenient
    • Should only be used with verified emails

  39. Example email verification step
    Awesome

  40. TOTP

  41. TOTP
    Time-based One Time Password
    aka app based
    aka soft token
    • Authy
    • Google Authenticator
    • 1Password
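An added example, not from the deck: how the six-digit code an authenticator app shows is derived and how the server side verifies it (RFC 6238 TOTP built on RFC 4226 HOTP), in Python with only the standard library. The secret is the RFC reference test key, chosen so the output can be checked against the published test vectors; everything else is constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238/4226 reference key "12345678901234567890",
# base32-encoded the way an authenticator app receives it from the enrolment QR code.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps since the epoch.
    This is what the app shows; the server computes the same value from the shared secret."""
    return hotp(secret_b32, at // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check. Tolerates `window` steps of clock drift either side and
    compares in constant time. A real server should also remember the last accepted
    step per user so the same code cannot be replayed inside the window."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    current = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, current + drift), submitted)
               for drift in range(-window, window + 1))


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("code now:", code, "verifies:", verify_totp(EXAMPLE_SECRET_B32, code, now))
```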

  42. Token Based

  43. Token Based
    Physical keys that can authenticate
    • FIDO2/WebAuthn
    • USB drive
    • Near-field communication
    • Many use U2F (Universal 2nd Factor)

  44. OTP vs U2F

  45. OTP vs U2F
    OTP:
    • Users type in codes
    • Set up and provision required
    • Secrets stored, providing a single point of attack
    U2F:
    • User has physical device
    • Strong security from public key cryptography
    • No personal information associated with a key

  46. What would you change now?

  47. Secure Your Account
    1. Use long password/passphrase
    2. Secure with alternate authentication method
    3. Use a VoIP number
    4. Don't reuse passwords
    5. PIN/password protect phone provider
    Keep on being @awesome

  48. … now let’s put a twist on our story

  49. (image-only slide)

  50. Not that twist...
    • Now you are the engineer at Shiregram (an Insta rival)
    • How do you secure your users from all the bad stuff out there?

  51. Security is everyone's job
    YOU MEAN TO
    INFORMATION SECURITY IS
    PART OF MY JOB TOO??

  52. Security is everyone's job
    • Engineers
    • Designers
    • Infrastructure
    • Managers
    • Not just info sec!

  53. wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

  54. nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

  55. Back to your security basics
    • Strong passwords/passphrase 💪
    • Don't make them be rotated 🔁
    • Store the hash securely 🔒
    • Only store sensitive data that you need ⛔

  56. Strong passwords/passphrase 💪
    https://xkcd.com/936/

  57. Why this helps
    Strong passwords/passphrase 💪
    • Greater entropy = harder to brute force the password
    • Passwords should be hard to guess, but easy to remember
    • Extra length + randomness allows for more entropy

  58. Strong passwords/passphrase 💪 (image-only slide)

  59. Strong passwords/passphrase 💪 (image-only slide)

  60. Do this
    Strong passwords/passphrase 💪

  61. Strong passwords/passphrase 💪 (image-only slide)

  62. Strong passwords/passphrase 💪 (image-only slide)

  63. Reddit
    Strong passwords/passphrase 💪

  64. Not this
    Strong passwords/passphrase 💪

  65. Strong passwords/passphrase 💪 (image-only slide)

  66. Strong passwords/passphrase 💪 (image-only slide)

  67. Let's talk about password hash encryption
    Store the hash securely 🔒
    • Just an algorithm that takes data and produces fixed-size output
    • Some hashes are stronger than others
    • MD5/SHA-1 = 👎
    • SHA-256 / SHA-512 (SHA-2) = 👍

  68. Adaptive one-way functions, hashes with more spice
    Store the hash securely 🔒
    • Compute a one-way (irreversible) transform
    • Allows configuration of ‘work factor’
    • Ex. Argon2, PBKDF2, scrypt, bcrypt
    Head on over to OWASP.org for more details
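An added example, not from the deck, of what slide 68's "work factor" buys you over the plain SHA-2 hash of slide 67: a salted PBKDF2-HMAC-SHA256 record that carries its own iteration count, a constant-time verifier, and a check for when an old record should be upgraded. Uses only the Python standard library; the password and record format are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed example password for a Shiregram user (not a real credential).
PASSWORD = "correct horse battery staple"

def plain_sha256(password: str) -> str:
    """Unsalted SHA-256: fine for integrity checks, weak for passwords because it is
    fast to brute force and identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def pbkdf2_hash(password: str, iterations: int = 600_000) -> str:
    """Adaptive one-way function: random per-user salt plus a tunable work factor.
    The record is self-describing so the work factor can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the record; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def needs_rehash(stored: str, target_iterations: int) -> bool:
    """True when the record was made with a lower work factor than current policy;
    rehash on the next successful login so old records get upgraded over time."""
    return int(stored.split("$")[1]) < target_iterations

if __name__ == "__main__":
    record = pbkdf2_hash(PASSWORD)
    print(record)
    print("correct password verifies:", pbkdf2_verify(PASSWORD, record))
    print("wrong password verifies:  ", pbkdf2_verify("wrong", record))
    # Rough feel for the work factor: one adaptive verify vs one plain hash.
    t0 = time.perf_counter()
    plain_sha256(PASSWORD)
    t1 = time.perf_counter()
    pbkdf2_verify(PASSWORD, record)
    t2 = time.perf_counter()
    print(f"sha256: {t1 - t0:.6f}s   pbkdf2 (600k iterations): {t2 - t1:.3f}s")
```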

  69. “…we made the decision to rotate customer accounts on May 5, 2022, out of an
    abundance of caution due to not all of the customers having multi-factor
    authentication (MFA) enabled at the time and potential for password reuse.”
    Bob Wise
    Heroku General Manager and Salesforce

  70. DIY or BUY
    Choose your User Authentication Journey

  71. (same slide, next build)

  72. (same slide, next build)

  73. If you choose to BUY

  74. If you choose to BUY
    • Choose your vendor wisely
    • What factor choices are available?
    • What are your authorization and authentication needs?

  75. If you choose DIY
    • More flexibility
    • More security surface area to cover
    • More control over the user experience
    • More choices…
      • When to require re-authentication of MFA
      • Should re-auth occur on a new IP/browser/period of time?

  76. Some things to keep in mind no matter your path…

  77. Rate limiting prevents brute force attacks

  78. Use a truncated exponential back-off algorithm

  79. Uh wut now?

  80. What is an exponential back-off algorithm?

  81. Get user buy-in

  82. Make it easy on your users

  83. Make it easy on your users
    • Make it easy to opt in
    • Make it easy to add
    • Make it visible
    • Make it flexible

  84. Do this

  85. Not this

  86. If you choose DIY…
    Require more authentication
    IT COMES IN PINTS?

  87. If you choose DIY…
    Require more authentication
    • For editing/removing of MFA, require credentials
    • If authentication does fail, be generic in the error response

  88. Do this
    "Login failed - invalid user ID or password"

  89. Not this
    "Login for User awesome: invalid password"
    "Login failed, invalid user ID"
    "Login failed; account disabled"
    "Login failed; this user is not active"
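An added example, not from the deck, tying together slides 77-80 (rate limiting with a truncated exponential back-off) and slides 87-89 (generic failure messages): a per-account login throttle whose wait doubles on every failure up to a fixed ceiling, wrapped in a login handler that answers with the same wording whether the user exists, is disabled, or just mistyped the password. The in-memory store, the delay constants and `check_credentials` are constructed for the example.

```python
BASE_DELAY = 1.0          # seconds to wait after the first failed attempt
MAX_DELAY = 15 * 60.0     # the "truncated" part: the wait never exceeds 15 minutes
RESET_AFTER = 60 * 60.0   # an hour without failures clears the counter

def backoff_delay(failures: int, base: float = BASE_DELAY, cap: float = MAX_DELAY) -> float:
    """Truncated exponential back-off: 1s, 2s, 4s, 8s, ... then flat at `cap`."""
    if failures <= 0:
        return 0.0
    return min(base * 2 ** (failures - 1), cap)

class LoginThrottle:
    """Per-account failure counter. Constructed in-memory store for the example; a real
    deployment keeps this in a shared cache and pairs it with a per-source-IP limit so
    one attacker cannot lock a victim out by hammering their username."""
    def __init__(self) -> None:
        self._state: dict[str, tuple[int, float]] = {}  # user -> (failures, last_failure)

    def seconds_until_allowed(self, username: str, now: float) -> float:
        failures, last = self._state.get(username, (0, 0.0))
        if now - last > RESET_AFTER:
            return 0.0
        return max(0.0, last + backoff_delay(failures) - now)

    def record_failure(self, username: str, now: float) -> None:
        failures, last = self._state.get(username, (0, 0.0))
        if now - last > RESET_AFTER:
            failures = 0
        self._state[username] = (failures + 1, now)

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)

# One wording for every failure, so the response never says whether the user ID
# exists, is disabled or inactive, or whether only the password was wrong.
GENERIC_FAILURE = "Login failed - invalid user ID or password"
THROTTLED = "Too many attempts - please try again later"

def attempt_login(throttle: LoginThrottle, username: str, password: str,
                  now: float, check_credentials) -> str:
    """check_credentials(username, password) -> bool is the site's own verifier
    (hypothetical here). The throttle is consulted before the password is checked."""
    if throttle.seconds_until_allowed(username, now) > 0:
        return THROTTLED
    if check_credentials(username, password):
        throttle.record_success(username)
        return "OK"
    throttle.record_failure(username, now)
    return GENERIC_FAILURE
```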

  90. Are we doing all we can to protect our users?

  91. (image-only slide)

  92. For users with the most privilege, MFA is a requirement, not optional

  93. As we come to the end of our journey…

  94. MFA can help but...
    • Can only improve security if you are following secure password practices
    • Some MFA methods are more secure than others

  95. (image-only slide)

  96. Thanks for having me YOW! Brisbane
    Thanks to:
    Tyson Reeder, slide design and final graphic (@tysondreeder)
    For references and further reading check out christine-seeman.com/talks

  97. What questions can I answer?

  98. (Slides QR code)

  99. wpengine.careers

  100. Everyone needs a product designer friend (thanks again Tyson!)

  101. #093840 #DCCEFE #FFEEA7 #A3FBBC #DCCEFE
    32px - Large Heading
    40px - Only text on slide
    24px - Body
    Image frame - teal - 3px wide

  102. Creating duotone bg images
    Go here: https://medialoot.com/duotones/
    Click the camera and upload an image from your computer. Then go to the colour tab
    and choose custom at the bottom. I try to stick to colours from the deck. Then drop
    it in and lower the opacity.