One does not simply add MFA

Transcript

1. One does not simply add MFA Good MFA is a

   journey @[email protected]

2. Art by Maja Vonge Cornils

3. What you will learn ✓ What is MFA ✓ How

   to secure your accounts ✓ What are the MFA types ✓ How to protect users and secure an application ✓ Potential testing steps ✓ MFA implementation best practices "Its black gates are guarded by more than just orcs.” @[email protected]

4. Taking notes or pictures 📝 Asking foolish questions 🤔 Things

   you don't need to worry about "There is evil there that does not sleep, and the Great Eye is ever watchful" @[email protected] Slides QR code

5. Let our journey begin…

6. None

7. @[email protected]

8. None

9. Back to the beginning… To when you signed up for

10. @[email protected]

11. @[email protected]

12. None

13. @[email protected]

14. What was the hacker up to? 🤔 Calling your mobile

    provider @[email protected]

15. On the phone with your mobile provider... Using social engineering

    @[email protected]

16. Now they have all the access... Sim swap/sim hijacking @[email protected]

17. None

18. issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

19. @[email protected]

20. @[email protected] Let’s check on some recent hacks

21. @[email protected] August 2021 Then 2022 … then again 2023

22. “ We learned that SMS-based authentication is not nearly as

    secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology o ffi cer and founding engineer August 2018

23. What is authentication? The process of verifying that someone or

    something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)

24. ... but what are the different factors of auth? •

    Factor is knowledge (i.e. your password) • Is the other method choice • Possession (token/soft token) • Identity (biometrics)

25. 2FA = 2SV = MFA = 2F What about all

    those other acronyms... @[email protected]

26. Why didn't MFA help? @[email protected] • SMS was used •

    For most users MFA won’t even be enabled

27. Let’s travel deeper to discover all of our factor choices

28. • Most common • Most compromised • Not recommended by

    NIST since 2016 @[email protected] SMS

29. • SS7 (network shared by every telecom) has it's own

    vulnerabilities • Text messages that are sent can be intercepted If SMS wasn't bad enough @[email protected]

30. Let's figure out all the ways to hack it... 1.

    Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness @[email protected]

31. Push Based

32. Push Based • Associated with certain authorized devices • Not

    visible on a locked phone screen

33. Push Based Has Drawbacks September 15th, 2022

34. Security Questions ❓ ❓

35. Security Questions • User answers a set of questions during

    sign-up • For example • Merry’s mother’s maiden name? • What is the shire’s address?

36. Email

37. Email • At login time, an email with verification code

    is sent to user • Convient • Should only be used with verified emails • Less Common, may be in use but may not

38. Example email verification step Awesome

39. TOTP

40. TOTP Time-based One Time Password aka app based aka soft

    token • Authy • Google Authenticator • 1Password

41. A word of caution with Google Authenticator

42. 😬 A word of caution with Google Authenticator

43. Token Based

44. Token Based Physical keys that can authenticate • FIDO2/WebAuthn •

    USB drive • Near-field communication • Many use U2F (Universal 2nd Factor)

45. OTP vs U2F @[email protected]

46. OTP U2F • User has physical device • Strong security

    from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack @[email protected]

47. Are passkeys a factor? No… but they are good authentication

    solution

48. What would you change now?

49. Secure Your Account 1. Use long password/ passphrase 2. Secure

    with alternate authentication method 3. Use a VOIP number 4. Don't reuse passwords 5. Pin/password protect phone provider Keep on being @awesome @[email protected]

50. … now let’s put a twist on our story @[email protected]

51. @[email protected]

52. Well that would’ve shortened the movies 😏 @[email protected]

53. Not that twist... • Now you are the engineer at

    shiregram (an insta rival) • How do you secure your users from all the bad stuff out there? @[email protected]

54. Security is everyone's job YOU MEAN TO INFORMATION SECURITY IS

55. • Engineers • Designers • Infrastructure • Managers • Not

    just info sec! Security is everyone's job

56. wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

57. nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

58. Back to your security basics • Strong passwords/passphrase 💪 •

    Don't make them be rotated 🔁 • Store the hash securely 🔒 • Only store sensitive data that you need ⛔ @[email protected]

59. https://xkcd.com/936/ Strong passwords/passphrase 💪

60. Why this helps • Greater entropy = harder to brute

    force the password • Passwords should be hard to guess, but easy to remember @[email protected] Strong passwords/passphrase 💪

61. Strong passwords/passphrase 💪

62. Strong passwords/passphrase 💪

63. Do this @[email protected] Strong passwords/passphrase 💪

64. @[email protected] Strong passwords/passphrase 💪

65. @[email protected] Strong passwords/passphrase 💪

66. Reddit Strong passwords/passphrase 💪

67. Not this @[email protected] Strong passwords/passphrase 💪

68. @[email protected] Strong passwords/passphrase 💪

69. @[email protected] Strong passwords/passphrase 💪

70. Let's talk about password hash encryption • Just an algorithm

    that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = 👎 • SHA-256/512-bit SHA-2= 👍 @[email protected] Store the hash securely 🔒

71. Adaptive one-way functions, hashes with more spice • Compute a

    one-way (irreversible) transform • Allows configuration of ‘work factor’ • Ex. Argon2, PBKDF2, Scrypta, Bcrypt Head on over to OWASP.org for more details @[email protected] Store the hash securely 🔒

72. “ …we made the decision to rotate customer accounts on

    May 5, 2022, out of an abundance of caution due to not all of the customers having multi-factor authentication (MFA) enabled at the time and potential for password reuse. Bob Wise Heroku General Manager and Salesforce @[email protected]

73. DIY or BUY Choose your User Authentication Journey

74. DIY or BUY Choose your User Authentication Journey

75. DIY or BUY Choose your User Authentication Journey

76. If you choose to BUY

77. Open Source available too!

78. If you choose to BUY • Choose your vendor wisely

    • What factor choices are available? • What are your authorization and authentication needs?

79. If you choose DIY • More flexibility • More security

    surface area to cover • More control over the user experience • More choices… • When to require re-authentication of MFA • Should re-auth occur on new ip/browser/period of time

80. Some things to keep in mind no matter your path…

81. Rate limiting prevents brute force attacks

82. Use a truncated exponential back- off algorithm

83. Uh wut now?

84. What is an exponential back-off algorithm?

85. Get user buy-in @[email protected]

86. Make it easy on your users

87. • Make it easy opt in • Make it easy

    to add • Make it visible • Make it flexible Make it easy on your users

88. Do this

89. Not this

90. If you choose DIY… Require more authentication IT COMES IN

    PINTS?

91. • For editing/removing of MFA require credentials • If authentication

    does fail, be generic in error response If you choose DIY… Require more authentication

92. "Login failed - invalid user ID or password” Do this

93. "Login for User awesome: invalid password" "Login failed, invalid user

    ID" "Login failed; account disabled" "Login failed; this user is not active" Not this

94. @[email protected] Are we doing all we can to protect our

    users?
95. None

96. Users with the most privilege, MFA is a requirement not

    optional @[email protected]

97. As we come to the end of our journey…

98. MFA can help but... • Can only improve security if

    you are following secure password practices • Some MFA methods are more secure then others
99. None

100. Thanks for having me HDC! Thanks to: Tyson Reeder slide

     design and final graphic @tysondreeder For references and further reading checkout christine-seeman.com/talks @[email protected]

101. What questions can I answer? @[email protected]

102. Slides QR code @[email protected]

103. @[email protected] wpengine.careers

104. Everyone needs a product designer friend (thanks again Tyson!)

105. #093840 #DCCEFE #FFEEA7 #A3FBBC #DCCEFE 32px - Large Heading 40px

     - Only text on slide 24px - Body Image frame - teal - 3px wide

106. Creating duotone bg images https://medialoot.com/duotones/ Go here Click the camera

     and upload an image from your computer. Then go to the color tab and choose custom at the bottom. I try to stick to colors from the deck. Then drop it in and lower the opacity.