One does not simply add MFA

Transcript

1. One does not simply add MFA Good MFA is a

   journey @christine@ruby.social

2. Art by Maja Vonge Cornils

3. What you will learn ✓ What is MFA ✓ How

   to secure your accounts ✓ What are the MFA types ✓ How to protect users and secure an application ✓ Potential testing steps ✓ MFA implementation best practices "Its black gates are guarded by more than just orcs.” @christine@ruby.social

4. Taking notes or pictures 📝 Asking foolish questions 🤔 Things

   you don't need to worry about "There is evil there that does not sleep, and the Great Eye is ever watchful" @christine@ruby.social Slides QR code

5. Let our journey begin…

6. None

7. @christine@ruby.social

8. None

9. Back to the beginning… To when you signed up for

10. @christine@ruby.social

11. @christine@ruby.social

12. None

13. @christine@ruby.social

14. What was the hacker up to? 🤔 Calling your mobile

    provider @christine@ruby.social

15. On the phone with your mobile provider... Using social engineering

    @christine@ruby.social

16. Now they have all the access... Sim swap/sim hijacking @christine@ruby.social

17. None

18. issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf

19. @christine@ruby.social

20. @christine@ruby.social Let’s check on some recent hacks

21. @christine@ruby.social August 2021 Then 2022 … then again 2023

22. “ We learned that SMS-based authentication is not nearly as

    secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology o ffi cer and founding engineer August 2018

23. What is authentication? The process of verifying that someone or

    something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)

24. ... but what are the different factors of auth? •

    Factor is knowledge (i.e. your password) • Is the other method choice • Possession (token/soft token) • Identity (biometrics)

25. 2FA = 2SV = MFA = 2F What about all

    those other acronyms... @christine@ruby.social

26. Why didn't MFA help? @christine@ruby.social • SMS was used •

    For most users MFA won’t even be enabled

27. Let’s travel deeper to discover all of our factor choices

28. • Most common • Most compromised • Not recommended by

    NIST since 2016 @christine@ruby.social SMS

29. • SS7 (network shared by every telecom) has it's own

    vulnerabilities • Text messages that are sent can be intercepted If SMS wasn't bad enough @christine@ruby.social

30. Let's figure out all the ways to hack it... 1.

    Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness @christine@ruby.social

31. Push Based

32. Push Based • Associated with certain authorized devices • Not

    visible on a locked phone screen

33. Push Based Has Drawbacks September 15th, 2022

34. Security Questions ❓ ❓

35. Security Questions • User answers a set of questions during

    sign-up • For example • Merry’s mother’s maiden name? • What is the shire’s address?

36. Email

37. Email • At login time, an email with verification code

    is sent to user • Convient • Should only be used with verified emails • Less Common, may be in use but may not

38. Example email verification step Awesome

39. TOTP

40. TOTP Time-based One Time Password aka app based aka soft

    token • Authy • Google Authenticator • 1Password

41. A word of caution with Google Authenticator

42. 😬 A word of caution with Google Authenticator

43. Token Based

44. Token Based Physical keys that can authenticate • FIDO2/WebAuthn •

    USB drive • Near-field communication • Many use U2F (Universal 2nd Factor)

45. OTP vs U2F @christine@ruby.social

46. OTP U2F • User has physical device • Strong security

    from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack @christine@ruby.social

47. Are passkeys a factor? No… but they are good authentication

    solution

48. What would you change now?

49. Secure Your Account 1. Use long password/ passphrase 2. Secure

    with alternate authentication method 3. Use a VOIP number 4. Don't reuse passwords 5. Pin/password protect phone provider Keep on being @awesome @christine@ruby.social

50. … now let’s put a twist on our story @christine@ruby.social

51. @christine@ruby.social

52. Well that would’ve shortened the movies 😏 @christine@ruby.social

53. Not that twist... • Now you are the engineer at

    shiregram (an insta rival) • How do you secure your users from all the bad stuff out there? @christine@ruby.social

54. Security is everyone's job YOU MEAN TO INFORMATION SECURITY IS

55. • Engineers • Designers • Infrastructure • Managers • Not

    just info sec! Security is everyone's job

56. wmcactionnews5.com/2019/12/11/family-says-hackers-accessed-ring-camera-their-year-old-daughters-room

57. nbc-2.com/story/41428183/stranger-spews-racial-slurs-over-familys-hacked-ring-camera

58. Back to your security basics • Strong passwords/passphrase 💪 •

    Don't make them be rotated 🔁 • Store the hash securely 🔒 • Only store sensitive data that you need ⛔ @christine@ruby.social

59. https://xkcd.com/936/ Strong passwords/passphrase 💪

60. Why this helps • Greater entropy = harder to brute

    force the password • Passwords should be hard to guess, but easy to remember @christine@ruby.social Strong passwords/passphrase 💪

61. Strong passwords/passphrase 💪

62. Strong passwords/passphrase 💪

63. Do this @christine@ruby.social Strong passwords/passphrase 💪

64. @christine@ruby.social Strong passwords/passphrase 💪

65. @christine@ruby.social Strong passwords/passphrase 💪

66. Reddit Strong passwords/passphrase 💪

67. Not this @christine@ruby.social Strong passwords/passphrase 💪

68. @christine@ruby.social Strong passwords/passphrase 💪

69. @christine@ruby.social Strong passwords/passphrase 💪

70. Let's talk about password hash encryption • Just an algorithm

    that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = 👎 • SHA-256/512-bit SHA-2= 👍 @christine@ruby.social Store the hash securely 🔒

71. Adaptive one-way functions, hashes with more spice • Compute a

    one-way (irreversible) transform • Allows configuration of ‘work factor’ • Ex. Argon2, PBKDF2, Scrypta, Bcrypt Head on over to OWASP.org for more details @christine@ruby.social Store the hash securely 🔒

72. “ …we made the decision to rotate customer accounts on

    May 5, 2022, out of an abundance of caution due to not all of the customers having multi-factor authentication (MFA) enabled at the time and potential for password reuse. Bob Wise Heroku General Manager and Salesforce @christine@ruby.social

73. DIY or BUY Choose your User Authentication Journey

74. DIY or BUY Choose your User Authentication Journey

75. DIY or BUY Choose your User Authentication Journey

76. If you choose to BUY

77. Open Source available too!

78. If you choose to BUY • Choose your vendor wisely

    • What factor choices are available? • What are your authorization and authentication needs?

79. If you choose DIY • More flexibility • More security

    surface area to cover • More control over the user experience • More choices… • When to require re-authentication of MFA • Should re-auth occur on new ip/browser/period of time

80. Some things to keep in mind no matter your path…

81. Rate limiting prevents brute force attacks

82. Use a truncated exponential back- off algorithm

83. Uh wut now?

84. What is an exponential back-off algorithm?

85. Get user buy-in @christine@ruby.social

86. Make it easy on your users

87. • Make it easy opt in • Make it easy

    to add • Make it visible • Make it flexible Make it easy on your users

88. Do this

89. Not this

90. If you choose DIY… Require more authentication IT COMES IN

    PINTS?

91. • For editing/removing of MFA require credentials • If authentication

    does fail, be generic in error response If you choose DIY… Require more authentication

92. "Login failed - invalid user ID or password” Do this

93. "Login for User awesome: invalid password" "Login failed, invalid user

    ID" "Login failed; account disabled" "Login failed; this user is not active" Not this

94. @christine@ruby.social Are we doing all we can to protect our

    users?
95. None

96. Users with the most privilege, MFA is a requirement not

    optional @christine@ruby.social

97. As we come to the end of our journey…

98. MFA can help but... • Can only improve security if

    you are following secure password practices • Some MFA methods are more secure then others
99. None

100. Thanks for having me HDC! Thanks to: Tyson Reeder slide

     design and final graphic @tysondreeder For references and further reading checkout christine-seeman.com/talks @christine@ruby.social

101. What questions can I answer? @christine@ruby.social

102. Slides QR code @christine@ruby.social

103. @christine@ruby.social wpengine.careers

104. Everyone needs a product designer friend (thanks again Tyson!)

105. #093840 #DCCEFE #FFEEA7 #A3FBBC #DCCEFE 32px - Large Heading 40px

     - Only text on slide 24px - Body Image frame - teal - 3px wide

106. Creating duotone bg images https://medialoot.com/duotones/ Go here Click the camera

     and upload an image from your computer. Then go to the color tab and choose custom at the bottom. I try to stick to colors from the deck. Then drop it in and lower the opacity.