@tech_christine
"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept" - Christopher Slowe, Reddit chief technology officer and founding engineer, August 2018
What is authentication?
"The process of verifying that someone or something is the actual entity that they claim to be." - OWASP.org (these people know what they are talking about when it comes to security)
... but what are the different factors of auth?
1. Knowledge (i.e. your password)
2. The other method of your choice:
 - Possession (token/soft token)
 - Identity (biometrics)
2FA == 2SV == MFA
2FA = Two-factor authentication
2SV = Two-step verification
MFA = Multi-factor authentication
What about all those other acronyms...
If SMS wasn't bad enough
• SS7 (the signalling network shared by every telecom) has its own vulnerabilities
• Text messages that are sent can be intercepted
Let's figure out all the ways SMS can be hacked...
1. SIM swap (aka what just happened to us)
2. Port-out scam
3. Brute force on the application itself
4. Exploit SS7 weakness
OTP vs U2F
OTP:
• Users type in codes
• Set up and provisioning required
• Secrets stored, providing a single point of attack
U2F:
• User has a physical device
• Strong security from public key cryptography
• No personal information associated with a key
Secure Your Account
1. Use a VoIP number
2. Don't reuse passwords
3. Use long passwords
4. Secure with an alternate authentication method
5. PIN/password-protect your account with your phone provider
Keep on being @awesome
But wait...
• Now you are the developer at jiffygram (an insta rival)
• How do you secure your users from all the bad stuff out there?
Back to your security basics
1. Strong passwords!
2. Don't make them be rotated
3. Store the hash securely
4. Only store sensitive data that you need ⛔
Let's talk about password hashing
• Just an algorithm that takes data and produces fixed-size output
• Some hashes are stronger than others
• MD5/SHA-1 = )
• SHA-256/DES = *
• If possible with performance, use an adaptive one-way function
Strong recommended adaptive functions
1. Argon2 - winner of the Password Hashing Competition, should be considered first choice for new applications
2. PBKDF2 - when FIPS certification or enterprise support on many platforms is required
3. Scrypt - where resisting any/all hardware accelerated attacks is necessary but support isn't
4. Bcrypt - where PBKDF2 or Scrypt support is not available
Head on over to OWASP.org for more details
Example in Ruby (retry a login request with growing, jittered delay and a hard cap on attempts):

  retries = 0
  max_retries = 3          # assumed value; the slide does not give one
  begin
    login_request          # the actual login call, defined elsewhere
  rescue StandardError     # whatever error your login call raises on failure
    if retries <= max_retries
      retries += 1
      sleep(retries + rand(100) / 1000.0)  # float division; integer division would always add 0
      retry
    else
      raise "You've hit your max retries!"
    end
  end
Not this (each message tells the caller whether the user ID exists or what state the account is in):
"Login for User foo: invalid password"
"Login failed, invalid user ID"
"Login failed; account disabled"
"Login failed; this user is not active"
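Putting the hashing slide and the "Not this" slide together: an added example (not code from the talk) that stores passwords with PBKDF2-HMAC-SHA256, one of the recommended adaptive functions, and answers every failed login with the same generic message. The iteration count, salt size, record format and GENERIC_FAILURE text are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the talk: store passwords with PBKDF2-HMAC-SHA256
# (one of the adaptive functions the slides recommend) and answer every failed
# login with one generic message. Iteration count and salt size are assumptions.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES  = 32
GENERIC_FAILURE = 'Login failed'

# Produces "pbkdf2-sha256$iterations$salt$hash" (base64 fields) so the
# parameters travel with the record and can be raised later.
def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                length: KEY_BYTES, hash: 'sha256')
  ['pbkdf2-sha256', iterations, [salt].pack('m0'), [dk].pack('m0')].join('$')
end

# Constant-time comparison: leaks only the length, never which byte differed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored, candidate)
  scheme, iterations, salt_b64, hash_b64 = stored.split('$')
  return false unless scheme == 'pbkdf2-sha256'
  expected = hash_b64.unpack1('m0')
  actual = OpenSSL::KDF.pbkdf2_hmac(candidate, salt: salt_b64.unpack1('m0'),
                                    iterations: iterations.to_i,
                                    length: expected.bytesize, hash: 'sha256')
  secure_equal?(expected, actual)
end

# Constructed record used when the user does not exist, so the KDF still runs
# and response time does not reveal which usernames are valid.
DUMMY_HASH = hash_password('not-a-real-password')

# users: { name => { hash: stored_string, active: true/false } }
# Unknown user, wrong password and disabled account all get GENERIC_FAILURE,
# unlike the "Not this" messages on the slide.
def login(users, name, password)
  record = users[name]
  ok = password_matches?(record ? record[:hash] : DUMMY_HASH, password)
  return [:ok, name] if ok && record && record[:active]
  [:error, GENERIC_FAILURE]
end
```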
Thanks for having me KCDC! Thanks to all the organizers and volunteers, and to Tyson Reeder (@tysondreeder) for the final graphic.
For references and further reading check out https://christine-seeman.com/talks