To 2FA or not to 2FA? Let's answer this question

9d7385d9e0c45a30c081fbbf53136e2d?s=47 Christine
August 15, 2019

To 2FA or not to 2FA? Let's answer this question

An exploration of two factor authentication from a developer's perspective. It's difficult to find two factor implementation best practices, so attendees will come out of this talk learning some trials and tribulations of a real life implementation of two factor authentication, why the sms based authentication is by far the least secure, and why two factor is not the security bandage that it is billed to be.

9d7385d9e0c45a30c081fbbf53136e2d?s=128

Christine

August 15, 2019
Tweet

Transcript

  1. @tech_christine To 2FA or not to 2FA? Let's answer this

    question! Two factor authentication the worst, the best, and everything in-between
  2. @tech_christine Flywheel

  3. None
  4. @tech_christine

  5. None
  6. None
  7. @tech_christine Back to the beginning To when you signed up

    for
  8. @tech_christine

  9. @tech_christine What was the hacker up to? Calling your mobile

    provider
  10. @tech_christine Still on the phone with your mobile provider... Using

    social engineering
  11. @tech_christine And now they have all the access... Sim swap/sim

    hijacking
  12. @tech_christine

  13. “ @tech_christine We learned that SMS-based authentication is not nearly

    as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018
  14. @tech_christine What is authentication? The process of verifying that someone

    or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
  15. @tech_christine ... but what are the different factors of auth?

    1 factor is knowledge (i.e. your password) 2 is the other method choice - Possession (token/soft token) - Identity (biometrics)
  16. @tech_christine 2FA == 2SV == MFA 2FA = Two factor

    authentication 2SV = Two Step verification MFA = Multi-factor authentication What about all those other acronyms...
  17. @tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't

    even enabled
  18. @tech_christine • Most common • Most compromised • Not recommended

    by NIST since 2016 SMS
  19. @tech_christine If SMS wasn't bad enough •SS7 (network shared by

    every telecom) has it's own vulnerabilities •Text messages that are sent can be intercepted
  20. @tech_christine Let's figure out all the ways SMS can be

    hacked... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself 4. Exploit SS7 weakness
  21. @tech_christine Time-based One Time Password aka app based aka soft

    token • Authy • Google Authenticator • 1Password TOTP
  22. @tech_christine • Associated with certain authorized devices • Not visible

    on a locked phone screen Push Based
  23. @tech_christine Token based Physical keys that can auth • USB

    drive • near-field communication • Many use U2F (Universal 2nd Factor)
  24. @tech_christine OTP vs U2F

  25. @tech_christine OTP U2F • User has physical device • Strong

    security from public key cryptography • No personal information associated with a key • Users type in codes • Set up and provision required • Secrets stored, providing a single point of attack
  26. What would you change now?

  27. @tech_christine Secure Your Account 1.Use a VOIP number 2.Don't reuse

    passwords 3.Use long password/passphrase 4.Secure with alternate authentication method 5.Pin/password protect phone provider Keep on being @awesome
  28. @tech_christine But wait... Now you are the developer at jiffygram

    (an insta rival) How do you secure your users from all the bad stuff out there?
  29. @tech_christine •Developers •Designers •Infrastructure •Managers •Not just info sec! Security

    is everyone's job
  30. @tech_christine Back to your security basics 1. Strong passwords/passphrase !

    2. Don't make them be rotated 3. Store the hash securely 4. Only store sensitive data that you need ⛔
  31. https://xkcd.com/936/ @tech_christine

  32. Do this @tech_christine

  33. ⬆ that is 6 a's Not this ☹ @tech_christine

  34. Definitely not this either @tech_christine

  35. @tech_christine Let's talk about password hash encryption • Just an

    algorithm that takes data and produces fixed-size output • Some hashes are stronger then others • MD5/SHA-1 = ) • SHA-256/DES = * • If possible with performance, use an adaptive one-way function
  36. @tech_christine Strong recommended adaptive functions 1. Argon2 - winner of

    the password hashing competition, should be considered first choice for new applications 2. PBKDF2 - when FIPS certification or enterprise support on many platforms is required 3. Scrypt - where resisting any/all hardware accelerated attacks is necessary but support isn’t 4. Bcrypt - where PBKDF2 or Scrypt support is not available Head on over to OWASP.org for more details
  37. @tech_christine ...a user lost their phone/app access/token • Recovery codes

    to the rescue! + • Allows access to application • Shown once, used once
  38. @tech_christine lessons learned 2FA Implementation @tech_christine

  39. @tech_christine Rate limiting prevents brute force attacks @tech_christine

  40. @tech_christine Rate limiting prevents brute force attacks @tech_christine

  41. @tech_christine Use a truncated exponential back-off algorithm @tech_christine

  42. @tech_christine What is an exponential back-off algorithm?

  43. @tech_christine Example in Ruby login_request if retries <= max_retries retries

    += 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end
  44. @tech_christine Get user buy-in

  45. @tech_christine

  46. @tech_christine •Make it easy opt in •Make it easy to

    add •Make it visible
  47. @tech_christine Do this

  48. @tech_christine Not this American Express OpenShift Netflix Pandora Pinterest Spotify

    Target Best Buy Freshbooks State Farm AT&T 2FA
  49. @tech_christine Enforce authentication on all pages

  50. @tech_christine • For editing/removing of 2FA require credentials • If

    authentication does fail, be generic in error response Moar authentication
  51. Do this "Login failed - invalid user ID or password"

  52. Not this "Login for User foo: invalid password" "Login failed,

    invalid user ID" "Login failed; account disabled" "Login failed; this user is not active"
  53. @tech_christine Users with the most amount of privilege, 2FA is

    a requirement not optional
  54. The answer to the question The Hitchhiker's Guide to the

    Galaxy Douglas Adams
  55. @tech_christine Yes to 2FA but... •Can improve security if you

    are following secure password practices •Some 2FA methods are more secure then others
  56. None
  57. @tech_christine Thanks for having me Nebraska.code! All the organizers and

    volunteers deserve 0 0 0 Tyson Reeder for the final graphic @tysondreeder For references and further reading checkout https://christine-seeman.com/talks
  58. @tech_christine getflywheel.com/about/careers

  59. @tech_christine What questions can I answer?

  60. @tech_christine

  61. @tech_christine Twilio API Example

  62. @tech_christine The Ruby One Time Password Library Example

  63. @tech_christine

  64. @tech_christine But you need to get this code to your

    user...
  65. @tech_christine Authy One Touch API Example

  66. @tech_christine QR Code Rendering https://github.com/whomwah/rqrcode ROTP: TOTP https://github.com/mdp/rotp Twilio Ruby

    API https://www.twilio.com/docs/libraries/ruby Auth Ruby API https://github.com/twilio/authy-ruby