WTF, 2FA!? Y U NO PROTECT ME?

Two factor authentication: the worst, the best, and everything in-between.

Christine

April 05, 2019

Transcript

  1. @tech_christine
    WTF, 2FA!? Y U NO PROTECT ME?
    Two factor authentication: the worst, the best, and everything in-between

  5. @tech_christine
    Back to the beginning

  6. @tech_christine
    What was the hacker up to?
    Calling your mobile provider

  7. @tech_christine
    Still on the phone with your mobile provider...
    Using social engineering

  8. @tech_christine
    And now they have all the access...
    SIM swap / SIM hijacking

  10. @tech_christine
    "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."
    Christopher Slowe, Reddit chief technology officer and founding engineer, August 2018

  11. @tech_christine
    What is authentication?
    "The process of verifying that someone or something is the actual entity that they claim to be."
    - OWASP.org
    (these people know what they are talking about when it comes to security)

  12. @tech_christine
    ... but what are the different factors of auth?
    Factor 1 is knowledge (i.e. your password)
    Factor 2 is one of the other methods:
    - Possession (token/soft token)
    - Identity (biometrics)

  13. @tech_christine
    What about all those other acronyms...
    2FA == 2SV == MFA
    2FA = Two factor authentication
    2SV = Two step verification
    MFA = Multi-factor authentication

  14. @tech_christine
    Why didn't 2FA help?
    • SMS was used
    • 2FA wasn't even enabled

  15. @tech_christine
    SMS
    • Most common method
    • Most compromised
    • Not recommended by NIST since 2016

  16. @tech_christine
    Let's figure out all the ways SMS can be hacked...
    1. SIM swap (aka what just happened to us)
    2. Port-out scam
    3. Brute force on the application itself

  17. @tech_christine
    TOTP
    Time-based One Time Password, aka app based, aka soft token
    • Authy
    • Google Authenticator
    • 1Password

  18. @tech_christine
    Push Based Authentication
    • Associated with certain authorized devices
    • Not visible on a locked phone screen

  19. @tech_christine
    Token based
    Physical keys that can auth
    • USB drive
    • Near-field communication
    • Many use U2F (Universal 2nd Factor)

  20. What would you change now?

  21. @tech_christine
    So what could you have changed?
    • Setting up with a VoIP number
    • Secure with an alternate authentication method
    • PIN/password protect your phone provider account
    Keep on being @awesome

  22. @tech_christine
    ...wait, I lost my phone/app access/token
    Use a recovery code
    Allows you access to the application

  23. @tech_christine
    More on recovery codes
    • Stored as hashes
    • One time use
    • Shown only once

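
    An added example (not code from the deck) of an application-side store that gives recovery codes those three properties: only a hash of each code is kept, the plaintext is handed out exactly once at generation time, and a code stops working after its first successful use. It assumes a toy in-memory store in place of a real database.

```ruby
# Added example: recovery codes hashed at rest, shown once, single use.
require 'securerandom'
require 'digest'

class RecoveryCodes
  CODE_BYTES = 10   # 80 bits of entropy per code, so codes are not guessable
  COUNT      = 8

  def initialize
    @hashes = {}    # digest(code) => used?  (the plaintext is never stored)
  end

  # Generate a fresh batch. The plaintext codes are returned exactly once so
  # the user can write them down; only their SHA-256 digests stay server-side.
  def generate!
    @hashes.clear
    Array.new(COUNT) do
      code = SecureRandom.hex(CODE_BYTES)
      @hashes[digest(code)] = false
      code
    end
  end

  # True once for a valid, unused code; false for every later attempt and for
  # anything that was never issued.
  def redeem(candidate)
    key = digest(candidate.to_s.strip.downcase)
    return false unless @hashes.key?(key) && !@hashes[key]
    @hashes[key] = true   # one-time use: burn the code on success
    true
  end

  def remaining
    @hashes.count { |_, used| !used }
  end

  private

  # With high-entropy random codes a fast hash is acceptable; for short,
  # human-typed codes a slow password hash (e.g. bcrypt) is the safer choice.
  # (Assumption made for this example, not a policy stated in the deck.)
  def digest(code)
    Digest::SHA256.hexdigest(code)
  end
end
```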

  24. @tech_christine
    2FA Implementation Best Practices
    • Rate limiting prevents brute force attacks
    • Use a truncated exponential back-off algorithm

  25. @tech_christine
    What is an exponential back-off algorithm?

  26. @tech_christine
    Example in Ruby
    # Truncated exponential back-off around a login request; login_request is the app's own call
    retries = 0
    max_retries = 5
    max_delay = 30   # seconds; the cap that makes the back-off "truncated"
    begin
      login_request
    rescue StandardError
      if retries <= max_retries
        retries += 1
        # wait doubles each attempt, plus up to 100 ms of jitter, never more than max_delay
        sleep([2**retries + rand(100) / 1000.0, max_delay].min)
        retry
      else
        raise "You've hit your max retries!"
      end
    end

  27. @tech_christine
    Get user buy-in
    Enforce authentication on all pages
    For users with the most privilege, 2FA is a requirement, not optional

  28. @tech_christine
    Now you are the info sec professional

  30. @tech_christine
    Thank you Kernelcon and all the staff
    Tyson Reeder for the final graphic (@tysondreeder)
    For references and further reading check out
    https://christine-seeman.com/talks/
