Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WTF, 2FA!? Y U NO PROTECT ME?
Search
Christine
April 05, 2019
Technology
0
85
WTF, 2FA!? Y U NO PROTECT ME?
Two factor authentication the worst, the best, and everything in-between.
Christine
April 05, 2019
Tweet
Share
More Decks by Christine
See All by Christine
One does not simply add MFA
tech_christine
0
66
Listening - Your Communication Superpower
tech_christine
0
220
Hanami 2.0 and You
tech_christine
1
280
ONE DOES NOT SIMPLY ADD MFA
tech_christine
0
380
One does not simply add MFA
tech_christine
0
210
MFA_Petfriendly.pdf
tech_christine
0
220
Hack Your Brain - Improve yourself and your work
tech_christine
0
600
A tale of two sides of 2FA
tech_christine
0
540
A tale of two sides of 2FA
tech_christine
0
580
Other Decks in Technology
See All in Technology
JPOUG Tech Talk #12 UNDO Tablespace Reintroduction
nori_shinoda
2
140
Creating Awesome Change in SmartNews
martin_lover
1
290
ここはMCPの夜明けまえ
nwiizo
23
8.9k
AIコーディングの最前線 〜活用のコツと課題〜
pharma_x_tech
3
1.6k
DuckDB MCPサーバーを使ってAWSコストを分析させてみた / AWS cost analysis with DuckDB MCP server
masahirokawahara
0
1.3k
React ABC Questions
hirotomoyamada
0
390
AWSの新機能検証をやる時こそ、Amazon Qでプロンプトエンジニアリングを駆使しよう
duelist2020jp
1
250
生成AIによるCloud Native基盤構築の可能性と実践的ガードレールの敷設について
nwiizo
7
890
Goの組織でバックエンドTypeScriptを採用してどうだったか / How was adopting backend TypeScript in a Golang company
kaminashi
6
6k
The Tale of Leo: Brave Lion and Curious Little Bug
canalun
1
120
品質文化を支える小さいクロスファンクショナルなチーム / Cross-functional teams fostering quality culture
toma_sm
0
120
更新系と状態
uhyo
7
1.6k
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
9
760
Faster Mobile Websites
deanohume
306
31k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
StorybookのUI Testing Handbookを読んだ
zakiyama
29
5.6k
Reflections from 52 weeks, 52 projects
jeffersonlam
349
20k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
19
1.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
135
33k
Designing for humans not robots
tammielis
252
25k
A Modern Web Designer's Workflow
chriscoyier
693
190k
YesSQL, Process and Tooling at Scale
rocio
172
14k
RailsConf 2023
tenderlove
30
1.1k
Transcript
@tech_christine WTF, 2FA!? Y U NO PROTECT ME? Two factor
authentication the worst, the best, and everything in-between
None
@tech_christine
None
@tech_christine Back to the beginning
@tech_christine What was the hacker up to? Calling your mobile
provider
@tech_christine Still on the phone with your mobile provider... Using
social engineering
@tech_christine And now they have all the access... Sim swap/sim
hijacking
@tech_christine
“ @tech_christine We learned that SMS-based authentication is not nearly
as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018
@tech_christine What is authentication? The process of verifying that someone
or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
@tech_christine ... but what are the different factors of auth?
1 factor is knowledge (i.e. your password) 2 is the other method choice - Possession (token/soft token) - Identity (biometrics)
@tech_christine 2FA == 2SV == MFA 2FA = Two factor
authentication 2SV = Two Step verification MFA = Multi-factor authentication What about all those other acronyms...
@tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't
even enabled
@tech_christine •Most common method •Most compromised •Not recommended by NIST
since 2016 SMS
@tech_christine Let's figure out all the ways SMS can be
hacked... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself
@tech_christine Time-based One Time Password aka App based aka soft
token •Authy •Google Authenticator •1Password TOTP
@tech_christine •Associated with the certain authorized devices •Not visible on
a locked phone screen Push Based Authentication
@tech_christine Token based Physical keys that can auth •USB drive
•near-field communication •Many use U2F (Universal 2nd Factor)
What would you change now?
@tech_christine So what could you have changed? •Setting up with
a VOIP number •Secure with alternate authentication method •Pin/password protect phone provider Keep on being @awesome
@tech_christine ...wait I lost my phone/app access/token Use a recovery
code Allows you access to application
@tech_christine More on recovery codes •Stored as hashes •One time
use •Shown only once
@tech_christine 2FA Implementation Best Practices • Rate limiting prevents brute
force attacks • Use a truncated exponential back-off algorithm
@tech_christine What is an exponential back-off algorithm?
@tech_christine Example in Ruby login_request if retries <= max_retries retries
+= 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end
@tech_christine Get user buy-in Enforce authentication on all pages Users
with the most amount of privilege, 2FA is a requirement not optional
@tech_christine Now you are the info sec professional
None
@tech_christine Thank you Kernelcon and all the staff Tyson Reeder
for the final graphic(@tysondreeder) For references and further reading checkout https://christine-seeman.com/talks/