Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WTF, 2FA!? Y U NO PROTECT ME?
Search
Christine
April 05, 2019
Technology
0
94
WTF, 2FA!? Y U NO PROTECT ME?
Two factor authentication the worst, the best, and everything in-between.
Christine
April 05, 2019
Tweet
Share
More Decks by Christine
See All by Christine
One does not simply add MFA
tech_christine
0
82
Listening - Your Communication Superpower
tech_christine
0
240
Hanami 2.0 and You
tech_christine
1
310
ONE DOES NOT SIMPLY ADD MFA
tech_christine
0
390
One does not simply add MFA
tech_christine
0
220
MFA_Petfriendly.pdf
tech_christine
0
230
Hack Your Brain - Improve yourself and your work
tech_christine
0
650
A tale of two sides of 2FA
tech_christine
0
560
A tale of two sides of 2FA
tech_christine
0
600
Other Decks in Technology
See All in Technology
Generative AI Japan 第一回生成AI実践研究会「AI駆動開発の現在地──ブレイクスルーの鍵を握るのはデータ領域」
shisyu_gaku
0
290
ハードウェアとソフトウェアをつなぐ全てを内製している企業の E2E テストの作り方 / How to create E2E tests for a company that builds everything connecting hardware and software in-house
bitkey
PRO
1
150
バイブスに「型」を!Kent Beckに学ぶ、AI時代のテスト駆動開発
amixedcolor
2
570
品質視点から考える組織デザイン/Organizational Design from Quality
mii3king
0
210
スマートファクトリーの第一歩 〜AWSマネージドサービスで 実現する予知保全と生成AI活用まで
ganota
2
220
Automating Web Accessibility Testing with AI Agents
maminami373
0
1.3k
dbt開発 with Claude Codeのためのガードレール設計
10xinc
2
1.2k
5年目から始める Vue3 サイト改善 #frontendo
tacck
PRO
3
220
現場で効くClaude Code ─ 最新動向と企業導入
takaakikakei
1
250
開発者を支える Internal Developer Portal のイマとコレカラ / To-day and To-morrow of Internal Developer Portals: Supporting Developers
aoto
PRO
1
460
テストを軸にした生き残り術
kworkdev
PRO
0
210
20250910_障害注入から効率的復旧へ_カオスエンジニアリング_生成AIで考えるAWS障害対応.pdf
sh_fk2
3
260
Featured
See All Featured
The World Runs on Bad Software
bkeepers
PRO
70
11k
We Have a Design System, Now What?
morganepeng
53
7.8k
Unsuck your backbone
ammeep
671
58k
The Language of Interfaces
destraynor
161
25k
Writing Fast Ruby
sferik
628
62k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
358
30k
Bash Introduction
62gerente
615
210k
Visualization
eitanlees
148
16k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Transcript
@tech_christine WTF, 2FA!? Y U NO PROTECT ME? Two factor
authentication the worst, the best, and everything in-between
None
@tech_christine
None
@tech_christine Back to the beginning
@tech_christine What was the hacker up to? Calling your mobile
provider
@tech_christine Still on the phone with your mobile provider... Using
social engineering
@tech_christine And now they have all the access... Sim swap/sim
hijacking
@tech_christine
“ @tech_christine We learned that SMS-based authentication is not nearly
as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018
@tech_christine What is authentication? The process of verifying that someone
or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
@tech_christine ... but what are the different factors of auth?
1 factor is knowledge (i.e. your password) 2 is the other method choice - Possession (token/soft token) - Identity (biometrics)
@tech_christine 2FA == 2SV == MFA 2FA = Two factor
authentication 2SV = Two Step verification MFA = Multi-factor authentication What about all those other acronyms...
@tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't
even enabled
@tech_christine •Most common method •Most compromised •Not recommended by NIST
since 2016 SMS
@tech_christine Let's figure out all the ways SMS can be
hacked... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself
@tech_christine Time-based One Time Password aka App based aka soft
token •Authy •Google Authenticator •1Password TOTP
@tech_christine •Associated with the certain authorized devices •Not visible on
a locked phone screen Push Based Authentication
@tech_christine Token based Physical keys that can auth •USB drive
•near-field communication •Many use U2F (Universal 2nd Factor)
What would you change now?
@tech_christine So what could you have changed? •Setting up with
a VOIP number •Secure with alternate authentication method •Pin/password protect phone provider Keep on being @awesome
@tech_christine ...wait I lost my phone/app access/token Use a recovery
code Allows you access to application
@tech_christine More on recovery codes •Stored as hashes •One time
use •Shown only once
@tech_christine 2FA Implementation Best Practices • Rate limiting prevents brute
force attacks • Use a truncated exponential back-off algorithm
@tech_christine What is an exponential back-off algorithm?
@tech_christine Example in Ruby login_request if retries <= max_retries retries
+= 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end
@tech_christine Get user buy-in Enforce authentication on all pages Users
with the most amount of privilege, 2FA is a requirement not optional
@tech_christine Now you are the info sec professional
None
@tech_christine Thank you Kernelcon and all the staff Tyson Reeder
for the final graphic(@tysondreeder) For references and further reading checkout https://christine-seeman.com/talks/