Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WTF, 2FA!? Y U NO PROTECT ME?
Search
Christine
April 05, 2019
Technology
0
94
WTF, 2FA!? Y U NO PROTECT ME?
Two factor authentication the worst, the best, and everything in-between.
Christine
April 05, 2019
Tweet
Share
More Decks by Christine
See All by Christine
Thoughtful AI for the Rubyist - Rocky Mountain Ruby
tech_christine
0
9
Thoughtful AI for the Rubyist
tech_christine
0
21
One does not simply add MFA
tech_christine
0
86
Listening - Your Communication Superpower
tech_christine
0
240
Hanami 2.0 and You
tech_christine
1
320
ONE DOES NOT SIMPLY ADD MFA
tech_christine
0
390
One does not simply add MFA
tech_christine
0
220
MFA_Petfriendly.pdf
tech_christine
0
230
Hack Your Brain - Improve yourself and your work
tech_christine
0
650
Other Decks in Technology
See All in Technology
E2Eテスト設計_自動化のリアル___Playwrightでの実践とMCPの試み__AIによるテスト観点作成_.pdf
findy_eventslides
0
120
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
11
77k
SoccerNet GSRの紹介と技術応用:選手視点映像を提供するサッカー作戦盤ツール
mixi_engineers
PRO
1
170
GopherCon Tour 概略
logica0419
2
190
ZOZOのAI活用実践〜社内基盤からサービス応用まで〜
zozotech
PRO
0
170
英語は話せません!それでも海外チームと信頼関係を作るため、対話を重ねた2ヶ月間のまなび
niioka_97
0
120
OCI Network Firewall 概要
oracle4engineer
PRO
1
7.8k
Findy Team+のSOC2取得までの道のり
rvirus0817
0
330
GA technologiesでのAI-Readyの取り組み@DataOps Night
yuto16
0
270
stupid jj tricks
indirect
0
7.9k
後進育成のしくじり〜任せるスキルとリーダーシップの両立〜
matsu0228
7
2.3k
AWSにおけるTrend Vision Oneの効果について
shimak
0
120
Featured
See All Featured
A Tale of Four Properties
chriscoyier
160
23k
Gamification - CAS2011
davidbonilla
81
5.5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
51k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.5k
How to Ace a Technical Interview
jacobian
280
24k
Building Applications with DynamoDB
mza
96
6.6k
Building Better People: How to give real-time feedback that sticks.
wjessup
368
20k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
358
30k
Scaling GitHub
holman
463
140k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Transcript
@tech_christine WTF, 2FA!? Y U NO PROTECT ME? Two factor
authentication the worst, the best, and everything in-between
None
@tech_christine
None
@tech_christine Back to the beginning
@tech_christine What was the hacker up to? Calling your mobile
provider
@tech_christine Still on the phone with your mobile provider... Using
social engineering
@tech_christine And now they have all the access... Sim swap/sim
hijacking
@tech_christine
“ @tech_christine We learned that SMS-based authentication is not nearly
as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018
@tech_christine What is authentication? The process of verifying that someone
or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
@tech_christine ... but what are the different factors of auth?
1 factor is knowledge (i.e. your password) 2 is the other method choice - Possession (token/soft token) - Identity (biometrics)
@tech_christine 2FA == 2SV == MFA 2FA = Two factor
authentication 2SV = Two Step verification MFA = Multi-factor authentication What about all those other acronyms...
@tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't
even enabled
@tech_christine •Most common method •Most compromised •Not recommended by NIST
since 2016 SMS
@tech_christine Let's figure out all the ways SMS can be
hacked... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself
@tech_christine Time-based One Time Password aka App based aka soft
token •Authy •Google Authenticator •1Password TOTP
@tech_christine •Associated with the certain authorized devices •Not visible on
a locked phone screen Push Based Authentication
@tech_christine Token based Physical keys that can auth •USB drive
•near-field communication •Many use U2F (Universal 2nd Factor)
What would you change now?
@tech_christine So what could you have changed? •Setting up with
a VOIP number •Secure with alternate authentication method •Pin/password protect phone provider Keep on being @awesome
@tech_christine ...wait I lost my phone/app access/token Use a recovery
code Allows you access to application
@tech_christine More on recovery codes •Stored as hashes •One time
use •Shown only once
@tech_christine 2FA Implementation Best Practices • Rate limiting prevents brute
force attacks • Use a truncated exponential back-off algorithm
@tech_christine What is an exponential back-off algorithm?
@tech_christine Example in Ruby login_request if retries <= max_retries retries
+= 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end
@tech_christine Get user buy-in Enforce authentication on all pages Users
with the most amount of privilege, 2FA is a requirement not optional
@tech_christine Now you are the info sec professional
None
@tech_christine Thank you Kernelcon and all the staff Tyson Reeder
for the final graphic(@tysondreeder) For references and further reading checkout https://christine-seeman.com/talks/