@tech_christine

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.” - Christopher Slowe, Reddit chief technology officer and founding engineer, August 2018
What is authentication?

The process of verifying that someone or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
... but what are the different factors of auth?

Factor 1 is knowledge (i.e. your password). Factor 2 is one of the other methods:
- Possession (token/soft token)
- Identity (biometrics)
2FA == 2SV == MFA
- 2FA = Two-factor authentication
- 2SV = Two-step verification
- MFA = Multi-factor authentication

What about all those other acronyms...
Let's figure out all the ways SMS can be hacked...
1. SIM swap (aka what just happened to us)
2. Port-out scam
3. Brute force on the application itself
OTP
• Users type in codes
• Set up and provision required
• Secrets stored, providing a single point of attack

U2F
• User has physical device
• Strong security from public key cryptography
• No personal information is associated with a key
So what could you have changed?
• Setting up with a VOIP number
• Secure with alternate authentication method
• PIN/password protect phone provider

Keep on being @awesome
Example in Ruby

retries = 0
max_retries = 5   # assumed value; the slide does not give one
begin
  login_request
rescue StandardError   # assumed: retry on any ordinary error from the request
  if retries <= max_retries
    retries += 1
    sleep(retries + rand(100) / 1000.0)   # backoff plus up to 99 ms of jitter (integer division would give 0 ms)
    retry
  else
    raise "You've hit your max retries!"
  end
end
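One way to put the OTP column of the OTP/U2F comparison, the "brute force on the application itself" item, and the retry slide together, as an added example that is not from the talk or its author: a Ruby verifier for the codes a user types in (HOTP per RFC 4226, TOTP per RFC 6238) with constant-time comparison, replay protection, and an attempt limit plus lockout so that guessing a six-digit code does not get unlimited tries. The class name OtpVerifier, the attempt and lockout numbers, and the demo flow are my assumptions; the secret and timestamp used in demo are the RFC test values, used here as constructed input.

```ruby
require "openssl"

# Added example (not from the talk): a server-side verifier for the "users
# type in codes" OTP model, implementing RFC 4226 HOTP / RFC 6238 TOTP and
# adding the attempt limit that blunts brute force against the application.
# Class and method names here are hypothetical.
class OtpVerifier
  STEP_SECONDS = 30       # TOTP time step
  DIGITS = 6              # code length
  MAX_ATTEMPTS = 5        # failures allowed before lockout (assumed policy)
  LOCKOUT_SECONDS = 300   # how long a locked account rejects all codes (assumed)

  def initialize(secret, clock: -> { Time.now.to_i })
    @secret = secret        # raw shared secret bytes: this is the "stored secret"
    @clock = clock          # injectable clock so the flow can be exercised offline
    @failures = 0
    @locked_until = 0
    @last_counter = nil     # RFC 6238 section 5.2: a code must not be accepted twice
  end

  # HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
  def self.hotp(secret, counter)
    mac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>")).bytes
    offset = mac[19] & 0x0f
    code = ((mac[offset] & 0x7f) << 24) |
           ((mac[offset + 1] & 0xff) << 16) |
           ((mac[offset + 2] & 0xff) << 8) |
           (mac[offset + 3] & 0xff)
    format("%0#{DIGITS}d", code % 10**DIGITS)
  end

  # TOTP: HOTP with the counter derived from Unix time.
  def self.totp(secret, unix_time)
    hotp(secret, unix_time / STEP_SECONDS)
  end

  # Constant-time comparison so response timing does not leak matching prefixes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def locked?
    @clock.call < @locked_until
  end

  # Returns :ok, :bad or :locked. Accepts one time step of clock drift either way.
  def verify(code)
    return :locked if locked?
    counter = @clock.call / STEP_SECONDS
    (-1..1).each do |drift|
      c = counter + drift
      next if @last_counter && c <= @last_counter   # replay protection
      next unless self.class.secure_equal?(self.class.hotp(@secret, c), code.to_s)
      @failures = 0
      @last_counter = c
      return :ok
    end
    @failures += 1
    if @failures >= MAX_ATTEMPTS
      @locked_until = @clock.call + LOCKOUT_SECONDS
      @failures = 0
    end
    :bad
  end

  # Walks one account through a valid login, a replayed code, repeated guesses
  # that trip the lockout, and recovery after the lockout expires. The secret
  # and the time are the RFC 4226/6238 test values (constructed input).
  def self.demo(secret = "12345678901234567890")
    now = 59
    v = new(secret, clock: -> { now })
    results = []
    results << v.verify(totp(secret, now))      # :ok   (code 287082)
    results << v.verify(totp(secret, now))      # :bad  (same code replayed)
    4.times { results << v.verify("000000") }   # :bad x4, fifth failure locks
    results << v.verify(totp(secret, now))      # :locked, even with a good code
    now += LOCKOUT_SECONDS + 1
    results << v.verify(totp(secret, now))      # :ok once the lockout has expired
    results
  end
end

puts OtpVerifier.demo.inspect if $PROGRAM_NAME == __FILE__
```

The lockout counter lives with the account, not the HTTP session, so an attacker who opens fresh connections still burns through the same five attempts; the retry loop on the slide is the client-side counterpart, backing off instead of hammering a service that will lock it out anyway.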
Thanks for having me, Ruby and Open Source Meetup! Thanks to Tyson Reeder (@tysondreeder) for the final graphic.

For references and further reading, check out https://christine-seeman.com/talks/