WTF, 2FA!? Y U NO PROTECT ME? - Omaha Ruby Meetup

Here are my slides from my 2FA presentation at the 4/11/2019 Omaha Ruby Meetup

Christine

April 11, 2019
Transcript

  1. @tech_christine
    WTF, 2FA!? Y U NO PROTECT ME?
    Two-factor authentication: the worst, the best, and everything in between

  5. Back to the beginning

  6. What was the hacker up to?
    Calling your mobile provider

  7. Still on the phone with your mobile provider...
    Using social engineering

  8. And now they have all the access...
    SIM swap / SIM hijacking

  10. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."
    Christopher Slowe, Reddit chief technology officer and founding engineer, August 2018

  11. What is authentication?
    The process of verifying that someone or something is the actual entity that they claim to be.
    - OWASP.org
    (these people know what they are talking about when it comes to security)

  12. ... but what are the different factors of auth?
    Factor 1 is knowledge (i.e. your password)
    Factor 2 is one of the other methods:
    - Possession (token/soft token)
    - Identity (biometrics)

  13. What about all those other acronyms...
    2FA == 2SV == MFA
    2FA = Two-factor authentication
    2SV = Two-step verification
    MFA = Multi-factor authentication

  14. Why didn't 2FA help?
    •SMS was used
    •2FA wasn't even enabled

  15. SMS
    •Most common
    •Most compromised
    •Not recommended by NIST since 2016

  16. Twilio API Example

  17. Let's figure out all the ways SMS can be hacked...
    1. SIM swap (aka what just happened to us)
    2. Port-out scam
    3. Brute force on the application itself

  18. TOTP
    Time-based One Time Password
    aka app based
    aka soft token
    •Authy
    •Google Authenticator
    •1Password

  19. The Ruby One Time Password Library Example
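The TOTP arithmetic that the ROTP library slide refers to, written out in plain Ruby as an added example (this is not the deck's code nor the ROTP gem). It assumes a raw-byte shared secret and a 30-second step; the checks use the RFC 4226/6238 test secret.

```ruby
require "openssl"

# Added example, not the talk's code: TOTP (RFC 6238) in plain Ruby, the same
# arithmetic the ROTP gem wraps. The secret is raw bytes; a real app would
# also base32-encode it into the otpauth:// URI that the QR code carries.
module Totp
  STEP   = 30  # seconds per time step
  DIGITS = 6

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
  # dynamic truncation to a 31-bit integer, then modulo 10**DIGITS.
  def self.hotp(secret, counter)
    hmac   = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>")).bytes
    offset = hmac[-1] & 0x0f
    code   = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) |
             (hmac[offset + 2] << 8) | hmac[offset + 3]
    format("%0#{DIGITS}d", code % 10**DIGITS)
  end

  # The code valid at a given Unix time.
  def self.at(secret, unix_time)
    hotp(secret, unix_time.to_i / STEP)
  end

  # Accept the current step and +/- drift neighbours so a few seconds of
  # clock skew on the phone do not lock the user out. Compare in constant
  # time so the check does not leak how many digits matched.
  def self.verify(secret, code, unix_time, drift: 1)
    counter = unix_time.to_i / STEP
    (-drift..drift).any? { |d| secure_equal?(hotp(secret, counter + d), code.to_s) }
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = "12345678901234567890"           # RFC 6238 test secret
  puts Totp.at(secret, 59)                  # RFC vector: 287082
  puts Totp.verify(secret, "287082", 59)    # true
end
```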

  21. But you need to get this code to your user...

  22. Push Based
    •Associated with certain authorized devices
    •Not visible on a locked phone screen

  23. Authy One Touch API Example

  24. Token based
    Physical keys that can auth
    •USB drive
    •near-field communication
    •Many use U2F (Universal 2nd Factor)

  25. OTP vs U2F

  26. OTP vs U2F
    OTP
    •Users type in codes
    •Set up and provision required
    •Secrets stored, providing a single point of attack
    U2F
    •User has physical device
    •Strong security from public key cryptography
    •No personal information is associated with a key

  27. What would you change now?

  28. So what could you have changed?
    •Setting up with a VOIP number
    •Secure with an alternate authentication method
    •PIN/password-protect your phone provider account
    Keep on being @awesome

  29. ...wait, I lost my phone/app access/token
    Use a recovery code
    Allows you access to the application

  30. More on recovery codes
    •Stored as hashes
    •One time use
    •Shown only once
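The three recovery-code properties on the slide (hashed at rest, one-time use, shown only once), as an added Ruby example that is not the deck's code. It keeps the hashes in an in-memory array, which stands in for the column on the user record a real app would use.

```ruby
require "securerandom"
require "openssl"

# Added example, not the talk's code: recovery codes that are shown once,
# stored only as hashes, and consumed on first use. @hashes stands in for
# the column on the user record where a real app would persist them.
class RecoveryCodes
  COUNT = 8

  def initialize
    @hashes = []
  end

  # Mint fresh codes. Only their hashes are kept; the plaintext list is
  # returned exactly once so the UI can show it and then forget it.
  def generate!
    codes   = Array.new(COUNT) { SecureRandom.hex(8).scan(/.{4}/).join("-") }
    @hashes = codes.map { |c| digest(c) }
    codes
  end

  # Redeem a code: true the first time, false ever after. The matching
  # hash is deleted so the same code cannot be replayed.
  def redeem(code)
    h   = digest(code)
    idx = @hashes.index { |stored| secure_equal?(stored, h) }
    return false if idx.nil?
    @hashes.delete_at(idx)
    true
  end

  def remaining
    @hashes.size
  end

  private

  # Normalise what the user typed (case, dashes, spaces) before hashing.
  # SHA-256 is adequate here only because each code is 64 random bits;
  # use a slow password hash for anything shorter or user-chosen.
  def digest(code)
    OpenSSL::Digest::SHA256.hexdigest(code.to_s.downcase.delete("- "))
  end

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```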

  31. 2FA Implementation Best Practices
    •Rate limiting prevents brute force attacks
    •Use a truncated exponential back-off algorithm
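The rate-limiting point from this slide and the "brute force on the application itself" item on slide 17, as an added server-side example that is not the deck's code: a per-user throttle on wrong 2FA codes with truncated exponential back-off. The clock is injected so the behaviour can be exercised without sleeping; user ids are assumed strings.

```ruby
# Added example, not the talk's code: a server-side throttle on 2FA code
# attempts. A 6-digit TOTP has only 10**6 values, so with no limit an
# attacker can try every code inside one 30-second window; with truncated
# exponential back-off the wait doubles per failure up to a fixed ceiling.
class OtpAttemptLimiter
  FREE_TRIES = 3     # honest typos tolerated before any delay
  BASE_DELAY = 1     # seconds after the first excess failure
  MAX_DELAY  = 300   # truncation: the wait never exceeds 5 minutes

  # clock is injectable so the behaviour can be tested without sleeping.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @state = Hash.new { |h, k| h[k] = { failures: 0, locked_until: 0.0 } }
  end

  # May this user submit a code right now?
  def allowed?(user_id)
    @clock.call >= @state[user_id][:locked_until]
  end

  # Record a wrong code. Returns the delay imposed (0 while within the free
  # tries), computed as min(BASE_DELAY * 2**(excess - 1), MAX_DELAY).
  def record_failure(user_id)
    s = @state[user_id]
    s[:failures] += 1
    excess = s[:failures] - FREE_TRIES
    return 0 if excess <= 0
    delay = [BASE_DELAY * 2**(excess - 1), MAX_DELAY].min
    s[:locked_until] = @clock.call + delay
    delay
  end

  # A correct code clears the counter for that user.
  def record_success(user_id)
    @state.delete(user_id)
    nil
  end
end
```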

  32. What is an exponential back-off algorithm?

  33. Example in Ruby
    retries = 0
    max_retries = 5
    begin
      login_request   # the login call being retried
    rescue StandardError
      if retries <= max_retries
        retries += 1
        # exponential back-off, truncated at 60 s, plus up to 99 ms of jitter
        # (divide by 1000.0: with integer division rand(100)/1000 is always 0)
        sleep([2**retries, 60].min + rand(100) / 1000.0)
        retry
      else
        raise "You've hit your max retries!"
      end
    end

  34. Get user buy-in
    Enforce authentication on all pages
    For users with the most privilege, 2FA is a requirement, not optional

  35. QR Code Rendering
    https://github.com/whomwah/rqrcode
    ROTP: TOTP
    https://github.com/mdp/rotp
    Twilio Ruby API
    https://www.twilio.com/docs/libraries/ruby
    Authy Ruby API
    https://github.com/twilio/authy-ruby

  36. What questions can I answer?

  38. Thanks for having me, Ruby and Open Source Meetup!
    Tyson Reeder (@tysondreeder) for the final graphic
    For references and further reading check out
    https://christine-seeman.com/talks/