$30 off During Our Annual Pro Sale. View Details »

WTF, 2FA!? Y U NO PROTECT ME? - Omaha Ruby Meetup

WTF, 2FA!? Y U NO PROTECT ME? - Omaha Ruby Meetup

Here are my slides from my 2FA presentation at the 4/11/2019 Omaha Ruby Meetup

Christine

April 11, 2019
Tweet

More Decks by Christine

Other Decks in Technology

Transcript

  1. @tech_christine WTF, 2FA!? Y U NO PROTECT ME? Two factor

    authentication the worst, the best, and everything in-between
  2. None
  3. @tech_christine

  4. None
  5. @tech_christine Back to the beginning

  6. @tech_christine What was the hacker up to? Calling your mobile

    provider
  7. @tech_christine Still on the phone with your mobile provider... Using

    social engineering
  8. @tech_christine And now they have all the access... Sim swap/sim

    hijacking
  9. @tech_christine

  10. “ @tech_christine We learned that SMS-based authentication is not nearly

    as secure as we would hope, and the main attack was via SMS intercept Christopher Slowe Reddit chief technology officer and founding engineer August 2018
  11. @tech_christine What is authentication? The process of verifying that someone

    or something is the actual entity that they claim to be. - OWASP.org (these people know what they are talking about when it comes to security)
  12. @tech_christine ... but what are the different factors of auth?

    1 factor is knowledge (i.e. your password) 2 is the other method choice - Possession (token/soft token) - Identity (biometrics)
  13. @tech_christine 2FA == 2SV == MFA 2FA = Two factor

    authentication 2SV = Two Step verification MFA = Multi-factor authentication What about all those other acronyms...
  14. @tech_christine Why didn't 2FA help? •SMS was used •2FA wasn't

    even enabled
  15. @tech_christine •Most common •Most compromised •Not recommended by NIST since

    2016 SMS
  16. @tech_christine Twilio API Example

  17. @tech_christine Let's figure out all the ways SMS can be

    hacked... 1. Sim-swap (aka what just happened to us) 2. Port-out scam 3. Brute force on the application itself
  18. @tech_christine Time-based One Time Password aka app based aka soft

    token •Authy •Google Authenticator •1Password TOTP
  19. @tech_christine The Ruby One Time Password Library Example

  20. @tech_christine

  21. @tech_christine But you need to get this code to your

    user...
  22. @tech_christine •Associated with certain authorized devices •Not visible on a

    locked phone screen Push Based
  23. @tech_christine Authy One Touch API Example

  24. @tech_christine Token based Physical keys that can auth •USB drive

    •near-field communication •Many use U2F (Universal 2nd Factor)
  25. @tech_christine OTP vs U2F

  26. @tech_christine OTP U2F •User has physical device •Strong security from

    public key cryptography •No personal information is associated with a key •Users type in codes •Set up and provision required •Secrets stored, providing a single point of attack
  27. What would you change now?

  28. @tech_christine So what could you have changed? •Setting up with

    a VOIP number •Secure with alternate authentication method •Pin/password protect phone provider Keep on being @awesome
  29. @tech_christine ...wait I lost my phone/app access/token Use a recovery

    code Allows you access to application
  30. @tech_christine More on recovery codes •Stored as hashes •One time

    use •Shown only once
  31. @tech_christine 2FA Implementation Best Practices •Rate limiting prevents brute force

    attacks •Use truncated exponential back-off algorithm
  32. @tech_christine What is an exponential back-off algorithm?

  33. @tech_christine Example in Ruby login_request if retries <= max_retries retries

    += 1 sleep (retries + rand(100)/1000) retry else raise "You've hit your max retries!" end
  34. @tech_christine Get user buy-in Enforce authentication on all pages Users

    with the most amount of privilege 2FA is a requirement not optional
  35. @tech_christine QR Code Rendering https://github.com/whomwah/rqrcode ROTP: TOTP https://github.com/mdp/rotp Twilio Ruby

    API https://www.twilio.com/docs/libraries/ruby Auth Ruby API https://github.com/twilio/authy-ruby
  36. @tech_christine What questions can I answer?

  37. None
  38. @tech_christine Thanks for having me Ruby and Open Source Meetup!

    Tyson Reeder for the final graphic(@tysondreeder) For references and further reading checkout https://christine-seeman.com/talks/