Embed Size (px)
Citation preview
2FA, WTF?
HACKERS
ARE
EVERYWHERE
Phil Nash@philnashh�p://[email protected]
2FA, WTF?
TWO FACTORAUTHENTICATION
Two Factor Authen�ca�on
2FA is a security process in which a user providestwo different forms of iden�fica�on in order toauthen�cate themself with a system.
The two forms must come from different categories.Normally something you know and something youhave.
WHY?
MAT HONAN
Mat Honan's Hackers' Timeline
1. Found Gmail address on his personal site2. Entered address in Gmail and found his @me.comback up email
3. Called Amazon to add a credit card to file4. Called Amazon again to reset password and gotaccess
5. 4:33pm: called Apple to reset password6. 4:50pm: reset AppleID password and gained accessto email
Mat Honan's Hackers' Timeline
7. 4:52pm: reset Gmail account password8. 5:01pm: wiped iPhone9. 5:02pm: reset Twi�er password10. 5:05pm: wiped MacBook and deleted Google
account11. 5:12pm: posted to Twi�er taking credit for the hack
@MAT
WHY?
ASHLEY MADISON
Ashley Madison Top 10 Passwords1. 1234562. 123453. password4. DEFAULT5. 1234567896. qwerty7. 123456788. abc1239. NSFW10. 1234567
Ashley Madison Top 10 Passwords1. 123456 ‐ 120,511 users2. 12345 ‐ 48,452 users3. password ‐ 39,448 users4. DEFAULT ‐ 34,275 users5. 123456789 ‐ 26,620 users6. qwerty ‐ 20,778 users7. 12345678 ‐ 14,172 users8. abc123 ‐ 10,869 users9. NSFW ‐ 10,683 users10. 1234567 ‐ 9,468 users
Source: h�p://qz.com/501073/the‐top‐100‐passwords‐on‐ashley‐madison/
HOW?
User Registra�on Flow
1. Visit registra�on page2. Sign up with username and password3. User is logged in
User Log In Flow
1. Visit login page2. Enter username and password3. System verifies details4. User is logged in
SMS
User Registra�on Flow
1. Visit registra�on page2. Sign up with username, password and phone nunber3. User is logged in
User Log In Flow
1. Visit login page2. Enter username and password3. System verifies details4. Verifica�on code sent to user by SMS5. User enters verifica�on code6. System verifies code7. User is logged in
PROS/CONS
SOFT TOKEN
User Registra�on Flow
1. Visit registra�on page2. Sign up with username, password3. Generate a secret for the user4. Share the secret somehow5. User is logged in
User Log In Flow
1. Visit login page2. Enter username and password3. System verifies details4. User opens auth app5. User finds app verifica�on code and enters on site6. System verifies code7. User is logged in
SECRETS
HOTP/TOTP
HOTP
HOTP(K,C) = Truncate(HMAC(K,C)) & 0x7FFFFFFF
HOTP-Value = HOTP(K,C) mod 10d
TOTP
DEMO
SHARING SECRETS
QR code
otpauth://TYPE/LABEL?PARAMETERS
otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example
PROS/CONS
CAN IT BEBETTER?
FRIENDS DON'T LETFRIENDS WRITE THEIROWN AUTHENTICATION
FRAMEWORKS
FRIENDS DON'T LETFRIENDS WRITE THEIROWN TWO FACTOR
AUTHENTICATIONFRAMEWORKS
User Registra�on Flow
1. Visit registra�on page2. Sign up with username, password and phone nunber3. System registers User with Authy4. User is logged in
User Log In Flow
1. Visit login page2. Enter username and password3. System verifies details4. Authy prompts user5. User finds app verifica�on code and enters on site6. System verifies code with Authy7. User is logged in
THE FUTURE
PUSHNOTIFICATIONS
0:21
PROS/CONS
SUMMARY
USERS AREBAD WITHPASSWORDS
OTHERWEBSITES AREBAD WITHPASSWORDS
2FA CAN BEPUSH, TOKEN
OR SMS
2FA IS FORYOUR USERS
THANKS!
Use code PNASH20 for 20% off �ckets
Thanks!@philnashh�p://[email protected]
