"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook

An in-depth look at Facebook's easy-to-use internal multi-factor authentication deployment. We will discuss our motivations, how our solution works, technical and security trade-offs, deployment problems, and outstanding issues.

Bio, Chad Greene:
A security manager at Facebook, Chad Greene focuses on security engineering, intrusion detection and incident response at scale. Protecting user data for over 1 billion active users of the social network, his teams are responsible for building creative security solutions that balance rapid growth and innovation with a strong security posture. Prior to Facebook, Chad spent more than seven years at eBay solving product security and security operations challenges. Chad holds a Bachelor's degree in Management Information Systems from The University of Notre Dame.

Published in: Technology

Transcript

  • 1. Tuesday, October 1, 13
  • 2. 2FAC: Facebook's internal multi-factor auth platform. CONFIDENTIAL. Facebook Security
  • 3. Agenda: Attacks - A Force for Change; 2FAC Authentication; Questions?
  • 4. Facebook - Big Numbers: 1.15B monthly active users; 699M daily active users (80+% outside US); 5K+ employees
  • 5. Identifying weakest points: Red Teams; Incident 1: Spear phishing OWA; Incident 2: Breach identified in January
  • 6. Red Team Drills - Identify weak points
  • 7. Incident: Spear Phishing OWA
  • 8. Incident: Spear Phishing OWA
  • 9. Incident: Breach discovered in Jan 2013 (digitalinsight-ltd)
  • 10. Incident: Breach discovered in Jan 2013
  • 11. Why 2Fac for SSH? Goal: Protect against remote attackers - Disrupt Lateral Movement phase; Ensure local user is at keyboard; Limit origin of illegitimate SSH access. Non-goal: Protect against local attackers
  • 12. Engineering @ FB: Facebook culture: Move Fast; Intolerant of slowdown; Highly skilled at finding workarounds; Primarily work via SSH on dev servers
  • 13. Engineering @ FB: Facebook culture: Move Fast; Intolerant of slowdown; Highly skilled at finding workarounds; Primarily work via SSH on dev servers. Goal: Make being secure effortless
  • 14. State of Multi-Factor
  • 15. Time-based: Easy to use; Good interoperability; Synchronization is easy; Time windows of acceptance; Only good for infrequent use
  • 16. OTP: Easy to use; Good interoperability; Gets out of sync; Most tokens designed for infrequent use
  • 17. Biometrics: Limited device support; Security limitations: False acceptance, Replay; Practical problems: How to biometric auth to a remote machine?; Poor usability
  • 18. PKI: Limited device support; Enrollment is painful; Management is painful; Smart Card Proxy attack
  • 19. OOB / Mobile: Easy to set up; Easy to use; Push (only on some devices); Requires fast, reliable online channel; Usability is good only for infrequent use
  • 20.
  • 21. Building it Better: Usability: Support very frequent use, Flexible options; Security: Require stronger authentication for every session; Fast deployment; Minimal support overhead
  • 22. The Solution: Duo Security + Yubikey Nano; Flexible options; Low operational overhead; Provisioning process out of the box; Yubikey is awesome for frequent use; Bonus: Backup tokens from the start
  • 23. Deployment: Planning
  • 24. Deployment: Planning - How is SSH being used? Thousands of engineers; Tens of thousands of sessions per day; Peak users with >3000 sessions; Using all authentication mechanisms
  • 25. Deployment: Planning - How is SSH being used? Thousands of engineers; Tens of thousands of sessions per day; Peak users with >3000 sessions; Using all authentication mechanisms; What are they doing?
  • 26. Deployment: Planning - How is SSH being used? Thousands of engineers; Tens of thousands of sessions per day; Peak users with >3000 sessions; Using all authentication mechanisms; What are they doing?
        sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2
        sshd[87820]: User child is on pid 87825
        sshd[87825]: Received disconnect from ::1: 11: disconnected by user
  • 27. Improving SSH Logs: First Attempt - Add details about what the user is doing
        sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
        sshd[27587]: User child is on pid 27589
        sshd[27589]: Exec Request for user twt with command uname -a
        sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
        sshd[8540]: User child is on pid 8548
        sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
        sshd[8548]: Shell Request for user twt
        sshd[8548]: Received disconnect from ::1: 11: disconnected by user
  • 28. Improving SSH Logs: First Attempt - Add details about what the user is doing
        sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
        sshd[27587]: User child is on pid 27589
        sshd[27589]: Exec Request for user twt with command uname -a
        sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
        sshd[8540]: User child is on pid 8548
        sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
        sshd[8548]: Shell Request for user twt
        sshd[8548]: Received disconnect from ::1: 11: disconnected by user
        Problem: requires multiple log lines with different PIDs for analysis
  • 29. Sessionizing SSH Logs - Add sessionization data to SSH logs
        sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
        sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
        sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
        sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
        sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
        sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
        sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
        sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
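Slides 27 to 29 show why the session tag was added: in the first-attempt format the authentication event and the command execution arrive under different sshd pids, so an analyst has to chain the "User child is on pid" line by hand before knowing who ran what. The following is an added example, not code from the talk or from Facebook: it ingests both log formats (the sample lines are the ones on the slides), groups lines into sessions using the session= tag when present and the pid join when not, and then flags sessions that ran a command without a keyboard-interactive second factor. The single-factor heuristic in single_factor_exec is an assumption of this example, as is the event model; the slides do not describe either.

```python
import re
from collections import defaultdict

# Sample sshd output copied from the slides. The first block is the first-attempt
# format (no session tag; only the "User child is on pid" line ties a connection's
# events together). The second block carries the session= tag the talk added.
UNTAGGED_LOG = """\
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
sshd[27587]: User child is on pid 27589
sshd[27589]: Exec Request for user twt with command uname -a
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
sshd[8540]: User child is on pid 8548
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
sshd[8548]: Shell Request for user twt
sshd[8548]: Received disconnect from ::1: 11: disconnected by user
"""

TAGGED_LOG = """\
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
"""

LINE_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*?)(?: session=(?P<sid>\S+))?$")
CHILD_RE = re.compile(r"User child is on pid (\d+)")
ACCEPT_RE = re.compile(r"Accepted (\S+) for (?:(\S+) from )?(\S+) port (\d+)")
EXEC_RE = re.compile(r"Exec Request for user (\S+) with command (.*)")
SHELL_RE = re.compile(r"Shell Request for user (\S+)")


def new_session():
    return {"user": None, "auth": None, "src": None, "events": []}


def sessionize(log_text):
    """Group sshd lines into per-connection sessions.

    Uses the session= tag when present. Otherwise it maps the child pid named in
    "User child is on pid N" back to the listener pid that logged the Accepted
    line, which is the join the first-attempt logs forced analysts to do by hand.
    """
    pid_to_sid = {}
    sessions = defaultdict(new_session)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg, tag = m.group("pid"), m.group("msg"), m.group("sid")
        sid = tag or pid_to_sid.get(pid) or "pid:" + pid
        pid_to_sid[pid] = sid
        child = CHILD_RE.search(msg)
        if child:
            pid_to_sid[child.group(1)] = sid  # later lines from the child join this session
        s = sessions[sid]
        if acc := ACCEPT_RE.search(msg):
            s["auth"], s["src"] = acc.group(1), acc.group(3)
            if acc.group(2):
                s["user"] = acc.group(2)
        elif ex := EXEC_RE.search(msg):
            s["user"] = ex.group(1)
            s["events"].append(("exec", ex.group(2)))
        elif sh := SHELL_RE.search(msg):
            s["user"] = sh.group(1)
            s["events"].append(("shell", None))
        elif "Received disconnect" in msg:
            s["events"].append(("disconnect", None))
    return dict(sessions)


def single_factor_exec(sessions):
    """Session ids that ran a command without a keyboard-interactive second factor.

    Heuristic assumed by this example (not stated on the slides): where Duo is
    wired in as keyboard-interactive, a connection that completed both factors
    logs its final Accepted line for keyboard-interactive, so a publickey-only
    Accepted line followed by an Exec Request is the single-factor command
    execution the talk calls out as its primary concern.
    """
    flagged = []
    for sid, s in sessions.items():
        ran_command = any(kind == "exec" for kind, _ in s["events"])
        second_factor = (s["auth"] or "").startswith("keyboard-interactive")
        if ran_command and not second_factor:
            flagged.append(sid)
    return sorted(flagged)


if __name__ == "__main__":
    for label, log in (("untagged", UNTAGGED_LOG), ("tagged", TAGGED_LOG)):
        sessions = sessionize(log)
        print(label, "sessions:", {sid: s["events"] for sid, s in sessions.items()})
        print(label, "single-factor exec:", single_factor_exec(sessions))
```

Without the tag, a session's identity is only as good as the pid join, which breaks across hosts, across sshd restarts and whenever a line is dropped; the session= value (host plus a per-connection id) survives all of that, which is why the tagged format makes the same analysis a plain group-by.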
  • 30. SSH Usage Analysis - What are they doing? SFTP; Random scripts; TRAMP mode; Lots of shells; Using every authentication mechanism
  • 31. Deployment: Implementation
  • 32. Deployment: Implementation - OpenSSH 6.2: support for multiple AuthMethods; Publickey, kerberos, password are first factors; Duo is second factor
  • 33. Deployment: Implementation - OpenSSH 6.2: support for multiple AuthMethods; Publickey, kerberos, password are first factors; Duo is second factor. Problem: password and Duo are both handled by the keyboard-interactive auth method
  • 34. Deployment: Implementation - OpenSSH 6.2: support for multiple AuthMethods; Publickey, kerberos, password are first factors; Duo is second factor. Problem: password and Duo are both handled by the keyboard-interactive auth method. Solutions: Submethods for keyboard-interactive/{pam,duo} in OpenSSH 6.2p1; KerberosAuthentication yes
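Slides 32 to 34 turn on the OpenSSH 6.2 AuthenticationMethods directive, where methods joined by a comma form a chain that must all succeed and space-separated lists are alternatives, and they hit the problem that a Unix password prompt and the Duo prompt both arrive through keyboard-interactive, so a list cannot name "Duo" as the second step without a submethod. The following is an added example, not Facebook's configuration or tooling: a small linter over constructed sshd_config fragments that reports any alternative which does not require two distinct factors. The way classify groups plain keyboard-interactive and keyboard-interactive:pam with password, and the keyboard-interactive:duo submethod name, are assumptions of this example (the slides only mention patched keyboard-interactive/{pam,duo} submethods).

```python
import re

# Constructed sshd_config fragments for this example (not Facebook's config).
WEAK_CONFIG = """\
# Space, not comma: either a key OR a password alone opens a session.
AuthenticationMethods publickey password
"""

AMBIGUOUS_CONFIG = """\
# The password prompt and the Duo PAM module both answer through
# keyboard-interactive, so sshd cannot tell these two steps apart.
AuthenticationMethods keyboard-interactive,keyboard-interactive
"""

STRONG_CONFIG = """\
# Each alternative pairs a first factor with a distinct keyboard-interactive
# second factor. The ':duo' submethod name is an assumption of this example.
AuthenticationMethods publickey,keyboard-interactive:duo gssapi-with-mic,keyboard-interactive:duo
"""

NO_METHODS_CONFIG = "PubkeyAuthentication yes\n"


def classify(method):
    """Map one method entry to the credential channel it exercises.

    Assumption of this example: plain keyboard-interactive and
    keyboard-interactive:pam are the same channel as 'password', because PAM's
    keyboard-interactive prompt is normally the Unix password. Any other
    submethod counts as its own channel.
    """
    name, _, submethod = method.partition(":")
    if name == "keyboard-interactive":
        if submethod in ("", "pam"):
            return "password"
        return "keyboard-interactive:" + submethod
    return name


def parse_authentication_methods(config_text):
    """Return the alternatives as lists of chained method names, or [] if unset."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if parts[0].lower() == "authenticationmethods" and len(parts) == 2:
            return [alt.split(",") for alt in parts[1].split()]
    return []


def audit(config_text):
    """One finding per alternative that does not demand two distinct factors."""
    alternatives = parse_authentication_methods(config_text)
    if not alternatives:
        return ["AuthenticationMethods not set: any single enabled method opens a session"]
    findings = []
    for chain in alternatives:
        channels = sorted({classify(m) for m in chain})
        if len(channels) < 2:
            findings.append("%s: only one distinct factor (%s)"
                            % (",".join(chain), ", ".join(channels)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("ambiguous", AMBIGUOUS_CONFIG),
                       ("strong", STRONG_CONFIG), ("unset", NO_METHODS_CONFIG)):
        print(label, "->", audit(cfg) or ["ok: two distinct factors on every path"])
```

The ambiguous case is the one the talk describes: listing keyboard-interactive twice is not two factors if both prompts are answered by the same PAM stack, which is why a submethod that names the second factor is needed before the chain means what it appears to mean.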
  • 35. Handling SFTP
  • 36. Handling SFTP - Clients don't support multiple auth mechanisms
  • 37. Handling SFTP - Clients don't support multiple auth mechanisms. Primary security concern: Single factor command execution
  • 38. Handling SFTP - Clients don't support multiple auth mechanisms. Primary security concern: Single factor command execution. Solution: Single factor SFTP chroot
  • 39. Handling scripts + TRAMP mode
  • 40. Handling scripts + TRAMP mode - Switch to use SFTP solution?
  • 41. Handling scripts + TRAMP mode - Switch to use SFTP solution? Primary security concern: Single factor command execution
  • 42. Handling scripts + TRAMP mode - Switch to use SFTP solution? Primary security concern: Single factor command execution. Solution: SSH whitelists
  • 43. Handling scripts + TRAMP mode - Switch to use SFTP solution? Primary security concern: Single factor command execution. Solution: SSH whitelists. New problem: REGEX:
        sh -c "cd (~/|\w)(((?<!\.\.)/)|((?<!/)\.)|[\w_-])+ && grep -P '[^']+\t' tags | head -n 10"
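Slides 40 to 43 keep scripted and TRAMP-mode access on a single factor only by allowlisting the exact commands such a session may run, and the regex on slide 43 shows where that leads: the TRAMP tags lookup is a shell command with a user-controlled path, so the allowlist entry has to encode "a path with no `..` segment" itself. The following is an added example, not Facebook's allowlist: it shows how such a check is applied so that it actually constrains the command, using full-string matching and a simplified version of the slide's path pattern. The allowlist entries and the sample commands are constructed for this example.

```python
import re

# A path made of word characters, '.', '-' and '/', where '/' may not follow '..'
# and '.' may not follow '/', so "../" and "/." segments never match. Simplified
# from the pattern on slide 43; constructed for this example.
SAFE_PATH = r"(?:~/|\w)(?:(?<!\.\.)/|(?<!/)\.|[\w_-])+"

# Commands a single-factor scripted session is allowed to execute (constructed).
ALLOWED_COMMANDS = [
    re.compile(r"uname -a"),
    re.compile(r"git rev-parse --show-toplevel"),
    # TRAMP-style tags lookup: cd into an allowed path, then grep a tag name
    # followed by a literal backslash-t in the shell string.
    re.compile(r'sh -c "cd ' + SAFE_PATH + r''' && grep -P '[^']+\\t' tags \| head -n 10"'''),
]


def is_allowed(command, allowlist=ALLOWED_COMMANDS):
    """True only if the whole command string matches one allowlist entry.

    fullmatch is the point: with search(), anything appended after an allowed
    command would still be found and the allowlist would constrain nothing.
    """
    return any(pattern.fullmatch(command) for pattern in allowlist)


def sloppy_is_allowed(command, allowlist=ALLOWED_COMMANDS):
    """The check to avoid: substring matching against the same allowlist."""
    return any(pattern.search(command) for pattern in allowlist)


# Constructed sample exec requests, in the form sshd logs them.
TRAMP_OK = r'''sh -c "cd ~/www/flib && grep -P 'myFunction\t' tags | head -n 10"'''
TRAMP_TRAVERSAL = r'''sh -c "cd ~/www/../../etc && grep -P 'myFunction\t' tags | head -n 10"'''
TRAMP_CHAINED = r'''sh -c "cd ~/www/flib && grep -P 'myFunction\t' tags | head -n 10; id"'''
CHAINED_UNAME = "uname -a; id"


def classify_commands(commands):
    """Return {command: (strict, sloppy)} so the two checks can be compared."""
    return {c: (is_allowed(c), sloppy_is_allowed(c)) for c in commands}


if __name__ == "__main__":
    for cmd, (strict, sloppy) in classify_commands(
            ["uname -a", CHAINED_UNAME, TRAMP_OK, TRAMP_TRAVERSAL, TRAMP_CHAINED]).items():
        print("%-5s %-5s %s" % (strict, sloppy, cmd))
```

Even with fullmatch the path pattern has to be reasoned about character by character (the two lookbehinds above are what keep `~/www/../../etc` out), which is the maintenance cost slide 43 is pointing at and why slide 45 lists getting rid of command whitelists as ongoing work.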
  • 44. Unexpected Issues: Keyboard layouts; Exploding computers; Possessed yubikeys; Accidental discharge; Client ssh config problems; Need moar USB ports; Enrollment issues
  • 45. Ongoing Work: More 2Fac: sudo; SSH alternatives: mosh, VNC, NX; privesc points; replace/supplement other multi-factor solutions. 2Fac everywhere. Get rid of command whitelists. Make SFTP clients support multi-factor
  • 46. Facebook Security