"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook

An in-depth look at Facebook's easy-to-use internal multi-factor authentication deployment. We will discuss our motivations, how our solution works, technical and security trade-offs, deployment problems, and outstanding issues.

Bio Chad Greene:
A security manager at Facebook, Chad Greene focuses on security engineering, intrusion detection and incident response at scale. Protecting user data for over 1 billion active users of the social network, his teams are responsible for building creative security solutions that balance rapid growth and innovation with a strong security posture. Prior to Facebook, for more than seven years Chad worked at eBay, where he worked on solving product security and security operations challenges. Chad holds a Bachelor's degree in Management Information Systems from The University of Notre Dame.

Slide 1: Tuesday, October 1, 13

Slide 2: 2FAC: Facebook's internal multi-factor auth platform
CONFIDENTIAL
Facebook Security

Slide 3: Agenda
• Attacks - A Force for Change
• 2FAC Authentication
• Questions?

Slide 4: Facebook - Big Numbers
• 1.15B monthly active users
• 699M daily active users (80+% outside US)
• 5K+ employees

Slide 5: Identifying weakest points
• Red Teams
• Incident 1: Spear phishing OWA
• Incident 2: Breach identified in January

Slide 6: Red Team Drills - Identify weak points

Slides 7-8: Incident: Spear Phishing OWA

Slides 9-10: Incident: Breach discovered in Jan 2013
• digitalinsight-ltd

Slide 11: Why 2Fac for SSH?
Goal: Protect against remote attackers
• Disrupt Lateral Movement phase
• Ensure local user is at keyboard
• Limit origin of illegitimate SSH access
Non-goal: Protect against local attackers

Slides 12-13: Engineering @ FB
• Facebook culture: Move Fast
• Intolerant of slowdown
• Highly skilled at finding workarounds
• Primarily work via SSH on dev servers
Goal: Make being secure effortless

Slide 14: State of Multi-Factor

Slide 15: Time-based
• Easy to use
• Good interoperability
• Synchronization is easy
• Time windows of acceptance
• Only good for infrequent use

Slide 16: OTP
• Easy to use
• Good interoperability
• Gets out of sync
• Most tokens designed for infrequent use

Slide 17: Biometrics
• Limited device support
• Security limitations
• False acceptance
• Replay
• Practical Problems: How to biometric auth to remote machine?
• Poor usability

Slide 18: PKI
• Limited device support
• Enrollment is painful
• Management is painful
• Smart Card Proxy attack

Slide 19: OOB / Mobile
• Easy to set up
• Easy to use
• Push (only on some devices)
• Requires fast, reliable online channel
• Usability is good only for infrequent use

Slide 20: (no text)

Slide 21: Building it Better
• Usability
  • Support Very Frequent use
  • Flexible options
• Security
  • Require stronger authentication for every session
• Fast Deployment
  • Minimal support overhead

Slide 22: The Solution
• Duo Security + Yubikey Nano
• Flexible Options
• Low operational overhead
• Provisioning process out of the box
• Yubikey is awesome for frequent use
• Bonus: Backup tokens from the start

Slide 23: Deployment: Planning

Slides 24-26: Deployment: Planning
• How is SSH being used?
  • Thousands of engineers
  • Tens of thousands of sessions per day
  • Peak users with >3000 sessions
  • Using all authentication mechanisms
• What are they doing?
    sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2
    sshd[87820]: User child is on pid 87825
    sshd[87825]: Received disconnect from ::1: 11: disconnected by user

Slides 27-28: Improving SSH Logs: First Attempt
• Add details about what the user is doing
    sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
    sshd[27587]: User child is on pid 27589
    sshd[27589]: Exec Request for user twt with command uname -a
    sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
    sshd[8540]: User child is on pid 8548
    sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
    sshd[8548]: Shell Request for user twt
    sshd[8548]: Received disconnect from ::1: 11: disconnected by user
• Problem: requires multiple log lines with different PIDs for analysis

Slide 29: Sessionizing SSH Logs
• Add sessionization data to SSH logs
    sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
    sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
    sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
    sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
    sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
    sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
    sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
    sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32

Slide 30: SSH Usage Analysis
• What are they doing?
  • SFTP
  • Random scripts
  • TRAMP mode
  • Lots of shells
  • Using every authentication mechanism

Slide 31: Deployment: Implementation

Slides 32-34: Deployment: Implementation
• OpenSSH 6.2 - support for multiple AuthMethods
• Public key, kerberos, password are first factors
• Duo is second factor
• Problem: password and Duo are both handled by keyboard-interactive auth method
• Solutions:
  • Submethods for keyboard-interactive/{pam,duo} in OpenSSH 6.2p1
  • KerberosAuthentication yes

Slides 35-38: Handling SFTP
• Clients don't support multiple auth mechanisms
• Primary security concern:
  • Single factor command execution
• Solution:
  • Single factor SFTP chroot
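As an added illustration (not Facebook's configuration), stock OpenSSH 6.2+ sshd_config directives that express the design of slides 32-38: each first factor is paired with a PAM-backed keyboard-interactive second factor, and SFTP-only accounts get a single-factor chroot with no command execution. The group name, chroot path, choice of Match criterion, and the assumption that the sshd PAM stack contains only the Duo module are mine; Facebook's own keyboard-interactive/duo submethod is a patch, not a stock option.

```sshd_config
# Added example, not Facebook's config. Second factor = PAM keyboard-interactive
# (assumed: the sshd PAM stack holds only the Duo module).
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
# On a Kerberos-enabled build, KerberosAuthentication yes makes sshd verify the
# "password" method against Kerberos itself instead of PAM, so password and the
# PAM second factor no longer collide inside keyboard-interactive (slide 33).
KerberosAuthentication yes
GSSAPIAuthentication yes
# Every session: one first factor, then the second factor.
AuthenticationMethods publickey,keyboard-interactive:pam gssapi-with-mic,keyboard-interactive:pam password,keyboard-interactive:pam

# Slide 38: SFTP clients that cannot do two methods get a single-factor,
# chrooted, SFTP-only account (group name and path are assumptions).
Match Group sftp-only
    AuthenticationMethods publickey
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```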
Slides 39-43: Handling scripts + TRAMP mode
• Switch to use SFTP solution?
• Primary security concern:
  • Single factor command execution
• Solution:
  • SSH whitelists
• New problem:
  • REGEX: sh -c "cd (~/|\w)(((?<!\.\.)/)|((?<!/)\.)|[\w_-])+ && grep -P '[^']+\t' tags | head -n 10"
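As an added example (not code from the presentation), a small Python sessionizer in the spirit of slides 29, 38 and 42: it groups constructed log lines by the session= token rather than by PID, records which factors each session used, classifies exec versus shell sessions, and flags single-factor command execution that a command whitelist does not cover. The log lines, user, ports and the first allowlist entry are assumptions; the second entry is a rendering of the TRAMP regex on slide 43.

```python
import re
# Constructed log lines in the slide-29 sessionized format; all values are made up.
LOG = """\
sshd[27587]: Accepted publickey for twt from ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8540]: Partial publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: Accepted keyboard-interactive/pam for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[9001]: Accepted publickey for twt from 10.0.0.9 port 40000 ssh2 session=dev123:5236b111.aaaa
sshd[9002]: Exec Request for user twt with command make -C ~/www session=dev123:5236b111.aaaa
"""

SESSION_RE = re.compile(r" session=(\S+)$")
AUTH_RE = re.compile(r"(?:Accepted|Partial) (\S+) for \S+ from ")
EXEC_RE = re.compile(r"Exec Request for user \S+ with command (.+) session=")

# Constructed allowlist (stands in for the slides' SSH whitelists); 2nd entry is slide 43's TRAMP pattern.
ALLOWLIST = [
    re.compile(r"^uname -a$"),
    re.compile(r"^sh -c \"cd (~/|\w)(((?<!\.\.)/)|((?<!/)\.)|[\w_-])+ && "
               r"grep -P '[^']+\\t' tags \| head -n 10\"$"),
]

def sessionize(log):
    sessions = {}  # session id -> lines, independent of the changing sshd PID
    for line in log.splitlines():
        if m := SESSION_RE.search(line):
            sessions.setdefault(m.group(1), []).append(line)
    return sessions

def allowed(command):
    return any(p.match(command) for p in ALLOWLIST)

def summarize(lines):
    s = {"factors": [], "kind": "unknown", "command": None}
    for line in lines:
        if m := AUTH_RE.search(line):
            s["factors"].append(m.group(1))  # "Partial" = first factor only
        elif m := EXEC_RE.search(line):
            s["kind"], s["command"] = "exec", m.group(1)
        elif "Shell Request" in line:
            s["kind"] = "shell"
    # The slides' concern: exec (or a shell) behind one factor, not whitelisted.
    s["flag"] = (s["kind"] != "unknown" and len(s["factors"]) < 2
                 and not (s["kind"] == "exec" and allowed(s["command"])))
    return s

def audit(log):
    return {sid: summarize(lines) for sid, lines in sessionize(log).items()}
```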
Slide 44: Unexpected Issues
• Keyboard layouts
• Exploding computers
• Possessed yubikeys
• Accidental discharge
• Client ssh config problems
• Need moar USB ports
• Enrollment issues

Slide 45: Ongoing Work
• more 2Fac:
  • sudo
  • SSH alternatives: mosh, VNC, NX
  • privesc points
  • replace/supplement other multi-factor solutions
• 2Fac everywhere
• Get rid of command whitelists
• Make SFTP clients support multi-factor

Slide 46: Facebook Security