
Effective 2FA - Part 1: the technical stuff

Two-factor authentication (2FA) is the most straightforward way for companies to drastically improve the security of their user authentication process. However, not all 2FA implementations are created equal. Thinking of quickly throwing together a workflow using SMS and calling it a day? Think again! Though popular, 2FA via SMS has many security issues and was actually deprecated by NIST in 2017. In this presentation, I dive into the technical details of the most common 2FA implementations and highlight security and usability trade-offs. You will learn how to develop a 2FA implementation strategy that will best serve your users.

Effective 2FA - Part 1: the technical stuff

  1. Effective 2FA Part 1: the technical stuff. Conor Gilsenan, Editor in Chief, All Things Auth; Founder, Two Factor Buddy (2FB)
  2. Audience participation to avoid afternoon naps
  3. If you are a service provider. Hint: people log into your service/application
  4. If your service supports 2FA.
  5. If you know your 2FA adoption rate. Hint: what percentage of users enable 2FA?
  6. If your 2FA adoption rate is above 1%
  7. If your 2FA adoption rate is above 10%
  8. If your 2FA adoption rate is above 28%
  9. If your 2FA adoption rate is above 40%
  10. Thank you for participating! Please, take a seat.
  11. Why do you support 2FA?
  12. Compliance
  13. https://www.reddit.com/r/CrappyDesign/comments/2ucutv/this_drawer_doesnt_open_because_the_oven_handle/
  14. Business goal
  15. Quick recap: What is 2FA?
  16. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  17. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  18. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  19. Two-factor authentication (2FA): 1. Knowledge (something you know) 2. Possession (something you have)
  20. 2FA methods: 1. SMS 2. Time-based One-time Passwords (e.g. Google Authenticator) 3. Push notifications (e.g. Google Prompt) 4. Universal 2nd Factor (U2F) (e.g. USB security keys)
  21. My goal: convince you of this tweet
  22. My goal: convince you of this tweet
  23. My goal: convince you of this tweet
  24. My goal: convince you of this tweet
  25. SMS: the most popular and least secure 2FA
  26. SMS: registration flow
  27. SMS: registration flow
  28. SMS: registration flow
  29. SMS: registration flow
  30. SMS: authentication flow
  31. SMS: phone company === problems
  32. SMS: people problems. “People are always the weakest link in any security solution” - Conor, right now
  33. SMS: social engineering
  34. SMS: social engineering
  35. SMS: social engineering
  36. SMS: social engineering
  37. SMS: social engineering
  38. SMS: social engineering. June, 2016
  39. SMS: social engineering. December, 2016; August, 2017
  40. SMS: social engineering. Phone company, do better at verifying identities! Yes! But also...
  41. SMS: social engineering. September, 2017
  42. SMS: social engineering. February, 2018
  43. SMS: social engineering
  44. SMS: social engineering. “...our industry is experiencing a phone number port out scam that could impact you…” “...consider checking with your bank to see if there is an alternative to using text-for-PIN authentication…”
  45. SMS: technical problems
  46. SMS: Signaling System 7 (SS7)
  47. SMS: Signaling System 7 (SS7)
  48. SMS: Signaling System 7 (SS7)
  49. SMS: Signaling System 7 (SS7)
  50. SMS: SS7 vulnerabilities. May, 2016; May, 2016
  51. SMS: SS7 vulnerabilities. May, 2017; May, 2017
  52. “Victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user.” 2017 - https://research.google.com/pubs/pub46437.html
  53. SMS: vulnerable to phishing attacks
  54. SMS: vulnerable to phishing attacks
  55. SMS: vulnerable to phishing attacks
  56. SMS: vulnerable to phishing attacks
  57. SMS: vulnerable to phishing attacks
  58. SMS: vulnerable to phishing attacks
  59. SMS: the most popular and least secure 2FA
  60. TOTP: way more secure than SMS, more annoying than Push
  61. TOTP: first-ever registration flow
  62. TOTP: first-ever registration flow
  63. TOTP: first-ever registration flow
  64. TOTP: first-ever registration flow
  65. TOTP: first-ever registration flow
  66. TOTP: example authenticator app
  67. TOTP: the same app works for all TOTP sites
  68. TOTP: registration flow with app installed
  69. TOTP: authentication is even easier
  70. TOTP: authentication flow
  71. TOTP: how is the OTP generated and verified? HMAC-SHA-1 (shared secret + time) ≈ OTP
  72. TOTP: vulnerabilities
  73. TOTP: service provider compromise
  74. TOTP: trusted device compromise
  75. TOTP: vulnerable to phishing attacks
  76. TOTP: vulnerable to phishing attacks
  77. TOTP: vulnerable to phishing attacks
  78. TOTP: vulnerable to phishing attacks
  79. TOTP: usability challenges
  80. TOTP: what if I lose my trusted device?!
  81. TOTP: what if I lose my trusted device?! https://unsplash.com/photos/2-1wvS-jZZQ
  82. TOTP: lots of accounts? Locating just one sucks (figure: scrolling through pages 1 to 3 of an authenticator app)
  83. TOTP: the OTP rotates while you are entering it...
  84. TOTP: the OTP rotates while you are entering it...
  85. TOTP: the OTP rotates while you are entering it...
  86. TOTP: the OTP rotates while you are entering it...
  87. TOTP: the OTP rotates while you are entering it...
  88. TOTP: the OTP rotates while you are entering it...
  89. TOTP: way more secure than SMS, more annoying than Push
  90. Push: more secure than TOTP & very convenient
  91. Push: authentication prompt
  92. Push: registration flow
  93. Push: registration flow
  94. Push: registration flow
  95. Push: registration flow
  96. Push: registration flow
  97. Push: authentication flow
  98. Push: authentication flow
  99. Push: authentication flow
  100. Push: authentication flow
  101. Push: authentication flow
  102. Push: vulnerabilities
  103. Push: vulnerable to phishing attacks
  104. Push: vulnerable to phishing attacks
  105. Push: vulnerable to phishing attacks
  106. Push: vulnerable to phishing attacks
  107. Push: usability challenges
  108. Push: need a different app for each service
  109. Push: what if I lose my trusted device?!
  110. Push: more secure than TOTP & very convenient
  111. U2F: Secure? Yup! Realistic for consumers? Nope!
  112. U2F: gotta get that hardware!
  113. U2F: registration flow - user
  114. U2F: registration flow - technical. Key pair generated and bound to origin
  115. U2F: authentication flow - user
  116. U2F: authentication flow - technical
  117. U2F: authentication flow - technical
  118. U2F: authentication flow - technical
  119. U2F: authentication flow - technical
  120. U2F: authentication flow - technical
  121. U2F: authentication flow - technical
  122. U2F: usability challenges
  123. U2F: what if I lose my security key?!
  124. U2F: what if I lose my security key?!
  125. U2F: Secure? Yup! Realistic for consumers? Nope!
  126. Least common denominator
  127. Effective 2FA Part 2: everything else. Coming soon to a conference near you!
  128. Questions! Slides: AllThingsAuth.com/talks conor@allthingsauth.com @conorgil linkedin.com/in/conorgilsenan
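Slide 71 compresses TOTP to "HMAC-SHA-1 (shared secret + time) ≈ OTP". The example below, added here and not part of the talk or of any product it mentions, spells that out as the RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms in standard-library Python: the shared secret provisioned at registration (the otpauth URI that authenticator apps read from the QR code), the client-side code generation, and the server-side check a service provider actually needs: a drift window, constant-time comparison, and the matching counter returned so the caller can refuse a replayed code. The secret value is the RFC test-vector secret, and `issuer`/`account` in the provisioning URI are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret agreed at registration. A real service generates a random one
# per user and keeps it in a secret store (slide 73: if the provider is
# compromised, these secrets are what the attacker gets). This value is the
# published RFC 4226/6238 test-vector secret, used here so results are checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' to a `digits`-long decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since T0. This is the 'time' half of slide 71's formula, and why
    the code rotates while you are typing it (slides 83-88)."""
    return hotp(secret, (unix_time - t0) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side verification. Accepts the current interval plus `window`
    neighbours on each side (clock drift on the trusted device), compares in
    constant time, and returns the matching counter so the caller can store
    it and reject a second submission of the same code. Returns None on failure."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, submitted):
            return counter + delta
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI encoded in the registration QR code (slides 61-65).
    Authenticator apps expect the secret as unpadded base32; issuer and account
    here are assumed to be URL-safe (percent-encode them in real use)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={b32}&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed sample registration: what the QR code would carry.
    print(provisioning_uri("ExampleService", "alice@example.com", RFC_TEST_SECRET))
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)       # what the app displays right now
    print("code:", code, "verified at counter:", verify_totp(RFC_TEST_SECRET, code, now))
```

Two design points worth noting for a service provider: keep the drift window small (one step each side is typical), because every extra interval accepted is another code an attacker who phished the user (slides 75-78) can use; and persist the counter returned by `verify_totp` per user, rejecting any counter at or below the last accepted one, otherwise a code captured in transit remains valid for the rest of its interval plus the window.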
