Shared responsibility model: Why and how to choose the right 2 fa method for your users

1. Shared Responsibility Model: Why & how to choose the right 2FA method for your users Conor Gilsenan, Security UX Consultant conor@AllThingsAuth.com

2. 1. Slides available? a. Yes! 2. Time for Q&A? a. That’s the plan!

3. AWS shared responsibility model

4. https://aws.amazon.com/compliance/shared-responsibility-model/

5. AWS!!! FIX THIS

6. https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/

7. 2FA shared responsibility model

8. ● Service providers must provide 2FA ● End-users must enable it

9. Audience participation to avoid evening naps

10. If you are a service provider. Hint: people log into your service/application

11. If your service supports 2FA.

12. If you know your 2FA adoption rate. Hint: What percentage of users enable 2FA?

13. If your 2FA adoption rate is above 1%

17. Thank you for participating! Please, take a seat.

18. Quick recap: What is 2FA?

19. The three authentication factors 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)

22. Two factor authentication (2FA) 1. Knowledge (something you know) 2. Possession (something you have)

23. 2FA methods 1. SMS 2. Time-based One-time Passwords ■ e.g. Google Authenticator 3. Push notifications ■ e.g. Google Prompt 4. Universal 2nd Factor (U2F) ■ e.g. USB security keys

24. My goal: convince you of this tweet

28. SMS: the most popular and least secure 2FA

29. SMS: registration flow

33. SMS: authentication flow

34. SMS: phone company === problems

35. SMS: people problems “People are always the weakest link in any security solution” - Conor, right now

36. SMS: social engineering

41. SMS: social engineering June, 2016

42. SMS: social engineering December, 2016 August, 2017

43. SMS: social engineering Phone company, do better at verifying identities! Yes! But also...

44. SMS: social engineering September, 2017

45. SMS: social engineering February, 2018

47. SMS: social engineering “...our industry is experiencing a phone number port out scam that could impact you…” “...consider checking with your bank to see if there is an alternative to using text-for-PIN authentication…”

48. SMS: technical problems

49. SMS: Signal System 7 (SS7)

53. SMS: SS7 vulnerabilities May, 2016 May, 2016

54. SMS: SS7 vulnerabilities May, 2017 May, 2017

55. “Victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user.” 2017 - https://research.google.com/pubs/pub46437.html

56. SMS: vulnerable to phishing attacks

62. SMS: the most popular and least secure 2FA

63. TOTP: way more secure than SMS, more annoying than Push

64. TOTP: First ever registration flow

69. TOTP: example authenticator app

70. TOTP: the same app works for all TOTP sites

71. TOTP: registration flow with app installed

72. TOTP: authentication is even easier

73. TOTP: authentication flow

74. TOTP: how is the OTP generated and verified? HMAC-SHA-1 (shared secret + time) ≈ OTP

75. TOTP: vulnerabilities

76. TOTP: service provider compromise

77. TOTP: trusted device compromise

78. TOTP: vulnerable to phishing attacks

82. TOTP: usability challenges

83. TOTP: what if I lose my trusted device?!

84. TOTP: what if I lose my trusted device?! https://unsplash.com/photos/2-1wvS-jZZQ

85. TOTP: lots of accounts? locating just one sucks Page 3Page 1 Page 2 scroll scroll

86. TOTP: the OTP rotates while you are entering it...

92. TOTP: way more secure than SMS, more annoying than Push

93. Push: more secure than TOTP & very convenient

94. Push: authentication prompt

95. Push: registration flow

100. Push: authentication flow

105. Push: vulnerabilities

106. Push: vulnerable to phishing attacks

110. Push: usability challenges

111. Push: need a different app for each service

112. Push: what if I lose my trusted device?!

113. Push: more secure than TOTP & very convenient

114. U2F: Secure? Yup! Realistic for consumers? Nope!

115. U2F: gotta get that hardware!

116. U2F: registration flow - user

117. U2F: registration flow - technical Key pair generated and bound to origin

118. U2F: authentication flow - user

119. U2F: authentication flow - technical

125. U2F: usability challenges

126. U2F: what if I lose my security key?!

127. U2F: what if I lose my security key?!

128. U2F: Secure? Yup! Realistic for consumers? Nope!

129. Least common denominator

130. WebAuthN

131. Effective 2FA Part 2: everything else Coming soon to a conference near you!

132. Questions! Slides: AllThingsAuth.com/talks conor@allthingsauth.com @conorgil linkedin.com/in/conorgilsenan

Shared responsibility model: Why and how to choose the right 2 fa method for your users

ConorGilsenan1

Shared responsibility model: Why and how to choose the right 2 fa method for your users