
Shared responsibility model: Why and how to choose the right 2FA method for your users


Service providers have a responsibility to provide two factor authentication (2FA) and help their users make informed decisions about which 2FA method(s) to enable.

In this talk, I discuss the AWS Shared Responsibility Model and highlight that implementing 2FA follows a similar pattern. I dive into the details of the 4 most common methods of 2FA and explain the security and usability tradeoffs of each. I cover SMS, time-based one-time passwords (TOTP), push notifications, and Universal 2nd Factor (U2F).

Audio and slides on YouTube: https://www.youtube.com/watch?v=ub7tU6ZLxAs

Published in: Technology

  1. Shared Responsibility Model: Why & how to choose the right 2FA method for your users. Conor Gilsenan, Security UX Consultant, conor@AllThingsAuth.com
  2. 1. Slides available? a. Yes! 2. Time for Q&A? a. That’s the plan!
  3. AWS shared responsibility model
  4. https://aws.amazon.com/compliance/shared-responsibility-model/
  5. AWS!!! FIX THIS
  6. https://aws.amazon.com/blogs/aws/new-amazon-s3-encryption-security-features/
  7. 2FA shared responsibility model
  8. ● Service providers must provide 2FA ● End-users must enable it
  9. Audience participation to avoid evening naps
  10. If you are a service provider. Hint: people log into your service/application
  11. If your service supports 2FA.
  12. If you know your 2FA adoption rate. Hint: What percentage of users enable 2FA?
  13. If your 2FA adoption rate is above 1%
  14. If your 2FA adoption rate is above 10%
  15. If your 2FA adoption rate is above 28%
  16. If your 2FA adoption rate is above 40%
  17. Thank you for participating! Please, take a seat.
  18. Quick recap: What is 2FA?
  19. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  20. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  21. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  22. Two factor authentication (2FA): 1. Knowledge (something you know) 2. Possession (something you have)
  23. 2FA methods: 1. SMS 2. Time-based One-time Passwords (e.g. Google Authenticator) 3. Push notifications (e.g. Google Prompt) 4. Universal 2nd Factor (U2F) (e.g. USB security keys)
  24. My goal: convince you of this tweet
  25. My goal: convince you of this tweet
  26. My goal: convince you of this tweet
  27. My goal: convince you of this tweet
  28. SMS: the most popular and least secure 2FA
  29. SMS: registration flow
  30. SMS: registration flow
  31. SMS: registration flow
  32. SMS: registration flow
  33. SMS: authentication flow
  34. SMS: phone company === problems
  35. SMS: people problems. “People are always the weakest link in any security solution” - Conor, right now
  36. SMS: social engineering
  37. SMS: social engineering
  38. SMS: social engineering
  39. SMS: social engineering
  40. SMS: social engineering
  41. SMS: social engineering. June, 2016
  42. SMS: social engineering. December, 2016; August, 2017
  43. SMS: social engineering. Phone company, do better at verifying identities! Yes! But also...
  44. SMS: social engineering. September, 2017
  45. SMS: social engineering. February, 2018
  46. SMS: social engineering
  47. SMS: social engineering. “...our industry is experiencing a phone number port out scam that could impact you…” “...consider checking with your bank to see if there is an alternative to using text-for-PIN authentication…”
  48. SMS: technical problems
  49. SMS: Signaling System 7 (SS7)
  50. SMS: Signaling System 7 (SS7)
  51. SMS: Signaling System 7 (SS7)
  52. SMS: Signaling System 7 (SS7)
  53. SMS: SS7 vulnerabilities. May, 2016; May, 2016
  54. SMS: SS7 vulnerabilities. May, 2017; May, 2017
  55. “Victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user.” 2017 - https://research.google.com/pubs/pub46437.html
  56. SMS: vulnerable to phishing attacks
  57. SMS: vulnerable to phishing attacks
  58. SMS: vulnerable to phishing attacks
  59. SMS: vulnerable to phishing attacks
  60. SMS: vulnerable to phishing attacks
  61. SMS: vulnerable to phishing attacks
  62. SMS: the most popular and least secure 2FA
  63. TOTP: way more secure than SMS, more annoying than Push
  64. TOTP: first ever registration flow
  65. TOTP: first ever registration flow
  66. TOTP: first ever registration flow
  67. TOTP: first ever registration flow
  68. TOTP: first ever registration flow
  69. TOTP: example authenticator app
  70. TOTP: the same app works for all TOTP sites
  71. TOTP: registration flow with app installed
  72. TOTP: authentication is even easier
  73. TOTP: authentication flow
  74. TOTP: how is the OTP generated and verified? HMAC-SHA-1 (shared secret + time) ≈ OTP
  75. TOTP: vulnerabilities
  76. TOTP: service provider compromise
  77. TOTP: trusted device compromise
  78. TOTP: vulnerable to phishing attacks
  79. TOTP: vulnerable to phishing attacks
  80. TOTP: vulnerable to phishing attacks
  81. TOTP: vulnerable to phishing attacks
  82. TOTP: usability challenges
  83. TOTP: what if I lose my trusted device?!
  84. TOTP: what if I lose my trusted device?! https://unsplash.com/photos/2-1wvS-jZZQ
  85. TOTP: lots of accounts? Locating just one sucks
  86. TOTP: the OTP rotates while you are entering it...
  87. TOTP: the OTP rotates while you are entering it...
  88. TOTP: the OTP rotates while you are entering it...
  89. TOTP: the OTP rotates while you are entering it...
  90. TOTP: the OTP rotates while you are entering it...
  91. TOTP: the OTP rotates while you are entering it...
  92. TOTP: way more secure than SMS, more annoying than Push
  93. Push: more secure than TOTP & very convenient
  94. Push: authentication prompt
  95. Push: registration flow
  96. Push: registration flow
  97. Push: registration flow
  98. Push: registration flow
  99. Push: registration flow
  100. Push: authentication flow
  101. Push: authentication flow
  102. Push: authentication flow
  103. Push: authentication flow
  104. Push: authentication flow
  105. Push: vulnerabilities
  106. Push: vulnerable to phishing attacks
  107. Push: vulnerable to phishing attacks
  108. Push: vulnerable to phishing attacks
  109. Push: vulnerable to phishing attacks
  110. Push: usability challenges
  111. Push: need a different app for each service
  112. Push: what if I lose my trusted device?!
  113. Push: more secure than TOTP & very convenient
  114. U2F: Secure? Yup! Realistic for consumers? Nope!
  115. U2F: gotta get that hardware!
  116. U2F: registration flow - user
  117. U2F: registration flow - technical. Key pair generated and bound to origin
  118. U2F: authentication flow - user
  119. U2F: authentication flow - technical
  120. U2F: authentication flow - technical
  121. U2F: authentication flow - technical
  122. U2F: authentication flow - technical
  123. U2F: authentication flow - technical
  124. U2F: authentication flow - technical
  125. U2F: usability challenges
  126. U2F: what if I lose my security key?!
  127. U2F: what if I lose my security key?!
  128. U2F: Secure? Yup! Realistic for consumers? Nope!
  129. Least common denominator
  130. WebAuthn
  131. Effective 2FA Part 2: everything else. Coming soon to a conference near you!
  132. Questions! Slides: AllThingsAuth.com/talks, conor@allthingsauth.com, @conorgil, linkedin.com/in/conorgilsenan
