
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution for Your Users

Two-factor authentication (2FA) is the most straightforward way for companies to drastically improve the security of their user authentication process. However, not all 2FA implementations are created equal. Thinking of quickly throwing together a workflow using SMS and calling it a day? Think again! Though popular, 2FA via SMS has many security issues (number port-out scams and social engineering of carrier staff, SS7 interception, and plain phishing of the code), and NIST moved to deprecate it: the 2017 Digital Identity Guidelines (SP 800-63B) classify SMS out-of-band authentication as RESTRICTED. In this presentation, I dive into the technical details of the most common 2FA implementations (SMS, TOTP, push notifications, and U2F) and highlight security and usability trade-offs. You will learn how to develop a 2FA implementation strategy that will best serve your users.

  1. Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution for Your Users. Conor Gilsenan, Editor in Chief, All Things Auth; Founder, Two Factor Buddy (2FB)
  2. Audio & Slides available at: AllThingsAuth.com/talks conor@twofactorbuddy.com @conorgil linkedin.com/in/conorgilsenan
  3. Why is 2FA important?
  4-6. The three authentication factors: 1. Knowledge (something you know) 2. Possession (something you have) 3. Inherence (something you are)
  7. Two factor authentication (2FA): 1. Knowledge (something you know) 2. Possession (something you have)
  8. 2FA methods: 1. SMS 2. Time-based One-time Passwords (TOTP), e.g. Google Authenticator 3. Push notifications, e.g. Google Prompt 4. Universal 2nd Factor (U2F), e.g. USB security keys
  9-12. My goal: convince you of this tweet
  13. SMS: the most popular and least secure 2FA
  14-17. SMS: registration flow
  18. SMS: authentication flow
  19. SMS: phone company === problems
  20. SMS: people problems. “People are always the weakest link in any security solution” - Conor, right now
  21-25. SMS: social engineering
  26. SMS: social engineering (June, 2016)
  27. SMS: social engineering (December, 2016; August, 2017)
  28. SMS: social engineering. Phone company, do better at verifying identities! Yes! But also...
  29. SMS: social engineering (September, 2017)
  30. SMS: social engineering (February, 2018)
  31. SMS: social engineering
  32. SMS: social engineering. “...our industry is experiencing a phone number port out scam that could impact you…” “...consider checking with your bank to see if there is an alternative to using text-for-PIN authentication…”
  33. SMS: technical problems
  34-37. SMS: Signaling System 7 (SS7)
  38. SMS: SS7 vulnerabilities (May, 2016; May, 2016)
  39-40. SMS: SS7 vulnerabilities (May, 2017)
  41. “Victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user.” 2017 - https://research.google.com/pubs/pub46437.html
  42-47. SMS: vulnerable to phishing attacks
  48. SMS: the most popular and least secure 2FA
  49. TOTP: way more secure than SMS, more annoying than Push
  50-54. TOTP: first ever registration flow
  55. TOTP: example authenticator app
  56. TOTP: the same app works for all TOTP sites
  57. TOTP: registration flow with app installed
  58. TOTP: authentication is even easier
  59. TOTP: authentication flow
  60. TOTP: how is the OTP generated and verified? OTP ≈ truncate(HMAC-SHA-1(shared secret, current 30-second time step)), computed independently by the app and the server and then compared
  61. TOTP: vulnerabilities
  62. TOTP: service provider compromise
  63. TOTP: trusted device compromise
  64-67. TOTP: vulnerable to phishing attacks
  68. TOTP: usability challenges
  69-70. TOTP: what if I lose my trusted device?! (photo: https://unsplash.com/photos/2-1wvS-jZZQ)
  71. TOTP: lots of accounts? locating just one sucks (screenshot: scrolling through page 1, page 2, page 3 of accounts)
  72-77. TOTP: the OTP rotates while you are entering it...
  78. TOTP: way more secure than SMS, more annoying than Push
  79. Push: more secure than TOTP & very convenient
  80. Push: authentication prompt
  81-85. Push: registration flow
  86-90. Push: authentication flow
  91. Push: vulnerabilities
  92-95. Push: vulnerable to phishing attacks
  96. Push: usability challenges
  97. Push: need a different app for each service
  98. Push: what if I lose my trusted device?!
  99. Push: more secure than TOTP & very convenient
  100. U2F: Secure? Yup! Realistic for avg user? Nope!
  101. U2F: gotta get that hardware!
  102. U2F: registration flow - user
  103. U2F: registration flow - technical. Key pair generated and bound to origin
  104. U2F: authentication flow - user
  105-110. U2F: authentication flow - technical
  111. U2F: usability challenges
  112-113. U2F: what if I lose my security key?!
  114. U2F: Secure? Yup! Realistic for avg user? Nope!
  115. Least common denominator
  116. Questions! Slides: AllThingsAuth.com/talks conor@twofactorbuddy.com @conorgil linkedin.com/in/conorgilsenan
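Slide 60 gives the TOTP recipe in one line, and slides 72-77 show the usability consequence of the code rotating every 30 seconds. The Go program below is an added example written for this page; it is not code from the talk or from any authenticator app or library the talk mentions. It implements RFC 4226 HOTP and RFC 6238 TOTP the way a server would, then verifies submitted codes with a window of one step on either side (so a code that rotated while the user was typing it still works) and a record of the last redeemed step (so an intercepted code cannot be replayed). The shared secret is the RFC 6238 Appendix B test secret; `Verifier`, `NewVerifier`, `window` and `lastStep` are this example's own names.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
)

const (
	timeStep   = 30 // seconds per TOTP step (RFC 6238 default, what authenticator apps use)
	totpDigits = 8  // RFC 6238 test vectors use 8 digits; Google Authenticator shows 6
)

// hotp implements RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamically
// truncated to 31 bits and reduced to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of whole time steps since the
// Unix epoch, so app and server derive the same code from the shared secret and the clock.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/timeStep), digits)
}

// Verifier is the server-side state for one enrolled user (example type, not from the talk).
type Verifier struct {
	secret   []byte
	window   int64 // accept codes from this many steps before and after the current one
	lastStep int64 // highest step already redeemed; -1 until the first success
}

func NewVerifier(secret []byte, window int64) *Verifier {
	return &Verifier{secret: secret, window: window, lastStep: -1}
}

// Verify accepts a code for any step within +-window of the current one, so a code that
// rotated while the user was typing it (or a slightly skewed phone clock) still works, but
// never accepts a step at or below the last redeemed one, so an intercepted code cannot be
// replayed. The comparison is constant-time.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	if _, err := strconv.ParseUint(code, 10, 64); err != nil || len(code) != totpDigits {
		return false
	}
	now := unixTime / timeStep
	for delta := -v.window; delta <= v.window; delta++ {
		step := now + delta
		if step <= v.lastStep {
			continue
		}
		expected := hotp(v.secret, uint64(step), totpDigits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret for SHA-1
	for _, at := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d code=%s\n", at, totp(secret, at, totpDigits))
	}
	v := NewVerifier(secret, 1)
	code := totp(secret, 89, totpDigits) // generated in the last second of step 2
	fmt.Println("entered 3 s later:", v.Verify(code, 92), "replayed:", v.Verify(code, 92))
}
```

The window is the knob behind the "rotates while you are entering it" complaint: widening it helps users with slow fingers or skewed clocks, but every extra step is another code an attacker who phished one a moment ago can still use, which is why the verifier also refuses to redeem any step twice. Note that none of this helps against the real-time phishing shown on slides 64-67, where the attacker relays a fresh code inside its 30-second lifetime.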
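Slide 103 says the U2F key pair is "generated and bound to origin", and slides 105-110 walk through the challenge-response. The Go program below is an added model of that flow, written for this page rather than taken from the talk or from any U2F library. It keeps the real authentication message layout (SHA-256 of the appID, the user-presence byte, a 4-byte counter and the SHA-256 of the browser-built clientData, signed with P-256 ECDSA) but simplifies everything around it: `SecurityKey`, `Register`, `Sign`, `Verify` and `Login` are this example's own names, the key handle is random rather than derived from the key and appID as real tokens do, and clientData is a hand-built string instead of the exact JSON a browser emits. Running it shows why the phishing that works against SMS, TOTP and push fails here: on the phishing page the browser asks the token for a key bound to the phishing origin, which does not exist, and a signature the attacker did obtain would cover the wrong appID hash and origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SecurityKey models a U2F authenticator: one P-256 key pair per (appID, handle), i.e. bound to its origin.
type SecurityKey struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // signature counter, included in every assertion
}

func NewSecurityKey() *SecurityKey { return &SecurityKey{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair for appID and returns an opaque handle plus the public key. (Real
// devices derive the handle from key and appID; a random handle is a modelling assumption.)
func (k *SecurityKey) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := randomHex(16)
	k.keys[appID+"|"+handle] = priv
	return handle, &priv.PublicKey, nil
}

// Sign is called by the browser with the appID of the page actually open; a handle registered
// under any other appID is not found, so a phishing origin obtains no signature at all.
func (k *SecurityKey) Sign(appID, handle string, clientDataHash [32]byte) (uint32, []byte, error) {
	priv, ok := k.keys[appID+"|"+handle]
	if !ok {
		return 0, nil, errors.New("security key: no key for this appID and handle")
	}
	k.counter++
	digest := sha256.Sum256(signedData(appID, k.counter, clientDataHash))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return k.counter, sig, err
}

// signedData is the U2F authentication message:
// SHA-256(appID) || user-presence byte 0x01 || 4-byte big-endian counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientDataHash [32]byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	msg := append(appHash[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter)
	return append(msg, clientDataHash[:]...)
}

// clientData stands in for the browser-built JSON (simplified); the browser, not the page's script, sets origin.
func clientData(challenge, origin string) string {
	return fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":"%s","origin":"%s"}`, challenge, origin)
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Verify is the relying party's check: rebuild the signed message from its OWN appID and the
// clientData the browser sent, then verify against the public key stored at registration.
func Verify(rpAppID string, pub *ecdsa.PublicKey, challenge, origin string, counter uint32, sig []byte) error {
	if origin != rpAppID {
		return errors.New("clientData origin does not match this relying party")
	}
	cdHash := sha256.Sum256([]byte(clientData(challenge, origin)))
	digest := sha256.Sum256(signedData(rpAppID, counter, cdHash))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login is one attempt from a page at pageOrigin: the page relays the relying party's challenge,
// the browser signs with the key bound to pageOrigin and reports pageOrigin in clientData.
func Login(rpAppID string, pub *ecdsa.PublicKey, key *SecurityKey, handle, pageOrigin string) error {
	challenge := randomHex(32)
	cdHash := sha256.Sum256([]byte(clientData(challenge, pageOrigin)))
	counter, sig, err := key.Sign(pageOrigin, handle, cdHash)
	if err != nil {
		return err
	}
	return Verify(rpAppID, pub, challenge, pageOrigin, counter, sig)
}

func main() {
	const bank = "https://bank.example"
	key := NewSecurityKey()
	handle, pub, _ := key.Register(bank) // the relying party stores pub under handle
	fmt.Println("genuine login:", Login(bank, pub, key, handle, bank))
	fmt.Println("phishing page:", Login(bank, pub, key, handle, "https://bank-login.example"))
}
```

Two things carry the phishing resistance, and a real relying party must keep both: the token only signs for the appID the browser reports, and the server recomputes the appID hash and the clientData hash itself rather than trusting anything the page sends, so a relayed assertion from another origin fails verification even if the attacker got the user to touch the key. The counter lets a server additionally detect a cloned token (a value that fails to increase) but is not needed for the origin binding shown here.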
