Second Factor Authentication (2FA)
Fall 2017 Secure Software Systems
Second Factor Authentication (2FA)
• SMS verification
• Time-based One Time Password (TOTP)
• Universal 2nd Factor (U2F)
SMS Messaging
• Service provider texts the client a code to enter after the username/password stage
• Advantage
  • Simple! Convenient for all users! (no app to install, no hardware to buy)
• Disadvantage
  • SIM swapping: the attacker convinces the phone company that they are you and have purchased a new phone
  • Your phone number now goes to their phone, and so does every SMS code
  • The code is also just a short shared secret in transit: a phishing page can ask for it and relay it in real time
  • Discouraged in the 2017 NIST guidelines (SP 800-63B classes SMS out-of-band as a "restricted" authenticator)
    https://pages.nist.gov/800-63-3/
Time-based One Time Password (TOTP)
Image source: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324 (written by a vendor of hardware keys...)
Time-based One Time Password (TOTP)
• Strengths
  • Better than only one factor (password)
  • Resistant to replay if the password is stolen or guessed: a code is only valid for one time step (about 30 s), and only once if the server refuses to accept the same code twice
  • Resistant to attackers stealing your phone number (nothing is sent over SMS)
  • Simple; implementable in software apps (Google Authenticator, etc.)
• Weaknesses
  • User and service provider share the same secret (the seed scanned from the QR code)
  • The secret must be accessible in plaintext on the server to combine it with the current time and compute the HMAC, so unlike a password it cannot be stored as a salted hash
  • Service provider hacked? Secret lost, and the second factor for all users is lost with it
  • Not phishing resistant: a fake login page can ask for the current code and relay it within the time step
FIDO Alliance
• Fast IDentity Online (FIDO)
• Industry consortium
• Interoperability for strong authentication devices
Universal 2nd Factor (U2F)
• Open standard for USB or NFC security devices
  • Developed by Google and Yubico
  • Multiple vendors of hardware devices
• Use cases
  • Computer login (Windows, OS X, Linux)
  • Second factor login for online services supporting the U2F protocol
    • Websites: Google, Dropbox, GitHub, Bitbucket, Facebook, Salesforce
    • Browsers: Chrome, Firefox, Opera
Image source: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324 (written by a vendor of hardware keys...)
Universal 2nd Factor (U2F)
U2F login sequence (User / Browser / Server):
1. User → Browser → Server: username and password
2. Server: verify login
3. Server: generate challenge (random number)
4. Server → Browser → User's key: challenge
5. Alice presses button; the key signs the challenge
6. User's key → Browser → Server: response
7. Server: verify response against the registered public key
Universal 2nd Factor (U2F)
• No shared secret: the private key is locked in hardware, the service provider only ever holds the public key
• Automated: no typing of one-time codes
• The hardware stores the private key and uses it to sign the challenge message (a random number) from the service provider; the service provider validates the signature with the matching public key
• A fresh challenge each login and a signature counter in the response defeat replay; the signed data also covers the site origin the browser saw, so a response captured by a phishing site does not verify at the real one
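The exchange in the diagram above, as an added example in Go that is not part of the original slides: a simulated token that keeps a P-256 private key and a signature counter, and a server that stores only the public key. The signed bytes follow the U2F raw-message layout (application parameter, user-presence byte, counter, challenge parameter); the challenge parameter is simplified here to SHA-256(challenge || origin) instead of U2F's client-data JSON, and the `Token`, `Server` and `ChallengeParam` names are this example's own. The server rejects a replayed response (counter did not advance) and a response signed for a phishing origin (signature does not verify).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token models the hardware key: the private key is generated here and never
// leaves; counter is the monotonic signature counter a U2F device reports.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// PublicKey is the only key material the server ever sees (at registration).
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign is the "Alice presses button" step: user presence is asserted (0x01),
// the counter advances, and the token signs SHA-256 over
// appParam || presence || counter || chalParam (the U2F raw layout).
func (t *Token) Sign(appParam, chalParam [32]byte) (uint32, []byte, error) {
	t.counter++
	digest := sha256.Sum256(signedBytes(appParam, 0x01, t.counter, chalParam))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return t.counter, sig, err
}

// signedBytes is shared by signer and verifier: 32 + 1 + 4 + 32 bytes.
func signedBytes(appParam [32]byte, presence byte, counter uint32, chalParam [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 69)
	buf = append(buf, appParam[:]...)
	buf = append(buf, presence)
	buf = append(buf, ctr[:]...)
	return append(buf, chalParam[:]...)
}

// ChallengeParam is what the browser hands the token: a hash over the server's
// challenge and the origin the browser actually loaded (simplified from U2F's
// client-data JSON). A phishing origin gives a different hash, so the
// resulting signature will not verify at the real site.
func ChallengeParam(challenge [32]byte, origin string) [32]byte {
	return sha256.Sum256(append(challenge[:], origin...))
}

// Server side: public keys and the last counter seen per user, no secrets.
type registration struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

type Server struct {
	origin string
	users  map[string]*registration
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]*registration{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) {
	s.users[user] = &registration{pub: pub}
}

// NewChallenge returns a fresh random nonce; a real server binds it to the
// login session so it can be answered at most once.
func (s *Server) NewChallenge() ([32]byte, error) {
	var c [32]byte
	_, err := rand.Read(c[:])
	return c, err
}

// VerifyResponse recomputes the signed bytes with the server's own origin,
// checks the signature against the registered public key, and rejects any
// counter that did not move forward (replayed response or cloned token).
func (s *Server) VerifyResponse(user string, challenge [32]byte, counter uint32, sig []byte) error {
	reg, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	appParam := sha256.Sum256([]byte(s.origin))
	digest := sha256.Sum256(signedBytes(appParam, 0x01, counter, ChallengeParam(challenge, s.origin)))
	if !ecdsa.VerifyASN1(reg.pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	if counter <= reg.lastCounter {
		return errors.New("signature counter did not increase")
	}
	reg.lastCounter = counter
	return nil
}

func main() {
	tok, _ := NewToken()
	srv := NewServer("https://example.com")
	srv.Register("alice", tok.PublicKey())
	ch, _ := srv.NewChallenge()
	ctr, sig, _ := tok.Sign(sha256.Sum256([]byte(srv.origin)), ChallengeParam(ch, srv.origin))
	fmt.Println("genuine login:", srv.VerifyResponse("alice", ch, ctr, sig)) // <nil>
	fmt.Println("replayed     :", srv.VerifyResponse("alice", ch, ctr, sig)) // counter error
}
```

Compare this with the TOTP server: a dump of `Server.users` yields only public keys and counters, which is why a breach of the service provider does not cost every user their second factor.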
U2F Example: YubiKey
U2F Risks
• What if I lose my U2F key?
  • You've lost your second factor
  • Account recovery is up to your service provider
• Recommendations
  • Register two U2F devices with each service provider so you have a backup
  • Save backup codes (if any) from the provider in a secure location
YubiKey 4
• Multiple standards supported
  • FIDO U2F
  • Smartcard (PIV)
  • Yubico OTP
  • Code signing
  • OpenPGP
  • Challenge-Response (HMAC-SHA1)
  • OATH (TOTP and HOTP)
  • Secure static password
  • Touch to trigger
Google Advanced Protection Program
Targeted Attacks on Public Figures
"Revealed: Top Hillary aide John Podesta opened himself to massive Russian hacking effort by using Gmail instead of secure official server"
http://www.dailymail.co.uk/news/article-5047471/Inside-story-How-Russians-hacked-Democrats-emails.html (Nov 3 2017)
"Hacking Coinbase: The Great Bitcoin Bank Robbery"
http://fortune.com/2017/08/22/bitcoin-coinbase-hack/ (Aug 22 2017)
Targeted attack on a public figure (the Coinbase case):
• SIM switch via T-Mobile
• Reset Google password: the two-factor SMS code goes to the attacker
• Change Google password
• Reset Coinbase password: the reset email goes to the now-controlled Gmail account
• Profit!
Security v Convenience
• Google Advanced Protection Program
  • Launched October 2017
  • Free (after buying hardware)
  • Favors security over convenience
• 2nd factor
  • No SMS
  • No TOTP / Google Authenticator app
  • Must have two FIDO/U2F hardware keys
• Software
  • No non-Google software: only Chrome and first-party apps
  • No third-party site that authenticates via Google account
• Password resets
  • No backup codes
  • No reset via email/SMS
  • Only manual account review; the "cooling off" period will take a few days
Google Advanced Protection Program
• Target audience
  • Campaign staffers preparing for an upcoming election
  • Journalists who need to protect the confidentiality of their sources
  • People in abusive relationships seeking safety
  • Human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues
• High net-worth individuals
  • VIPs
  • Perhaps politicians and company management using a Google account in a personal capacity