Implementing Multi-factor Auth (dotSecurity 2016)

Jacob Kaplan-Moss

April 22, 2016

Transcript

  1. Implementing multi-factor authentication
    Jacob Kaplan-Moss
    [email protected]
    Photo by Jordan Wiseman - https://unsplash.com/photos/AsQs1AziQD4

  2. @jacobian
    I MFA

  3. @jacobian https://twofactorauth.org/


  5. @jacobian
    “Oh, I need to add multi-factor auth.”

  6. @jacobian
    Why “multi-factor”
    instead of “two-factor”?

  7. @jacobian
    Why “multi-factor”
    instead of “two-factor”?
    Password
    IP address
    User-Agent
    User behavior
    User location
    “Challenges”
    ...

  8. “Possession factors”
    Photo by #WOCinTech/#WOCinTech Chat - https://flic.kr/p/EFQHok

  9. @jacobian
    1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
    a. MFA for public-facing services
    b. MFA for internal systems


  11. @jacobian
    Possession factor options:
    1. Out-of-band communications
    2. Soft Tokens
    3. Hard Tokens

  12. @jacobian
    Out-of-band
    communication
    e.g. phone calls, emails, SMS, …

  13. @jacobian
    Soft tokens
    e.g. Google Authenticator,
    Authy, SecureAuth, RSA...

  14. https://www.flickr.com/photos/digitalart/2836613675/
    Hard tokens
    e.g. U2F, RSA keys,
    YubiKeys, PIV cards, …

  15. @jacobian
    Criteria for comparing
    possession factors:
    1. Risks
    2. User Experience
    3. Cost

  16. @jacobian
    Risks
    Can codes be intercepted? Re-used? Brute-forced?
    Would a token theft/re-use be noticed?
    How secure against malware is the factor?

  17. @jacobian
    User Experience
    Multi-factor authentication is useless
    if your users won’t use it!

  18. @jacobian
    Cost
    What’s the implementation cost?
    What’s the per-user cost?

  19. @jacobian
    Comparison:

  20. @jacobian
    Out-of-band communication:
    Risks:
    - Communications can be intercepted
    - Users will set up forwarding schemes
    - Can be compromised by device malware
    - Delivery is usually to the same device being used
    UX:
    - users are familiar with SMS
    - easy setup for users
    - re-uses devices users already have
    - typing codes is error-prone, not suitable for frequent auths
    - delays in delivery can cause timeouts, frustrating users
    Cost:
    - Typically free for users.
    - Minimal delivery cost for providers (~ $0.01/message)

  21. @jacobian
    Soft tokens
    Risks:
    - Can be compromised by device malware.
    - Typically based around a shared secret, which can be silently stolen.
    - Time-based tokens are vulnerable to theft, brute-forcing, and re-use.
    - Delivery is usually to the same device being used.
    UX:
    - re-uses devices users already have
    - relatively familiar (to experienced users, at least)
    - enrollment can be confusing (TOTP)
    - time skew on devices can make implementation difficult
    Cost:
    - Free to users.
    - Provider costs range from free (e.g. TOTP) to several $/user.

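The three soft-token risks on this slide (brute-forcing, re-use, and time skew) are all handled on the verifier side. The following is an added example, not code from the talk: an RFC 4226/6238 HOTP/TOTP verifier in standard-library Python that accepts one step of clock skew, refuses any code at or below the last accepted time step (so a stolen or shoulder-surfed code cannot be replayed), and locks the factor after a fixed number of failures instead of letting an attacker walk the 10^6 space. The window size, lockout threshold and class name are assumptions for the example; the test secret is the one from RFC 4226/6238.

```python
"""Added example (not from the talk): TOTP verification with skew
tolerance, replay rejection and a brute-force lockout, stdlib only."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30          # RFC 6238 default time step, in seconds
DIGITS = 6
SKEW_STEPS = 1     # also accept the previous and the next step (about +/- 30 s)
MAX_FAILURES = 5   # lock the second factor after this many bad codes (assumed policy)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP is HOTP with the counter set to floor(now / step)."""
    return hotp(secret, now // step)


def decode_base32(shared: str) -> bytes:
    """Authenticator apps exchange the secret as (often unpadded) base32."""
    shared = shared.strip().replace(" ", "").upper()
    return base64.b32decode(shared + "=" * (-len(shared) % 8))


class TotpVerifier:
    """Per-user verification state: last accepted step and failure count.

    In a real service both fields live in the user's database row so the
    replay and lockout checks hold across processes, not just this object.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already consumed by a login
        self.failures = 0

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = int(time.time())
        if self.failures >= MAX_FAILURES:
            return False   # locked: the user needs a backup path, not more guesses
        if len(code) != DIGITS or not code.isdigit():
            self.failures += 1
            return False
        current = now // STEP
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self.last_step:
                continue   # already used: a stolen code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    demo_secret = decode_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(demo_secret, int(time.time())))
```

Because the replay check keys on the time step rather than the code value, a code that is valid for two adjacent steps is still consumed once; widening `SKEW_STEPS` beyond one trades a little brute-force margin for tolerance of badly skewed phones, which is the trade-off the "time skew" bullet above is pointing at.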
  22. @jacobian
    Hard tokens
    Risks:
    - “Master keys” can be stolen
    UX:
    - “just press the button”; can be suitable for frequent auths
    - some tokens can also be used for encryption, signing
    - lost tokens can mean long lockouts
    - no real standards mean token proliferation
    Cost:
    - At least $20 per user

  23. @jacobian
    1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
    a. MFA for public-facing services
    b. MFA for internal systems


  25. @jacobian
    When should you require a possession factor?

  26. @jacobian
    When should you require a possession factor?
    Good: upon every login

  27. @jacobian
    When should you require a possession factor?
    Good: upon every login
    Better: ... and when performing sensitive actions

  28. @jacobian
    When should you require a possession factor?
    Good: upon every login
    Better: ... and when performing sensitive actions
    Best: ... and based on behavioral analysis

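The Good / Better / Best ladder above is a policy decision that has to be written down somewhere in the application. As an added example (not from the talk), here is one way to encode it: every session starts without a verified possession factor, a sensitive action requires a check that is still fresh, and a change in the session's observable context (a different network or client) forces a re-challenge even when the last check was recent. The freshness window, the set of sensitive actions, the /24 and /64 "same place" heuristic and all names are assumptions for the example.

```python
"""Added example (not from the talk): a step-up policy for when to demand
the possession factor: on login, before sensitive actions, and on a
behavioral signal (network or client change). All thresholds are assumed."""
import ipaddress

FRESH_FOR = 5 * 60   # a second-factor check counts as fresh for five minutes
SENSITIVE_ACTIONS = {"change_password", "add_ssh_key", "withdraw", "disable_mfa"}


class Session:
    """What the server remembers about one login session."""

    def __init__(self, ip: str, user_agent: str, now: float):
        self.ip = ip
        self.user_agent = user_agent
        self.created_at = now
        self.mfa_verified_at = None   # None until the possession factor is checked

    def record_mfa(self, now: float):
        self.mfa_verified_at = now


def _network(ip: str):
    """Coarsen an address to a /24 (IPv4) or /64 (IPv6) so ordinary DHCP
    churn does not look like a move; the prefix length is a policy choice."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def context_changed(session: Session, ip: str, user_agent: str) -> bool:
    """The behavioral trigger: same session cookie, different network or client."""
    return _network(session.ip) != _network(ip) or session.user_agent != user_agent


def needs_mfa(session: Session, action: str, ip: str, user_agent: str, now: float):
    """Return why a possession-factor challenge is required, or None if not."""
    if session.mfa_verified_at is None:
        return "login"              # Good: every login
    if context_changed(session, ip, user_agent):
        return "context-change"     # Best: behavior-based re-challenge
    if action in SENSITIVE_ACTIONS and now - session.mfa_verified_at > FRESH_FOR:
        return "sensitive-action"   # Better: step-up for sensitive actions
    return None
```

The order of the checks matters: the context test runs before the freshness test, so a session hijacked from another network is challenged even when the legitimate user completed MFA a minute ago. Once the challenge succeeds the caller records the new time and updates `session.ip` and `session.user_agent` to the values that were just verified.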
  29. @jacobian
    How should we handle lost tokens?

  30. @jacobian
    How should we handle lost tokens?
    Backup codes?

  31. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)

  32. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails?

  33. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)

  34. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”?

  35. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”? (vulnerable to social engineering)

  36. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”? (vulnerable to social engineering)
    “sorry; deal with it”?

  37. @jacobian
    How should we handle lost tokens?
    Backup codes? (users don’t save them)
    Backup phone/emails? (expands attack surface)
    “Contact support”? (vulnerable to social engineering)
    “sorry; deal with it”? (not very user-friendly)

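Backup codes are the option on this slide whose failure mode is entirely in the implementation: if they are stored in plaintext, reusable, or short enough to guess, the recovery path becomes the weakest second factor the account has. The following is an added example, not code from the talk, showing the usual treatment: codes drawn from the CSPRNG, shown to the user exactly once, stored only as salted hashes, compared in constant time and burned on first use. The code length, alphabet and record layout are assumptions for the example.

```python
"""Added example (not from the talk): single-use backup codes for the
lost-token case, stored only as salted hashes. Layout and sizes assumed."""
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_LEN = 8
# 32 symbols, 5 bits each: an 8-character code carries 40 bits of entropy.
# 0/o and 1/l are left out so codes survive being read aloud or typed.
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept the code however the user typed it (case, dashes, spaces)."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash(code: str, salt: bytes) -> bytes:
    # A backup code is a 40-bit random secret, not a human-chosen password,
    # so a single salted SHA-256 is sufficient; reserve PBKDF2/Argon2 for
    # low-entropy secrets where the slow hash is the whole point.
    return hashlib.sha256(salt + code.encode()).digest()


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user once, records to persist).

    The plaintext list must never be stored; only the records are kept.
    """
    plain, stored = [], []
    for _ in range(count):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        salt = secrets.token_bytes(16)
        plain.append(code[:4] + "-" + code[4:])
        stored.append({"salt": salt, "hash": _hash(code, salt), "used": False})
    return plain, stored


def redeem_backup_code(stored, submitted: str) -> bool:
    """Consume a code: constant-time compare, valid exactly once."""
    submitted = normalize(submitted)
    for rec in stored:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash(submitted, rec["salt"]), rec["hash"]):
            rec["used"] = True   # burn it; a leaked or re-read code is worthless now
            return True
    return False


def codes_remaining(stored) -> int:
    """Surface this to the user so they regenerate before running out."""
    return sum(1 for rec in stored if not rec["used"])


if __name__ == "__main__":
    codes, records = generate_backup_codes()
    print("show once:", " ".join(codes))
    print("redeemed:", redeem_backup_code(records, codes[0]))
    print("remaining:", codes_remaining(records))
```

Redemption should sit behind the same failure counter and lockout as the primary factor, and using a backup code is a good moment to prompt the user to re-enroll a token, since the slide's objection ("users don't save them") means the remaining codes are probably gone too.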
  38. @jacobian
    1. Possession factor options
    2. Implementation questions
    3. Two recommendations:
    a. MFA for public-facing services
    b. MFA for internal systems

  39. @jacobian
    MFA for public-facing systems:
    Factor:
    Require MFA:
    Lost tokens:

  40. @jacobian
    MFA for public-facing systems:
    Factor: Out-of-band communication, or good soft token implementation (Authy)
    Require MFA:
    Lost tokens:

  41. @jacobian
    MFA for public-facing systems:
    Factor: Out-of-band communication, or good soft token implementation (Authy)
    Require MFA: at login, and when performing sensitive actions
    Lost tokens:

  42. @jacobian
    MFA for public-facing systems:
    Factor: Out-of-band communication, or good soft token implementation (Authy)
    Require MFA: at login, and when performing sensitive actions
    Lost tokens: backup codes & phone/email backup; don’t allow support to reset MFA

  43. @jacobian
    MFA for internal systems:
    Factor:
    Require MFA:
    Lost tokens:

  44. @jacobian
    MFA for internal systems:
    Factor: hard tokens (U2F or Yubikey)
    Require MFA:
    Lost tokens:

  45. @jacobian
    MFA for internal systems:
    Factor: hard tokens (U2F or Yubikey)
    Require MFA: based on behavior analysis
    Lost tokens:

  46. @jacobian
    MFA for internal systems:
    Factor: hard tokens (U2F or Yubikey)
    Require MFA: based on behavior analysis
    Lost tokens: until real-life identity verification

  47. @jacobian
    “Oh, I need to add multi-factor auth.”

  48. @jacobian
    “I get to add multi-factor auth!”

  49. Thank you!
    [email protected]
    Photo by Hello Goodbye - https://unsplash.com/photos/uGtdjBMK28s

  50. Credits:
    Slide deck based on a template by Alice Bartlett:
    http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides.
    Font: Roboto, by Christian Robertson
    https://www.fontsquirrel.com/fonts/roboto.
    Photos by:
    - Unsplash, https://unsplash.com/
    - #WOCinTech/#WOCinTech Chat, http://www.wocintechchat.com/
    (see slides for individual credits).
