"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook
0 likes2,949 views
The document outlines Facebook's strategy for improving security through a multi-factor authentication platform, aimed at protecting against remote attackers while maintaining usability for its large user base. It discusses past security incidents, the challenges of various authentication methods, and proposed solutions, including the use of Duo Security and YubiKey. The focus is on balancing security with the need for rapid engineering workflows within Facebook's culture.
![•HowisSSHbeingused?
•Thousandsofengineers
•Tensofthousandsofsessionsperday
•Peakuserswith>3000sessions
•Usingallauthenticationmechanisms
•Whataretheydoing?
sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2
sshd[87820]: User child is on pid 87825
sshd[87825]: Received disconnect from ::1: 11: disconnected by user
Deployment: Planning
Tuesday, October 1, 13](https://image.slidesharecdn.com/004-timtickelchadgreene-2fac-131001135109-phpapp01/85/2Fac-Facebook-s-internal-multi-factor-authentication-Tim-Tickel-Chad-Greene-Facebook-26-320.jpg)
![•Adddetailsaboutwhattheuserisdoing
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
sshd[27587]: User child is on pid 27589
sshd[27589]: Exec Request for user twt with command uname -a
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
sshd[8540]: User child is on pid 8548
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
sshd[8548]: Shell Request for user twt
sshd[8548]: Received disconnect from ::1: 11: disconnected by user
Improving SSH Logs: First Attempt
Tuesday, October 1, 13](https://image.slidesharecdn.com/004-timtickelchadgreene-2fac-131001135109-phpapp01/85/2Fac-Facebook-s-internal-multi-factor-authentication-Tim-Tickel-Chad-Greene-Facebook-27-320.jpg)
![•Adddetailsaboutwhattheuserisdoing
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
sshd[27587]: User child is on pid 27589
sshd[27589]: Exec Request for user twt with command uname -a
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
sshd[8540]: User child is on pid 8548
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
sshd[8548]: Shell Request for user twt
sshd[8548]: Received disconnect from ::1: 11: disconnected by user
•Problem:requiresmultipleloglineswithdifferentPIDsforanalysis
Improving SSH Logs: First Attempt
Tuesday, October 1, 13](https://image.slidesharecdn.com/004-timtickelchadgreene-2fac-131001135109-phpapp01/85/2Fac-Facebook-s-internal-multi-factor-authentication-Tim-Tickel-Chad-Greene-Facebook-28-320.jpg)
![•AddsessionizationdatatoSSHlogs
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
Sesssionizing SSH Logs
Tuesday, October 1, 13](https://image.slidesharecdn.com/004-timtickelchadgreene-2fac-131001135109-phpapp01/85/2Fac-Facebook-s-internal-multi-factor-authentication-Tim-Tickel-Chad-Greene-Facebook-29-320.jpg)
![•SwitchtouseSFTPsolution?
•Primarysecurityconcern:
•Singlefactorcommandexecution
•Solution:
•SSHwhitelists
•Newproblem:
• REGEX:sh
-‐c
"cd
(~/|w)(((?<!..)/)|((?<!/).)|[w_-‐])+
&&
grep
-‐P
'[^']+t'
tags
|
head
-‐n
10"
Handling scripts + TRAMP mode
Tuesday, October 1, 13](https://image.slidesharecdn.com/004-timtickelchadgreene-2fac-131001135109-phpapp01/85/2Fac-Facebook-s-internal-multi-factor-authentication-Tim-Tickel-Chad-Greene-Facebook-43-320.jpg)
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook
- 1. Tuesday, October 1, 13
- 2. 2FAC:Facebook’sinternalmulti- factorauthplatform C O N F I D E N T I A L FacebookSecurity Tuesday, October 1, 13
- 4. Facebook - Big Numbers 1.15B monthly active users 699M daily active users (80+% outside US) 5K+ employees Tuesday, October 1, 13
- 5. Identifying weakest points Red Teams Incident 1: Spear phishing OWA Incident 2: Breach identified in January Tuesday, October 1, 13
- 6. Red Team Drills - Identify weak points Tuesday, October 1, 13
- 7. Incident: Spear Phishing OWA Tuesday, October 1, 13
- 8. Incident: Spear Phishing OWA Tuesday, October 1, 13
- 9. Incident: Breach discovered in Jan 2013 digitalinsight-ltd Tuesday, October 1, 13
- 10. Incident: Breach discovered in Jan 2013 Tuesday, October 1, 13
- 11. Goal: Protect against remote attackers •DisruptLateralMovementphase •Ensurelocaluserisatkeyboard •LimitoriginofillegitimateSSHaccess Non-goal: Protect against local attackers Why 2Fac for SSH? Tuesday, October 1, 13
- 12. •Facebookculture:MoveFast •Intolerantofslowdown •Highlyskilledatfindingworkarounds •PrimarilyworkviaSSHondevservers Engineering @ FB Tuesday, October 1, 13
- 14. State of Multi-Factor Tuesday, October 1, 13
- 19. •Easytosetup •Easytouse •Push(onlyonsomedevices) •Requiresfast,reliableonlinechannel •Usabilityisgoodonlyforinfrequentuse OOB / Mobile Tuesday, October 1, 13
- 20. Tuesday, October 1, 13
- 23. Deployment: Planning Tuesday, October 1, 13
- 26. •HowisSSHbeingused? •Thousandsofengineers •Tensofthousandsofsessionsperday •Peakuserswith>3000sessions •Usingallauthenticationmechanisms •Whataretheydoing? sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2 sshd[87820]: User child is on pid 87825 sshd[87825]: Received disconnect from ::1: 11: disconnected by user Deployment: Planning Tuesday, October 1, 13
- 27. •Adddetailsaboutwhattheuserisdoing sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 sshd[27587]: User child is on pid 27589 sshd[27589]: Exec Request for user twt with command uname -a sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 sshd[8540]: User child is on pid 8548 sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 sshd[8548]: Shell Request for user twt sshd[8548]: Received disconnect from ::1: 11: disconnected by user Improving SSH Logs: First Attempt Tuesday, October 1, 13
- 28. •Adddetailsaboutwhattheuserisdoing sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 sshd[27587]: User child is on pid 27589 sshd[27589]: Exec Request for user twt with command uname -a sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 sshd[8540]: User child is on pid 8548 sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 sshd[8548]: Shell Request for user twt sshd[8548]: Received disconnect from ::1: 11: disconnected by user •Problem:requiresmultipleloglineswithdifferentPIDsforanalysis Improving SSH Logs: First Attempt Tuesday, October 1, 13
- 29. •AddsessionizationdatatoSSHlogs sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786 sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786 sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786 sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32 sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32 sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32 sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32 sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32 Sesssionizing SSH Logs Tuesday, October 1, 13
- 30. •Whataretheydoing? •SFTP •Randomscripts •TRAMPmode •Lotsofshells •Usingeveryauthenticationmechanism SSH Usage Analysis Tuesday, October 1, 13
- 35. Handling SFTP Tuesday, October 1, 13
- 39. Handling scripts + TRAMP mode Tuesday, October 1, 13
- 40. •SwitchtouseSFTPsolution? Handling scripts + TRAMP mode Tuesday, October 1, 13
- 41. •SwitchtouseSFTPsolution? •Primarysecurityconcern: •Singlefactorcommandexecution Handling scripts + TRAMP mode Tuesday, October 1, 13
- 42. •SwitchtouseSFTPsolution? •Primarysecurityconcern: •Singlefactorcommandexecution •Solution: •SSHwhitelists Handling scripts + TRAMP mode Tuesday, October 1, 13
- 43. •SwitchtouseSFTPsolution? •Primarysecurityconcern: •Singlefactorcommandexecution •Solution: •SSHwhitelists •Newproblem: • REGEX:sh -‐c "cd (~/|w)(((?<!..)/)|((?<!/).)|[w_-‐])+ && grep -‐P '[^']+t' tags | head -‐n 10" Handling scripts + TRAMP mode Tuesday, October 1, 13