BSides PDX - Threat Modeling Authentication
- 1. Threat Modeling Authentication Kelley Robinson | BSides PDX 2018
- 3. Vertex-based Elliptic Cryptography on N-way Bojangle SpacesPasswords 🤷 Simple Complex
- 4. @kelleyrobinson “How can we help users avoid harm? This begins with a clear understanding of the actual harms they face, and a realistic understanding of their constraints. ”Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
- 5. Threat Modeling Authentication Kelley Robinson
- 7. @kelleyrobinson https://www.owasp.org/index.php/Application_Threat_Modeling 🔐 What are we going to do about that? ✅ Did we do a good job? 🚩 What can go wrong? Application Threat Modeling 🏗 What are we building?
- 8. @kelleyrobinson 🏗 What are we building?
- 9. 💰 💰 💰 @kelleyrobinson 1. Your users have something of value connected to an account * + , Assumptions
- 10. @kelleyrobinson * + , 2. A user can only access the value once they are authenticated Assumptions 💰 💰 💰
- 11. @kelleyrobinson 💰 💰 💰 * + , 3. A successful impersonator could also access that value Assumptions
- 15. Physical Identities • Face • Voice • Fingerprints Contextual Identities • Email address • Phone number • Names and usernames Government Identities • Driver license • Social security card • Birth certificate @kelleyrobinson
- 16. @kelleyrobinson Physical Identities • Most trustworthy • Practically impossible to change
- 17. @kelleyrobinson Government Identities • Very trustworthy • Usually physical • Difficult to change
- 18. @kelleyrobinson Contextual Identities • Not 1:1 relationship • Easier to change
- 19. Why is identity management hard? • Imperfect systems • We may never know if we got it right • Trust waterfalls
- 20. @kelleyrobinson 🚩 What can go wrong?
- 21. @kelleyrobinson “It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them. ”Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
- 22. @kelleyrobinson Think about average case instead of worst case.
- 23. @kelleyrobinson 1. Compromised factors (hacked, guessed, or brute forced) 2. Phishing or vishing 🚩 What can go wrong? https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/13/OIDCSecurity_1.pdf https://tools.ietf.org/html/rfc6819
- 24. @kelleyrobinson ☎ Requests via contact center Authentication: known weak points ↩ Account recovery
- 25. @kelleyrobinson ☎ Requests via contact center • Vishing • Humans are fallible
- 26. @kelleyrobinson ↩ Account recovery • How strict do you want to make it? • Password resets, security questions, backup codes...
- 29. @kelleyrobinson 🔐 What are we going to do?
- 30. @kelleyrobinson “We must prioritize advice...Since users cannot do everything, they must select which advice they will follow and will ignore. ”Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
- 32. Authentication Factors • Something you know • Something you have • Something you are @kelleyrobinson
- 33. @kelleyrobinson
- 34. @kelleyrobinson Something you know: Passwords https://blog.github.com/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/ https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html
- 35. @kelleyrobinson Multi Factor Authentication • SMS / Voice • TOTP • Push • Yubikey
- 36. @kelleyrobinson How to drive adoption of MFA • Profile settings • Prompt during onboarding • Have an ICO 40% adoption 100% adoption 2% adoption
- 37. SMS 2FA is still better than no 2FA @kelleyrobinson
- 38. “When we exaggerate all dangers we simply train users to ignore us. @kelleyrobinson Cormac Herley, The Rational Rejection of Security Advice by Users (2009) ”
- 39. Employees* Moderators Everyone else Potential Reddit 2FA Model Required token based 2FA Required 2FA Optional 2FA *might be managed by IT, not dev
- 40. Balance over $250k Balance over $10k Everyone else Potential Banking 2FA Model Required token based 2FA Required 2FA Optional 2FA
- 41. Verified accounts Over 1,000 followers Everyone else Potential Twitter 2FA Model Required token based 2FA Required 2FA Optional 2FA
- 42. @kelleyrobinson ☎ Requests via contact center Authentication: known weak points ↩ Account recovery
- 44. @kelleyrobinson ↩ Account recovery • Use authentication factors instead of identity (i.e. pin code instead of SSN) • Use security questions that aren't fact based (unavailable via OSINT) http://goodsecurityquestions.com/examples/
- 45. @kelleyrobinson ✅ Did we do a good job?
- 46. @kelleyrobinson ℹ Support costs relative to losses ⬇ 💰 Losses due to account takeover ⬇ 😈 Number of compromised accounts ⬇ 😃 Customer satisfaction ⬆
- 47. @kelleyrobinson “Security people are full of morbid and detailed monologues about the pervasive catastrophes that surround us. ”James Mickens, This World of Ours
- 48. @kelleyrobinson "I dared two expert hackers to destroy my life. Here's what happened."
- 49. @kelleyrobinson Don't blame users for bad passwords. It's our responsibility to protect them.