
Authentication Beyond SMS

397 views

Published on

Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task!

This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.

Published in: Engineering

Authentication Beyond SMS

  1. Authentication Beyond SMS. Kelley Robinson | PasswordsCon 2018
  2. (Chart, "Simple" to "Complex" axis:) Passwords ... 🤷 ... Vertex-based Elliptic Cryptography on N-way Bojangle Spaces
  3. Kelley Robinson. Authentication Beyond SMS
  4. @kelleyrobinson ☎ 🔐 👋 %
  5. How common is this?
  6. 💰$5.1B💰 in 2017
  7. https://xkcd.com/1121/
  8. ⚓ Trust Anchors
  9. ⚓ Trust Anchors: "An established point of trust from which an entity begins the validation of an authorized process" (NIST Computer Security Resource Center Glossary)
  10. Physical Identities: Face; Voice; Fingerprints. Contextual Identities: Email address; Phone number; Usernames. Government Identities: Passport; Social security card (USA); Birth certificate
  11. Physical Identities: Trust anchor; Very trustworthy; Practically impossible to change
  12. Government Identities: Also a trust anchor?; Usually physical; Difficult to change
  13. Contextual Identities: ...also treated like a trust anchor?; Not 1:1 relationship; Easier to change
  14. Why is identity verification hard? Imperfect systems; We may never know if we got it right
  15. 🔐 What are we going to do?
  16. @kelleyrobinson
  17. No. It's not. https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/
  18. Multi Factor Authentication: SMS / Voice; TOTP; Push; Yubikey; ...and more
  19. 📱 SMS 2FA: Most popular; Easy to use and getting easier; Low barrier to entry
  20. 📱 Why is SMS for MFA "Bad"? SS7 vulnerabilities; SIM swapping (social engineering); Not E2E encrypted. Link: The Post SS7 Future of 2FA
  21. SMS 2FA is still better than no 2FA
  22. “When we exaggerate all dangers we simply train users to ignore us.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
  23. U2F
  24. Push
  25. TOTP (Time-based One Time Passwords)
  26. WhatsApp, or other encrypted messaging
  27. @kelleyrobinson
  28. “We learned that SMS-based authentication is not nearly as secure as we would hope.” Reddit Security Incident Disclosure, 2018-08-01
  29. Very Official Risk Assessment (chart; x-axis: Account value, y-axis: Likelihood of being a target)
  30. Account value*: Money, Information, Control, Power (chart; x-axis: Account value, y-axis: Likelihood of being a target)
  31. Potential Reddit 2FA Model: Employees* (Required token based 2FA); Moderators (Required 2FA); Everyone else (Optional 2FA). *might be managed by IT, not dev
  32. Potential Banking 2FA Model: Balance over $250k (Required token based 2FA); Balance over $10k (Required 2FA); Everyone else (Optional 2FA)
  33. Potential Twitter 2FA Model: Verified accounts (Required token based 2FA); Over 1,000 followers (Required 2FA); Everyone else (Optional 2FA)
  34. ☎ Known authentication weak point: Requests via contact center
  35. ☎ Requests via contact center. https://twitter.com/patio11/status/1053205207964823552
  36. ☎ Requests via contact center
  37. 📈 Measuring effectiveness
  38. ℹ Support costs *relative to* losses ⬇; 💰 Losses due to account takeover ⬇; 😈 Number of compromised accounts ⬇; 😃 Customer satisfaction ⬆
  39. “Security people are full of morbid and detailed monologues about the pervasive catastrophes that surround us.” James Mickens, This World of Ours
  40. Don't blame users. It's our responsibility to protect them.
  41. THANK YOU! @kelleyrobinson
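Slides 18 and 25 list TOTP as one of the MFA options that avoids the SS7 and SIM-swap exposure of SMS, and the talk description points to its offline benefit: the code is derived from a shared secret and the clock, so nothing is delivered over a carrier network. The following is an added example, not code from the talk or from Kelley Robinson; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, plus a hypothetical server-side `TotpVerifier` that tolerates one step of clock drift, compares codes in constant time and refuses to accept a time step it has already accepted, so a code that was observed cannot be replayed within its 30-second window. The secret used in the `__main__` block is the RFC 6238 Appendix B test seed, not a real key.

```python
"""Added example (not from the talk): RFC 6238 TOTP generation and a
server-side verifier with a drift window and replay rejection."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits, algorithm)


def decode_base32_secret(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (the otpauth://
    enrolment URI), often unpadded and grouped with spaces; normalise and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Hypothetical server-side check of a submitted code (assumed design,
    not from the talk).

    Accepts codes from up to `drift_steps` time steps either side of the
    server clock (tolerating device clock skew), compares in constant time,
    and remembers the highest time step it has accepted so the same code
    cannot be replayed while it is still within the drift window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        # Per-user state; in a real deployment persist this in the user record.
        self.last_accepted_step = -1

    def verify(self, candidate: str, unix_time: int) -> bool:
        # Reject malformed input before doing any crypto.
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue  # already consumed (or older): this blocks replays
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed (a published test vector, not a real key).
    seed = b"12345678901234567890"
    print(totp(seed, 59, digits=8))  # 94287082 per RFC 6238 Appendix B
    v = TotpVerifier(seed)
    first = v.verify(totp(seed, 59), 59)   # True: fresh code in the current step
    replay = v.verify(totp(seed, 59), 61)  # False: same step already accepted
    print(first, replay)
```

The replay check is the part most often missing from hand-rolled verifiers: without `last_accepted_step`, a code captured by a phishing page stays valid for the whole drift window, which is the same window the attacker needs to submit it. Keeping the check per user and persisting it alongside the secret is what makes the TOTP counter behave like HOTP's monotonic counter.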
