
BSides PDX - Threat Modeling Authentication

Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs to convince computers we’re human. Is there a better way?

Published in: Engineering

BSides PDX - Threat Modeling Authentication

  1. Threat Modeling Authentication. Kelley Robinson | BSides PDX 2018
  2. Simple ↔ Complex scale: Passwords 🤷 ... Vertex-based Elliptic Cryptography on N-way Bojangle Spaces
  3. @kelleyrobinson. “How can we help users avoid harm? This begins with a clear understanding of the actual harms they face, and a realistic understanding of their constraints.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
  4. Threat Modeling Authentication. Kelley Robinson
  5. ☎ 🔐 👋
  6. Application Threat Modeling (https://www.owasp.org/index.php/Application_Threat_Modeling): 🏗 What are we building? 🚩 What can go wrong? 🔐 What are we going to do about that? ✅ Did we do a good job?
  7. 🏗 What are we building?
  8. Assumptions (1): Your users have something of value 💰 connected to an account
  9. Assumptions (2): A user can only access the value once they are authenticated
  10. Assumptions (3): A successful impersonator could also access that value
  11. How common is this?
  12. 💰 $5.1B 💰 in 2017
  13. https://xkcd.com/1121/
  14. Physical identities: face, voice, fingerprints. Contextual identities: email address, phone number, names and usernames. Government identities: driver license, social security card, birth certificate.
  15. Physical identities: most trustworthy; practically impossible to change
  16. Government identities: very trustworthy; usually physical; difficult to change
  17. Contextual identities: not a 1:1 relationship; easier to change
  18. Why is identity management hard? Imperfect systems; we may never know if we got it right; trust waterfalls
  19. 🚩 What can go wrong?
  20. “It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
  21. Think about average case instead of worst case.
  22. 🚩 What can go wrong? 1. Compromised factors (hacked, guessed, or brute forced) 2. Phishing or vishing. References: https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/13/OIDCSecurity_1.pdf and https://tools.ietf.org/html/rfc6819
  23. Authentication: known weak points. ☎ Requests via contact center; ↩ Account recovery
  24. ☎ Requests via contact center: vishing; humans are fallible
  25. ↩ Account recovery: how strict do you want to make it? Password resets, security questions, backup codes...
  26. Very Official Risk Assessment (chart: account value vs. likelihood of being a target)
  27. Account value*: money, information, control, power (plotted against likelihood of being a target)
  28. 🔐 What are we going to do?
  29. “We must prioritize advice... Since users cannot do everything, they must select which advice they will follow and will ignore.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
  30. Single Sign-on 🤷
  31. Authentication factors: something you know; something you have; something you are
  32. (image-only slide)
  33. Something you know: Passwords. https://blog.github.com/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/ and https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html
  34. Multi Factor Authentication: SMS / Voice; TOTP; Push; Yubikey
  35. How to drive adoption of MFA: profile settings; prompt during onboarding; have an ICO (adoption figures shown on the slide: 40%, 100%, 2%)
  36. SMS 2FA is still better than no 2FA
  37. “When we exaggerate all dangers we simply train users to ignore us.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
  38. Potential Reddit 2FA model: Employees* → required token based 2FA; Moderators → required 2FA; Everyone else → optional 2FA. (*might be managed by IT, not dev)
  39. Potential Banking 2FA model: Balance over $250k → required token based 2FA; Balance over $10k → required 2FA; Everyone else → optional 2FA
  40. Potential Twitter 2FA model: Verified accounts → required token based 2FA; Over 1,000 followers → required 2FA; Everyone else → optional 2FA
  41. Authentication: known weak points. ☎ Requests via contact center; ↩ Account recovery
  42. ☎ Requests via contact center: https://twitter.com/patio11/status/1053205207964823552
  43. ↩ Account recovery: use authentication factors instead of identity (i.e. pin code instead of SSN); use security questions that aren't fact based (unavailable via OSINT). http://goodsecurityquestions.com/examples/
  44. ✅ Did we do a good job?
  45. ℹ Support costs relative to losses ⬇; 💰 Losses due to account takeover ⬇; 😈 Number of compromised accounts ⬇; 😃 Customer satisfaction ⬆
  46. “Security people are full of morbid and detailed monologues about the pervasive catastrophes that surround us.” James Mickens, This World of Ours
  47. “I dared two expert hackers to destroy my life. Here's what happened.”
  48. Don't blame users for bad passwords. It's our responsibility to protect them.
  49. THANK YOU! @kelleyrobinson
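The pwned-password check that slide 33 links to, as an added example that is not code from the talk: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the Pwned Passwords range endpoint, and matches the remaining suffix locally, so the full hash never leaves the machine. The `fake_range_lookup` stand-in and its breach counts are constructed for offline use; `live_range_lookup` queries the real https://api.pwnedpasswords.com/range/ endpoint and needs network access.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed offline stand-in for the range API. The client only ever sends the
# 5-character prefix; the server answers with every known "SUFFIX:COUNT" under it.
_CONSTRUCTED_BREACH_COUNTS = {"password": 1234, "letmein": 56}
_RANGE_DB: Dict[str, Dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_BREACH_COUNTS.items():
    _digest = sha1_hex(_pw)
    _RANGE_DB.setdefault(_digest[:5], {})[_digest[5:]] = _count

def fake_range_lookup(prefix: str) -> str:
    if len(prefix) != 5:
        raise ValueError("only the 5-character SHA-1 prefix may leave the client")
    return "\r\n".join(f"{s}:{c}" for s, c in _RANGE_DB.get(prefix, {}).items())

def live_range_lookup(prefix: str) -> str:
    """Real query against the Pwned Passwords API (needs network); padding hides the true row count."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus; 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count or 0)  # padded rows carry a count of 0
    return 0

def password_acceptable(password: str, range_lookup=fake_range_lookup, min_len: int = 8) -> bool:
    """Signup/change-time gate: reject breached passwords outright, and very short ones."""
    return len(password) >= min_len and pwned_count(password, range_lookup) == 0
```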

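The three tiered models on slides 38 to 40, together with the factor ranking implied by slides 34 and 36, as an added example that is not the talk's code: each product's policy is an ordered list of account predicates mapped to a required tier, and a check compares the account's strongest enrolled factor against that tier, with SMS counting as a valid (if weakest) second factor. The `Account` fields, the numeric factor strengths and the exact threshold comparisons are assumptions constructed from the slides.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Callable, List, Optional, Tuple

class Requirement(IntEnum):
    OPTIONAL = 0   # "Optional 2FA"
    ANY_2FA = 1    # "Required 2FA": any second factor, SMS included
    TOKEN_2FA = 2  # "Required token based 2FA"

# Assumed ranking of the factor types on slide 34: SMS/voice can be SIM-swapped and
# phished, TOTP/push can be phished, a hardware token cannot. SMS still beats nothing.
FACTOR_STRENGTH = {"sms": 1, "voice": 1, "totp": 2, "push": 2, "yubikey": 3}
MIN_STRENGTH = {Requirement.OPTIONAL: 0, Requirement.ANY_2FA: 1, Requirement.TOKEN_2FA: 3}

@dataclass
class Account:
    role: str = "user"         # "employee", "moderator" or "user" (assumed fields)
    balance_usd: float = 0.0
    verified: bool = False
    followers: int = 0
    enrolled_factors: List[str] = field(default_factory=list)

# A model is an ordered list of (predicate, tier): first match wins, "everyone else" is optional.
Model = List[Tuple[Callable[[Account], bool], Requirement]]
REDDIT_MODEL: Model = [
    (lambda a: a.role == "employee", Requirement.TOKEN_2FA),
    (lambda a: a.role == "moderator", Requirement.ANY_2FA),
]
BANKING_MODEL: Model = [
    (lambda a: a.balance_usd > 250_000, Requirement.TOKEN_2FA),
    (lambda a: a.balance_usd > 10_000, Requirement.ANY_2FA),
]
TWITTER_MODEL: Model = [
    (lambda a: a.verified, Requirement.TOKEN_2FA),
    (lambda a: a.followers > 1_000, Requirement.ANY_2FA),
]

def required_tier(account: Account, model: Model) -> Requirement:
    for predicate, tier in model:
        if predicate(account):
            return tier
    return Requirement.OPTIONAL

def strongest_enrolled(account: Account) -> int:
    return max((FACTOR_STRENGTH.get(f.lower(), 0) for f in account.enrolled_factors), default=0)

def missing_requirement(account: Account, model: Model) -> Optional[Requirement]:
    """None when the account satisfies its tier, else the tier to prompt the user to enrol for."""
    tier = required_tier(account, model)
    return None if strongest_enrolled(account) >= MIN_STRENGTH[tier] else tier
```

A `None` result means the login may proceed; any other result is the tier to enforce or to prompt for during onboarding, per slide 35.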