Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs to convince computers we’re human. Is there a better way?

1. Threat Modeling Authentication
Kelley Robinson | BSides PDX 2018

3. Vertex-based
Elliptic Cryptography
on N-way
Bojangle SpacesPasswords
🤷
Simple Complex

4. @kelleyrobinson
“How can we help users avoid harm?
This begins with a clear understanding
of the actual harms they face, and a
realistic understanding of their
constraints.
”Cormac Herley, The Rational Rejection of Security Advice by Users (2009)

5. Threat Modeling Authentication
Kelley Robinson

6. @kelleyrobinson
☎🔐👋 %

7. @kelleyrobinson
https://www.owasp.org/index.php/Application_Threat_Modeling
🔐 What are we going to do about that?
✅ Did we do a good job?
🚩 What can go wrong?
Application Threat Modeling
🏗 What are we building?

8. @kelleyrobinson
🏗 What are we building?

9. 💰
💰
💰
@kelleyrobinson
1. Your users have
something of value
connected to an
account
*
+
,
Assumptions

10. @kelleyrobinson
*
+
,
2. A user can only
access the value
once they are
authenticated
Assumptions
💰
💰
💰

11. @kelleyrobinson
💰
💰
💰
*
+
,
3. A successful
impersonator could
also access that
value
Assumptions

12. How
common
is this?
@kelleyrobinson

13. 💰$5.1B💰
In 2017
@kelleyrobinson

14. @kelleyrobinson
https://xkcd.com/1121/

15. Physical Identities
• Face
• Voice
• Fingerprints
Contextual Identities
• Email address
• Phone number
• Names and usernames
Government Identities
• Driver license
• Social security card
• Birth certificate
@kelleyrobinson

16. @kelleyrobinson
Physical Identities
• Most trustworthy
• Practically impossible to change

17. @kelleyrobinson
Government Identities
• Very trustworthy
• Usually physical
• Difficult to change

18. @kelleyrobinson
Contextual Identities
• Not 1:1 relationship
• Easier to change

19. Why is identity
management hard?
• Imperfect systems
• We may never know if we
got it right
• Trust waterfalls

20. @kelleyrobinson
🚩 What can go wrong?

21. @kelleyrobinson
“It is mainly time, and not money, that
users risk losing when attacked. It is also
time that security advice asks of them.
”Cormac Herley, The Rational Rejection of Security Advice by Users (2009)

22. @kelleyrobinson
Think about average case
instead of worst case.

23. @kelleyrobinson
1. Compromised factors
(hacked, guessed, or brute forced)
2. Phishing or vishing
🚩 What can go wrong?
https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/13/OIDCSecurity_1.pdf
https://tools.ietf.org/html/rfc6819

24. @kelleyrobinson
☎ Requests via contact center
Authentication: known weak points
↩ Account recovery

25. @kelleyrobinson
☎ Requests via contact center
• Vishing
• Humans are fallible

26. @kelleyrobinson
↩ Account recovery
• How strict do you want to make it?
• Password resets, security questions,
backup codes...

27. @kelleyrobinson
Account value
Likelihoodofbeingatarget
Very Official
Risk Assessment

28. @kelleyrobinson
Money
Information
Control
Power
Account value*
Likelihoodofbeingatarget

29. @kelleyrobinson
🔐 What are we going to do?

30. @kelleyrobinson
“We must prioritize advice...Since users
cannot do everything, they must select
which advice they will follow and will
ignore.
”Cormac Herley, The Rational Rejection of Security Advice by Users (2009)

31. @kelleyrobinson
Single Sign-on 🤷

32. Authentication Factors
• Something you know
• Something you have
• Something you are
@kelleyrobinson

33. @kelleyrobinson

34. @kelleyrobinson
Something you know: Passwords
https://blog.github.com/2018-07-31-new-improvements-and-best-practices-for-account-security-and-recoverability/
https://www.twilio.com/blog/2018/06/round-up-libraries-for-checking-pwned-passwords-in-your-7-favorite-languages.html

35. @kelleyrobinson
Multi Factor Authentication
• SMS / Voice
• TOTP
• Push
• Yubikey

36. @kelleyrobinson
How to drive adoption of MFA
• Profile settings
• Prompt during onboarding
• Have an ICO
40% adoption
100% adoption
2% adoption

37. SMS 2FA is still
better than
no 2FA
@kelleyrobinson

38. “When we exaggerate all dangers we
simply train users to ignore us.
@kelleyrobinson
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
”

39. Employees*
Moderators
Everyone else
Potential Reddit 2FA Model
Required token
based 2FA
Required 2FA
Optional 2FA
*might be managed by IT, not dev

40. Balance over $250k
Balance over $10k
Everyone else
Potential Banking 2FA Model
Required token
based 2FA
Required 2FA
Optional 2FA

41. Verified accounts
Over 1,000 followers
Everyone else
Potential Twitter 2FA Model
Required token
based 2FA
Required 2FA
Optional 2FA

42. @kelleyrobinson
☎ Requests via contact center
Authentication: known weak points
↩ Account recovery

43. @kelleyrobinson
https://twitter.com/patio11/status/1053205207964823552
☎
Requests
via contact
center

44. @kelleyrobinson
↩ Account recovery
• Use authentication factors instead of identity
(i.e. pin code instead of SSN)
• Use security questions that aren't fact based
(unavailable via OSINT)
http://goodsecurityquestions.com/examples/

45. @kelleyrobinson
✅ Did we do a good job?

46. @kelleyrobinson
ℹ Support costs relative to losses ⬇
💰 Losses due to account takeover ⬇
😈 Number of compromised accounts ⬇
😃 Customer satisfaction ⬆

47. @kelleyrobinson
“Security people are full of morbid and
detailed monologues about the pervasive
catastrophes that surround us.
”James Mickens, This World of Ours

48. @kelleyrobinson
"I dared two expert hackers to destroy my life. Here's what happened."

49. @kelleyrobinson
Don't blame users
for bad passwords.
It's our responsibility to protect them.

50. @kelleyrobinson
THANK YOU!
@kelleyrobinson