2FA, WTF?

Everyone is hacking everything. Everything is vulnerable. Your site, your users, even you. Are you worried about this? You should be! Don’t worry, I’m not trying to scare you (that much). We have plenty of safeguards against attempts on our applications’ user data. We all (hopefully) recognise Two Factor Auth as one of those safeguards, but what actually goes on under the hood of 2FA?

We’ll take a look into generating one time passwords, implementing 2FA in web applications and the only real life compelling use case for QR codes. Together, we’ll make the web a more secure place.

(upbeat electronic music)

– Well, I wanna start quickly with a bit of a warning, ’cause I’m sure you’re aware that hackers are everywhere and you know who I’m talking about, I’m talking about guys like this, who are hacking into your databases, destroying your user accounts, stealing their details, their money, everything, people like this woman, who is such a good hacker, she has managed to find herself a laptop in jail, people like this guy in a darkened room with sunglasses on, gloves, fingerprints obviously, I don’t know what he’s doing, but it’s working, because there is money pouring out of this keyboard. Good afternoon, everyone, my name’s Phil Nash, I’m a developer evangelist for a company called Twilio, we are a communications API, that allow you to connect or communicate with your users via voice, video, messaging and all sorts of other ways and I am here to talk to you about two-factor authentication, but I want to start firstly with the horrifying reality of password security, now I’m sure you’re aware the passwords are awful, but I need to reiterate this first.

I’ll start with my own story, my first password I ever made was to log into my school computer system at the age of 11, back when it looked, I think a bit like this, I can’t really remember, that’s too long ago now and I learned a very quick lesson about password security, because I used this as my first password, (laughs) I’m sorry, I really shouldn’t be allowed to talk about this after that and obviously I was hacked by my friends, who I don’t think wore suits or balaclavas at the time, they didn’t get much, it was the school computer system before they were even really that useful, but it was a good lesson, terrible passwords mean that your account is only as secure as your weakest password, so this accounts for security questions as well. So we have to make stronger passwords, right, we need, (laughs) this is one of my favourite Tweets ever, I really must thank Jake Lawrence for this, we must make stronger passwords, but stronger passwords have a problem, because they are harder to remember, of course, I started making up passwords out of my hi-fi kit, that I actually bought for myself, which was great, ’cause technically I actually had my passwords on display in my living room the entire time, but there are more accounts than I could have bits of hi-fi kit, so I would start to reuse passwords of course and join me if you’ve ever reused a password on a different account, yes, is that everyone? Cool, alright.

So we become, we end up in trouble with that, right and I want to talk about a first actual hack, a couple of years ago, you may remember the Ashley Madison site was hacked and then all the account details leaked publicly, now, I’m not here to judge people for using Ashley Madison for whatever reason, I am willing to judge them for their passwords though, because a security firm managed to crack 11 million of them and so today I want to give you a rundown of the top five passwords used on AshleyMadison.com, any guesses, before we start on this, anything? Lots of passwords, numbers, yeah, in five was 123456789, a whole nine-character password is actually pretty secure, unless you realise there’s just not that many ways you can do that, in number four was DEFAULT, I don’t really understand this one, (laughs) perhaps this was actually many of the robots, that were signing up as women, I don’t know, (laughs) number three was password, so well done if you guessed that, number two was a very easy 12345 and the slightly more secure 123456 came in at number one, (laughs) but what’s terrifying about this is the actual numbers of people using this and this is actually the top 10, 120,000 of those 11 million passwords were 123456, notably number nine was not the characters NSFW, they were just not safe for this slide, (laughs) but this happens and people are using these terrible passwords all over the place, but you might think, you know, you might be judging those users of Ashley Madison and you know, maybe they’re not the smartest of people, but perhaps really smart people do use terrible passwords and last year Mark Zuckerberg, who’s got to be pretty smart or at least very rich and able to pay people to come up with better passwords for him lost control of his Pinterest and Twitter accounts for using the same password on both and the password was dadada, (laughs) which let the tech press get all interested in whether that was his child’s first word, but really it’s just a terrible password and so he got hacked as well, everybody’s getting hacked.

I was hacked again, password reuse really got me, I lost my Skype account and my Spotify account on the same day, I don’t know what the hackers did with the Spotify account, apart from check out some of my sweet, hidden playlists, the Skype account was used to, in text propositioning of men in French for marriage, (laughs) this seemed to go quite well, ’cause actually there was some quite positive responses, I found when I opened up the account after I’d got in, don’t know what was going on there, sadly, I actually then deleted them all, ’cause I was, I just didn’t want anything to do with it, I’d have loved to have shown a screenshot of that, but that was hacked, I lost both of those for one reason and that was Adobe, because they got hacked a long time ago and leaked all their account credentials, 152 million or so of them, but it’s not just Adobe that this has happened to, it’s everybody else that you’ve ever used on the internet, you know, Yahoo, LinkedIn, Tumblr, MySpace, Dropbox, Bitly, Disqus, the list goes on, the good thing is you can find out if you’ve been on one of these lists too and I encourage you to do so, go to HaveIBeenPwned.com, pop your email address in there and see how many people do know your password, I can’t take too long over that, they also have great lists of who else has been hacked and where else you might find this as gone.

So now I use a password manager, I use Bitwarden, which is the shield there, but you might use 1Password or LastPass, this is a good idea and if you’ve got to this stage of using passwords and using different ones everywhere and not even knowing them, you’re doing well, but most Americans, as discovered in a Pew Research study in 2016 don’t, 86% of them remember their passwords and probably reuse them, only 12%, according to this use a password management programme and then only 3% of those people use that password management programme most often, which I thought was really kind of strange, not nearly as strange as the fact that the Used most often bit here actually only adds up to 95% as well, (laughs) which presumably that’s just 5% of people most often don’t log in, terrifying.

So your users in all of your applications are only as secure as their weakest password, which could be out there on somebody else’s app, so let’s get on to how to fix this, all the acronyms, all the abbreviations in the world are here to save us now, so this is Part two, SMS, SS7, OTP and 2FA, now 2FA of course is two-factor authentication and a definition of that is simply that it’s a security process in which you provide two different forms of identification, in order to authenticate yourself, those factors must be different, normally it’s something you have and something you know, you can use something that you are, like a biometric kind of thing, but that’s a bit harder for most of us.

Three ways that we can do this in applications are via SMS, Tokens or Push and I’ll just tell you a bit about all of those right now. SMS is of course the easiest really, we have plenty of APIs available to send SMS to people, Twilio is one of them and all you need to do really is just come up with a random number, save it to your database, send the SMS to the user and then ask them to enter that number back in again, it’s fairly straightforward, you probably want to put in some checks for trying too many times and things like that, but this is basically all you need to do, the best thing about this is that SMS can be basically received by almost everybody on the planet and you can absolutely secure most people’s accounts this way, it has some cons as well, it costs money, it requires the person receiving that text message to be within signal, within range of being able to receive a text message, I’ve been in basements many times and very annoyed and having to go upstairs, (laughs) but the real problem with this one is actually the horrific way that SMS is actually horribly broken, in terms of security, so this is actually Part 2.1, the horrifying reality of SMS security, there are two well known ways to get somebody else’s text messages, one of them is just social engineering, call up their network, pretend to be them and get them to redirect their number to your new SIM card, this, you know, takes some challenge, some work to do the social engineering, but it happened most famously I think to DeRay Mckesson, one of the leaders of the Black Lives movement in the US, when he lost his Twitter account, because some people phoned Verizon and told them they were him and what they did actually, they then used the text messages to unlock his password, to change his password, so there’s a second point on this, if you can change one factor with the other, you still have one factor authentication, (laughs) that’s important.

Then there’s SS7, SS7 stands for Signalling System seven and it’s how the networks all tell each other where the people, where their SIM cards are, normally, you know, if you’re at home, if you’re in your own country, you’re on the network, that you actually pay money to get that SIM card from, but if you are roaming, then that network needs to know to send the messages to another network, this was all set up in about the ’80s, when all of the networks actually knew each other, they were large companies or governments and so when they built Signalling System seven, they did not put in any authentication, nowadays you can pay a couple of hundred bucks, set up a server, instal some stuff and tell the whole world that you’re a network, this means that because there’s no authentication, you can then tell a network that their user is now currently on your network and so if they want to send a message to you, then send them to us, we’ll send it on, that’s fine, this has been known about in SMS for a long time terrifyingly, but it was all very theoretical up until, I think it was February this year, when in Germany, a bank reported eventually that some user accounts had been lost due to SS7 based hacks on their two-factor authentication, so in a particularly, in an expensive kind of issue like banking, SMS is probably not the best idea, having said that, it is still better than just having a password, so don’t rule it out because it’s so accessible to everybody and if you’re not securing banking transactions, then you’re probably safe with something like SMS, it’s still better than just passwords.

But better than SMS and more secure than SMS is the Token approach and this is more abbreviations for you, HOTP and TOTP, OTP is a One Time Password, HOTP meaning HMAC-based One Time Password and TOTP the Time-based One Time Password, you’ve probably seen these in your authenticator apps, like Authy or Google Authenticator, where it generates a code for you and this is how it generates that code, this is what I’ve been quite interested in, like how does it do that? Because you have an app on a website on a server somewhere and they can agree on something and it’s done like this, you take a key, which is a long, secret, random characters and a counter, you HMAC sign the key with the counter and then run it through a truncation algorithm, which is a set of bit-shifting operations, that deterministically pick four bytes from the middle of that digest, run it through a positive bitmask, in case you need to ensure it’s a positive number and then you mod it by 10 to the d, where d is the number of characters that you want, normally six and there’s a great node library for this, which I actually recommend like just checking out, because it’s really well written and takes you through the process of doing it, but this is what it would actually look like on your server, calling HOTP with a counter of one gives you a number, calling it with a counter of two gives you a completely different number and then you can verify those and what’s useful about this library and what you might find useful in general is to know that if you verify them and you’re off by one, it will tell you you’re off by one and if you’re off by 10 or 50 or 100, it will also know that and so you can give a sliding window of availability for these, if you’re maintaining counters on both clients and a server, then you can sync those counters back up and then if you’re doing it by time, which really is just the number of periods, normally 30 seconds since the epoch, that has passed, then you can align your clocks that way as well and so that’s just how that works, if you verify the number, verify it later, it runs out of that window, go check that library out, it’s very good just to read through and really understand that stuff, if you’re interested in that.

The next part of this is called sharing those secrets, you have a long, random code that you need to get to the users and this is where the beautiful QR code comes into fashion, thank you QR codes, aren’t you all wonderful. We just make up a URL just to tell the app what is actually going on here and it follows this kind of pattern, with the otpauth scheme, a type, HOTP or TOTP, a label so you can tell what app it is inside your authenticator app and some parameters and this is, it might be a bit small, but this is what that would look like for my two-factor authentication app, it’s also good as you can see here to include the user account in the label, so that people can use different accounts and the same authentication device for the same app. So the pros for Tokens, they are free to use, you just have to you know, you just have to write this code and it will work offline, once you’ve shared that secret, the code can be generated wherever and whenever, against it, it requires a smartphone, not everybody in the world has one and that’s a shame, there are backup codes, that you can generate, normally this is how people will provide this to users, backup codes in case you lose the authentication app, of course, backup codes are really just passwords and we’re back to a single factor, although they are harder to guess and then unlikely, but QR codes can of course be intercepted, we live in quite a world of surveillance and if you happen to be signing up anywhere in public, somebody could potentially take that QR code, again it’s probably people who are higher profile or larger scale transactions, that are at risk to that.

But finally, I think right now, we’re just talking about like copying numbers from devices, from one thing to another and that’s a bit of a shame, because it’s an awkward user experience and normally security and user experience are fighting with each other, but I want to see more of this method, Push notifications, I actually have a quick demo, well, it’s a demo video to show you of how this works, this is a fake bank, that we’ve built, when you try to log in on this bank, it sends you a push notification saying, “Hey, you’re trying to log into this thing, right?” and stop this in the middle, it then sends some details as well and these details are actually, what you do here is beforehand you would share a secret between the app and the client and then you cryptographically sign these details, so that the user can absolutely trust that what they are seeing on screen has been sent by the application and it says stuff like, you know, where you are, what you’re trying to do, in this case, log in from Firefox, ’cause that’s what I’m using and then the experience just is a nice one, because we can, all you have to do is approve or deny, that will notify, that notifies the website and then moves on into actually logging in. Hopefully you agree with me, that this is a much nicer experience and given the fact that we’ve not had to show a QR code, we’re not transmitting any codes over any particularly open networks, this is a more secure way of securing the account as well, yes, that’s what I’ve said, (laughs) its cons of course are that it requires a smartphone, as we’ve seen, it requires a native app, in order to do this process, it requires more work on the backend as well, but as developers, we should do the work we can to make our users and our accounts more safe and again it requires you to be online, in order to receive that push notification, receive the data about the login or transaction attempt.

Yes, this was my favourite idea for the next level of security, x-factor authentication, (laughs) I promise I won’t sing right now, further updates to this included, if you wanted to share accounts with people, you could all do your own song, just a different cover of it. (laughs) In summary, I want to see more of this two-factor authentication in the world, I absolutely try and enable it on any of my accounts, purely because I know even though I’ve started using password managers, even though I’ve tried to use better passwords in time, I’m still at risk every single place I go and log in, so users are bad with passwords and we’ve seen that, 120,000 people used 123456, other websites are bad with passwords, HaveIBeenPwned lists 248 different publicly available lists of usernames and passwords available online. Two-factor authentication, it can be just Push, Token or SMS, in fact it should be any one of those three, because they each have different facets about them, I see them working a bit more like progressive enhancement in the frontend, if the user can only receive SMS, then it’s still better to secure their account that way, if they are offline, then using a generated token still works, but if we can manage it, then pushing details to them and allowing them to go through and approve or deny is a much better experience. Two-factor authentication at the end of the day is for your users, it keeps them safe and it keeps your site safe as well, mainly from this guy, (laughs) I think he’s got that from the URL Bar. (laughs) So that’s two-factor authentication, I hope I’ve helped at least a little bit in this time to change it from WTF to FTW, let’s go out and make our users more secure, more safe, thank you very much.

(audience applauding) (upbeat electronic music)
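
An added example, not part of the talk and not the code of the Node library it recommends: the token generation, sliding-window verification and otpauth URL described in the talk, written against RFC 4226 (HOTP), RFC 6238 (TOTP) and the authenticator key-URI convention. The function names and the issuer and account values are illustrative, and the sample key is the published RFC 4226 test secret.

```javascript
const crypto = require('crypto');

// HOTP (RFC 4226): HMAC-SHA1 of the 8-byte big-endian counter, keyed with the secret.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const digest = crypto.createHmac('sha1', key).update(msg).digest();
  const offset = digest[digest.length - 1] & 0x0f;         // low nibble of last byte picks 4 bytes
  const binary = digest.readUInt32BE(offset) & 0x7fffffff; // clear the sign bit: always positive
  return String(binary % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the counter is the number of whole periods since the Unix epoch.
function totp(key, unixSeconds, period = 30, digits = 6) {
  return hotp(key, Math.floor(unixSeconds / period), digits);
}

// Check a submitted code against counters in [counter - back, counter + ahead].
// Returns the matching offset (0 = in sync) so the server can resync, or null.
function verifyDelta(key, token, counter, back = 0, ahead = 0, digits = 6) {
  const given = Buffer.from(String(token));
  if (given.length !== digits) return null;
  for (let d = -back; d <= ahead; d++) {
    if (counter + d < 0) continue;
    const want = Buffer.from(hotp(key, counter + d, digits));
    // Constant-time comparison of the two digit strings.
    if (crypto.timingSafeEqual(given, want)) return d;
  }
  return null;
}

// RFC 4648 base32 without padding, the encoding used for the `secret` parameter.
function base32(buf) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  let bits = '';
  for (const byte of buf) bits += byte.toString(2).padStart(8, '0');
  let out = '';
  for (let i = 0; i < bits.length; i += 5) {
    out += alphabet[parseInt(bits.slice(i, i + 5).padEnd(5, '0'), 2)];
  }
  return out;
}

// The URL that gets rendered as a QR code: scheme, type, label (issuer:account), parameters.
function otpauthUri(type, issuer, account, key, extra = {}) {
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
  const params = Object.entries({ secret: base32(key), issuer, ...extra })
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `otpauth://${type}/${label}?${params}`;
}

// Constructed sample: the RFC 4226 test secret, published and not for real accounts.
const sampleKey = Buffer.from('12345678901234567890');
console.log(hotp(sampleKey, 1), hotp(sampleKey, 2));   // two counters, two unrelated codes
console.log(verifyDelta(sampleKey, '359152', 0, 0, 3)); // client is two counters ahead
console.log(otpauthUri('totp', 'Example', 'alice@example.com', sampleKey));
```

Keeping `back` and `ahead` small matters: every extra counter accepted is another six-digit value an attacker's guess can match, so the window should be paired with the attempt limiting the talk mentions for SMS codes.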