Security is hard. Using the same password for everything is easy.
Over the years, we’ve made it easier for users to do the right thing, from email-based verification to one-time passwords via email and security tokens. But nearly all these solutions require you to have your mobile phone or security device with you. And if you’re overseas, you might have additional problems.
Let’s look at mechanisms for biometric authentication with web applications. There are a few out there, and this talk will help you understand the options and implementation, together with a live demo.
Biometric security? Because you rarely leave your face and voice at home!
(bright upbeat music) (clapping) (smooth jazz music) (dramatic music) – My voice is my passport, verify. (dramatic music) (door unlocking) (printer clicking) – Who remembers that movie? ‘Sneakers’, right? Was it ’92? 1992, it’s pretty old.
But that’s the state of biometric security today. Thanks all for coming.
It’s been great to have you. If you’ve got any questions, I’ll be in the corridor.
Now, what I want to talk to you about today, I know that it’s about biometrics and about voice, and I can see why I was scheduled in this slot, but for those of you expecting a talk about machine learning and artificial intelligence and that side of things, that’s not what this is gonna be.
It’s going to be more about authentication, authorization, the different factors that we have.
So I’ll start by just revisiting what hopefully most of us are aware of when we talk about multi factor authentication. How many main factors of authentication do we generally consider? Any numbers? Have a guess? Two, three? Three sounds like a good number.
Let’s go with three.
So we’ve got something you know, something you have, something you are. Within web development and web application security, we’ve pretty much got the first two covered. Mostly, it’s the third one that we’ve gotta worry about a little bit at the moment, or the third one that perhaps can help us a bit more at the moment.
So let’s have a look at something, you know. I’ll go through these quickly because A, we’ve got 25 minutes, and B, some of these things are going to be obvious, but I just wanna retouch on them so that they’re grounded in our thoughts.
So the kind of things that we know are things like passwords, PIN numbers, swipe patterns, and secret knocks.
Who’s a member of a secret cult group? (audience laughing) Just me then.
Okay so secret, lots of things that, you know, generally any of these things are going to be something you’ve got to remember.
And we do have password managers that help us with secret knocks.
No, no, that’s the old way.
It’s the one that helps with the passwords. We have secret knock managers for the…
No we don’t.
But a lot of people will write them down.
It’s hard to remember things.
How many people can remember the password before the password before the password they currently use for Gmail?
It was password 12, because now your password’s 14. It’s really hard to do this stuff.
We don’t remember things.
And also, things that we know are things that are subject to interception through surveillance; they are also subject to attack through social engineering. If you’re talking to somebody face-to-face, it’s quite easy, as in the opening video example, to get somebody to divulge information, whether that’s their swipe card or passphrase, or even say certain words.
These are things that we know.
But interestingly, we will come to the point that there was an example of biometric authentication in the video.
But we’ll question whether or not it actually was biometric authentication.
They’re also easily digitised.
Hands up who’s heard of ‘Have I Been Pwned’? Most of you, that’s good.
Have I Been Pwned is a website that Troy Hunt runs. And basically, it’s like a whole database of leaked passwords, and they’re in plain text because they’ve been leaked, so that’s fine.
But if somebody knows your password, they can send it to somebody else in an email. So suddenly, it’s really easy to distribute things that you know.
So, in order to overcome this, cause things that you know, passwords, are the primary way that we do web authentication nowadays. So in order to overcome this, we started looking at things that you have. Oh, I forgot that final point there.
The other problems we have with this is they’re often reused, hands up who has never reused a password.
(audience laughing) Okay, we can all walk out of here in shame, but knowing that we’re all together on this one. Alright, so something you have: these kind of mechanisms are intended to help us reassure systems that the things that we know actually belong to the people who know them, and haven’t been used by somebody who has come to know them who shouldn’t know them. Make sense? Good, great, and moving on.
So building access card things that you have, it’s not something you know, you can give it to anybody.
They can open the door, SMS verification, something you have, it’s not actually the phone. It’s the SIM card.
If I take your phone and you’ve got a swipe card, I can’t unlock it.
But if I take the SIM card and put it in my phone, then I can log into any system that uses SMS based two factor authentication, because I now have access to your SIM.
How many people have got a SIM lock code, not a phone lock code, but a SIM lock code? No, exactly.
So while using these as multi factors, they’re enhancing security at every layer.
They’re not necessarily by themselves something we should trust 100%. Security fobs, those things that you press that have got like six numbers, or the apps that you have, the one time password, hardware authenticator type things, these are also things that you have; you can give them to anybody, and as long as somebody has them they can use those.
They prove physical ownership.
That’s all they prove.
They don’t prove who has it, just that somebody has it, the person who’s trying to login. They are harder to clone, not impossible to clone but harder to clone, with one time password applications.
For example, if anybody here runs FreeOTP, you’ll know that there’s a unique string that’s used, that’s put into the application usually via a QR code, but you can manually put it in as well.
If you reformat your phone, you can reinstate all of the settings in your one time password application by having this information to reinsert, so there is information that you can technically know at some point that can be digitised, sent somewhere else. And anybody can then start creating those one time passwords on a whole different app at the same time as you are on your app.
So again, not a hundred percent security, but another layer on top.
Often, we can…
So the third point there is basically that we’re assuring authentication and identity. We’re not using it as a primary form of identity. One of the most interesting things: does anybody know what SS7 is, other than Phil? Phil works with Twilio, by the way; he works with SMS every day.
SS7 is the protocol that’s used for transmitting SMSs. Predominantly, the issue here is whether the SMSs get sent between carriers.
So if you’re with Telstra, and you’re sending an SMS to somebody who’s on Optus, Telstra and Optus will talk to each other via this SS7 protocol.
I have to take a breather here cause this is really disappointing to me.
Step back: when you take your phone out and it connects to a cell tower, the cell tower will verify that your phone is a phone that’s supposed to connect to it.
How many people think that your phone will make sure the cell tower is a cell tower it’s supposed to connect to? Correct.
This is how the Stingrays work, which are the devices that the US government use in large places to be able to intercept phone calls, because the phone will connect to anything that says, “Hey, I’m a cell tower,” and it’ll go, “Okay, cool, that’s fine, I trust you.” There’s no authentication.
So similarly, the SS7 protocol doesn’t have much of an authentication, because they’re run by RSPs; they all trust each other.
So if you’re able to intercept a message via SS7, or even send your own message on the SS7 network, and this was through research done as a proof of concept, you can send a message essentially to your provider, as long as you are trying to attack somebody via a network that either the sender or the receiver is on. You can send a message saying any message for Phil’s phone should come to mine, and then also send it to Phil’s, or even better, change the number first before it goes to Phil.
I’m gonna so hack your account.
So SS7 was broken, it still is.
So this is why, when you hear people talking about two factor authentication using SMS, in short, it’s a good extra step.
But if you’re going to be looking at any kind of mobile authentication based second factor, use something like push notification instead, because that’s a one-to-one communication.
It’s more secure than SS7. Something you are: so this is what you actually came here for, right? Body measurements, characteristics.
This is the fun part.
So we’re all familiar with fingerprints, facial recognition. We’ve heard a little bit earlier today already about voice as well.
Hands up who works with retinal scans, has any kind of system that does retinal scans. I think that’s still just in the movies, right? Unless you’re in the Defence.
But we’re familiar with it.
We’ve seen it on ‘Terminator’.
So it must be true.
For us, we’ve already seen handprints as well; even individually, like without even focusing on the fingerprint, the handprint itself is quite unique. And so we can use these mechanisms to do biometric characteristic measurement of people. Or rather, these are more body measurements. There’s some interesting characteristics as well. Keystroke timing.
That’s a really fun one.
If we have time, remind me in the Q and A to tell you the story about World War Two.
Handwriting’s a good one, so we often have signatures; everybody’s signature is unique.
And even if I tried to sign your signature cause I haven’t done it often enough, it’s not gonna be the same.
But your general handwriting also has characteristics around it that can add an extra level of assurance that you are who you say you are.
Again, I wouldn’t trust handwriting by itself as a single factor.
But you can use that again to layer and increase your security model.
Gait: Gait is a fun one.
Gait is what I do all the time on stage and piss off the person at the back of the camera walking around.
So if you have a limp that’s particular to you, not a temporary limp, but like a permanent limp, if you shake your hips more than somebody else, if you have a strut, these are all characteristics about you that we can collect and measure and profile and use again to add that extra layer of assurance that who we’re looking at is the person who was actually supposed to be authenticating to our system.
There are some vulnerabilities.
And these are fun ones.
So chopping off fingers is the primary one. This is one we kind of wake up every morning worrying about. This actually came up in the news, I think it was like seven years ago, when BMW brought up the ‘you can unlock your car with your thumbprint’.
And everyone said, “Oh, my fingers.” I don’t think there’s been a single record of somebody having their finger chopped off because the carjacker wanted to steal a car. Which suggests one of two things to me: carjackers are squeamish, or it’s easier to steal a Toyota. Possibly both. It’s much easier to lift prints.
I say that almost too authoritatively.
I hear it’s much easier to lift prints.
(audience laughing) Voice Generators and 3D Face Generation kind of software. Has anybody seen these tools where you can speak and you put up a static photo of, I don’t know, Barack Obama.
And out comes a video of Barack Obama moving his lips to your voice but actually sounding like him. That’s a bit concerning.
That’s done in real time.
That’s a bit concerning when we look at voice and facial recognition as being factors of authentication, can we even trust them? Scared yet? High resolution photos have actually been used as well to 3D print fingerprints.
That’s how good photographic technology and 3D printing technology is getting.
That’s one and 3D printing faces.
The iPhone uses infrared to do a 3D model of your face, Face ID or whatever it’s called.
It doesn’t actually use the image, doesn’t use a camera; it uses infrared modelling in a 3D space. You can actually 3D print a face. It takes 17 hours, which for most of us is probably going to be out of the question.
I’m not going to get into your phone because in 17 hours, I’m probably going to be in Melbourne again. But for a certain level of attack, if I wanted to get Barack Obama’s phone, I would make the time to print his face.
So these are still threat models that we need to consider. Is the type of user in your system the kind of person who’s just like everybody in this room? Anybody in here as famous as Barack Obama? Excellent, so you have a high threat model. Come see me afterwards, we’ll work out ways to solve that. For the rest of us, we don’t need to care.
Alright, multiple factors of authentication. MFA, we’re all happy with this.
This is basically layering things on top of each other, in order to make sure that you have a higher level of assurance of who the person is that’s trying to access your system. But whenever we look at any of these authentication factors, we have to look at whether or not it’s identifying or just authenticating.
And there’s a difference here, if we’re identifying, the piece of information that you’ve just given us is unique.
Alf the Alien is real, and this is his driver’s licence. And he’s the only person, the only alien, with that driver’s licence.
However, the password that I used to log into Facebook is the same password as everybody in this room uses to log into Facebook, I’m sure. So we can’t use passwords as an identifying factor of authentication. The username becomes the identifying factor of the authentication. Username is really easy to know though, my username has been Mendehere.
I don’t have a Facebook account.
You’ll be hacking for a long time.
So what we need to do is make sure that we’ve got at least one identifying factor, which in most cases we have, right.
(smooth jazz music) So Robert Redford comes along, and he says, “I want to break into this building.” He’s already managed to get the voice out of Mr. Werner. (dramatic music) And he’s also got the swipe card.
It’s not something you have.
And he walks up to this device here that listens to the voice.
– My voice is my passport, verify. – Something you are? Maybe in this case it’s something you have, because he has a recording. So is that something you are? (door unlocking) (printer clicking) And the swipe card again, something you have. So we’ve got nothing that’s something you know to make that a lot more secure.
You could have simply put like a four digit PIN code pad in, and he would have been discovered.
For anybody who’s seen the movie, they steal a swipe card; well, there’s a group of four or five of them. One token female, it’s 1992.
I hate it as much as everybody else in this room. But this token female is voluntold to go and seduce this man in order to get this information out of him.
I know the storyline sucks.
(audience laughing) But let’s go with it just for the sake of looking at authentication.
So she manages to get the swipe card out of his wallet and pass it out of the window and they clone it because something you have can be cloned.
And then she has a conversation with him while recording him and tries to elicit all the words ‘my voice is my passport verify me’ the hardest one is passport.
So she says, “You know what I really find sexy? The way people say passport.” (audience laughter) I know, terrible storyline.
I keep saying that.
Can you imagine if she’d said, “you know what I really find sexy.
When people tell me the four digit number to get into their office,” it’s not gonna work. So I would have to kill the storyline completely. Securing the web: I’m gonna move quite quickly on this, I have 10, eight minutes left now.
Securing the web: How can we use this…
so let’s have a look at something you know and something you have.
We already know that we can use passwords for logging in to websites. Can we use swipe patterns? We could.
Should we? is the question. No, we shouldn’t.
Secret knocks, moving on. Access Cards: so we’ve already got devices that you can have, an NFC card reader or something, and using something like WebAuthn you can connect to external hardware authenticators that’ll allow you to authenticate your web application to something you have. SMS verification: not totally secure, but it’s better than nothing.
And then security fob the same kind of thing. The six digit codes, we can use those.
What do we do when it comes to biometric stuff? My fingerprint, my phone’s got a fingerprint reader. So that’s biometric, right? Facial Recognition: Can we use the face ID to do biometric security? All right, retinal…
let’s not do retinal scans.
Voices: Voice is a good one.
We’ve already had Mandy have issues in a talk just about an hour ago with the acoustics in this room. And I have a demo, which I won’t have time for. But come find me in the corridor, cause I’m happy to show it to you.
It’s a product called VoiceIt and it’s really cool technology.
It does facial recognition and voice.
And there’s a whole blog post on how to integrate it into Auth0, so you can actually use that to authenticate people into your website.
But the demos that I’ve given, I’ve had to reprogram my voice every time I do it cause the rooms are different shape.
So that’s not gonna work.
So we still have issues around that.
And gait, I don’t think using a webcam to work out whether or not I’m walking normally.
As I strut up to my laptop, “I’m sorry, you don’t have a limp, no access for you.” So well, we’ll just leave that one out.
So biometrics in mainstream technology I’ve already covered that.
We’re familiar with the fingerprints on the devices that we have in our pockets, biometric security for the win. And we’ve also got the 3D Face ID for the latest iPhones.
But as I’ve alluded to, are they something you have, or something you are? I would suggest they’re actually something you have, cause they’re just hardware authenticators. The fingerprint unlocks my phone in order to enable it to become a hardware authenticator; your face unlocks your phone in order to enable it to become a hardware authenticator. So while VoiceIt or any of these technologies out there are using biometrics in order to authenticate you, what’s actually happening in the communication between that and your application is it’s something you have. It’s a hardware authentication, or your hardware authenticator confirmation coming back. So what we are doing…
we are doing biometrics, sort of. It’s a grey area, but we’re outsourcing the trust of whether or not that biometric test has passed to a third party.
Not saying that’s wrong, but we just need to consider that when we’re piecing together all of the factors and working out which factors are we covering. They just reveal, present. So WebAuthn does make these available to your web app; you can get the information out through that. But again, remember that that is then essentially doing a public private key confirmation in a hardware authentication factor space, something you have.
So disabilities, how much time do I have? Nobody knows.
Six minutes, we can do this.
There’s always a downside to everything. One of the disabilities some of you have is forgetfulness. We all suffer from that one.
I did mean to start the talk by saying I don’t have any pretty graphics in mind.
I only have one animated GIF, but my kilt matches my slides.
(audience laughing) Permanent disabilities.
If you can’t speak, you can’t use (murmurs) that’s a great word.
I’m going to use that in future.
You can’t use voice recognition or voice confirmation of who you are.
You’ve also got issues with temporary disabilities. If you happen to be this poor person in an iStock photo who happened to get some kind of corrosive into his eye, you’re probably going to be wearing a patch. You’ll look spiffing, but facial recognition is not gonna work anymore.
If you take the patch off, people will squirm either way, you’re buggered.
And then there’s environmental ones.
The most typical one that you’ll hear when everyone talks about environmental disability is you have your shopping and you can’t open your front door.
But what about biometrics? What if you’re…
it doesn’t look like it’s snowing there.
But I don’t know why they’re wearing gloves. It’s the first photo I found I apologise.
But what if you’re skiing and you want to use your ski app and it says, “I will need you to verify who you are,” because it’s a highly secured skiing App.
Don’t ask me why it does. But you’ve got gloves on.
So suddenly you can’t unlock it, you can’t verify who you are.
So consider the use cases that people are going to be using your applications in when you decide which factors you want to allow people to use.
Now, one thing you could do is to say, well, I’m always going to need something you know, your username and password. And within your application, if it’s like a native app on a phone, you can store those so that you’re automatically logged in, in the way that most applications do nowadays. And then you’ve got the fingerprints to confirm. But you can have maybe two different kinds of factors, so you can have three factor authentication but only two have to pass, and just have a look at which ones are likely to be impacted by an environmental disability.
In terms of the permanent and temporary disabilities, you have to work out some kind of support mechanism so that if somebody can’t log in anymore, how do they get in? Somebody loses a leg, their gait changes, and your webcam detects that the way they walked to the laptop is not quite the way you’re expecting them to. You’re gonna have to be able to reset their password or something, verify their identity.
So I want to give you a bonus factor.
We’ve talked about something you know, something you have, something you are. What’s another one? It’s actually two.
I’ve got three minutes and two factors.
Any takers? There’s somewhere you are. I said you are.
That should be somewhere you are. So one really common thing that you might want to do is make sure that when people are accessing your systems, they’re in a location that you want them to be in. Maybe they can only access it from the office. The other thing you might want to do is make sure they are not where you don’t expect them to be. They are with the…
double negatives always confuse me.
Imagine I log into a service from Sydney.
And then 12 minutes later, I log into a service from New York.
Does that seem legit? Anyone say yes? I use the VPN a lot, so yes, but the fact is that for a lot of people that won’t be. In the industry that’s called impossible travel.
I think that’s like the travelling salesman problem and the impossible Travelling Salesman Problem. I think that that’s how it works.
So there are times where you want to have a look at the somewhere you are to work out whether or not the person is supposed to be logging in. In Mr. Werner’s case, you could have had a GPS tracking device on his leg.
And because he wasn’t at the door, you don’t let Robert Redford in.
That would work, right?
So come find me in the booth, Auth0, at the back there. If you don’t have a T shirt already…
A quick joke for you.
I don’t know if I have time.
What’s the difference between…
My marketing team are back there, by the way, so hi, everyone.
What’s the difference between a developer advocate and marketing person? I can wear the T shirts for free.
(audience laughing) Quick go before they get back to the store. No, seriously.
It’s been great to be here.
If you’ve got any questions come out.
I’m happy to show you the demos as well. And I don’t have time for the World War Two story. Sorry.
Thank you very much.
(applause) (bright upbeat music)
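The FreeOTP point from the talk, that the seed string behind the QR code is the whole secret and any copy of it produces the same codes, as an added Python example that is not code from the talk or from any product it mentions. It implements RFC 4226 HOTP and RFC 6238 TOTP with the RFC's published test key as a constructed seed, and adds the one check a server still controls: a verifier that tolerates a step of clock drift but refuses a time step that has already been consumed, so a code seen in transit cannot be replayed within the same 30 seconds.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed demo seed in the base32 form an authenticator app reads from its QR code.
# It is the RFC 6238 test key (b"12345678901234567890"), not any real account's secret.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code, the usual authenticator-app default
DIGITS = 6


def _decode_seed(seed_b32: str) -> bytes:
    """Base32-decode a seed, tolerating the '=' padding that QR codes usually omit."""
    s = seed_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at_unix: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals since the epoch.
    Every device holding the same seed computes the same code for the same moment."""
    return hotp(_decode_seed(seed_b32), at_unix // step, digits)


def verify_totp(seed_b32: str, submitted: str, at_unix: int, last_counter: int,
                window: int = 1) -> Tuple[bool, int]:
    """Server-side check. Accepts +/- `window` steps of clock drift, but never a step at or
    before the one already consumed (`last_counter`), so a code observed in transit cannot
    be replayed within the same time step. Returns (ok, new_last_counter)."""
    secret = _decode_seed(seed_b32)
    now_counter = at_unix // TIME_STEP
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    t = 59  # the RFC 6238 test instant
    code = totp(DEMO_SEED_B32, t)
    print("your phone:     ", code)
    print("cloned seed:    ", totp(DEMO_SEED_B32, t))      # identical: the seed is the whole secret
    print("first use:      ", verify_totp(DEMO_SEED_B32, code, t, 0))
    print("replayed 20s on:", verify_totp(DEMO_SEED_B32, code, t + 20, 1))
```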
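The impossible travel check behind the "somewhere you are" bonus factor, as an added Python example that is not part of the talk; the users, coordinates, timestamps and thresholds are all constructed. A flagged pair is a signal to step up verification rather than proof of compromise, and the speaker's VPN habit is exactly the false positive a threshold like this has to tolerate.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # faster than any airliner, leaves slack for geolocation error
MIN_DISTANCE_KM = 100.0     # ignore jitter between nearby IP geolocations (mobile, ISP exits)


@dataclass(frozen=True)
class Login:
    user: str
    ts: int       # unix seconds of the successful login
    lat: float    # geolocated source IP, decimal degrees
    lon: float
    place: str    # label for the alert only


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_travel(prev: Login, cur: Login) -> Tuple[float, float]:
    """Return (distance_km, speed_kmh) the user would have needed between two logins.
    A zero or negative time gap with a real distance counts as infinite speed."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return dist, (math.inf if dist > 0 else 0.0)
    return dist, dist / hours


def flag_impossible_travel(logins: List[Login]) -> List[Tuple[str, str, str, float]]:
    """Walk each user's logins in time order and report consecutive pairs that would
    require travelling faster than MAX_PLAUSIBLE_KMH over at least MIN_DISTANCE_KM."""
    alerts: List[Tuple[str, str, str, float]] = []
    last_seen: Dict[str, Login] = {}
    for cur in sorted(logins, key=lambda item: (item.user, item.ts)):
        prev = last_seen.get(cur.user)
        if prev is not None:
            dist, speed = implied_travel(prev, cur)
            if dist >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append((cur.user, prev.place, cur.place, speed))
        last_seen[cur.user] = cur
    return alerts


# Constructed sample: the talk's Sydney -> New York twelve minutes later, plus two normal cases.
T0 = 1_700_000_000
SAMPLE_LOGINS = [
    Login("alice", T0, -33.8688, 151.2093, "Sydney"),
    Login("alice", T0 + 12 * 60, 40.7128, -74.0060, "New York"),
    Login("bob", T0, -33.8688, 151.2093, "Sydney"),
    Login("bob", T0 + 2 * 3600, -37.8136, 144.9631, "Melbourne"),        # ~710 km, a short flight
    Login("carol", T0, 51.5074, -0.1278, "London"),
    Login("carol", T0 + 5, 51.5200, -0.1000, "London, other ISP exit"),  # geolocation jitter
]

if __name__ == "__main__":
    for user, src, dst, kmh in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {src} -> {dst} would need {kmh:,.0f} km/h; step up verification")
```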