by Jacky Alciné
A primer into authentication schemes, known vulnerabilities of said schemes and methods to improve authentication (and authorization!) for end-users.
Hey. I'm Jacky.
Me acting a fool in front of the building where both the Crime Bill and Net Neutrality Act were passed.
- Decolonization of computer science
- Establishment of generational wealth
- Liberation for all oppressed people
- Proper recognition of all Latinx countries
A Series of Social Engineering Events
- Spoofed as account holder
- Move SIM data to new IMEI
- Reset social media credentials
Spoofing, the act of impersonating another person with malicious intent, is a common practice for taking over accounts, digitally or physically.
It's the equivalent of copying your house door key - both of y'all got access now.
With the Keys...
...Come the Door
With control of the recovery mechanism a site requires you to use when you've forgotten your password (or alongside signing in), everything is possible.
This can get ugly.
Your Accounts At This Point
What Went Wrong?
- Potential lack of a pre-shared PIN (PSK) with the telecom
- Weak passwords used on T0 accounts
- Shared passwords used on T0 and other accounts
- All of the above
A Tier 0 (T0) account is an account that, if compromised, can be used to take down other accounts as well. Protect your email.
Enable Your Telecom PSK
(When You Leave)
Pardon my Jargon
- 2FA === MFA
- Alternative form of authentication
- *FA = * Factor Authentication
SMS is easy to use.
You probably already use it for messaging with your users.
But NIST is like "NAH"
"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."
A hardware token is a device that can emulate a keyboard and generates codes and keys usable for authentication and authorization purposes.
Imagine if your house key changed every second, couldn't be copied and only worked at a particular time with the lock for your home.
That's a small ability of hardware tokens.
I'm a Developer
Invest in adding 2FA support for your product/project.
I'm a Designer
Invest in communicating how users can transition to a MFA setup.
I'm a User
Contact your service's support to find out whether 2FA is supported, and add pressure for it if it isn't.
I Speak as a Developer
That's because security, in the realm of UX, should be seamless and invisible.
How to Implement?
How Does OTP Work?
OATH (not OAUTH)
A more popular and resilient implementation of OTP.
Commonly used in secure token devices like the RSA device.
SMS 2FA Take Down: Investigating 2FA and Its Ramifications
By Jacky Alciné