SMS 2FA

Takedown

A primer on authentication schemes, the known vulnerabilities of those schemes, and methods to improve authentication (and authorization!) for end users.

Hey. I'm Jacky

I'm a software engineer at Lyft, formerly at Clef, Shutterstock and a few other places.


I enjoy video games, books and teaching my people what I've learned. I talk more about myself on my site at jacky.wtf.

Me acting a fool in front of the building where both the Crime Bill and Net Neutrality Act were passed.

Personal Goals

  • Decolonization of computer science
  • Establishment of generational wealth
  • Liberation for all oppressed people
  • Proper recognition of all Latinx countries

Story time!

A Series of Social Engineering Events

Spoofed as account holder

Move SIM data to new IMEI

Reset social media credentials

pwnd city

Spoofing IRL

Spoofing, the act of impersonating another person with malicious intent, is a common practice for taking over accounts, whether digitally or physically.


It's the equivalent of copying your house door key - both of y'all got access now.

With the Keys...

...Come the Door

With control of the recovery mechanism that sites may require you to use when you've forgotten your password (or alongside signing in), everything is possible.

This can get ugly.

Your Accounts At This Point

End Result

What Went Wrong?

  • Potential lack of use of pre-shared pin (PSK) with telecom
  • Weak passwords used on T0 accounts
  • Shared passwords used on T0 and other accounts
  • all of the above

A Tier 0 (T0) account is an account that, if compromised, can be used to take down other accounts as well. Protect your email.

Enable Your Telecom PSK

(When You Leave)

Pardon my Jargon

2FA/MFA

  • 2FA === MFA
  • Alternative form of authentication
  • *FA = * Factor Authentication

MFAaaS(?)

SMS is easy to use.

You probably already use it for messaging with your users.

But NIST is like "NAH"

"If the out of band verification is to be made using an SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB [Out of band verification] using SMS is deprecated, and will no longer be allowed in future releases of this guidance."

Secure Tokens

A hardware device, often one that emulates a keyboard, that generates codes and keys usable for authentication and authorization purposes.

Imagine if your house key changed every second, couldn't be changed and only worked at a particular time with the lock for your home.


That's a small ability of hardware tokens.

I'm a Developer

Invest in adding 2FA support for your product/project.

I'm a Designer

Invest in communicating how users can transition to a MFA setup.

Darrell Jones of Clef wrote about getting teams on board with 2FA, as well as when the best time to integrate 2FA is (hint: NOW).

I'm a User

Contact your service's support to find out whether 2FA is supported, and add pressure for it if it isn't.

I Speak as a Developer

That's because security, in the realm of UX, should be seamless and invisible.

How to Implement?

Easiest Way?

A service named Instant2FA by Clef that allows you to make use of TOTP/HOTP approaches with other services and "upgrade" to secure tokens.

Or...

How Does OTP Work?

HOTP

TOTP

OATH (not OAUTH)

TOTP

The more popular and resilient implementation of OTP.

HOTP

Commonly used in secure token devices like the RSA device.

Thank You

SMS 2FA Take Down: Investigating 2FA and Its Ramifications

By Jacky Alciné

This talk was presented at Github on January 17, 2017 as part of a presentation series for Latinxs in Tech in San Francisco, CA.