Mohammad Shahbaz Alam
Full Stack Developer, Developer Advocate @ Magic Labs, GDG-Ranchi Organizer, and Mozilla Representative. Loves speaking on Serverless, Authentication & Authorization, Security, Web Extensions and VR at meet-ups and conferences.
Authentication
Luxury or Necessity?
About Me
Mohammad Shahbaz Alam
Director, Alfaaz Lingua
Full Stack Developer
Auth0 Ambassador
Mozilla Representative
GDG Ranchi Organizer
@mdsbzalam
Agenda
1. Biggest Data Breaches of 2020 (So far)
2. Developers and Users
3. Users - Password
4. Developers -
JWT, WebAuthn, Auth as Service
Biggest Data Breaches
So far in 2020
1. Marriott Suffers Another Credential-Based Breach
The Story
On March 31, 2020, Marriott posted an announcement that "an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property." That "unexpected amount" turned out to be the data of 5.2 million guests.
This news is particularly unfortunate for Marriott since it's only been two years since it discovered another massive breach, stemming from its acquisition of Starwood Hotels.
Marriott Suffers Another Credential-Based Breach
How the Breach Happened
We know that a hacker obtained the credentials of two employees at a Marriott property and used them to siphon data for roughly a month before being discovered. We don't know how that hacker obtained employee credentials, but credential stuffing and phishing are both likely culprits.
What Data Was Exposed
Help Net Security reports that the attacker accessed a wide range of personal data, including contact information, personal details like gender and birthday, and linked account data like airline loyalty programs.
Marriott Suffers Another Credential-Based Breach
The Lesson for Businesses
To protect customer data, you have to control how employees access data rigorously.
Marriott could have avoided this breach by implementing multi-factor authentication for employees attempting to access sensitive data. That way, it would have taken more than a password for the attacker to sneak into their systems.
In addition, Marriott could have gotten wise to the hacker's presence much sooner if their IAM system had monitored for suspicious behavior. Such a system would have flagged the situation —two employees at a franchise location accessing millions of guest records— as an anomaly that merited investigation.
2. Nintendo Is the Latest Victim of Credential Stuffing in Media
The Story
In April 2020, Nintendo announced that 160,000 accounts had been breached in a presumptive credential stuffing attack. Hackers had apparently been using the hijacked accounts to buy coveted digital items.
As a result of the breach, Nintendo discontinued the practice of letting users log in with their Nintendo Network ID (NNID). The company also recommended that users enable two-factor authentication to protect their data.
Nintendo is only the most recent victim of credential stuffing attacks targeting digital media. Netflix, Spotify, and Disney+ have all had similar issues in recent months and years.
Nintendo Is the Latest Victim of Credential Stuffing in Media
What Data Was Exposed
Once hackers gained access to Nintendo accounts, they could make purchases and view sensitive data like email address, birth date, and country.
How the Breach Happened
Nintendo said the compromised credentials were "obtained illegally by some means other than our service." That strongly suggests that the affected users weren't using unique IDs and passwords. So when their credentials were breached in another attack, hackers could use them to break into their Nintendo accounts.
Nintendo Is the Latest Victim of Credential Stuffing in Media
The Lesson for Businesses
Require multi-factor authentication.
Your users will thank you in the long term.
3. Slickwraps and the Case of the "White Hat" Hacker
4. Antheus Tecnologia Biometric Data Breach
5. LiveJournal Data Breach Comes Back to Haunt Users
6. LifeLabs Breach Exposes Almost Half of Canada
7. Wishbone Data Breach Puts Young Users at Risk
8. Shocking Revelations From an Australian Football Data Breach
9. CAM4 Exposes 10.88 Billion Records
10. ExecuPharm Data Stolen and Published in a Ransomware Attack
11. EasyJet Customers Hit Hard
.
.
.
USER
Awareness
PASSWORDS
Passwords should be like Joey
WHAT'S A PASSWORD?
ANYTHING THAT'S A SHARED SECRET!
PASSWORD1234
A string
RKYLHWK8@YB&YTI!8UKZH#TY?
A string
CAN BE HARD TO REMEMBER
IF COMPLEX!
A PASSWORD MANAGER CAN HELP!
CAN BE HARD TO GUESS( BY SOMEONE) IF COMPLEX!
BUT DO USE PASSWORD MANAGER SO YOU DON'T FORGET!
credit
1234
A pincode
NOT SO HARD TO GUESS
OFTEN COMBINED WITH THE MAXIMUM ALLOWED NUMBER OF ATTEMPTS!
FAIRLY EASY TO REMEMBER
USUALLY USED ONLY WITH ACCESS TO A PHYSICAL THING
(CARDS, PHONES, KEYPADS, ...)
A pattern
Passwordless ✨
ONE TIME PASSWORDS
Valid for one-time use
Often expire after a certain time
Sent directly to the user
SENT IN SMS
iOS and Android let you fill in the OTP with the press of a button
NOT ALL TELECOM OPERATORS TAKE SECURITY SERIOUS, SMS MESSAGES CAN BE INTERCEBTED
You need your cellphone on hand
SENT IN AN EMAIL
You don't need a second device
EMAILS CAN BE INTERCEPTED
AUTHENTICATOR APP
SOCIAL
ONE LESS PASSWORD TO REMEMBER
ONLY GIVE PASSWORDS TO A SERVICE YOU TRUST
YOU RELY ON ANOTHER SERVICE FOR YOUR AUTHENTICATION
OFTEN USED AS A SECOND FACTOR
HOW'S YOUR PASSWORD SHOULD BE?
So The Question for Users would be,
LIKE JOEY
LIKE JOEY
LIKE JOEY
SO DON'T SHARE IT WITH ANYONE
LIKE JOEY
LIKE JOEY
USE UPPERCASE AND LOWERCASE CHARACTER
LIKE THIS?
KXnCTowPLjkTIwQ
LIKE JOEY
Joey doesn't know French, he makes it up,
So, make your Passwords randomly
LIKE JOEY
Joey has One Chandler
Your Password should only be used on one account.
Tips for a good password
-
Use a complex password
-
Don’t use personal data
-
Don’t reuse passwords
-
Change passwords frequently
xkcd: Password Strength
So how about this?
DrTdMeToEtAeBtILePe
Easy to remember!
DrTdMeToEtAeBtILePe
Doctor told be to eat Apple but I like Pineapple
DEVELOPER
Awareness
1. JSON Web Tokens ( JWT )
2. WebAuthn
3. Authentication as a Service
JSON Web Tokens
JWT
JWT
What is JSON Web Tokens?
- Based on Web Standard ( RFC 7519 )
- securely communicate JSON Objects
- A way to encode information
- Allow shared parties to verify information is legit
- Secret-based Verification
- When secret changes then information is no more legit
- Consists of a header, payload and signature
- Self-contained
JWT
JSON Web Token
JWT
The JWT Header
The header is a JSON Object usually consisting of the type( typ ) , which is JWT, and the algorithm used for encrypting the JWT (alg ):
{
"alg": "HS256",
"typ": "JWT"
}JWT
The JWT Payload
The Payload is a JSON object that consists of user defined attributes ( called public claims ) . Some attributes are defined in the standard ( these are called reserved claims ).
{
// reserved claim
"iss": "https://myapi.com",
// public claim
"user": "mdsbzalam"
}JWT
The JWT Signature
The Signature is the encoded header and payload, signed with a secret.
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
This accomplishes several tasks at once, including:
- Proves the identity of the sender
- Ensures the message has not changed
JWT
The JWT Token
A finished token looks like [encoded header].[encoded payload].[signature] :
JWT
The JWT Token
WEB AUTHENTICATION API 🤩
WEBAUTHN 🤩
KEY BASE AUTHENTICATION
HARDWARE AUTHENTICATION
DEMO
navigator.credentials
.create({
publicKey: {
// random, cryptographically secure, at least 16 bytes
challenge: base64url.decode("<%= challenge %>"),
// relying party
rp: {
name: "Awesome Corp" // sample relying party
},
user: {
id: base64url.decode("<%= id %>"),
name: "<%= name %>",
displayName: "<%= displayName %>"
},
authenticatorSelection: { userVerification: "preferred" },
attestation: "direct",
pubKeyCredParams: [
{
type: "public-key",
alg: -7 // "ES256" IANA COSE Algorithms registry
}
]
}
})
.then(res => {
var json = publicKeyCredentialToJSON(res);
// Send data to relying party's servers
post("/webauthn/register", {
state: "<%= state %>",
provider: "<%= provider %>",
res: JSON.stringify(json)
});
})
.catch(console.error);navigator.credentials.create
navigator.credentials
.get({
publicKey: {
// random, cryptographically secure, at least 16 bytes
challenge: base64url.decode("<%= challenge %>"),
allowCredentials: [
{
id: base64url.decode("<%= id %>"),
type: "public-key"
}
],
timeout: 15000,
authenticatorSelection: { userVerification: "preferred" }
}
})
.then(res => {
var json = publicKeyCredentialToJSON(res);
// Send data to relying party's servers
post("/webauthn/authenticate", {
state: "<%= state %>",
provider: "<%= provider %>",
res: JSON.stringify(json)
});
})
.catch(err => {
alert("Invalid FIDO device");
});navigator.credentials.get
Authentication as a Service
Authentication as a Service
1. Auth0
2. Firebase
3. Okta
.
.
.
Why choose them?
1. One Stop Solution to all your Authentication needs
2. Single Sign-On
3. Enterprise Connections
4. Passwordless email and SMS
5. Multi-factor Authentication
6. Brute Force Protection
7. Breached Password detection
Authentication
Is
Luxury?
or
Necessity?
So the Question is,
Resources
General JWT Resources
jwt.io
JWT Handbook
http://bit.ly/jwt-book
WebAuthn
Connect with me
Youtube
mdsbzalam@gmail.com
@mdsbzalam
Slide
@mdsbzalam
Thank you
@mdsbzalam
Authentication - Luxury or Necessity?
By Mohammad Shahbaz Alam
Authentication - Luxury or Necessity?
MozNUV
