Most everyone uses some kind of multi-factor or "2 Factor Authentication". But our guest this week (who is going by "Matt", @infosec_meme) wanted to discuss some gotchas with regard to 2FA or MFA and the issues that come from over-reliance on 2FA, including some who believe it's the best thing ever, and we finally discuss other methods of 2FA that don't just require a PIN from a mobile device or token.
We also discuss its use with concepts like "BeyondCorp", which is Google's concept of "Software Defined Perimeter" that we talked about a few weeks ago with @jasonGarbis (http://traffic.libsyn.com/brakeingsecurity/2017-011-Software_Defined_Perimeter.mp3)
This is a great discussion for people looking to implement 2FA at their organization, or who need ammunition if their boss thinks that all security is solved by using Google Auth.
Youtube Channel: https://www.youtube.com/channel/UCZFjAqFb4A60M1TMa0t1KXw
Jay Beale’s Class “aikido on the command line: hardening and containment”
JULY 22-23 & JULY 24-25 AT BlackHat 2017
Join our #Slack Channel! Sign up at https://brakesec.signup.team
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/
Comments, Questions, Feedback: firstname.lastname@example.org
Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
What does MFA try to solve:
MFA / Bad things happening with that:
Internal training / is this actually working?
Australia Post didn't think so
It's irritating and does break at times ( https://twitter.com/dguido/status/842448889697447938 )
C: I don’t like running some silly app on my phone
C: I also don’t like running around with a physical token
C: Embedding a Yubico nano in my usb slot leaves me with one usb port left
Also doesn’t solve when someone just steals that token
Does any of it matter:
BeyondCorp / "Let's make the machine's state be part of the credential"
Is there some way we (not google) can make it so a credential is worthless?
Duo / “There's an app on my phone and it has context about what wants to do something right now”
Probably a step in the right direction
Kind of like some Aus banks which SMS you before transferring $X to Y account
Okta - (grab links to spec)
META // Does this actually solve it?
OAUTH - (grab links to spec)
Attacking OAUTH - https://dhavalkapil.com/blogs/Attacking-the-OAuth-Protocol/
META // It’s not MFA, but it makes the cost of unrelated compromise significantly lower
META // Engineering things to use short-lived secrets is a better idea
I think one of the better ideas being put out was by Google in 2014, the ‘BeyondCorp’ project (https://research.google.com/pubs/pub43231.html), simply put:
Obviously this is a massive undertaking and would require a massive overhaul of everything, but it did look like Google were able to pull it off in the end (https://research.google.com/pubs/pub44860.html).
Tavis is banging on LastPass again… https://www.ghacks.net/2017/03/21/full-last-pass-4-1-42-exploit-discovered/
Duo Security // BeyondCorp
More info on BeyondCorp
Misc // Hey, Google wrote a paper on U2F a while back
Touched on briefly / “Secure Boot Stack and Machine Identity” at Google - Servers which need to boot up into a given state (Sounds like U/EFI except ‘Google-designed security chip’)
META // Patrick Gray (sic) interviewed Duo last week and talked about the same thing