
Thank you so much for your patience, and thank you to the AV folks for figuring this out for me. Good morning. Oh no, now... well, there we go. Okay, so the computer audio is not working, but this is a test of whether YouTube's Content ID is going to take this offline, even though I took all these clips from YouTube.

I'm Chester Wisniewski, and I'm not here officially representing Sophos, but I did use our slide deck, because my company was kind enough to pay for me to be here with you today. I've been doing a lot of work with customers of ours around helping shore up some of their multifactor and looking at ways that criminals have been continuously compromising them and sometimes bypassing multifactor. So a lot of the information I'm presenting here today is based on information from our customers and from my experiences working with them as part of our incident response teams, part of our managed detection and response teams, etc. I've been at Sophos for about 20 years, so I'm a bit of a lifer here, and I think I presented here at BSides in 2019, so hopefully all of you can understand my crazy Canadian accent, and we'll do our best to get through all my content on time this
morning. Let's try the audio again. No. So maybe Walter White's not going to co-present with me today, but maybe that'll stop YouTube from taking me down.

So, a quick agenda. I'm going to go through the most popular MFA methods and some of their weaknesses. I know some of you may already be familiar with a lot of the details, but I'm going to quickly go through the basics that make most of them work, and then we'll talk about some of the more famous examples of how they've been bypassed, that you may have seen some of the stories in the news around, and then I'm going to try to provide some advice based on my experience that, if nothing else, will make it more difficult to compromise or bypass the multifactor solutions you may be implementing to protect your information.

So obviously, hopefully, if you're at Security BSides you know what multifactor is, right? We're trying to add something to authentication that includes physicality, so that it makes it much more difficult for somebody to impersonate you, because it's not just a secret that can be stolen. I'm not going to spend too much time on that, but we do have a lot of different approaches that we can take, and depending how old you are (I mean, there's a few folks in the room that probably are young enough that they may not have been born when I started working at Sophos) you might not recognize all of these. But you probably started out by seeing one of these RSA tokens in your pocket, or perhaps the Nokia phone where you got your SMS six-digit code texted to you back in the late 1990s or early 2000s. Of course we've got a lot of other technologies now, right? We've got push notifications, we've got Google Authenticator kind of apps, we've got smart cards, we've got FIDO tokens, and of course most of us have some sort of biometric device in our pockets, whether it's Face ID on an iPhone or a fingerprint reader on your Samsung or whatever you might be using to
authenticate to your phone. That can also be deployed as another method of multifactor.

If we look at how these things work, under the hood of most of them are a few essential things. Any time we're entering in these six-digit codes, in essence we're relying on a pseudo-random number generator, right? Most of us that want to do cryptography are not big fans of pseudo-randomness, we want real randomness, but it turns out to be an advantage when we're using these applications. Whether it's an RSA token or whether it's that Google Authenticator app, most of the time, in essence, what you're getting is some sort of seed, and that seed is seeding the pseudo-random number generator to give a predictable set of seemingly random numbers, and because they're predictable, both sides can match them up and determine that they are in agreement about what that code is. I saw somebody probably took a picture of my QR code here, so you now know one of my Gmail accounts. That will not work; that is not the current authenticator on that account, but knock yourself out, I'll get the notifications later, it's fine.

A lot of folks of course want to back these up as well, right? Because, like, oh, I'm going to get a new phone, or I drop my phone in the toilet, and all of a sudden I don't have my two-factor codes anymore. So a lot of people will take a screenshot of those QR codes and back them up so that they can restore them later. Personally, I prefer to go into the text mode and grab the 16 characters and put them into an encrypted file somewhere that I can store in my cloud storage, so I make sure I've got them handy for myself. But in essence, all that is is the seed for that pseudo-random number generator. The one wild card here, of course, is we don't really know how the SMS codes are being generated. You would hope that it works on a similar concept, that when it
texts you that number, it is truly some sort of randomness on the end of the company providing that through Twilio or whatever service they're using to send you the text messages. But my colleague and I, I think it might have been at BSides 2019, we both presented here, and we were playing with some of the SMS stuff, and it turns out one of our providers that SMSed us texts was using sequential numbers, from what we could tell. I would get a code and it would be like 13 3121, and then he would do it at the same time and get 1331 124, and it's like, oh, three people between us must have just got a text message.

So this is another downfall, right? Clearly, if somebody can compromise the seed, they know exactly what's going to be on your display. So if they get access to your copies of the QR codes or the backed-up letters, because you store them insecurely, anybody can see what would have been there. But we also are relying on the providers of these services, like an SMS texting service, to actually securely generate the codes to begin with, and it's opaque to us; we have no idea how those codes may have been generated. So it's not the best thing in the world, and that's ignoring SIM swapping and lots of other things.

Biometrics. I don't know how many of you studied the way biometrics are stored in our phones, but the good news is your fingerprint or your face is not actually copied up to the cloud somewhere. Apple does not have your face, and your Android phone has not uploaded your fingerprint to Google for easy storage at the NSA. Generally they're sort of hash-based, right? They're trying to measure different things, hash those things and store those hashes securely. Usually those hashes are going to be stored in the secure element chip in your phone itself, so those hashes are not transmitted to the authentication provider themselves, and the secure element has a shared set of keys so it
can securely communicate with the authentication authority to say: I verified that this fingerprint was read by me, and I'm now authenticating that this device and this fingerprint that belongs to this identity is in fact here. If we look at the accuracy of this stuff in general, in perfect conditions it's about 99.97% accuracy against false negatives, right? So that means most of the time it will recognize your face unless you've had some horrible accident, and the same with your fingerprints, of which I did cut part of my thumb off chopping stuff right before I left for here. So those things can happen. In the real world it's around 87%, because we all have a bit of grease on our fingertips, and different things happen, or we get cold in the bad weather, and that can throw off the accuracy a little bit for things like fingerprint readers. Makeup can mess with face reading. These things happen. There's quite a few of you in the room, actually, and if I guess that there's 256 of you in here, one of you probably could unlock my phone, because that's about the accuracy. They're intentionally fuzzy, inaccurate, because if they're too accurate, every time it snows and your fingerprint shrunk you'd never unlock your phone, so they're intentionally a bit fuzzy.

One of the benefits of using a fingerprint biometric is that your fingerprints have no relationship genetically to any of your family members or anybody else, unlike your face. So if you do use Face Unlock on your devices, it's much more likely that your child or your cousin or your brother perhaps might be able to unlock your device, if you think that's a security threat to you, whereas with your fingerprints that's not true. Even twins have completely unique fingerprints; there's no matching of them at all. So for the truly paranoid, if you're going to use biometrics, you might prefer fingerprints over face if you're worried about your kid unlocking your phone and buying $99 worth of things in the App
Store.

Then of course we have push notifications, and I think the vast majority of companies now have started moving in this direction, whether you're using something like Duo authenticator or Microsoft Authenticator; Google offers it; Apple has it built into their products as well for some of their services. This is where you get the push notification. There are variations of it, of course. Sometimes it shows you a wildly inaccurate map, because the IP address where you're at is not actually associated with the correct thing in their GeoIP database. More and more things are moving toward making you enter those digits in addition to the push notification, so that it's a little bit more difficult for somebody to impersonate or do a man-in-the-middle attack, or a person-in-the-middle attack, that kind of thing. But in essence they're trying to make it convenient, as opposed to you having to memorize six digits and enter them in, that type of thing.

And of course, for the truly secure, we are using tokens a lot these days. YubiKey is probably the most common, popular one, but Google makes the Titan keys, and if you work for the government, certainly in the United States, you might have a smart card with an actual chip on it. That's the same chip that you're using in your credit cards. If you were here for my 2019 talk on a safer way to pay, you learned all about how those chips work; you can see it on YouTube. That's the most secure way. We would refer to this, ideally, when we're talking about WebAuthn or U2F, as a phishing-resistant method of authentication, and that's part of what I'm here to talk about this morning.

So clearly SIM swapping is the biggest risk for the things being texted to you, and we've seen this, and it amazes me that people who are smart enough to have millions of dollars' worth of crypto also rely on text messages to secure their crypto wallets, and have them
repeatedly emptied by the North Koreans. Shocking that people that thought NFTs were a good idea would make a mistake like that. But it's still a thing, and it is something to be aware of. All forms of multifactor are better than no form of multifactor, so I would never discourage someone if it's the only method available to them, because maybe they are not wealthy enough to have a fancy smartphone. My parents are not very sophisticated; they don't know how to really use apps on their phone, and it's a very easy, accessible method for them. It's also an accessibility issue sometimes, where a lot of these services will call you on the phone and read you the six digits, for example, and that's just as problematic from a SIM-swapping perspective as anything else, but it is an accessibility thing for people that are visually impaired. That's a way that they can interact with these systems, and the other tools may not be available to them. So we shouldn't dismiss the six digits, and especially SMS, necessarily, because for some people it's an accessibility issue and it's good to provide it, but most of us are probably going to want to step up from that if we have another option available to us.

You have the RSA problem, which of course is: if the Chinese hack you and steal all the seeds for all the tokens you've ever made. You might question why a company that makes secure tokens would keep the seeds for all the tokens they've ever manufactured, but I'll leave that up to them to describe to you why they did that. But it kind of was a problem, and if you were like me, you might have a couple of extra RSA tokens in your drawer at home now, because I had to get replacements for all of mine due to that incident.

More than that, the other thing we've seen, and that's an actual screenshot, I don't have it in my notes here, I think it was in 2006 I ran across this story of the guy who had outsourced his job to a laborer in Southeast Asia for pennies per hour, and because they had multifactor, he set up his webcam on his RSA token so that the person doing his job for him could authenticate. So without picking on, say, the company, this is another vulnerability of using this kind of method: anybody that can see the digits can enter them, and it in no way actually verifies your identity in any meaningful way. It just means you found some way of getting the codes, and that could be the SIM swapping, it could be the webcam, it could be lots of different things. So it's less than ideal. It's also vulnerable to proxy,
you know, machine-in-the-middle attacks, let's call them, right? Microsoft reported a couple of summers ago that they had over 10,000 companies using Office 365 that were compromised between September of '21 and July of 2022, and it was less than 5 minutes for them to conduct a complete account takeover. The way they did it was using a tool called Evilginx. If you run the web server nginx, there's a version of it on GitHub called Evilginx that is specifically designed to be a proxy for multifactor authentication. So they would send you the phishing email that you can see there, that pretended to have an MP3 that was your voicemail, but thank you, Windows in 2023, for still hiding file extensions: they send it to you as an .mp3.html, and when you open the HTML file, of course, it would take you to the phishing site run on an Evilginx instance that the attacker controlled, but send you the genuine Microsoft authentication for your corporate login. You would get the push notification to your phone, you'd enter 67 like you're supposed to, and you're completely compromised. They would do that by stealing the cookies, by being in the machine-in-the-middle attack, so that they would no longer need to have you authenticate with whatever authentication method you were using ever again, because once they have the cookie, until its lifetime has expired, they can now impersonate you on your O365 instance.

Microsoft documented this really well, if you're interested in the details of how that attack played out. These fantastic graphics are from their root cause analysis that they published. These attacks are becoming a lot more common. I originally developed this presentation to present at BSides Las Vegas this summer, and then I got COVID and couldn't go, and at that time when I was developing it, we started seeing a dramatic increase, since June and July when I originally created this content, of Evilginx
being used in the wild in more and more attacks, because more and more of us are starting to deploy multifactor, and it bypasses all types of multifactor with the exception of phishing-resistant, because you just pass the six digits through, or you get the push notification. I mean, it's a legit login.

Of course there's Uber's third hack. I can't map them all out for you, there's too many to recollect, but in this particular case a contractor's laptop was infected with an everyday Trojan that you might get from malvertising, or we don't really know what the source of that Trojan was that got on there, but they were put up on a marketplace for sale, that contractor's laptop, and Lapsus$ just purchased that employee's credential off the marketplace and then tried to log into the VPN. Of course there was a push notification set up through Duo for that contractor, and I think in the report it said that they sent 320 successive push notifications until the person hit accept, because they got so sick of getting push notifications they just wanted them to stop. Unfortunately for Uber, they also happened to store their Thycotic password for their entire credential database in a plain-text script in a public directory on a file share, and that kind of unlocked the entire network. So there's several lessons to be learned here that are not multifactor-involved, but it shows that just having the push notification is still susceptible to this kind of nag attack, right? Like, how many times during dinner are you going to get "dingle, dingle, dingle, dingle, dingle, dingle" before you just go "make this stop"? And unfortunately, making it stop granted Lapsus$ access to the network.

I'm going to skip Walter, because hopefully this won't get taken down from YouTube that way. Now it will, because I took the Cookie Monster. So that's where we're starting to see things moving in a new direction, right? The criminals are
realizing that, as we're developing better multifactor and as more of us are starting to use phishing-resistant multifactor like WebAuthn or U2F or FIDO2 or YubiKey, whatever name you want to use for that technology, ultimately HTTP is a protocol without a state, right? Like, that's why we have to set cookies, or otherwise we don't know who you are, because every request could be... there's 700 of us behind the Novotel IP address right now. Which one of us is logged into Gmail? There's no way for HTTP to know me from you when we're just looking at packets, so we have to have cookies to track those session IDs, and that of course, if you acquire it, bypasses multifactor entirely, because once I have the session ID... the whole point is to not make me type my password and fingerprint for every single page load as I'm going through my workday when I'm logging into the website. That's our vulnerability now.

The first really public example of that was, I believe, in the summer of 2022: Electronic Arts had an employee PC that was in fact infected. The criminals were able to hoover up all the cookies on that machine, which included their Slack cookie, and that allowed them to impersonate that employee in the internal Slack channel at Electronic Arts and contact the tech support team and ask them to reset the credential for him. Because it was on an internal Slack and the user was logged in, tech support didn't question that person being who they said they were, happily reset the password, which resulted in the FIFA 21 source code being stolen. When I started looking at this, I'm like, I wonder how long does the criminal have from the day that they steal my cookie until that cookie expires, right? Because if the expiry is low enough, then it's less marketable to steal the cookie from me. And it turns out the default Slack cookie is good for 10 years. So if you're using corporate Slack, make a note to go change the
policy, because if you're using free Slack, you're screwed, it's 10 years; if you're using paid Slack, it is a policy in your enterprise policies for Slack that you can change, and I would strongly advise you not to set it to 10 years.

There have been a lot of markets selling stolen cookies. Fortunately Genesis Market is no longer with us, but it was a great example, and I put a couple of example screenshots up there where you could shop for cookies by what kind of thing you wanted to steal. Genesis primarily was actually marketing themselves to teenagers who wanted to buy other people's cookies for games, so they could impersonate them or screw with them; they wanted to steal their Steam cookies so they could download all of somebody else's Steam games so they didn't have to buy them. It was largely oriented toward gamers, but we did see criminals using it to acquire corporate and enterprise cookies as well, to do attacks like we saw at Electronic Arts. As an industry, this hasn't gone away. Genesis has gone away, but there's a lot of other ones out there. Here's a more recent one I had found called Broker, and again you can see by industry you can shop and say I'm uninterested in stealing cookies for schools, I'm interested in cookies for people that are in Brazil or Ghana or Canada or wherever, to target different environments and different kinds of cookies you want to buy.

Pretty much every info stealer out there these days will take all the cookies off your machine once they get on. I mean, fortunately all of the major browsers do make an effort to encrypt the cookie jar, if you want to call it that, the cookie storage, but of course the key is there, otherwise the browser can't read the cookies, and if you've got the key, it kind of doesn't do any good to encrypt it. So they do that; it's pretty much a standard thing. In addition to taking stored passwords, they pretty much always take the cookies, and of course if you're using a password manager, let's say, I'll say Bitwarden because that's one of the ones I happen to like and respect, it stores things very safely, but it can't control my cookies. So even if my passwords are safely secured, you can still hoover them up from Firefox or Chrome or Edge or Brave or whatever you're using.

YouTube has had a lot of problems with this. Google's really clamping down on this. Google's blocked, they say, over 1.6 million different phishes, people wanting to take over YouTubers' channels to promote crypto scams and all kinds of random
stuff. The criminals realize that Google's monitoring the communications really tightly now, so the first thing they do as a lure is move you into an encrypted side channel that can't be scanned. So they move you into WhatsApp or Telegram or Discord, where it's impossible to filter if it's end-to-end encrypted and therefore the provider can't snoop into it. Of course, well, Discord isn't, but Discord's too competent to filter them out, and Google is very carefully looking at Gmail to make sure that the scam messages aren't coming through, so they try to migrate you to something else. We've seen them also using Signal and other things as well, anything that's encrypted end to end, so that the service provider themselves can't tell that there's a malicious link that's going to take you to the Trojan that's going to steal the cookie off your machine. Again, Google's published a pretty extensive root cause analysis of some of the attacks they've been thwarting. These stolen Google accounts were going for between three and $4,000, depending on how many followers your YouTube account has, and that's why now any high-follower YouTube account has mandatory multifactor authentication. Google forces Google accounts to have MFA now if they have more than a certain number of YouTube followers, because they've been such a target of criminals wanting access to those audiences.

As I mentioned, this is just a brief listing of the most common Trojans that are hoovering up cookies. The list continues to grow and grow and grow, but these are the ones we most commonly see in SophosLabs when we're doing analysis of the malware samples coming into the lab, and all of them are malware, with the exception of Evilginx, which is an open source project that's on GitHub, but I inserted it in here because we are seeing it rise in prominence for bypassing multifactor as well.

So what do we do now? I mean, Walter had some sage advice, but he's a bit quiet today. The future, clearly, for most of us is to move toward
WebAuthn, and that's really the best way. This is just a brief description of what it looks like, but the idea here is, when I want to log into Gmail and I want to use my phishing-resistant token, whether that is a passkey that's stored in my iPhone, whether that's a YubiKey I happen to keep on my keychain, or a smart card, or whatever I'm using, all I'm going to do is send a challenge with my username to Gmail and say I want to register, and all they get from me is my email address or my username. Then they go, okay, we're going to create a new credential for this person, he's registering an account. They send back my username with a challenge. I sign that. I create a new set of keys just to talk to Google, I store it in a little database called google.com, I use that new set of keys I generated to sign that challenge with my response, so that they now have my public key. The only thing they store is my public key; I store my private key in my credential store. If it's a passkey, it's stored in the secure element on your phone; if it's your YubiKey, there's a little HSM in your YubiKey that it stores it in. This is dumbing it down a bit, please don't pick on me, but I'm trying to make it accessible.

Then all that Google stores is my public key, and every time I want to authenticate I just have to sign their challenge to prove I have the private key, and I'm in. This is phishing-resistant because I will only use that key for the domain I stored it for, so somebody would have to take over google.com to get me to sign a challenge from google.com, and impersonating Google, I think, is pretty difficult. Now, it may not be true for all things you're authenticating to, but that's largely why it's phishing-resistant. If you can take over the domain name system and you can get Google's private key to send the challenge to me for the public key that I stored when they signed it, I guess it's possible to bypass, but it's difficult; it increases the bar quite high. For future visits to my Gmail account it's a very similar flow, except of course I'm not creating a new account. They just send me a challenge, I sign the challenge to prove I'm who I am, and then they know that, and because it's stored with the domain name, again, you can't trick me into giving it to the wrong website. Very similar to your password manager, right? If you store your password in a password manager,
it's not going to offer to autofill it for the wrong website, and that's another security measure, and this just takes it to an extreme by using digital signatures as part of that process.

Another thing we can look at: as we know, Evilginx is getting more popular. If you're not using WebAuthn, well, how many people are authenticating from the same IP? Because when we see Evilginx targeted at a given enterprise, they're not typically phishing one employee; they're sending these out to tens, hundreds of employees, and because they're going through a proxy, they generally are all going to come from one IP address. Suddenly all of my staff are in central Kansas, also known as geolocation 0, 0 in the United States, and that's awful suspicious, right? Like, yesterday they were in Seattle and London and Tokyo, and today they're all in Kansas. So this is one of the things we can start to watch for in our authentication systems. If we're not able to use phishing-resistant authentication, we can spot these proxies being deployed in a phishing attack by having an anomalous behavior like that, which is: why are all these people suddenly somewhere else? Now, it could be that, now that we all work from home and stuff, it could be we're all having a corporate offsite in Paris and that's why we're all showing up at the Novotel in London, perhaps. So you're going to get false positives, but at least it gives you a heads-up that an attack is underway. It's also an early detection mechanism, so that if it is a large-scale phishing attack, you may get this as a way of spotting that it's the beginning of the attack faster than you might get phishing reports from very aware employees who are like, I got this weird email, I'm going to report it. Those processes have a tendency to be somewhat lengthy; this is a very fast way of detecting early stages of an attack.

I'm a big fan of the traffic light system. We don't want to put
too much friction in place. Like, back to the cookie lifetime, right? Maybe I want my staff to have to log in once a day, so I'll set my cookie expiry to 24 hours, but I don't want them to have to pull out their authentication token every hour, even if a 1-hour cookie is probably more secure than a 24-hour cookie. Because, back to what's going to happen with that cookie: in all likelihood the person stealing it is not the person who's going to abuse it. The person stealing it is probably going to put it in a marketplace; it's probably some teenager somewhere trying to figure out if you've got a Steam cookie they can steal. So you've got some time, right? So maybe 2 days on your cookies, less than 10 years, more than 2 hours, somewhere in that range, probably. But we can also dynamically adjust those policies based on the sensitivity of that application that we're using, right? So doing an inventory of all your applications, especially as you move towards ZTNA and that kind of thing, where you now have granular control of different applications, very easily as a security administrator or professional you can start looking at them and going, you know what, for the wiki, the cookies can be a week; I'm not as worried about somebody stealing my wiki cookie. But for the HR system, maybe it really is an hour. Maybe every hour I'm willing to force people that are going into the HR system to do things like changing people's salaries, or sensitive things where there's really sensitive information; I want to keep that very low, and I'm willing to take the penalty of a very large amount of friction. But for, maybe, committing source code, I'm in the middle somewhere, right? Maybe I want people to do it twice a day instead of once a week. So by allocating things to a category you can have some policies, and it doesn't have to be red, yellow and green; you could have seven colors if you really like, but complexity is not the friend of security, typically. I'd recommend trying to keep it simple: go out there, inventory your apps, decide on what risk threshold is appropriate for those apps, and then you can implement a staggered policy. Maybe you don't even use multifactor at all for green apps; maybe it's fine to just have a username and a password and you're okay with people logging in that way. But it's a good way of not imposing too much pain for everything, but enough pain to protect the asset that you're looking after.

And lastly, some other smart checks. I mean, one of the things that we do
internally, and I know a lot of other organizations do, for highly sensitive things: it can only be done from a corporate device that has a corporate certificate on it, in addition to me doing multifactor with a third device like my YubiKey or my phone. That really narrows down and makes that cookie theft thing go away. Like, if I can't commit source code to GitHub unless I'm on a device that has a certificate and you've authenticated as me with multifactor, you've really raised the bar pretty darn high. Not impossible, but really pretty good. Device health can of course be a part of this as well, because cookie theft is usually done by commodity malware, which likely means that device is either unpatched or not protected to your corporate standards, whatever sort of endpoint security you're using, and in that case you may want to automatically force that user to use the highest level of security every time they authenticate until that device health returns to normal, because clearly that device is at higher risk of having the cookie stolen if it's in a diminished state. Trusted IP ranges can reduce fatigue if you want to eliminate your office IPs from having stricter standards, but for unknown IPs, things like impossible travel... all these have false positives, right? It's back to thresholds of how much pain you're willing to take. I'm a frequent impossible traveler, because I do research from my hotel rooms, so I'm logged in from London but I'm also in Vietnam and Sydney at the same time, and I forget, and it locks my account because they figure I can't be in London and Vietnam at the same time, which isn't wrong. I mean, Stephen Hawking kind of proved that to us. But it can have false positives; for the right level of security of certain systems, it may be something you're willing to impose. I know a lot of companies have decided that they just will blacklist China and Russia and that's going to solve all their problems. We know that that's not true, but I guess it couldn't hurt in some circumstances.

But those cookie lifetimes: shortening those TTLs on those cookies. When you're using enterprise cloud apps, be looking; all of your cloud apps have these settings, and if you haven't reviewed them, go look at your Office 365, go look at your Google Suite or your Slack or all these types of services, because many of them have generously high cookie lifetimes because they want to be a frictionless experience, and friction is not always bad. And of course, modern endpoint security.

So those are my thoughts on multifactor and how we're seeing it
compromised and bypassed and these are the best ideas I could come up with on how to try to look after your multiactor and if there's any questions I don't know if I have time but I think I think we're doing
okay. I think the microphone is coming up. There was somebody over here, right there in the middle.

[Audience question] So most of the cases of multifactor authentication bypasses I've seen have been email compromises through M365, and a good portion of those come from conditional access policies. So have you got any common conditional access policy pitfalls you've seen that have been used to get round them?

That is not something I've looked at, so I don't really have an answer for that, but that's a great question. If you want to follow up at lunch, I might reach out to my colleagues internally and see if they've got any advice, because I'm familiar with the risk there but
I don't have any good [Laughter] advice. Thanks for the question. Is there anybody else with any questions? Hopefully this man's question I'll have an answer to, I
know.

[Audience question] So what's your opinion on SSO? Would you choose to have your entire organization using one set of credentials, which then prevents writing down passwords and stuff, or would you rather have your organization be tackled with MFA for every platform they end up signing up to?

Sorry, I didn't hear the last part.

[Audience question] Like, would you rather use MFA for every single platform that they are signing up to during their working hours, or would you rather go for SSO and one set of credentials?

Yeah, SSO is a blessing and a curse, right? It's how most of us are going to force MFA into our processes, by having a centralized identity store that we can have policies on. But obviously it is the "steal one key to unlock the entire org" problem. Ideally you can, back to these cookie lifetimes, I mean you're going to have a separate cookie even if it's single sign-on for most things, so you could set conditional access policies that are different for different services even if you're using single sign-on. In the end, users will out-stupid anything you do: the webcam and the RSA token, right? We have to make things easy enough and just accept the risk. So I think SSO is probably the answer, and you just have to put more of your eggs in the monitoring-for-compromise basket, with the understanding that that's a risk, right, because tools have to be usable. Normies just aren't going to do things the way we want them to do them if we make it too hard; they will out-dumb it. Thank you. Anyone else? There's a gentleman up here.

[Audience question] Thank you for a really good talk. What's your prediction on when we'll finally be able to get rid of passwords, and do you think FIDO2 is kind of the cure-all magic answer to that?

As somebody clumsy with my keys and phone often, I don't think it is. I think passkeys might be our savior if we can just get everyone to adopt them, and it seems like Google and Apple in particular are going to bully all of us into using them whether we want to or not, and that might help. Passkeys are not a panacea, of course, because of the way we make passkeys usable. If you're not familiar with passkeys, in essence it's a software version of a FIDO token that uses your phone biometric as the second factor, as opposed to carrying a USB drive or a Bluetooth thing or a smart card or this kind of thing. And to make them usable, Apple and Google and Microsoft back up your private keys to the cloud, so that when you drop your iPhone in the toilet you're not locked out of your accounts. That obviously presents a vulnerability, because then if somebody can authenticate to your cloud provider that you're using to store your passkeys, they can impersonate you. But it's a heck of a lot better than any password anybody has ever used, and it's very, very usable, right? It's the kind of thing that, back to my parents: they cannot use most multifactor, it's too complicated for them, but if it's as easy as the login page saying "unlock your iPhone to log into Gmail", they know how to do that. So it's about usability again versus security, and I think passkeys are going to be the answer.

The problem is, of course, all of us have seen the ridiculous password policies even on sites that shouldn't have them. There's no good unifying; it's not like we're all going to suddenly adopt it, right? Like Google and Apple and Facebook and Meta and X and whatever are all going to have it this year and we all get to use passkeys, but unfortunately your bank and your retirement account and a million other things aren't going to have it, or won't have it for five years, or maybe they'll have it and it'll still let you bypass it by telling them the name of your first car. We have a lot of issues to deal with here, but I think the passwordless future at least seems real to me. Passkeys is the most usable, the most secure way for a regular person to safely use their accounts that has existed yet, and it's the only one that I think the friction is low enough that normal people are like, "yeah, this is all right." So now that we have the technology, we all just need to be evangelists and lobby our own companies to implement it in our web solutions. If you're a developer, if you're a company that provides software applications, perpetually ask your financial institutions why they don't have it yet, and be an advocate for it, because I think it's the most usable, sensible answer we're going to have.

And for those of you that do have tokens, the great thing about passkeys is it uses the same WebAuthn backend as every other part of the U2F ecosystem, which means when I go to a passkey site I can actually use my YubiKey as an authenticator to a site that supports passkeys, but somebody who doesn't have a YubiKey can just use their phone. So it's great, right, because I can use the more secure hardware that I want to use to secure my account, but you can fall back to your phone if that's okay for you.

[Audience question] Do you not worry about personal users having to, say, use their personal iCloud to manage their passkeys, perhaps misconfiguring that and, say, sharing an iCloud account with their child, for example?

Oh yeah, that's going to happen. I mean, this is the vulnerability of passkeys, right? The private keys are stored somewhere that somebody can access them, whether it's the child or the criminal. But it's still better than... I mean, I can't even come up with a password absurd enough to explain what most people are using today, right? It's their sports team. Anything is better than what we're doing, so I would still take that risk.

I will wrap up at that point. Thank you. If any of you want to chat, I'll be here most of the day; come see me at lunch.
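As an added example that is not part of the talk, the staggered conditional-access policy the speaker describes (app risk tiers, MFA on a corporate-certified device for sensitive apps, a device-health override that forces the strongest level, trusted office IP ranges that skip the travel check, and an impossible-travel check for unknown IPs) written as a small Python evaluator. The network range, tier names, speed threshold and coordinates are constructed assumptions, not values from any product or the talk.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Constructed values: a hypothetical office range and a travel-speed threshold.
TRUSTED_NETS = [ip_network("203.0.113.0/24")]
MAX_SPEED_KMH = 1000.0  # faster than this between two logins = impossible travel

# Authentication levels, weakest first; "mfa+cert" = MFA on a corporate-certified device.
ORDER = ["password", "mfa", "mfa+cert"]
LEVELS = {name: rank for rank, name in enumerate(ORDER)}
# Staggered policy: minimum level per app risk tier (the talk's colour tiers).
TIER_MIN = {"green": "password", "yellow": "mfa", "red": "mfa+cert"}

@dataclass
class Session:
    app_tier: str             # "green", "yellow" or "red"
    src_ip: str
    device_healthy: bool      # endpoint patched and protected to corporate standard
    prev_login: tuple = None  # (lat, lon, hours ago) of the previous login, if known
    cur_geo: tuple = None     # (lat, lon) geolocated from src_ip, if known

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(s: Session) -> bool:
    """True when the implied speed since the previous login exceeds the threshold."""
    if s.prev_login is None or s.cur_geo is None:
        return False
    lat, lon, hours = s.prev_login
    if hours <= 0:
        return True
    return km_between((lat, lon), s.cur_geo) / hours > MAX_SPEED_KMH

def required_level(s: Session) -> str:
    """Weakest authentication level this session may present under the policy."""
    if not s.device_healthy:            # diminished device: strongest level until it recovers
        return ORDER[-1]
    level = TIER_MIN[s.app_tier]
    trusted = any(ip_address(s.src_ip) in net for net in TRUSTED_NETS)
    if not trusted and impossible_travel(s):   # only unknown IPs get the travel check
        level = ORDER[min(LEVELS[level] + 1, len(ORDER) - 1)]  # step up one level
    return level

def allowed(s: Session, presented: str) -> bool:
    return LEVELS[presented] >= LEVELS[required_level(s)]
```

The false-positive trade-off the speaker mentions lives in MAX_SPEED_KMH and TRUSTED_NETS: loosen them and fewer genuine travellers get stepped up, tighten them and more stolen-cookie replays from unexpected locations do.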