
BSides LV 2023 - PasswordsCon - Tuesday

BSides Las Vegas · 8:35:18 · 429 views · Published 2023-08

Good morning everyone. I want to get started a little bit early because I want to make sure that I don't cut into any of the time for Aldo here, because I'm really looking forward to this talk. So I just want to go ahead and, on behalf of the PasswordsCon staff and BSides, welcome everyone here to Vegas. This is a really cool thing to be doing again here. Okay, so, just to take the energy down a notch, I've got a few announcements just to start things off.

First of all, I guess we're contractually required to, but I really do want to thank our sponsors, because we wouldn't have this here if it wasn't for them. So thank you Adobe, our Diamond sponsor, as well as Toyota, Semgrep and BlueCat. Thank you, we really appreciate this; I love doing this, and you make it possible. Also, for cell phones: these talks are being streamed live, so please don't have any side conversations on your cell phones or something like that. This is a PasswordsCon track, so I'm sure we can figure out some way to deal with that if it happens. Also, really quick: we've been doing PasswordsCon for a long time. Haven't we solved this problem yet? And the answer is obviously no, but one thing I want to do to start things off is a little bit of audience Q&A: who here has had their password stolen? I certainly have. I'm almost getting bored of this now; it's like, oh, my password got stolen again, I guess it's a Tuesday. So let me tell you about probably the worst data breach I've ever been a part of. When I first graduated college I loaded up literally everything I owned into my car and I was job searching and stuff like that, and one day I woke up, came down from my hotel room, and the back window of my car was broken, and I found out I owned significantly less stuff. Some of it was really kind of annoying: I had disassembled all my furniture, so they stole the bag with all the bolts, which is just mean. But they also stole all my important documents, because I left them in my car. They got my birth certificate, they got my social security card, they got my passport, they got blank checks. Literally, if you can think of something physical that you don't want to get stolen, that got stolen from me. So I might not actually be Matt Weir; I might be the person who broke into the car, as far as you know. But I was able to recover from that: I was able to get new credit cards, new checks, new IDs, and I think that really speaks to the resiliency of this authentication, the fact that I could suffer the worst possible breach you can even imagine and still recover from it. And that's where I think passwords play a big role too, because we have so many different compromised passwords; we get them stolen all the time, yet we can still book plane tickets, we can still show up in Vegas, we can still have the hotel, except for the credit cards. I think that really speaks to the value of all the hard work that everyone here has been putting into this field. So an obvious question, though, is why are we still using passwords? They get stolen all the time; can't we move to more of a passwordless type of option? And that's why I'm really excited to introduce Aldo, because he's going to tell us about some of the challenges that occur when we move to that as well. So can we all give a hand to Aldo?

All right, thank you, thanks for that introduction. Well, my name is Aldo and I'm here today to talk about passwordless and passwordless security. It's actually an honor to be here at PasswordsCon, and I was a little bit nervous to be the first one speaking today, but actually it's quite the opposite, because that takes the pressure off: if this talk sucks, then the bar is going to be so low for everybody else. So if anybody here is a speaker, you're welcome. Let's try to make this talk suck a lot for all of you.

All right, so, who am I? I've been doing AppSec for about 15 years, a little bit more, from doing pen tests to code review to everything in between. I am also an OWASP chapter leader in my city, and right now I am running the application security program for HYPR, which is a passwordless startup. It's kind of ironic that I'm talking about passwordless vulnerabilities, but it's going to make sense, trust me. So before I begin, can you just let me know how many people here are developers? All right. What about pen testers? Nice. And is anybody here already using passwordless, either at work or on your personal devices? Awesome, cool, thank you. All right, so let's get started. Let's begin by answering this question: does anybody here think that a passwordless solution is actually worse, or actually less secure, than having a password? Can anybody think that? Right, I feel you. Well, the answer to that question, actually, is no, it is not less secure. And actually that is my whole talk, thanks for coming here today, thank you. No, no, no, sorry, that was a terrible joke, I'm sorry about that. Now, this is the agenda that we're going to be talking about today: first of all, some background on why I am giving this talk; what is passwordless, for those of you who are not familiar with this paradigm; then we're going to deep dive into what the actual issues with passwordless implementations are; and at the end we're going to have some recommendations for all of you: developers, pen testers and enterprises. So to set up expectations: this talk is a brief introduction into passwordless. This is not a full talk on passwordless; we're going to be talking about vulnerabilities in a passwordless implementation, specifically a web application. Passwordless can be used in other types of applications, but these vulnerabilities are related to passwordless in web applications. These issues were identified in a particular passwordless product that shall remain nameless. No, it's actually my employer. But these vulnerabilities apply to any application that is using passwordless, so this is not specific to a product; it applies to any application that is using passwordless. What this talk is not about: we're not going to be disclosing any new attacks, I'm not dropping any zero-days today, I'm not doing a full talk on passwordless here, and we're not going to be talking about how to break cryptography. One of the passwordless implementations uses public key cryptography, so we're not going to be talking about that today. And why am I doing this today? Basically, I think that nobody's talking about passwordless vulnerabilities. The vendors right now, and the whole industry, are moving away from passwords, slowly, to the passwordless paradigm, but nobody's actually talking about it. A lot of big players such as Microsoft, Google and Apple are all pushing for passwordless, but they are not talking about their issues. I actually went to VulDB.com and searched for passwordless, and I got several results, but none of it. Some of the stuff that I'm going to be talking about today is already public, and it's not there. Out of curiosity, not to throw shade at any of the competitors, I went to their websites looking for some advisory page, something related to vulnerabilities, and I didn't find anything. So in short, nobody's talking about this. Just a couple of weeks ago, when I was getting ready for this talk, I looked for passkeys on Google, and as you can see here we have many examples of companies already implementing passwordless. Well, they are implementing passkeys, which is a way of doing passwordless, and we're going to be talking about that. We have 1Password, we have TikTok, which is now using passkeys, we have GitHub, we have PayPal, we have Apple ID, and this was just a couple of weeks ago; if you go right now and search for passkeys you're probably going to find more examples like this. So a lot of companies are going passwordless, but how secure are they? That is the question.

So what is passwordless, for those of you who are not familiar with this paradigm or are not really sure what I'm talking about? Passwordless essentially means not using a password. In short, that's it, basically. And no, that's not a joke, that is actually what it means. One of the most traditional implementations is using public key cryptography, but there are more. If you are not familiar with public key cryptography, essentially it creates a key pair: one public key and one private key. The public key stays on the server, the private key stays with you or your device, and then the application sends a challenge that you have to sign with your private key, and only you can sign the challenge. It's very secure; a lot of cryptography works that way nowadays. So this is the most common way of implementing passwordless nowadays. A couple of quick mentions: when you are using a password manager, that is not passwordless. I mention this because I saw a post the other day about somebody saying, oh, go passwordless, use a password manager, and that is obviously not passwordless; you're just storing your password somewhere else. When you have two-factor authentication, that is also not passwordless, because you are providing your username and password and then you are providing an additional factor. And lastly, when you have a one-time password, as the name suggests you have a password that is valid only once, but it's still a password. So in short, passwordless means using no passwords, and these are some of the ways that you can actually implement passwordless. Let's talk about them real quick. One of the simplest ways to implement passwordless is using a magic link. For those of you who are not familiar with magic links, essentially a website sends a link to your email, you click it, and you are authenticated to that website. That's it. I think that's why it's called a magic link, because it looks like magic: you don't have to provide a username, you don't have to write a password, you simply click on a link and you're in. That is actually very practical, but it has some disadvantages, such as: if the attacker has access to your email, well, they own your accounts, right? These magic links can be delivered using email, SMS, and basically any way that you can reach your user. The second way to implement passwordless is using security keys, such as these ones. These are YubiKeys, these are physical security keys. Anybody here already using YubiKeys or security keys? Oh, perfect, that's amazing. This is actually my preferred way to implement passwordless, but as you know, this could be quite expensive, especially if you are a big company. For instance, let's say that you are Facebook and you want to deploy passwordless to all of your users; I don't know how many users they have, probably a billion, I don't know. Can you imagine just trying to purchase YubiKeys for your million users? That's not going to scale. And lastly we have biometrics, which work in the same way, well, very similar to security keys: they create a public key pair and you have your own private key, and that is unlocked using your biometrics. So this is a very good alternative to security keys; everybody has a smartphone nowadays, and they can use that smartphone as a way to provide passwordless access using their biometrics. This is just an example of how Slack does passwordless: essentially you go to the login, you provide your email, and they are going to send you an email with a code; you provide that code and you don't have to provide any passwords at all. That is another way to implement passwordless.

All right, but now we have FIDO. We see that we have several ways to implement passwordless, but we really didn't have a standard until recently, so everybody was doing it the wrong way. This is why the FIDO Alliance exists. The FIDO Alliance basically is an organization that is in charge of maintaining the specification for the FIDO protocol; FIDO means Fast Identity Online. Essentially it has two main components. One of them is WebAuthn, which is short for Web Authentication; it's a set of APIs that browsers can use to communicate between these authenticators and web applications. The other component is the Client to Authenticator Protocol, which we're not going to be talking about today. We're going to be talking heavily about WebAuthn today, so again, this is a set of APIs that the browser uses to communicate between the authenticators, which can be security keys or a fingerprint, and web applications. Also, I wanted to mention passkeys: when I say passkeys, when I say security keys, when I say passwordless and when I say biometrics, I am referring to the same thing. They are not the same thing, I am simplifying things, but for the purposes of this talk it's all the same, and all these vulnerabilities are going to apply to passkeys, security keys, biometrics and any other authenticator. Just to double down on WebAuthn again: this is a set of JavaScript APIs that allow your browser to communicate with authenticators and the web application, or relying party. Authenticators can be anything, such as a physical security key, Touch ID on your Mac, Windows Hello on your Windows computer, and biometrics on your mobile devices. This is an example of what using WebAuthn looks like: on the left you have a YubiKey, in the middle you have a fingerprint in Chrome, and lastly a fingerprint on an iPhone. So if you have previously seen something like this, you are already using, well, not passwordless, but WebAuthn.

All right, so why go passwordless? I found this fine gentleman online, who probably hates passwords as much as we do. Well, we are at a passwords conference, right? Probably a lot of you know that everything about passwords sucks: storing them, protecting them, hashing them. You have to use an algorithm that is slow enough to stop attackers but not slow enough to bother users. It is a problem, right? When you've got passwordless, you don't have any more passwords to remember, you don't have any more passwords to protect, you don't have to worry about ineffective complexity factors, and you don't have to worry about people not knowing their own passwords. The last time that I got my wife a phone, I was helping her set up her phone, and I asked her, hey, can you log into your Gmail account so we can set up your phone? And she was like, I don't know my password. What do you mean you don't know your password? And she doesn't; she logged into the Gmail account once and forgot about it. And the same thing happened with my parents when I got them new phones: they didn't know their passwords. Well, they were all able to reset them, but I mean, this is an issue; a lot of people don't know their own passwords. Passwordless is faster than traditional MFA, and it protects against phishing. For those of you who are not familiar with this, essentially when you register a security key, that security key is registered to a specific website. So if somebody was trying to phish me and they sent me a fake link for my Microsoft account, even if I were to fall for that trick and I plug in my YubiKey, it's not going to work, because that security key, or that FIDO credential, is only linked to a specif