User Identity and Authentication
WordPress, 2FA, and Single Sign-On
Isaac Potoczny-Jones
About the Speaker
• Galois, Inc. - @galoisinc.
• Research & Development for computer science and security.
• 55 employees.
• Founded 1999.
• Tozny - @tozny.
• Startup focused on the Tozny mobile authentication factor.
• Isaac Potoczny-Jones - @SyntaxPolice.
• Tozny CEO.
Authentication: Proving who you are
• Something you know.
• Passwords, PINs, screen patterns, first pet.
• Something you have.
• Physical keys, secure tokens, mobile phones.
• Something you are.
• Biometrics, facial recognition, fingerprints.
To guard against inappropriate access to electronic health records, what type of authentication does your organization require for users to gain access while they are on the job at one of your facilities? http://docs.ismgcorp.com/files/handbooks/HIS-Survey-2012/HIS_Survey_Report_2012.pdf
Single and Multi-Factor
• Single factor: One authentication method.
• Classics: Password, keys, keyfobs, keycards.
• Multi-factor: More than one factor.
• Get more security by mixing methods.
• Multi-factor classics.
• Debit card & PIN.
• Password & Random # token.
The overall Multifactor Authentication Market is increasing with a CAGR of 19.98% from 2014 to 2020. In the MFA market, two-factor authentication contributes the largest percentage share, whereas “banking & finance” is the major application, followed by government and defense. In geographic analysis, North America is the market leader followed by Europe and APAC.
http://www.marketsandmarkets.com/Market-Reports/multi-factor-authentication-market-877.html
Threat Landscape
The Password Conundrum
Good passwords are hard to remember.
Bad passwords are easy to guess.
Massive Database Spills
Causing acceleration in understanding of passwords
• “Russian hackers”: 1.2B (2014)
• LinkedIn: 6.5M (2012)
• Yahoo: 340K (2012)
• RSA: SecurID token seed-keys stolen (2011)
• Gawker: 740K (2011)
• Sony: (2011, 2014)
• Stratfor: 800K (2011)
• RockYou: 32M (2009)
Brute Force Attacks
Password Cracking
ocl-hashcat performance benchmarks – 1 GPU
• NTLM: 16701 Mh/s (~17 billion hashes / second)
• MD5: 8511 Mh/s
• The old default in WordPress; the current fallback.
• SHA1: 2722 Mh/s
• SHA256: 1120 Mh/s
• Blowfish: 4,000 hashes / second (approx)
• This is the default hash that WordPress uses under phpass.
Sources:
http://hashcat.net/oclhashcat/
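To make the gap between the MD5 and Blowfish rows concrete, here is an added example (not code from the talk, WordPress or phpass): a Python port of the phpass "portable" `$P$` hash that WordPress stores in `wp_users.user_pass`, plus a helper that turns a cracker's raw MD5 rate into the number of passwords it can actually test per second against such a hash. It assumes the WordPress `$P$B` prefix (exponent 13, i.e. 8192 MD5 rounds) and uses the slide's 8511 Mh/s MD5 figure as the raw rate.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data, count):
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, low bits first."""
    out, i = [], 0
    while i < count:
        value = data[i]; i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_crypt(password, setting):
    """Recompute a $P$ hash from its 12-char setting prefix; None if the setting is malformed."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:      # phpass rejects too-weak or absurd work factors
        return None
    h = hashlib.md5(setting[4:12].encode() + password).digest()   # MD5(salt || password)
    for _ in range(1 << count_log2):           # 2**count_log2 further MD5 rounds
        h = hashlib.md5(h + password).digest()
    return setting[:12] + _encode64(h, 16)

def hash_password(password, count_log2=13):
    """Fresh hash with a random 8-char salt (assumed: WordPress's '$P$B' prefix = exponent 13 = 8192 rounds)."""
    return phpass_crypt(password.encode(), "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6))

def check_password(password, stored):
    computed = phpass_crypt(password.encode(), stored)
    return computed is not None and hmac.compare_digest(computed, stored)

def effective_guess_rate(raw_md5_per_sec, count_log2):
    """Passwords a cracker can test per second, given its raw MD5 rate (8511 Mh/s on the slide)."""
    return raw_md5_per_sec / (1 + (1 << count_log2))
```

At the slide's MD5 rate, an 8192-round `$P$B` hash brings the attacker down to roughly a million guesses per second, which is why the iteration count, not the underlying primitive's speed, decides how long a spilled database stays safe.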
So what’s a good password?
• Long enough
• Maybe 9+ characters.
• Complex enough
• Pretty much random & large character set.
• Not reused
• Or risk the wrath of database spills.
• But: Average user has 26 accounts* (I have 300)
With 26 passwords, it’s impossible
• Let's just admit it: we're asking the impossible.
• Users can never remember random passwords.
• Users manage the problem:
• Reuse is most common – users have 5 passwords.
• Email reset - “I forgot my password”.
Password exploitation cycle is getting faster
Diagram: a cycle of four stages, each feeding the next: huge password database spills (LinkedIn: 6.5M, Yahoo: 340k, RockYou: 32M); analysis of how people pick passwords (Password1, 123456, Iloveyou, qwerty; person's name, place name, dictionary word, add "1" to the end); new attack heuristics; custom hardware.
Result: 2 Factor is taking off
• Major Internet players offer it:
• Google, Facebook, Twitter, DropBox, etc.
• It's a good way to protect yourself from:
• Password reuse by users.
• Other sites getting hacked.
Single Sign-on / Identity Federation
• Service provider (SP): The site you log into.
• Also called “Relying Party” or RP.
• Identity Provider (IdP): The site you log in with.
• Typical workflow:
• Visit Yahoo, click “login”.
• Get redirected to Google with a session token.
• Log into Google.
OpenID 2, OAuth, OpenID Connect
• OpenID was going to be the SSO of the open web.
• But not enough relying parties adopted it.
• Now we have “Social Sign-in” like Facebook & Google.
• These use OpenID Connect and are deprecating OpenID 2.
• OpenID Connect is part of the OAuth 2 standard.
Security Assertion Markup Language (SAML)
• Seems to be gaining momentum.
• Federation & SSO – InCommon, Education, Enterprise.
• Also used to share attributes – groups, etc.
• Accepted by Google Apps, Dropbox, Salesforce, etc.
• Major implementations:
• Shibboleth (Java), SimpleSamlPHP, Ping
• Plugins for lots of platforms
• I audited plugins for Drupal & WordPress.
Cloud SSO Services (IdP)
• Largely based on SAML.
• Mostly subscription SAAS.
• Instead of operating your own IdP.
• They work to integrate service providers.
• Ping Identity, OneLogin, Okta, Centrify, Symplified, etc.
Physical Tokens
• YubiKey – Small, uses one-time or fixed passwords.
• pretends to be a USB keyboard.
• Implements FIDO.
• Random number tokens.
• RSA SecurID.
• Google Authenticator (soft token App).
• Lots of similar tokens.
• Hardware benefits & drawbacks:
• Benefits: Tamper-proof & can't get viruses.
Mobile Phone Factors
• Mobile phone factors are a great trade-off!
• Google Authenticator random number (app).
• Text message random number.
• Used by Facebook, Twitter, Telesign.
• In-app push-based notifications.
• Twitter, DuoSecurity, others.
• PhoneFactor (Microsoft) – Text, Voice, Push.
• And of course: Tozny!!
Summary: Each factor has drawbacks
• Something you know: Basically passwords.
• Doesn't scale beyond a handful of secure passwords.
• Something you have:
• Physical token: Doesn't scale beyond size of your keyring.
• Mobile phone: Seems most promising to me.
• Something you are: biometrics are not secret.
Remote brute force attacks
• Admin is often the “root” user; you can use something different.
• WordPress does not enforce strong passwords by default.
• Security features are usually an add-on plugin.
• Tricks with .htaccess (extra passwords, IP address limits, etc.)
• Fail2ban – adds a firewall rule when there are too many attacks.
• Blacklisting entire countries.
Summary: Most of these solutions are pretty bad.
Integrating with corporate login
• LDAP: A standard centralized password and attribute system.
• Used to log in, get user permissions, names, etc.
• LDAP has sensitive information and is always behind the firewall.
Diagram: User & Browser sends (1) username / password to WordPress (Service Provider); WordPress passes (2) username / password to LDAP; LDAP returns (3) login & attributes to WordPress.
Identity Federation: SAML Workflow
Diagram: User & Browser asks WordPress (Service Provider) to let them in (1); WordPress redirects the browser to the SAML Identity Provider, e.g. SimpleSAMLphp (2. Ask SAML); the user submits username / password to the IdP (3); the IdP returns login & attributes to the browser (4), which passes them on to WordPress (5).
• A few can make WordPress into a SAML Relying Party (RP).
• You’ll need a SAML IdP, or the company needs to operate one.
• SAML is just the SSO mechanism!
SAML & LDAP Combined - Typical
Diagram: User & Browser asks WordPress (Service Provider) to let them in (1); WordPress redirects to the SAML Identity Provider, e.g. SimpleSAMLphp (2. Ask SAML); the user submits username / password to the IdP (3); the IdP checks username / password against LDAP (4) and receives login & attributes (5); the IdP returns login & attributes to the browser (6), which passes them on to WordPress (7). Other SPs federate with the same IdP.
• SAML is for SSO, meaning you have multiple SPs.
• Still use LDAP for central identity management.
Social Login: Google, Facebook, Twitter…
• Ties the user’s WordPress account to their social profile.
• Good for the user: They don’t need a new username & password.
• Good for the operator: You can get extra user information.
• Does your site “naturally” tie to one social site?
• A web site about books would naturally tie into Amazon.
• With multiple buttons, how do users decide which to use?
• How do they remember which one they used?
Two Factor Auth
• Something you have in addition to something you know.
• Prevent lots of types of attacks
• Brute force, password reuse, database spills, etc.
• Most 2FA solutions are not highly usable, low user adoption.
• Also, not much in it for the user; it protects your site.
So you want to replace password login?
What to look for in a plugin
Let’s say you’re deploying LDAP, social login, 2FA, etc…
• How does it handle existing users?
• Do they get locked out? Do they need to use a different PW?
• How does it handle API / app access?
• If the password is replaced, can users still access via the app?
• How does it handle groups? Admin, Editor, Author, Contributor…
• Can these be mapped from e.g. LDAP roles?
• How does it prevent password login?
• E.g. replacing the password w/ a random password
• Has the plugin been security reviewed? Is it recently updated? Does it
Summary of login alternatives
• Internal corporate sites:
• LDAP, Active Directory, RADIUS, and SAML are typical standards.
• End-user facing sites:
• Social login is more the norm.
• Two-factor authentication:
• Can prevent brute-force and many other attacks.
• Seriously consider for admin / author access to important sites.
• Evaluate plugins carefully:
Tozny Demo
Tozny Summary
• Easier and more secure than passwords.
• Your phone is the key.
• Replace passwords, use after passwords, has a built-in 2nd factor.
• WordPress plugin available.