Fear and Loathing of 2fa
Igor Bulatenko
How they steal your pass
• Social engineering
• Online brute force
• Server compromise
• Client compromise
How to choose
• https://twofactorauth.org/providers/ (use web.archive.org)
• Auth methods
• Flexibility
• System coverage
• API (auth + admin)
Auth methods
• Interactive
  • SMS code
  • Token code
  • Phone call code
  • App code
• Non-interactive
  • Mobile app push
  • Phone call confirmation
System coverage
• *nix
• Windows
• Databases
• Web apps
• All others
*nix auth
• Native 2FA since OpenSSH 6.2 (https://lwn.net/Articles/544640/)
• Password/keyboard-interactive
• Force command
• Non-native support via pam_radius
• Bulk actions
• Server-level switch
Windows
• Authentication provider
• Protected methods (local/RDP/WinRM/…)
• Server-level switch
Databases
• Oracle DB
  • RADIUS auth
  • DB links
  • IDE multiple sessions
  • Bulk actions
  • User-level switch
• PostgreSQL
  • pam_auth
Auth proxy
• LDAP/RADIUS
• Interactive/non-interactive
• Splitter in password
Common cases
• Non-Android/iOS devices
• Non-smartphone devices
• Bulk actions
Tokens
• RSA SecurID-like
• HOTP
• YubiKey
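The "splitter in password" idea from the Auth proxy slide and the HOTP token from this slide, worked through together as an added example (this is not code from the talk or from any product it mentions): the proxy receives a single password field of the form static-password + separator + HOTP code, checks both parts, and advances a per-user counter so a code cannot be replayed. The separator character, the PBKDF2 password store, the look-ahead window and the user "alice" are assumptions made for this example; the HOTP secret is the RFC 4226 test-vector secret, so the codes it produces match the RFC's table.

```python
"""Added example: an auth-proxy style check that splits the submitted
password field into <static password><separator><HOTP code> and verifies
both. Separator, user store, PBKDF2 parameters and look-ahead window are
assumptions for this example, not anything described in the talk."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

SEPARATOR = ":"          # assumed splitter character
LOOK_AHEAD = 5           # assumed number of counters the server will skip ahead
RFC4226_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Assumed password store format: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: one user with the RFC 4226 secret at counter 0.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "otp_secret": RFC4226_SECRET,
        "counter": 0,    # next counter value the server expects
    }
}


def split_credential(field: str) -> Optional[Tuple[str, str]]:
    """Split from the right so a static password may itself contain the
    separator. Returns None when there is no separator or the OTP part
    is not exactly six digits."""
    if SEPARATOR not in field:
        return None
    password, otp = field.rsplit(SEPARATOR, 1)
    if len(otp) != 6 or not otp.isdigit():
        return None
    return password, otp


def authenticate(username: str, field: str, users=USERS) -> bool:
    """Both factors must pass; the counter only advances on full success,
    and it moves past the matched value so the same code is rejected later."""
    user = users.get(username)
    parts = split_credential(field)
    if user is None or parts is None:
        return False
    password, otp = parts
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    matched = None
    for c in range(user["counter"], user["counter"] + LOOK_AHEAD):
        if hmac.compare_digest(hotp(user["otp_secret"], c), otp):
            matched = c
            break
    if pw_ok and matched is not None:
        user["counter"] = matched + 1
        return True
    return False


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0))                          # 755224 per RFC 4226
    print(authenticate("alice", "correct horse:755224"))    # True
    print(authenticate("alice", "correct horse:755224"))    # False: replayed code
```

Splitting from the right, rejecting a missing separator outright, and never advancing the counter on a half-success are the three details that matter in practice: a proxy that splits from the left breaks passwords containing the separator, one that treats a missing separator as "no OTP supplied" quietly downgrades to single factor, and one that burns the counter on a wrong password lets a stolen code be tested against password guesses.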
Q&A