Speaker
William Woodruff
Material
Note
- PyPI now supports two-factor authentication
- Two-factor authentication
  - First factor: your password, or something you know
  - Second factor: something that you (and only you) have
- Why 2FA?
  - Adding a second factor prevents/mitigates the damage of a credential leak
  - but 2FA isn't a panacea
- 2FA methods
  - SMS/voice: don't use it
    - Problem: nothing about the phone network is secure
      - e.g., SS7 attacks, SIM ports & jacking, SMS interception
    - Do not use it in a new service
  - HOTP-based physical keys
    - Special device
    - High cost
  - TOTP (time-based one-time passwords): your baseline 2FA
    - Symmetric cryptography with a single shared secret
    - Design suggestions
      - Do:
        - require users to enter a TOTP code
        - provide both a provisioning URI and a QR code
      - Don't:
        - use uncommon TOTP parameters (bad client support)
        - nag users for TOTP codes on every single action
  - WebAuthn (U2F)
    - Asymmetric, public-key cryptography
    - Hardware agnostic
    - Supported by most browsers (W3C standard)
    - Design suggestions
      - Do:
        - allow anonymous attestation (ECDAA) (e.g., TouchID)
        - support multiple WebAuthn keys per user
        - force users to tag/label their keys
      - Don't:
        - make users choose between TOTP and WebAuthn → let them do both
        - use u2f.js or any other pre-WebAuthn lib
- Conclusion
  - You should add 2FA to your services and phase out SMS 2FA
    - TOTP
    - WebAuthn
  - py_webauthn is a little rough, but production ready