Low price
CHF 47.60
Usually ships within 2 to 4 weeks.
Protect your organization from scandalously easy-to-hack MFA security "solutions"
Multi-Factor Authentication (MFA) is spreading like wildfire across digital environments. However, hundreds of millions of dollars have been stolen from MFA-protected online accounts. How? Most people who use multifactor authentication (MFA) have been told that it is far less hackable than other types of authentication, or even that it is unhackable. You might be shocked to learn that all MFA solutions are actually easy to hack. That's right: there is no perfectly safe MFA solution. In fact, most can be hacked at least five different ways. Hacking Multifactor Authentication will show you how MFA works behind the scenes and how poorly linked multi-step authentication steps allow MFA to be hacked and compromised.
This book covers over two dozen ways that various MFA solutions can be hacked, including the methods (and defenses) common to all MFA solutions. You'll learn about the various types of MFA solutions, their strengths and weaknesses, and how to pick the best, most defensible MFA solution for your (or your customers') needs. Finally, this book reveals a simple method for quickly evaluating your existing MFA solutions. If using or developing a secure MFA solution is important to you, you need this book.
Author
ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor.
Jacket text
* Learn how different types of multifactor authentication work behind the scenes
* See how easy it is to hack MFA security solutions--no matter how secure they seem
* Identify the strengths and weaknesses in your (or your customers') existing MFA security and how to mitigate
Author Roger Grimes is an internationally known security expert whose work on hacking MFA has generated significant buzz in the security world. Read this book to learn what decisions and preparations your organization needs to take to prevent losses from MFA hacking.
Contents
Introduction xxv
Who This Book is For xxvii
What is Covered in This Book? xxvii
MFA is Good xxx
How to Contact Wiley or the Author xxxi
Part I Introduction 1
1 Logon Problems 3
It's Bad Out There 3
The Problem with Passwords 5
Password Basics 9
Identity 9
The Password 10
Password Registration 11
Password Complexity 11
Password Storage 12
Password Authentication 13
Password Policies 15
Passwords Will Be with Us for a While 18
Password Problems and Attacks 18
Password Guessing 19
Password Hash Cracking 23
Password Stealing 27
Passwords in Plain View 28
Just Ask for It 29
Password Hacking Defenses 30
MFA Riding to the Rescue? 31
Summary 32
2 Authentication Basics 33
Authentication Life Cycle 34
Identity 35
Authentication 46
Authorization 54
Accounting/Auditing 54
Standards 56
Laws of Identity 56
Authentication Problems in the Real World 57
Summary 58
3 Types of Authentication 59
Personal Recognition 59
Knowledge-Based Authentication 60
Passwords 60
PINs 62
Solving Puzzles 64
Password Managers 69
Single Sign-Ons and Proxies 71
Cryptography 72
Encryption 73
Public Key Infrastructure 76
Hashing 79
Hardware Tokens 81
One-Time Password Devices 81
Physical Connection Devices 83
Wireless 87
Phone-Based 89
Voice Authentication 89
Phone Apps 89
SMS 92
Biometrics 92
FIDO 93
Federated Identities and APIs 94
OAuth 94
APIs 96
Contextual/Adaptive 96
Less Popular Methods 97
Voiceover Radio 97
Paper-Based 98
Summary 99
4 Usability vs Security 101
What Does Usability Mean? 101
We Don't Really Want the Best Security 103
Security Isn't Usually Binary 105
Too Secure 106
Seven-Factor MFA 106
Moving ATM Keypad Numbers 108
Not as Worried as You Think About Hacking 109
Unhackable Fallacy 110
Unbreakable Oracle 113
DJB 113
Unhackable Quantum Cryptography 114
We are Reactive Sheep 115
Security Theater 116
Security by Obscurity 117
MFA Will Cause Slowdowns 117
MFA Will Cause Downtime 118
No MFA Solution Works Everywhere 118
Summary 119
Part II Hacking MFA 121
5 Hacking MFA in General 123
MFA Dependency Components 124
Enrollment 125
User 127
Devices/Hardware 127
Software 128
API 129
Authentication Factors 129
Authentication Secrets Store 129
Cryptography 130
Technology 130
Transmission/Network Channel 131
Namespace 131
Supporting Infrastructure 131
Relying Party 132
Federation/Proxies 132
Alternate Authentication Methods/Recovery 132
Migrations 133
Deprovision 133
MFA Component Conclusion 134
Main Hacking Methods 134
Technical Attacks 134
Human Element 135
Physical 137
Two or More Hacking Methods Used 137
"You Didn't Hack the MFA!" 137
How MFA Vulnerabilities are Found 138
Threat Modeling 138
Code Review 138
Fuzz Testing 138
Penetration Testing 139
Vulnerability Scanning 139
Human Testing 139
Accidents 140
Summary 140
6 Access Control Token Tricks 141
Access Token Basics 141
Access Control Token General Hacks 142
Token Reproduction/Guessing 142
Token Theft 145
Reproducing Token Hack Examples 146
Network Session Hijacking Techniques and Examples 149
Firesheep 149
MitM Attacks 150
Access Control Token Attack Defenses 157
Generate Random, Unguessable Session IDs 157
Use Industry-Accepted Cryptography and Key Sizes 158
Developers Should Follow Secure Coding Practices 159
Use Secure Transmission Channels 159
Include Timeout Protections 159
Tie the Token to Specific Devices or Sites 159
Summary 161
**7…