Turning the Page with IDPro

If you’re a member of IDPro, you already know part of this story, at least the professional version. Today marks the last day of my 3rd term as a member of the Board of Directors with IDPro. 5 years!

Per the bylaws of this terrific organization, a board member is limited to no more than 3 consecutive terms. It is a good rule, one that ensures that the leadership of this org does not become stale. Honestly, even if the rule wasn’t in place, this likely would have ended my time on the board regardless. To be clear, this is not out of any sense of dissatisfaction with our status or direction, quite the opposite. I could not be prouder of where we are today and where we are headed. That’s the best time for some of us to hand the reins to a new set of leaders to carry that charge forward, and I couldn’t be more excited to see Joni Brennan from DIACC and Bill Nelson from Identity Fusion step in tomorrow. This organization is in fantastic hands. But this post is more of a look back than forward.

First, I can’t thank Ian Glazer & Sarah Cecchetti enough for inviting me to join the board for its maiden voyage. I had joined the new organization as a founding member the day before, during their keynote. This part was a no-brainer. What a perfect mission to support! I was deeply honored to be asked and, if I’m honest, there was a full-tilt case of imposter syndrome going on. Who the heck was I to be part of this team? How in the heck do I make this work personally given that, at the time, I had a full-time job at Merck and had just two years prior started my dream of teaching college part-time?

When Ian asked on that day after the keynote/launch, I couldn’t in good faith answer on the spot, but 95% of me wanted to yell right there in the Sheraton lobby, “Hell yeah I will!” Adulting is hard, however, so naturally I had to talk to my incredible wife, who is steadfast in helping me realize my dreams, and of course to my employers, Merck and the University of North Carolina at Charlotte, who didn’t even blink in their support of this mission. Everyone was unequivocal in their encouragement. This likely doesn’t happen for me without their support, so part of this is a note of thanks to everyone.

I can talk about digital identity challenges until I’m blue in the face, but how in the heck do I help 6 other people (at the time) run a non-profit organization? Well, the search engine is your friend and, as Pat Haggerty, one of the founders of Texas Instruments once said, “It’s a tremendously stimulating thing for each person who has learned that a small group of individuals can change the world if they really want to.” So we learned and rolled up our sleeves.

There are four things I’m proud of from my time on the board. First, though I think I drew the shortest straw on that first conference call, I was nominated to become the organization’s first treasurer. That meant another crash course, this time on non-profit dynamics as a fiduciary. More learning!

Second, as part of that role, I’m proud to have been the architect of our enterprise tier of membership. IDPro had an obvious appeal for organizations that sold identity as part of their business and saw value in corporate sponsorship, but we didn’t have a clear path for companies that practiced identity as a necessary function of their enterprise without it being their central business. Balancing the vendor and practitioner sides of the organization was a natural tension for the org, and Ian & Sarah deftly managed that from the outset. Adding the enterprise membership tiers furthered that path towards balance.

I’m also proud to have served as President/Board Chair of IDPro from June 2020 through June 2021. I don’t have to tell anyone what a crazy year that was. I think my only real accomplishment during that term was keeping my hands on the steering wheel and staying on the road. And sometimes, that’s an achievement.

Finally, I couldn’t be prouder of being able to contribute to our industry’s first-ever vendor-neutral certification, the CIDPRO. That process was arguably the most grueling time I’ve spent in the organization, and likely the most rewarding for me, personally. I learned a lot during those question-building sessions. I also learned that most of the exams I had written to measure my students’ learning progress in college needed a lot of work to measure up to the quality we were exacting from this certification. In the end, I think we got it right by doing it right, and I’m excited to see where this certification program goes in the future.

When I started this journey, I originally thought my challenge was going to be balancing all 3 of my professional worlds: my day job, teaching, and IDPro. And, to be sure, that was definitely part of it. What surprised me was how often these worlds looked more like a Venn diagram (hard not to invoke Eve Maler here). In the end, I think my pursuits in each made me better in the others. I know for a fact I’m happier for it. In spite of the hard work and the tough sledding at times, I’ve never been more joyful as a professional than I am now.

To be clear, as I indicated in this month’s installment of the IDPro newsletter, I’m not leaving IDPro, not even close. In many ways, shedding my board duties will allow me the benefit of narrowing my focus, to see if I can work with some motivated people to change the world by helping turn out more digital identity professionals by preaching the gospel in higher education. Most colleges have a serious gap in their curriculums (curriculii, Andi Hindle?) for digital identity content and I’m on a mission to civilize (and educate). I’ll succeed where Don Quixote fell short because I know I won’t be doing it alone. The overwhelming response to my talk at Identiverse regarding this subject taught me that there are many that are willing to contribute time and support to this mission, which is squarely in the wheelhouse of the mission of IDPro. From our very first press release on June 28, 2017:

“IDPro is an open, global non-profit industry association created to define, support and improve the digital identity profession through knowledge sharing, mentoring, education and certification.”

So this isn’t farewell, just an incredibly grateful note of thanks and reflection. The page turns, and the next chapter begins shortly.

Evaluating 2FA in the Era of Security Panic Theater

(note: this is a writeup of a talk that I gave at DerbyCon 2019 and at UNCC’s CyberSecurity Symposium in 2020. Thought it would be useful to get it in blog form, especially with the SolarWinds event unfolding.)

It seems like today’s world offers constant reminders of how insecure our digital lives can be. As a security professional, part of my job is to monitor for threats to my company and the organizations with which I have a relationship. A significant part of that effort lies in assessing how likely or realistic those threats are. If you believed every infosec vulnerability headline you see come across Twitter, it would be easy to feel somewhat like Chicken Little, with the sky ever falling. I’ve coined a term for this phenomenon (though I’m not sure I actually originated it, Google seems to think so): Security Panic Theater.

If this term sounds mildly familiar, it is because of its proximity to the phrase ‘security theater’. We experience this pretty regularly whenever we attend a major sporting event like the World Series and have to go through long lines where people wave a wand over us to ensure our keychain knives don’t get admitted to the stadium. This takes place even though the track record of seizing weapons that would matter is pretty poor. But the mere act of this experience makes patrons feel safer. This is even worse when we travel and pass through TSA’s gauntlet of screeners. Repeated penetration tests reveal a woeful rate of actually detecting items that could cause us harm while we are in flight. To add insult to this process, there is a comic reality to what actually gets seized. I’ll let comedian Steve Hofstetter explain:

If you bring too much liquid, the TSA confiscates it and throws it away, in case it’s a bomb. So they throw it away. In case it’s a bomb. In the garbage can, right next to them. With all the other possible bombs. In the area with the most amount of people.

In case it’s a bomb.

Steve Hofstetter

Security Panic Theater (SPT) is a bit of a different experience. The process for SPT goes something like this:

Vulnerability/breach announced regarding a product or control (x) [Security]

+ Inflammatory internet headline(s) regarding (x) [Panic], which leads to the conclusion:

Product or Control (x) is useless/defeated [Theater]

A relatively recent example of this was the release of a penetration testing toolkit by Polish researcher Piotr Duszyński named Modlishka, which loosely translates in English to Mantis. The central feature of this toolkit was the use of a reverse proxy that could accelerate a phishing flow: the user is sent to a spoofed URL, but because the proxy relays the genuine site behind it, the rest of the web experience was exactly what the user expected. This enabled a man-in-the-middle (MITM) attack to capture both the credential and the SMS code being used by the user.

The significance of this new framework didn’t lie in the fact that you could now phish any two-factor authentication (2FA) method that used one-time passwords (OTP); that had always been possible. What made this release notable was that it was now significantly easier to accelerate the phishing flow because you didn’t have to spin up a fake site. A reverse proxy would do the work for you. To be clear, that is certainly noteworthy, but the underlying phishability of OTPs was not new.
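As an added illustration (not code from the original post), here is a small Python model of what the relying party actually gets to verify in each case: a one-time code relayed through a reverse proxy is indistinguishable from one typed on the genuine site, while an origin-bound assertion of the kind FIDO U2F security keys produce (the keys recommended in the SMS post further down) fails, because the origin the browser really talked to is part of the signed data. HMAC-SHA256 stands in for the authenticator’s signature, a counter-based code stands in for the SMS/TOTP code, and both origins are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-ins (not from the original post): HMAC-SHA256 plays the role
# of the authenticator's signature, and a counter-based code plays the role of a
# TOTP/SMS one-time code. The point is what the relying party (RP) can verify.
RP_ORIGIN = "https://bank.example"           # genuine site (constructed)
PROXY_ORIGIN = "https://bank-example.test"   # relay site the victim actually sees (constructed)

def otp_code(seed: bytes, step: int) -> str:
    """Six-digit code derived from a shared seed and a time step (TOTP-like)."""
    mac = hmac.new(seed, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def rp_accepts_otp(seed: bytes, submitted: str, step: int) -> bool:
    """The RP only sees six digits; it cannot tell where the user typed them."""
    return hmac.compare_digest(submitted, otp_code(seed, step))

def authenticator_sign(key: bytes, challenge: str, origin: str) -> dict:
    """Origin-bound assertion: the browser's origin is inside the signed client data."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientData": client_data, "sig": sig}

def rp_accepts_assertion(key: bytes, assertion: dict, challenge: str) -> bool:
    """RP checks the signature, that the challenge is the one it issued, and that the origin is its own."""
    expected = hmac.new(key, assertion["clientData"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected):
        return False
    data = json.loads(assertion["clientData"])
    return data["challenge"] == challenge and data["origin"] == RP_ORIGIN

def relayed_otp_login(seed: bytes, step: int) -> bool:
    """Victim types the code on the relay site; the relay forwards it unchanged."""
    typed_on_relay = otp_code(seed, step)          # the code the victim's phone shows
    return rp_accepts_otp(seed, typed_on_relay, step)

def relayed_key_login(key: bytes, challenge: str, seen_origin: str) -> bool:
    """Relay forwards the RP's challenge; the key signs with the origin the browser sees."""
    assertion = authenticator_sign(key, challenge, seen_origin)
    return rp_accepts_assertion(key, assertion, challenge)

if __name__ == "__main__":
    seed, key, chal = b"shared-otp-seed", b"authenticator-key", "nonce-1234"
    print("OTP through relay accepted:", relayed_otp_login(seed, 42))                  # True
    print("Key at genuine origin accepted:", relayed_key_login(key, chal, RP_ORIGIN))   # True
    print("Key at relay origin accepted:", relayed_key_login(key, chal, PROXY_ORIGIN))  # False
```

The defender’s lesson is the last line: the RP rejects the proxied assertion without knowing anything about the proxy, which is why origin-bound factors resist this class of phishing and OTP-based ones cannot.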

However, to hear the twitterverse and online media outlets talk about it, you’d think all our credentials, even if protected by 2FA, were suddenly moments away from being captured by hackers. Now, to be fair, there are some responsible journalists who try to treat these topics fairly, but even a sane article can often be overridden by a clickbait title like “Is 2FA Dead?”

Let’s get a few basics clear for the sake of sanity & clarity:

2FA can’t be killed

2FA represents a combination of factors for authentication, not a single technology or pattern. The last few years alone have seen a litany of episodes where a particular technology may be at risk (often temporarily, or misleadingly so), such as:

RSA tokens were allegedly cracked (mostly not true)

SS7 flaw will drain all your bank accounts (true, but hard to implement)

NIST Killed SMS 2FA (sort of, but not really)

Modlishka makes SMS useless (sort of, but not really)

Google Security keys have Bluetooth flaw (recall for some, not all)

Yubikey FIPS keys flawed (recall for some, not all)

Apple promoted modifications to SMS 2FA for improved anti-phishing strength & joined FIDO’s board.

2FA implementation in 2020 Iowa Caucus renders app nearly unusable

And even today as I update this, the SolarWinds hackers bypassed OWA’s 2FA because they compromised the server hosting the private key.

That last one hasn’t had enough oxygen yet for the 2FA headlines to blaze, but they will. Both the company analyzing the hack and Bruce Schneier emphasize:

It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach.

Notice the trend here? While there is some truth to most of these from a vulnerability perspective, the reality is that these technologies still work to protect your credentials. Apple’s recent announcement has its own debate worth having (and it has been debated on IDPro’s Slack), and the debacle in Iowa shows that any technology is a dumpster fire waiting to happen if its implementation is designed poorly.

The diversity of the 2FA landscape makes it stronger, not more vulnerable.

Let’s take a look at the following categories of authentication: 

Pretty diverse to be killed with a single vulnerability, I would think! Now let’s overlay which ones have at least one known vulnerability:

If we look at all the ones in red, that would be pretty disheartening to the casual observer. That’s where journalists and analysts need to take special care in talking about vulnerabilities. The real story doesn’t fit neatly into a simple headline regarding the vitality of the authentication landscape.

All methods of 2FA are still incredibly effective (some more than others)

Google published a study of internal findings on the various methods used to protect Google accounts. Yes, SMS should be the low-hanging fruit of 2FA, but guess what: even this well-beaten piñata of 2FA stopped 76% of targeted attacks and nearly 100% of automated & bulk phishing attacks!

Microsoft recently published some numbers to similar effect: the risk of account compromise is reduced by 99% using multi-factor authentication (MFA). I’d say 2FA is far from dead in that context.

Yes, we should get rid of the 2 in 2FA, long live MFA*

The biggest reason for this is that users can be more secure, and less inconvenienced, when they have access to multiple ways of authenticating instead of a password plus a single token that can be lost, or a single phone that gets upgraded and locks the user out. Without promoting one vendor, I can say thoughtfully that I have several methods to secure my key accounts, and that diversity of options, I believe, is the key to giving our users the power of choice as to how they want to log in. That power is how we eventually reduce passwords to an edge use case. The key is that more sites need to support those methods to incentivize adoption. We’re not there yet, but the last few years show a lot of promise in eventually achieving that goal.

The reality is, even the coolest methods of authentication will eventually find a vulnerability. History proves this. But we don’t throw the baby out with the bathwater when those are discovered. We fix it, learn from it, and stay secure. Let’s leave the theater to the actors, where it belongs.

* For another blog post, but I’m wondering if MFA needs to be retired as a concept and we simply focus on the strength of authentication. To be continued…

SMS as a 2FA Method

I’ll be the first one to admit that I jumped the gun a little when Twitter announced that their founder, Jack Dorsey, had his account hijacked.

Initially, no one (including yours truly) had details as to how his account was taken over. However, all fingers pointed at an SMS hijacking, which wasn’t terribly far from the truth. The assumption was that this allowed the attackers to use SMS combined with some knowledge of Jack’s password to access the account. That turned out to be inaccurate:

So, yeah, it wasn’t a 2FA hack, but it did show how fragile an account can be when SMS is involved. There’s a reason NIST deprecated SMS as an out-of-band authentication factor when they updated their SP 800-63-3 standard.

SMS is still dominant as a method of two-factor authentication because it is one of the lowest barriers to entry, both for the identity provider (IdP) and the user. It is also arguably the least secure method, as Jack Dorsey’s case proved.

That said, if SMS is your only option for 2FA, use it. In the case of Twitter, it is not (much to their credit). You can use an application-based method (such as Microsoft Authenticator, Google Authenticator, or Authy) and/or a security key leveraging FIDO’s Universal 2nd Factor protocol (U2F). For account recovery, you can store a backup code in your password manager (or somewhere else).

A key can cost as little as $20 and can be used to secure a number of your critical accounts.

Twitter caught a lot of flak on this case, somewhat unfairly. That being said, I do think they should remove SMS as a method for 2FA. Mobile apps for 2FA are pretty ubiquitous and a low barrier to entry for all users. So help your user base out, and turn it off. That wouldn’t have saved Jack, but that is a post for another day.

Slides from Recent PAM Talk

This talk was originally given at RSA, but I was able to do an expanded version recently at IT Hot Topics. A few have asked for the slides, so here they are. I actually hope to write out the talk in full at some point as a blog post, but I have two more talks to write so probably not soon.

Welcome to Identity Bytes!

This is the next generation of my attempt at blogging more often (like, more than once a year) about digital identity and events in information security. This has been a pretty eventful year in this space so there is a lot to talk about! My first real post (coming soon, I promise) will be about my experience with next generation authentication technologies.

I even have a 2nd post in the hopper surrounding my experience at the, in my humble opinion, best digital identity conference of the year, the Cloud Identity Summit. That was my first segue into speaking at a national (global?) conference and to say the experience was memorable would be an understatement.

Thanks for reading!

Lance