Evaluating 2FA in the Era of Security Panic Theater

(note: this is a writeup of a talk that I gave at DerbyCon 2019 and at UNCC’s CyberSecurity Symposium in 2020. Thought it would be useful to get it in blog form, especially with the Solar Winds event unfolding.)

It seems like today’s world offers constant reminders of how insecure our digital lives can be. As a security professional, part of my job is to monitor for threats to my company and the organizations with which I have a relationship. A significant part of that effort lies in assessing how likely or realistic those threats are. If you believed every infosec vulnerability headline you see come across twitter, it would be easy to feel somewhat like chicken little, with the sky ever falling. I’ve actually coined a term for this phenomenon (though I’m not sure if I actually originated it, but Google seems to think so): Security Panic Theater.

If this term sounds mildly familiar, it is because of its proximity to the phrase ‘security theater’. We experience this pretty regularly whenever we attend a major sporting event like the World Series and we have to go through long lines where people wave a wand over us to ensure my keychain knife doesn’t get admitted to the stadium. This takes place even though the track record of seizing weapons that would matter is pretty poor. But the mere act of this experience makes patrons feel safer. This is even worse when we travel and pass through TSA’s gauntlet of screeners. Consistent penetration tests reveal a woeful rate of actually detecting items that could cause us harm while we are in flight. To add to the insult of this process, there is a comic reality with what actually is seized. I’ll let comedian Steve Hofstetter explain:

If you bring too much liquid, the TSA confiscates it and throws it away, in case it’s a bomb. So they throw it away. In case it’s a bomb. In the garbage can, right next to them. With all the other possible bombs. In the area with the most amount of people.

In case it’s a bomb.

Steve Hofstetter

Security Panic Theater (SPT) is a bit of a different experience. The process for SPT goes something like this:

Vulnerability/breach announced regarding a product or control (x) [Security]

+ Inflammatory internet headline(s) regarding (x) [Panic], which leads to the conclusion:

Product or Control (x) is useless/defeated [Theater]

A relatively recent example of this was the release of a penetration testing toolkit by Polish researcher Piotr Duszyński named Modlishka, which loosely translates in English to Mantis. The central feature of this toolkit was the use of a reverse proxy that could accelerate a phishing flow by sending a user to a spoofed URL, but the rest of the web experience was as the user expected. This enabled a man-in-the-middle (MITM) attack to capture both the credential and the SMS code being used by the user.

The significance of this new framework didn’t lie with the fact that you could now phish any two-factor authentication (2FA) method that used one time passwords (OTP). What made this release notable was that it was now significantly easier to accelerate the phishing flow because you didn’t have to spin up a fake site. A reverse proxy would do the work for you. To be clear, that is certainly noteworthy, but also not new.

However, to hear the twitterverse and online media outlets talk about it, you’d think all our credentials, even if protected by 2FA, were suddenly moments away from being captured by hackers. Now, to be fair, there are some responsible journalists who try to treat these topics fairly, but even a sane article can often be overridden by a clickbait title like “Is 2FA Dead?”

Let’s get a few basics clear for the sake of sanity & clarity:

2FA can’t be killed

2FA represents a combination of factors for authentication, not a single technology or pattern. The last few years alone have had a litany of episodes where a particular technology may be at risk (often temporarily, or misleadingly so), such as:

RSA tokens were allegedly cracked (mostly not true)

SS7 flaw will drain all your bank accounts (true, but hard to implement)

NIST Killed SMS 2FA (sort of, but not really)

Modlishka makes SMS useless (sort of, but not really) 

Google Security keys have Bluetooth flaw (recall for some, not all)

Yubikey FIPS keys flawed (recall for some, not all) 

Apple promoted modifications to SMS 2FA for improved anti-phishing strength & joined FIDO’s board. 

2FA implementation in 2020 Iowa Caucus renders app nearly unusable

And even today as I update this, the SolarWinds hackers bypassed OWA’s 2FA because they compromised the server hosting the private key.

That last one hasn’t had enough oxygen yet for the 2FA headlines to blaze, and they will, but both the company analyzing the hack and Bruce Schneier emphasize:

It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach.

Notice the trend here? While there is some truth for most of these from a vulnerability perspective, the reality is that these technologies still work to protect your credentials. Apple’s recent announcement has its own debate worth talking about (and has been on IDPro’s Slack site) and the debacle in Iowa shows that any technology is a dumpster fire waiting to happen if its implementation is designed poorly.

The diversity of the 2FA landscape makes it stronger, not more vulnerable. 

Let’s take a look at the following categories of authentication: 

Pretty diverse to be killed with a single vulnerability, I would think! Now let’s overlay which ones have at least one known vulnerability:

If we look at all the ones in red, that would be pretty disheartening to the casual observer. That’s where journalists and analysts need to take special care in talking about vulnerabilities. The real story doesn’t fit neatly into a simple headline regarding the vitality of the authentication landscape.

All methods of 2FA are still incredibly effective (some more than others) 

Google published a study of some internal findings on various methods used to secure their public credentials. Yes, SMS should be the low hanging fruit of 2FA but guess what, even this well-beaten pinata of 2FA stopped 76% of targeted attacks and nearly 100% of automated & bulk phishing attacks!

Microsoft recently published some numbers to similar effect, that the risk of account compromise is reduced by 99% using multi-factor authentication (MFA). I’d say 2FA is far from dead in that context.

Yes, we should get rid of the 2 in 2FA, long live MFA*

The biggest reason for this is that users can be more secure, and less inconvenienced when they have access to multiple ways of authenticating instead of one token combined with a password that can be lost, or a phone that can be upgraded and lock a user out. Without promoting one vendor, I can say thoughtfully that I have several methods to secure my key accounts and that diversity of options, I believe, is the key to giving our users the power of choice as to how they want to login. That power is how we eventually do reduce passwords to an edge use case. The key is that more sites need to support those methods to incentivize adoption. We’re not there yet, but the last few years show a lot of promise in eventually achieving that goal.

The reality is, even the coolest methods of authentication will eventually find a vulnerability. History proves this. But we don’t throw the baby out with the bathwater when those are discovered. We fix it, learn from it, and stay secure. Let’s leave the theater to the actors, where it belongs.

* For another blog post, but I’m wondering if MFA needs to be retired as a concept and we simply focus on the strength of authentication. To be continued…

Vague Signals & Behavioral Analytics

Gartner Analyst Anton Chuvakin shreds the myth that excelling in detection of threats means you should be at the same level or higher of preventing them. For some (including myself), this should be obvious. Preventing, detecting, and responding to security threats should be treated and evaluated as independent disciplines. Excellence in one doesn’t guarantee a level of maturity in either of the others. Unfortunately, given that some security vendors insist on perpetuating this myth, Chuvakin by necessity eviscerates this false premise with several good arguments. I’m only going to focus on one because of its impact in identity or user behavior analytics.

One of the points that Chuvakin makes regarding prevention is that signals in this area are often vague, making prevention with this level of data impossible, unless you want angry users storming your gates for being denied access. This is particularly true when evaluating the activity or behavior of a user. While some machines are capable of measuring the risk score of a given activity, do we really want a block on a connection when it barely crosses a threshold that may or may not be valid? The smarter approach would be escalate the user’s request to another level of authentication. Even if the challenge succeeds, it might make sense to flag the activity for human review.

If I login from a London based IP address 6 hours after my last known activity (from the US), it might be prudent to have the system in question challenge me for another factor of authentication to ensure the credentials have not been compromised. If no response is given or the session is terminated, flagging the account for review would be prudent. Even better, if the analytics engine has access to my travel & badging data (both viable points of integration), the signal to noise ratio on the event could be reduced (or escalated) quickly. Human intervention may still be useful here but automation becomes at least feasible based on our ability to raise or lower the risk score of the event based on the user’s response.

This level of sophistication for behavioral analytics as a  prevention protocol is fairly mature, but still pretty nascent for most enterprises. I see this as one of the early challenges in developing a behavioral analytics program. The use case I described is pretty straightforward, but establishing baselines for user behavior, especially in large enterprises, is far more daunting. Integrating that knowledge with your access management tools & policies is another level of challenge. That doesn’t mean we shouldn’t attempt to do so, however.

As a side note, this is an area where the concept of Shared Signals intrigues me. As our identity fabric becomes more and more decentralized/federated, adding external events to our behavioral analytics engine only seems to make sense. Further, we still hold control over how to interpret those events vs. relying on a machine interpretation of an external event that raises a higher level of vagueness on what took place.

It stands to reason that detection activities would mature at a faster rate than prevention. Arguably response activities can mature even faster, given appropriate resources. All three are worth investing in to protect company assets. But in the end reality has to intervene in our expectations with respect to achievements in one bearing any relationship to maturity in the other two.

 

MacID and Apple Watch Update

I know, its been awhile. Teaching in addition to my day job seems to have robbed me of blogging bandwidth.

First, I want to brag on a pretty nifty use case for the Apple Watch (and iPhone, obviously) MacID. This is an extension of TouchID for authenticating with OS X based systems.

There have been some other tools in this space, but by far this is the most elegant. You can unlock your OS X based system (Yosemite and higher, I believe) either from your iPhone or Apple Watch. Additionally, privilege elevation is handled nicely by the app. That alone is a nice addition vs. normal unlock apps.

My only real complaint about the app is consistent with other unlock apps: bluetooth flakiness. Sometimes the app just decides it isn’t connected to the Mac and requires that I reopen the app on my iphone to get them on speaking terms again. Otherwise, its a great product.

Second, an update on my Apple Watch experience. Overall, I still love it. Its a great extension of my iPhone and works very nicely as a fitness wearable. I have been using Apple Pay on the watch pretty regularly and that has been a really enjoyable experience.

One notable application that I want to call out is MyBivy (short for bivouac, you’ll get why in a moment). This clever kid at HackDC unveiled a wearable app that could potentially help people with PTSD and/or night terrors using haptic feedback in response to certain conditions that the watch could track, like elevated heart rate and sudden movements. To be clear, right now its only available on Pebble, but they are looking to port it to Apple Watch as well. I just think its a brilliant concept and hope it has the success that is so needed for people suffering from PTSD and night terrors. They have a kickstarter project if you’re interested in contributing.

The Watch OS2 release was mostly a success, with one glaring issue. After upgrading, my calendar events wouldn’t show up on the watch. I opened a ticket with Apple and it was resolved within a few days. I suspect it had something to do with the fact that my iPhone is managed by MobileIron, but I don’t know that for certain. I’ve communicated with a few people on twitter about it and some were resolved and some are still outstanding. The calendar is one of my favorite features because it keeps my phone in my pocket and keeps me on track during busier days.

Finally, a minor note on battery life. Most days, the watch performs like a champ, with me dropping it in the charger at 50-60% battery remaining. However, and this only started post OS2, I have had a fair number of days in the past month where the battery life just heads south quickly. Today I was at 1% before 4pm. My unconfirmed suspicion is there is likely a rogue process chewing it up, but I don’t use a ton of apps on the device, so its hard to pin down. Needless to say, I’m buying a charger to keep in my bag for the odd time that this happens. To be clear, in general the watch performs well on battery life. I think I may start tracking this, though, just to see if I can identify a pattern. Perhaps I should build a battery tracking app, hah.

I’ve been jotting a few thoughts down regarding the identity implications of the EU Safe Harbor decision, but not sure if I feel qualified to comment overall. We’ll see if research can help me out on that. Cheers.

Nymi Band – Loads of Potential

When this video first launched, the identity geek in me had a nerdgasm. The idea of continuous, contextual, biometric authentication in a low profile wearable has undeniable appeal. in a world in which users routinely have to navigate countless sets of credentials as part of their daily lives, could this really be ‘one band to rule them all’? Ok, after the eyeroll for the pun, the potential is extreme for this device to be a game changer.

Realizing the potential is always the struggle, and Nymi has experienced that like most startups. They’ve pivoted from consumer to enterprise use cases recently, and I think that will serve them well.

Anyway, the emphasis of this post is on my experience with the developer version of the band to date.  Thus far, it has been positive, but not without some bumps. Being that the band still isn’t RTM for public consumption, that’s almost expected.

Unboxing

I didn’t take photos or do a silly youtube of this, but Nymi clearly took notes from Apple on the unboxing experience and meticulous design. You can see the package near the end of the video above. The package was elegant and very well presented. I think that experience is a little underrated when we’re talking new technology. They did a very nice job here, even for a dev kit experience.

The Windows Experience

I hate to start with the bad, but this is how it was experienced when I first received the band late last year. Part of the dev kit comes with a usb bluetooth adapter. This is understandable, because not all devices support Bluetooth 4/BLE, windows especially. So now the band and related software is at the mercy of the Windows API’s.

The first test was on my corp laptop, a Lenovo T400 Thinkpad running Windows 7. The software installation required a separate install for the bluetooth hardware, but that’s expected. The companion software (required to enroll/identify you, bio-metrically) installed successfully and I was able to enroll my band pretty easily. The key here is to just ‘be still’ and let it read your ECG for about 90 seconds. I did get a few false rejections initially, but the software easily allows you to ‘condition’ your profile by doing more reads. Eventually, the FRR (false rejection rate) diminished considerably. This did raise a question: will consumers be this patient?

The 2nd piece is the unlock software. In effect, this is what you install to get the OS to recognize the device as a means of authentication. The windows implementation (compared to OS X, more on that in a moment) is a little clumsier, because the ‘login’ is presented as a secondary user from your primary login. I don’t really blame Nymi for this, because I believe some of this is a limitation of Windows Authentication API unless you implement this as part of the GINA (Graphical Identification and Authentication library). Especially for enterprise use cases, this might raise a CIO’s blood pressure (pardon the pun). If your PC stays persistently on, the unlock works pretty consistently (64-bit windows only, for now).

The challenge comes in for windows systems coming out of sleep. Sleep is always Windows nemesis, at least for my experience. And when you’re relying on a bluetooth service and adapter to authenticate you to come out of sleep mode well, it doesn’t always behave. The experience here thus far has been pretty inconsistent. My devices sleep unless they are in use, so this is a hurdle. In my conversations with Nymi support staff, they are aware of the issue and are actively working to tune that process. With Windows being the dominant desktop platform, I have little doubt they will smooth those issues out.

Still, waking up and unlocking my windows PC and Macbook without typing in a password is a pretty nice experience. Here’s my process:

  1. Fasten NymiBand
  2. Open iPhone 6 with TouchId
  3. Open Nymi Companion on iPhone
  4. Activate band (already enrolled) either via HeartID or TouchId (more on this in a moment)
  5. Login to MacBook by raising lid and pressing enter (<10 seconds)
  6. Login to Windows PC by bringing out of sleep (keyboard) and select Nymi user profile (30-60 secs)

Pretty cool, huh?

iOS Companion

Previously, I had to use a PC to activate my band. That won’t be the average user’s experience. So adding the iOS companion was a huge leap forward. The iOS companion works flawlessly and really was the first user experience that, in my opinion, showed Nymi starting to realize their vision for the ideal user experience. Registration & enrollment were flawless. I could either register my heart rhythm for the enrollment or allow the band to be a proxy for TouchId, yet another well executed biometric implementation. I’ve played with both, but currently use TouchId for activation in the morning.

OS X Experience

This started out rocky due to some installation issues, but eventually both the companion (pre iOS) and the unlock installed well. Now the experience goes up a level. Not only does unlock work seamlessly coming out of sleep, the re-lock feature (if enabled) can detect when your band is out of proximity of your MacBook and automatically lock your device. I found this to be a really nice feature at work. This was another case where the developers really began to show up how the vision could be realized.

Wearable Aesthetics

In this area, I struggle a bit. When I first received the band, I already wore a Fitbit Surge on my non-dominant wrist. Two bands on one wrist is a little too goth for my liking, so I went with my dominant wrist. That was ok, but definitely took some getting used to with respect to keyboards. Now I own an Apple Watch and the dynamic is the same.  I have to wonder, however, if this aspect of wearables will be a barrier to adoption for some. I honestly don’t know the answer to this.

Summary & Leftover Questions

Overall, I’d call the beta experience a success, especially once the iOS companion was released. its easy to see some of the promise in this technology helping reduce our reliance on something as insecure and unreliable as passwords.

Extending this beyond the desktop, and realizing some of the novel use cases in the video are where questions emerge. Could I pair my NymiBand with my 2015 Prius to unlock it? I have a feeling this will be easy given the advances Toyota has already implemented in keyless entry. My 2007 Tundra…not so much but I’m being unfair on that one.

The key challenge I see for the band will be enrollment on the target system, especially for those looking for configuration vs. security experiences. For me, given that I own the PC, MacBook, iPhone, and the Prius, enrollment is easy. What about public systems like the hotel, payment systems, retail chains, airport security, etc? Also, where does privacy play? The upside of the NymiBand is that you could theoretically ‘disappear’ by disconnecting the band. This is unlike Tom Cruise’s character when he walks into the next generation Gap with someone else’s eyes in Minority Report. These are open questions and not meant to infer an indictment of the technology or their approach. There is a ton of potential here, and I look forward to seeing how Nymi’s delivery and, perhaps more importantly, their partnerships help realize the vision of this platform as a next generation in digital identity.

30+ Days with the Apple Watch

Originally, I had planned a review (thus far) of an emerging authentication technology, and that is still on the horizon. But, it hasn’t gone gold yet so I feel like I have time. Instead, I thought I would post my mostly unedited thoughts on the Apple Watch.

At launch, I hadn’t planned to buy one. As intrigued as I was by the platform, I had intended to take a ‘wait and see’ approach. I used the same approach with the iPhone (my first wasn’t until the 3GS came out), and that worked well for me.

Another reason I was reluctant was that I already had a top notch fitness wearable in the Fitbit Charge HR and was pretty happy with it.

So why did I stray? The short answer is simply that I was reading some very exciting reviews and, more importantly, I came into a little unexpected money that would allow me to acquire the Sport version mostly guilt free.

I’ve been using the watch now for a little over a month. It arrived shortly after I left for San Diego to speak and attend a conference. I would have loved to have had the watch with me, but in many respects I was thankful that I didn’t have the distraction. That proved to be wise, as the first day with it was a bit of a loss in productivity as I explored this new platform.

Design

Out of the box you can see this is highly consistent with Apple’s unwavering design standards. This is a highly elegant watch. I was pleased that the weight wasn’t too cumbersome (have the 42mm sport model). Attaching the band takes a little getting used to, but I find it superior to my Fitbit in its security on my wrist.

Unpacking and Startup

Again, Apple shines here as people have come to expect a certain experience from even just opening the box and unpacking your new device. This one was no different for me. I immediately pluged the charger and set the watch to finish charging fully. A pleasant surprise is that this battery does not take long to charge at all. One to two hours is all I’ve needed on most days.

The startup is fairly easy, with some caveats. This is a new platform, much like unboxing your very first VCR or DVD player. Reading the manual helps and Apple does a very nice job of sending you an email in advance to let you watch a series of videos to pair, setup, configure, and use your new watch. You can even schedule an appointment to have someone walk you through some of this. I chose not to, as I wanted to explore this on my own time. The videos are a huge help to get used to to the interface and to get up to speed quickly. If someone flies into this blindly, I could see them getting frustrated. This isn’t just like operating an iPhone, though there are certainly parallels. Overall I got up to speed quickly and felt comfortable using it.

One complaint I have it that Apple loads EVERY app from your phone that has a watch companion app. I happen to have a ton of apps on my phone and this proved cumbersome. It isn’t terribly difficult to uninstall a phone app, it just takes time and I personally would have liked to be selective in what apps were installed on my watch.

(I just got notified by my watch that I need to stand for a few minutes, a feature that I truly enjoy)

Notifications

In my opinion, this is one of the early potential killer apps. Any application can be configured for notifications on your watch. This is an early example of where you have to figure out what is useful to you. Text messages, twitter notifications, and fitness feedback are my early key notifications, but I see potential for a lot more. The watch is simply less obtrusive than powering up your phone and allows me to keep my focus on my interactions with other people.

I can see this area being one of the early development frontiers. How do we get a user the key information they need in a context that is useful? Application and use of medication is one area where I could see this being highly useful. (disclosure: I work for a pharmaceutical company where compliance (or lack of) is a top reason where therapies can fail).

Phone Calls

This area is novel. I was a huge Get Smart fan growing up, so the ability to take a call on my watch is pretty cool to me. That said, I love knowing quickly on my watch who is calling and how I want to handle the caller. Like notifications, this makes for a less disruptive experience than reaching into my pocket to handle my phone. I have taken a few calls on the watch, and the audio is pretty solid. In private settings I could see me using it for brief chats (your car is ready, for example), but not as an extended conversation mode. Overall, I’d say this feature is delivered pretty well.

Apps

This is always the big question: what are the killer apps? Here’s a few I’ve found handy thus far:

CPI Security – Simply put, I can arm and disarm my home alarm system from the watch. It uses the phone interface, but I’ve found it pretty handy. CPI did a nice job of not trying to do too much here. This is another area where I think notifications could be handy.

Authy & 1Password – I lump these together because the use case is the same. The ability to easily pull up my code for two factor authentication on sites is highly useful to me. Because this is my field of focus, naturally I’m looking forward to seeing how the watch can be securely leveraged as a factor of authentication. I see a lot of potential in this area.

Map My Fitness – I’m conflicted on this app. I like the interface with my phone, but I’m also enjoyed the basic activity app as well. This is still a comparison in progress. The biggest different to date is I get the map data from MMF, and I do not with the activity app. How important is that? We’ll see. I do like being able to manage this from my watch instead of my phone when I’m at the gym, hiking, or riding my horse. This is another area I see developing rapidly from both Apple and other fitness manufacturers.

Calendar – during the work week, this is a really nice app. The form factor is so much more convenient over the phone or iPad for quick glances.

Note that I haven’t used the word ‘killer’ with any of these apps. I don’t view them that way, at least not yet. Tim Cook was pretty clear when the platform launched that the applications would drive the success of this platform, and I’m pretty much in that corner. I also think the ‘killer app’ metaphor gets overused. The app that delivers the biggest value will vary by user, in my opinion.

Battery

Of course, one of the early knocks on the Apple Watch, even pre-launch, was the battery life. Maybe it was due to the low expectations, but I haven’t had an issue at all. I get 1.5-2 days of life and haven’t had that be really an inconvenience. Generally, I just slap it on the charger when I go to bed and have yet to run out of juice. I did test a few days going to a 2nd day and didn’t have an issue.

Verdict

Overall, I love the new platform and am very excited for its potential as developers sink their teeth into the new SDK. That said, this device isn’t a ‘must have’ for everyone. By that, I mean its more of a luxury item that can enhance your life depending on how you choose to use it. That is partly why I don’t think this category will explode like smartphones have just yet. It will, eventually, and there’s little doubt in my mind that Apple is a pioneer in this category and will continue to do so in the future.