Security For The People
End-User Authentication Security On The Internet
Mark Stanislav [email protected]
Security Is A Process, Not A Product.
A Few Notes on Research Methodology
•Worked “backwards” by establishing a list of services that provide users with two-factor authentication
•Provides us with a more security-forward data set to begin with
•Gathered additional details per service regarding not just 2FA but also TLS usage, browser headers, and cookie security
•Focused on data completeness and accuracy as much as reasonably possible, but this is *not* a scientific study
•Does not include software packages with two factor
Primary Data Points Utilized

Two-Factor Authentication
•When was it first offered to users?
•How do users enroll to enable it?
•What method(s) are available?
•What do companies even call it?

Browser Security Features
•HTTP Strict Transport Security
•Content Security Policy
•X-Frame-Options
•X-XSS-Protection
•X-Content-Type-Options
•Session Cookie Secure
•Session Cookie HttpOnly

Transport Security
•Do they utilize SSL/TLS for logins?
•What is their SSL Labs score?
Gathering Data Can Be Really, Really Annoying
Two Factor Deployments Per Year Since 2005
[Bar chart: Number of Deployments (0 to 45) by Year of Deployment, 2005 through 2014; the per-year bar values are not legible in the extraction]
* Note, data is only through June 2014
•Google Authenticator’s presence in 2011 has likely led to the mass adoption of TOTP
•Many services that support TOTP just say they use Authenticator
•Facebook also enabled 2FA for users in 2011
•Allows SMS + TOTP
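The TOTP that services “just say they use Google Authenticator” for is RFC 6238 layered on RFC 4226 HOTP: an HMAC over a counter derived from the clock, truncated to six digits. The following is an added example (not code from the deck or from any service in the study) implementing both with only the Python standard library, using the RFC appendix test key and timestamps rather than real data, together with the drift window and constant-time comparison a service-side verifier needs.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, the algorithm behind "Google Authenticator"
style 2FA. Added example for this page; the key and times are the RFC test
vectors (constructed inputs), not a real service's secret."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                           # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """TOTP = HOTP(K, floor(T / X)). The defaults (SHA-1, 30 s, 6 digits) are what
    Google Authenticator and most 'Authenticator-compatible' services use."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret, submitted, unix_time=None, window=1, step=30, digits=6):
    """Accept the code for the current step and +/- `window` neighbouring steps to
    tolerate clock drift. hmac.compare_digest keeps the comparison constant-time
    so response timing cannot leak how many digits matched. A real verifier must
    also remember the last accepted counter and reject replays of the same code."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
               for d in range(-window, window + 1))


RFC_SECRET = b"12345678901234567890"  # shared test key from RFC 4226 / RFC 6238

if __name__ == "__main__":
    for c in range(4):
        print(f"HOTP counter={c}: {hotp(RFC_SECRET, c)}")
    print("TOTP at T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
    print("code from next step accepted at T=59:",
          verify_totp(RFC_SECRET, totp(RFC_SECRET, 59 + 30), unix_time=59))
```

With the RFC key, counters 0 through 3 produce the published HOTP values, and the 8-digit TOTP at T=59 matches the RFC 6238 Appendix B table.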
How Does A User Actually Enroll In Two Factor?
[Bar chart: Number of Services (0 to 132) by Method of Two Factor Enrollment: Phone Call, E-Mail, Mixed, Self Enroll. Self Enroll is by far the largest bar at 132 of 141 services; the three remaining bars are small and their exact values are not legible in the extraction]
•Ease of enrollment is crucial for adoption of security controls
•Having to call, fax, or even e-mail may be enough for a user to go “this seems like too much effort…”
•It’s great to see such a high percentage of services allowing users to self enroll (94%)
Collective Method Availability Across Services
[Bar chart: Number of Services Offering (0 to 72) by Method: E-Mail, SMS, Call, Card, Token, Yubikey, TOTP, HOTP, Mobile, Duo, Authy, Rublon. TOTP is the tallest bar (74 services, per the bullets below); the other bar values are not legible in the extraction]
•12 of the 74 services that support TOTP are Bitcoin related
•92% of all Bitcoin services offer TOTP, and 62% offer it as their only method
•73% of hardware token-enabled services are financial or gaming
Companies Should Point Out Two Factor Availability
Shown upon first login… nice work, Zoho!

Number Of Methods Per Service By Percentage
[Pie chart with slices for 1, 2, 3, 4 and 5+ methods; the slices shown are 51%, 33%, 11%, 4% and 2%, and the extraction does not preserve which slice carries which label]
•Of services that offer only a single method, 51% provide TOTP and 14% provide SMS
•62% of services that offer two methods pair TOTP with SMS
•MailChimp and OneLogin offer five methods for users to leverage
Two Factor Moniker Usage Since 2005
[Stacked bar chart: Moniker Usage Per Year (0 to 47) by Deployment Year, 2005 through 2014, split into 2FA, MFA, 2SV and Other, with Google’s 2SV deployment called out as an annotation; the per-year values are not legible in the extraction]
* Note, data is only through July 2014
•2-Step Verification as a moniker seems to be going away…
•2011: 15%
•2012: 28%
•2013: 21%
•2014: 17%
•“Other” is usually for custom branding of the service’s feature
Built-In Two Factor Bypass? Recovery Gone Wrong.
Can’t 2FA? No Problem! Just replace it with more 1-factor :)
A Bit Of A Glossary
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents are to interact with it using only secure HTTPS connections.
Content Security Policy (CSP) provides a header that allows websites to declare approved sources of content that browsers should be allowed to load on that page.
X-Frame-Options can prevent any framing, prevent framing by external sites, or allow framing only by the specified site.
X-XSS-Protection enables the XSS filter built into most web browsers; IE8, for instance, already has this on by default.
X-Content-Type-Options reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable/dynamic HTML.
‘Secure’ cookie flag makes supported browsers send a cookie carrying the flag only over HTTPS connections.
‘HttpOnly’ cookie flag mitigates cross-site scripting (XSS) attacks by not allowing client-side script in supported browsers to read the cookie (e.g. via document.cookie).
Mostly a copy/paste from Wikipedia and OWASP <3
Browser Security Features For Service Logins

Sector        Total Sites  HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly
All Sectors   141          38%   7%   56%      22%    22%        75%            78%
Technology    83           40%   10%  49%      20%    20%        73%            78%
Financial     36           33%   8%   50%      14%    8%         69%            64%
Gaming        12           17%   0%   25%      8%     0%         58%            67%
Retail        4            50%   0%   75%      50%    50%        75%            100%
Social        6            50%   17%  83%      17%    33%        100%           83%

•Gaming is far behind other sectors for browser security
•Likely because most users spend little time in the browser
•Social media organizations have more of a focus on browser security due to the common nature of client-side attacks against
Browser Security All-Stars
4 of 141 services utilized all of tested browser security features
12 more had all security features except Content Security Policy
Unexpected Headers During Research
WordPress.com, x-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
App.net, heartbleed: REKEYED: 2014-04-08; see http://heartbleedheader.com
Directnic, X-Hackers: We’re hiring! Apply at [email protected], use this header in your subject
SSL/TLS Implementation for Service Logins
[Bar chart: Total Occurrences (0 to 35) by SSL Labs Score: A+, A, A-, B, C, F. The six bar values visible in the extraction are 17, 3, 34, 34, 32 and 21 (summing to the 141 services), but which grade each belongs to is not preserved]
•14 of the ‘F’ ratings were because of the OpenSSL CCS injection vulnerability (CVE-2014-0224)
•Star Wars: The Old Republic actually still supported SSL v2!
•Amazingly enough, SSLTrust of all people received a ‘C’ rating for allowing both 40-bit and 56-bit cipher suites
We Take Security Seriously, Erm…
Browser Security + SSL Security All-Stars
2 of 141 services utilized all of the tested browser security features and also received an ‘A+’ SSL implementation rating
The Weirdest Thing I Saw During Research
They don’t use SSL at all and do JS crypto for logins
Security Pages — Yes, Really :)
Many companies dedicate an entire page (or at least a big section of a page) to how they protect you and how you can protect yourself
…and others definitely do not…
Seems legit.
[Screenshots: Example #1, Example #2, Example #3]
Security Pages Across Two Factor-enabled Services
[Bar chart: Count by Security Page, Yes: 90 services, No: 51 services]
•15 of the 51 sites (29%) that do not have a security page are in the domain registration/DNS space
•…including GoDaddy, NameCheap, and Hover
•Some of these pages even have a bug bounty and/or responsible disclosure section, which is fantastic for further helping to protect users
•…including Google, Facebook, and Coinkite
•These pages show real concern for security
So What Does This All Mean?
•Consider the data points we now have:
•Browser security (HTTP headers and cookie security)
•Transport security (SSL/TLS implementation)
•Strong authentication (two factor deployments)
•Corporate security focus (company security page)
•What if we could assign a point-scale to those data points and create a composite value of authentication security per service?
•…and what if you had no idea what the hell you were doing?
Mark’s Authentication Security Scoring Algorithm — Crudely Realized Edition
MASSACRE
How Do We Get a Composite MASSACRE Score?

SSL Implementation
Score                   Points
A+, A, A-, B+, B, B-    15
C+, C, C-, D+, D, D-    10
F, No SSL/TLS           0

Browser Security Features
Feature                          Points
HTTP Strict Transport Security   10
Content Security Policy          15
X-Frame-Options                  10
X-XSS-Protection                 5
X-Content-Type-Options           5
Secure Session Cookie            10
HttpOnly Session Cookie          10

Security Page
Exists?   Points
Yes       5

Two Factor
Enabled?  Points
Yes       15

100 point scale… add up the values to get a score!
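To make the scoring concrete, here is an added example (not tooling from the talk) that pulls the seven browser-security data points out of a raw HTTP response head and adds the SSL grade, security page and two-factor points from the tables above. The two responses are constructed to mirror the Duo Security and Authy rows of the shoot-out table later in the deck, not captured traffic, and the session cookie name `sid` is an assumption.

```python
"""Audit a login response's security headers and session-cookie flags, then
compute the MASSACRE composite exactly as the point tables above define it.
Added example, not the talk's own tooling; the sample responses are constructed."""

FEATURE_POINTS = {            # Browser Security Features table
    "hsts": 10, "csp": 15, "x_frame": 10, "x_xss": 5,
    "x_content": 5, "cookie_secure": 10, "cookie_httponly": 10,
}
SSL_POINTS = {"A": 15, "B": 15, "C": 10, "D": 10, "F": 0}  # by grade letter, +/- ignored
SECURITY_PAGE_POINTS = 5
TWO_FACTOR_POINTS = 15


def parse_headers(raw):
    """Turn a raw response head into (lower-cased name, value) pairs, keeping
    duplicates because Set-Cookie legitimately repeats."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(pairs, session_cookie):
    """Return which of the seven checked features are present. Presence alone is
    not enough for two of them: 'X-XSS-Protection: 0' disables the filter, and
    X-Content-Type-Options only does anything with the value 'nosniff'."""
    names = {n for n, _ in pairs}
    found = {
        "hsts": "strict-transport-security" in names,
        "csp": "content-security-policy" in names,
        "x_frame": "x-frame-options" in names,
        "x_xss": any(n == "x-xss-protection" and v.split(";")[0].strip() == "1"
                     for n, v in pairs),
        "x_content": any(n == "x-content-type-options" and v.lower() == "nosniff"
                         for n, v in pairs),
        "cookie_secure": False,
        "cookie_httponly": False,
    }
    for n, v in pairs:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        if parts[0].partition("=")[0] != session_cookie:
            continue                      # only the session cookie is scored
        attrs = {p.lower() for p in parts[1:]}
        found["cookie_secure"] = "secure" in attrs
        found["cookie_httponly"] = "httponly" in attrs
    return found


def massacre_score(features, ssl_grade, security_page, two_factor):
    """Sum the point tables. ssl_grade is an SSL Labs grade such as 'A+' or 'C-',
    or None for no SSL/TLS at all (0 points, same as an F)."""
    score = sum(pts for key, pts in FEATURE_POINTS.items() if features.get(key))
    if ssl_grade:
        score += SSL_POINTS.get(ssl_grade[0].upper(), 0)
    if security_page:
        score += SECURITY_PAGE_POINTS
    if two_factor:
        score += TWO_FACTOR_POINTS
    return score


def score_response(raw, session_cookie, ssl_grade, security_page, two_factor=True):
    """Return (feature dict, score). two_factor defaults to True because every
    service in this data set offers it, which is the 15 points everyone starts with."""
    features = audit_headers(parse_headers(raw), session_cookie)
    return features, massacre_score(features, ssl_grade, security_page, two_factor)


# Constructed to match the Duo Security row of the shoot-out table (score 90).
DUO_LIKE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
Set-Cookie: _tracking=xyz; Path=/
Set-Cookie: sid=c0ffee; Path=/; Secure; HttpOnly
Content-Type: text/html; charset=utf-8
"""

# Constructed to match the Authy row: HSTS, X-Frame, X-XSS, X-Content and HttpOnly
# but no Secure flag, SSL Labs 'F', has a security page (score 60).
AUTHY_LIKE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Set-Cookie: sid=deadbeef; Path=/; HttpOnly
"""

if __name__ == "__main__":
    for label, raw, grade in (("Duo-like", DUO_LIKE, "A+"), ("Authy-like", AUTHY_LIKE, "F")):
        features, score = score_response(raw, "sid", grade, security_page=True)
        missing = sorted(k for k, present in features.items() if not present)
        print(f"{label}: MASSACRE {score}, missing {missing}")
```

Feeding the Duo-like head with an A+ grade yields 90 and the Authy-like head with an F yields 60, the same totals as the shoot-out table; a service with every feature and an A-range grade reaches exactly 100.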
Professional MASSACRE Scale
Score     Count
81-100    15
61-80     41
41-60     53
21-40     27
0-20      5
Keep in mind, everyone “starts” with 15 points (every service in the data set offers two factor)
MASSACRE Scoring Outcomes — Best and Worst!

Best Scores
Company    Score
GitHub     100
Kraken     100
LastPass   100
FastMail   95
Facebook   90

Worst Scores
Company    Score
easyDNS    15
Frostbox   15
Sendloop   15
Fabulous   20
Pobox      20

Best Per Sector
Sector       Company                Score
Technology   GitHub, LastPass       100
Financial    Kraken                 100
Gaming       Elder Scrolls Online   65
Retail       Etsy                   85
Social       Facebook               90

Worst Per Sector
Sector       Company                                               Score
Technology   easyDNS, Frostbox, Sendloop                           15
Financial    WeMineLTC                                             30
Gaming       Guild Wars 2, Star Wars: The Old Republic, Wildstar   35
Retail       Humble Bundle                                         50
Social       HootSuite                                             45
Further Parsing MASSACRE Scores

Group            Mean  Median  Mode
Overall Values   57    55      55
Technology       57    55      75
Financial        57    55      55
Gaming           47    48      N/A
Retail           68    68      N/A
Social           72    73      N/A
How Do Security Features Increase MASSACRE Scores?

Group            Mean  Median  Mode
Overall Values   57    55      55
CSP Enabled      87    93      100
Security Page?   63    65      55
HSTS Enabled     75    75      75
SSL ~(A|B)       60    55      55
SSL ~(C|D)       40    40      N/A
SSL ~(F/None)    37    35      N/A
MASSACRE FAQ, #1
MASSACRE FAQ, #2
MASSACRE FAQ, #3
Have A Crappy Algorithm? Make A Crappy Extension!
Breaches Of Service Security (Data Loss, Especially)
•A breach does not include DDoS attacks, direct phishing against customers, dumb users, etc.
•28% of services had a public corporate breach
•Breached services had an average MASSACRE score of 64, while unbreached services had a worse average of 54
•So, moot point. Everyone can get hacked :)
[Bar chart: Count by Corporate Breach, Yes: 39 services, No: 102 services]

Sector       Total  # Breached  % Breached
Technology   83     19          23%
Financial    36     11          31%
Gaming       12     3           25%
Retail       4      2           50%
Social       6      4           67%
Two Factor Deployments After A Breach
•Of the 37 services that had both a deployment date and a breach date, 54% already offered some form of two-factor authentication before the breach
•Of the 19 services that added 2FA after a breach, it took an average of 255 days to deploy, with a median of 128 days
•It took Linode, Dropbox, MaxCDN, and Buffer < 1 month to deploy
•74% of them offer TOTP (versus 52% across all services)
SaaS 2FA Service Provider Shoot-Out!
•Includes 2FA providers with a customer login on their web site
•Sorry if I missed your company, it was definitely not on purpose!

Company        HSTS  CSP  X-Frame  X-XSS  X-Content  Cookie Secure  Cookie HttpOnly  SSL Score  Security Page  MASSACRE
Authy          ✓     ✗    ✓        ✓      ✓          ✗              ✓                F          ✓              60
Duo Security   ✓     ✓    ✓        ✗      ✗          ✓              ✓                A+         ✓              90
LaunchKey      ✓     ✗    ✓        ✓      ✓          ✓              ✓                A+         ✓              85
MePIN          ✗     ✗    ✗        ✗      ✗          ✗              ✓                B          ✗              40
Rublon         ✗     ✗    ✗        ✗      ✗          ✓              ✓                A-         ✓              55
SAASPASS       ✗     ✗    ✗        ✗      ✗          ✓              ✓                A          ✗              50
TeleSign       ✗     ✗    ✗        ✗      ✗          ✗              ✗                A-         ✗              30
TextPower      ✗     ✗    ✗        ✗      ✗          ✓              ✗                F          ✗              25

*phew* glad Duo didn’t lose :P
Random Thoughts On Lessons Learned
•Scouring the Internet to find release dates and documentation for service features is way harder than it should be
•Authentication security still ultimately comes down to the security of your operations and your codebase
•Bug in your authentication code? None of this other stuff really matters
Data research is tiring, let’s just break stuff.
Thanks Go Out To…
•Vikas Kumar and Domenic Rizzolo, two of the amazing interns at Duo Security for doing a ton of data gathering and organization !
•http://twofactorauth.org for being a hugely helpful resource for trying to aggregate 2FA-enabled sites/services to get started with
•https://www.ssllabs.com/ssltest/ from Qualys for SSL Scoring
•Steve Werby did similar research on a grander scale last year — http://www.slideshare.net/stevewerby/crunching-the-
All Done! Questions?
E-Mail: [email protected]
Twitter: @markstanislav
Presentations: speakerdeck.com/mstanislav