September’s Manchester Java Community Meetup was 2FA 2Furious, a talk by Matthew Gilliard, hosted by Autotrader and sponsored by Codurance. I’m not going to reproduce the entire talk in a blog post, but I would like to touch on some interesting and fun points from it.
Hacking Doesn’t Always Require a Great Deal of Tech Knowledge
As illustrated by the story of how Mat Honan got hacked, company processes can be just as exploitable as a decently written tech stack, if not more so. In Mat’s article he explains how many of the steps taken to get into his Apple, Amazon and Twitter accounts took advantage of human customer-care processes rather than any software flaw. Most successful hacks are not sophisticated: they chain together very simple steps.
People Love Their Bad Passwords
The Co-operative has its headquarters in Greater Manchester and employs a large number of IT staff in offices around the region. It has recently rolled out an integration with haveibeenpwned’s Pwned Passwords service that alerts users who try to sign up with a password that has already appeared in a known data breach. Troy Hunt (creator of haveibeenpwned) applauded this in a tweet, which comes with a nice picture illustrating how it works. That is cool enough on its own, but it also allowed the Co-op to capture some terrifying statistics! By chance or design Paul Dambra, a Principal Engineer who worked on this functionality, was at the Meetup and able to confirm them.
- About 10% of users tried to sign up with a password that had already appeared in a breach.
- Much more shocking: about 25% of those who were warned that their password had been breached chose to go ahead and register with it anyway!
The takeaway is that if you want a truly secure public-facing app, strong server-side password validation, including a check against known-breached passwords, is a must; relying on users to make the right choice once warned is not enough.
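As an added example (not the Co-op’s code, nor anything shown in the talk), here is how such a check can be done without ever sending the user’s password to a third party. The Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 and returns every known suffix in that bucket with a breach count, so the server cannot tell which password you hold. The `SAMPLE_BUCKETS` response below is constructed for this example: the first suffix is the real SHA-1 suffix of the password `password`, but the other suffixes and all of the counts are made up, and the `registration_decision` policy helper is an illustration of the warn-versus-block choice, not the Co-op’s actual logic.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Dict, Optional, Tuple

# Constructed stand-in for the body returned by the Pwned Passwords range API
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>).
# Each line is "<remaining 35 hex chars of the SHA-1>:<breach count>".
# "1E4C9B93...68FD8" really is the SHA-1 suffix of "password" (bucket 5BAA6);
# the other suffixes and every count here are invented for the example.
SAMPLE_BUCKETS: Dict[str, str] = {
    "5BAA6": """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7F3B9AB9C2D81E6F2A6C8D8C5E7A0B1C2D3:12
""",
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(suffix: str, range_body: str) -> int:
    """Scan one bucket's response for our suffix; 0 means not seen in any breach."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup (needs network). Only the 5-char prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, buckets: Optional[Dict[str, str]] = None) -> int:
    """Return how many times the password has appeared in known breaches.

    Pass `buckets` (prefix -> range body) to check offline against captured
    responses; a prefix missing from `buckets` is treated as an empty bucket.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix) if buckets is None else buckets.get(prefix, "")
    return breach_count_from_range(suffix, body)


def registration_decision(password: str, buckets: Dict[str, str], *, allow_override: bool) -> str:
    """Illustrative policy: 'ok' if unseen; 'warn' if seen but the user may still
    proceed (the warn-and-let-through model the statistics above came from);
    'block' if seen and overrides are not allowed."""
    if check_password(password, buckets) == 0:
        return "ok"
    return "warn" if allow_override else "block"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7!"):
        print(f"{pw!r}: seen {check_password(pw, SAMPLE_BUCKETS)} times, "
              f"decision={registration_decision(pw, SAMPLE_BUCKETS, allow_override=False)}")
```

Run it as-is to see the offline result; call `check_password(pw)` with no buckets for a live lookup. The breach-count threshold and whether a warned user may proceed are product decisions, but as the 25% figure shows, a warning alone changes few minds.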
Alternative Factors That Can be Used For 2FA
A very quick word on MFA (Multi-Factor Authentication): any form of authentication is a way of proving that you are who you say you are. Passwords do so with something you know, but you can also prove who you are with something you have, something you are (your fingerprint, your DNA), where you are, and so on. Each of these is called a factor, and 2FA validates who you are using two of them, most often something you know (a password) and something you have (a mobile phone or YubiKey). Matthew listed a few factors and his thoughts on each of them:
- SMS Message – Despite the day and age we live in, SMS is not entirely secure: an attacker can stand up their own fake base station (mast) to intercept mobile network traffic and read your messages.
- Ambient Sound – Your phone can be used to match the sound at its location against the sound at the place you claim to be. Obviously this only works for locations already rigged with microphones for such authentication, but still, that’s cool!
- Biometrics – Very accurate until someone finds a way to replicate them. Unlike a password, you can’t change your fingerprints/irises/face/whatever: you are hacked for life!
Thanks
Everyone who put together the event deserves a huge thanks. The talks that the Manchester Java Community put on are always hugely interesting. I have to say Matthew Gilliard is an extremely fun and absorbing speaker. I’d listen to him talking about the latest in potato technology!