User Identity and Authentication: WordPress, 2FA, and Single Sign-On
Isaac Potoczny-Jones, ijones@tozny.com, http://tozny.com
About the Speaker
- Galois, Inc. (@galoisinc): research and development for computer science and security. 55 employees, founded 1999.
- Tozny (@tozny): startup focused on the Tozny mobile authentication factor.
- Isaac Potoczny-Jones (@SyntaxPolice): Tozny CEO. BS Computer Science, MS Cybersecurity.
Authentication: Proving Who You Are
- Something you know: passwords, PINs, screen patterns, "name of your first pet".
- Something you have: physical keys, secure tokens, mobile phones.
- Something you are: biometrics such as facial recognition and fingerprints.
Chart: "To guard against inappropriate access to electronic health records, what type of authentication does your organization require for users to gain access while they are on the job at one of your facilities?" Source: http://docs.ismgcorp.com/files/handbooks/his-survey-2012/his_survey_report_2012.pdf
Single and Multi-Factor
- Single factor: one authentication method. Classics: password, keys, keyfobs, keycards.
- Multi-factor: more than one factor (know / have / are). Mixing categories buys security because an attacker has to defeat each one separately.
- Multi-factor classics: debit card and PIN; password and random-number token.
Market note: the multi-factor authentication market is growing at a CAGR of 19.98% from 2014 to 2020. Two-factor authentication is the largest share of that market; banking and finance is the largest application, followed by government and defense. North America leads, followed by Europe and APAC. Source: http://www.marketsandmarkets.com/market-reports/multi-factor-authenticationmarket-877.html
Threat Landscape: Passwords
The Password Conundrum
- Good passwords are hard to remember.
- Bad passwords are easy to guess.
- So what's a good password?
Massive Database Spills
Each spill accelerates attackers' understanding of how people choose passwords.
- "Russian hackers": 1.2B (2014)
- LinkedIn: 6.5M (2012)
- Yahoo: 340K (2012)
- RSA: SecurID token seed keys stolen (2011)
- Gawker: 740K (2011)
- Sony (2011, 2014)
- Stratfor: 800K (2011)
- RockYou: 32M (2009)
Source: http://thepasswordproject.com/leaked_password_lists_and_dictionaries
Brute Force Attacks
Chart: brute-force attack data (source: Rob Graham, Errata Security).
Password Cracking: oclHashcat Benchmarks (one GPU)
- NTLM: 16,701 Mh/s (about 17 billion hashes/second)
- MD5: 8,511 Mh/s. Plain MD5 was WordPress's old default and is still accepted as the fallback for legacy hashes.
- SHA1: 2,722 Mh/s
- SHA256: 1,120 Mh/s
- bcrypt (Blowfish): about 4,000 hashes/second. This is phpass's strong mode. Note that WordPress constructs phpass in "portable" mode, so its default stored hash is the "$P$" format: salted MD5 iterated 8,192 times, far slower to crack than plain MD5 but well short of bcrypt.
Sources: http://hashcat.net/oclhashcat/ and https://gist.github.com/epixoip/8171031
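To make the per-guess cost concrete, here is the phpass portable hash that WordPress stores in `user_pass`, reimplemented in Python from the public Openwall phpass algorithm, together with a worst-case crack-time estimate that scales the raw MD5 benchmark above by the number of MD5 calls each guess needs. This is an added example, not code from the talk or from WordPress; the sample password and the 8-digit-PIN keyspace are constructed for the demonstration.

```python
# Added example (not from the talk or from WordPress): phpass "$P$" portable
# hashing as WordPress uses it, plus a crack-time estimate against one hash.
import hashlib
import hmac
import os

# phpass's own base64 alphabet (not RFC 4648).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass encode64: little-endian 6-bit groups, no padding."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Hash `password` under `setting` = "$P$" + cost char + 8-char salt.
    Returns "*" (never a valid hash) on a malformed setting, as phpass does."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:  # phpass rejects costs outside 2^7..2^30
        return "*"
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << count_log2):  # stretching loop: attackers repeat it per guess
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, count_log2: int = 13) -> str:
    """New salted hash. WordPress builds PasswordHash(8, true), which on PHP 5+
    becomes count_log2 = 13: hashes start with "$P$B" (8,192 rounds)."""
    salt = _encode64(os.urandom(6), 6)
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def phpass_verify(password: str, stored: str) -> bool:
    """Constant-time comparison; the stored hash supplies salt and cost."""
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


def md5_calls_per_guess(stored: str) -> int:
    """MD5 invocations an attacker needs per candidate password for this hash."""
    return (1 << ITOA64.find(stored[3])) + 1


def seconds_to_exhaust(length: int, charset: int, md5_per_second: float, stored: str) -> float:
    """Worst-case time to try every `length`-character password over `charset`
    symbols against one hash, given a raw MD5 rate like the benchmark above."""
    return charset ** length * md5_calls_per_guess(stored) / md5_per_second


if __name__ == "__main__":
    h = phpass_hash("correct horse battery")  # constructed sample password
    print(h, phpass_verify("correct horse battery", h))
    # an 8-digit PIN against one $P$B hash at the slide's 8,511 Mh/s MD5 rate
    print(round(seconds_to_exhaust(8, 10, 8.511e9, h), 1), "seconds")
```

The point of `md5_calls_per_guess` is that the 8,511 Mh/s figure divides by 8,193 for a default WordPress hash, and by only 1 for a legacy plain-MD5 hash, which is why the fallback matters: an attacker with a dumped table goes after the short 32-character hashes first.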
So What's a Good Password?
- Long enough: maybe 9+ characters.
- Complex enough: effectively random, drawn from a large character set.
- Not reused: or risk the wrath of database spills.
- But: the average user has 26 accounts (I have 300). Source: Experian & Deloitte, http://goo.gl/4jrnha
With 26 Passwords, It's Impossible
- Let's just admit it: we're asking the impossible. Users can never remember 26 random passwords.
- Users manage the problem:
  - Reuse is most common: a typical user has about 5 distinct passwords.
  - Email reset: "I forgot my password."
  - Password managers: Firefox, KeePass, etc.
The Password Exploitation Cycle Is Getting Faster
- Custom hardware (GPU rigs).
- Huge password database spills: LinkedIn 6.5M, Yahoo 340K, RockYou 32M.
- Analysis of how people pick passwords: a person's name, a place name, a dictionary word, "add 1 to the end".
- New attack heuristics built from that analysis. Top picks: Password1, 123456, Iloveyou, qwerty.
Result: Two-Factor Is Taking Off
- Major Internet players offer it: Google, Facebook, Twitter, Dropbox, etc.
- It's a good way to protect against:
  - Password reuse by users.
  - Other sites getting hacked.
  - Remote brute force against you or your clients.
Solutions
Single Sign-On / Identity Federation
- Service provider (SP): the site you log into. Also called Relying Party (RP).
- Identity provider (IdP): the site you log in with.
- Typical workflow:
  1. Visit Yahoo, click login.
  2. Get redirected to Google carrying an authentication request (session token).
  3. Log into Google.
  4. Get redirected back to Yahoo with signed proof of login.
OpenID 2, OAuth, OpenID Connect
- OpenID was going to be the SSO of the open web, but not enough relying parties adopted it.
- Now we have social sign-in from Facebook and Google. These use OpenID Connect and are deprecating OpenID 2.
- OpenID Connect is an identity layer built on top of OAuth 2; OAuth 2 by itself is an authorization protocol, not an authentication one.
- OAuth 2 has its problems: it's complex and under-specified, so every implementation fills the gaps differently.
Security Assertion Markup Language (SAML)
- Seems to be gaining momentum.
- Federation and SSO: InCommon, education, enterprise.
- Also used to share attributes (groups, etc.).
- Accepted by Google Apps, Dropbox, Salesforce, etc.
- Major implementations: Shibboleth (Java), SimpleSAMLphp, Ping. Plugins for lots of platforms.
- I audited plugins for Drupal and WordPress; they were very insecure.
Cloud SSO Services (IdP)
- Largely based on SAML. Mostly subscription SaaS, instead of operating your own IdP.
- They work to integrate service providers.
- Ping Identity, OneLogin, Okta, Centrify, Symplified, etc.
- JanRain: social login and user management.
Physical Tokens
- YubiKey: small; emits one-time or fixed passwords by pretending to be a USB keyboard. Implements FIDO.
- Random-number tokens: RSA SecurID; Google Authenticator (soft-token app); lots of similar tokens.
- Hardware benefits and drawbacks:
  - Benefits: tamper-resistant, and it can't get viruses.
  - Drawbacks: you can't put 100 of them on your keychain.
Mobile Phone Factors
Mobile phone factors are a great trade-off!
- Google Authenticator: random number (app).
- Text-message random number: used by Facebook, Twitter, Telesign.
- In-app push-based notifications: Twitter, Duo Security, others.
- PhoneFactor (Microsoft): text, voice, push.
- And of course: Tozny! Focused on ease of use and security.
Summary: Each Factor Has Drawbacks
- Something you know: basically passwords. Doesn't scale beyond a handful of secure passwords.
- Something you have:
  - Physical token: doesn't scale beyond the size of your keyring.
  - Mobile phone: seems most promising to me.
- Something you are: biometrics are not secret.
- Federation / SSO: if only we could agree to agree.
Options for WordPress
Remote Brute-Force Attacks
- The default "admin" account is the first username every attacker guesses; use a different one.
- WordPress does not enforce strong passwords by default.
- Security features are usually an add-on plugin.
- Tricks with .htaccess: an extra HTTP password on wp-login.php, IP address limits, etc.
- Fail2ban: watches the logs and adds a firewall rule when one IP makes too many failed attempts.
- Blacklisting entire countries.
- Summary: most of these solutions are pretty bad.
http://codex.wordpress.org/brute_force_attacks
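What fail2ban actually does for WordPress is a small piece of detection logic, and it is worth seeing written out because the matching rule is where such setups usually go wrong. The following is an added example, not the talk's or fail2ban's code: it runs the "N failures from one IP within a window" rule over constructed Apache combined-log lines. It relies on one WordPress behaviour: a wrong password on `POST /wp-login.php` is answered with HTTP 200 (the form is re-rendered), while a correct one is a 302 to wp-admin, so "POST + 200" is the failure signature. The IP addresses, timestamps and `findtime`/`maxretry` values are constructed for the demonstration.

```python
# Added example (not from the talk or fail2ban): fail2ban-style detection of
# WordPress login brute force over constructed Apache access-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: a slow attacker (.9) spreading guesses 12 minutes
# apart, a legitimate user (.4) who fails twice and then succeeds, and a fast
# attacker (.7) scripting five guesses in five seconds.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2015:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "curl/7.38"
203.0.113.9 - - [10/Mar/2015:09:12:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "curl/7.38"
203.0.113.9 - - [10/Mar/2015:09:24:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "curl/7.38"
203.0.113.9 - - [10/Mar/2015:09:36:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "curl/7.38"
203.0.113.9 - - [10/Mar/2015:09:48:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "curl/7.38"
198.51.100.4 - - [10/Mar/2015:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.5"
203.0.113.7 - - [10/Mar/2015:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-requests/2.5"
198.51.100.4 - - [10/Mar/2015:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:10:00:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Combined-log line -> dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def is_failed_login(rec):
    """Bad password: WordPress re-renders wp-login.php with 200 instead of 302."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and "action=" not in rec["query"]   # lost-password / register forms also post here
            and rec["status"] == 200)


def find_bans(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time of the failure that tripped the threshold}: an IP is
    banned once it has `maxretry` failures inside any `findtime` window."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans


def ban_command(ip):
    """The kind of action fail2ban runs for a tripped IP."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(when.isoformat(), ban_command(ip))
```

With the defaults only the fast attacker trips the rule; the slow one stays under it, which is the trade-off the slide's "pretty bad" verdict is about: a wider `findtime` catches the slow guesser but also sweeps up a legitimate user who mistypes a few times. The same rule needs to cover `POST /xmlrpc.php`, which also accepts WordPress credentials.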
Integrating with Corporate Login: LDAP
- LDAP: a standard centralized password and attribute system. Used to log in and to get user permissions, names, etc.
- LDAP holds sensitive information and belongs behind the firewall; WordPress talks to it, the user never does.
- Workflow (WordPress is the service provider):
  1. User and browser send username / password to WordPress.
  2. WordPress forwards username / password to LDAP (a bind).
  3. LDAP returns the login result and attributes to WordPress.
Identity Federation: SAML Workflow
- A few plugins can make WordPress into a SAML Service Provider (Relying Party).
- You'll need a SAML IdP, or the company needs to operate one.
- SAML is just the SSO mechanism! The IdP still needs a way to verify the user (e.g. LDAP, passwords, Tozny).
- Workflow:
  1. User and browser: "Let me in" to WordPress (Service Provider).
  2. WordPress redirects the browser to the SAML Identity Provider (e.g. SimpleSAMLphp).
  3. User sends username / password to the IdP.
  4. IdP returns the login result and attributes (a signed assertion) to the browser.
  5. Browser posts the login and attributes to WordPress.
SAML and LDAP Combined: Typical
- SAML is for SSO, meaning you have multiple SPs (WordPress plus other SPs).
- Still use LDAP for central identity management, behind the IdP.
- Workflow:
  1. User and browser: "Let me in" to WordPress (Service Provider).
  2. WordPress redirects the browser to the SAML Identity Provider (e.g. SimpleSAMLphp).
  3. User sends username / password to the IdP.
  4. IdP forwards username / password to LDAP.
  5. LDAP returns the login result and attributes to the IdP.
  6. IdP returns the login and attributes to the browser.
  7. Browser posts the login and attributes to WordPress. Other SPs share steps 2-6.
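The two workflow slides above (the plain SAML exchange and the SAML-plus-LDAP exchange) describe one protocol run, and the security of the whole thing lives in the checks the service provider performs on the assertion at the last step. This added example, which is not code from the talk, SimpleSAMLphp or any WordPress plugin, plays out steps 1-7 with both sides' messages as plain dicts. Two stand-ins are assumed: an HMAC key shared between IdP and SP replaces the XML signature and IdP certificate of real SAML, and an in-memory dict of PBKDF2 verifiers replaces the LDAP bind. The entity IDs, users, groups and the role mapping are constructed for the demonstration.

```python
# Added example (not from the talk, SimpleSAMLphp or a WordPress plugin): a
# SAML-style SP/IdP exchange with the checks WordPress's side must perform.
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

IDP_ID = "https://idp.example.edu/saml"                       # constructed entity IDs
SP_ID = "https://blog.example.edu/wp-login.php?saml_acs"
IDP_KEY = b"demo-idp-signing-key"      # stand-in for the IdP's signing certificate
DEMO_NOW = datetime(2015, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def _pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10000).hex()


# Stand-in for LDAP: username -> (salt, verifier, group memberships)
DIRECTORY = {
    "alice": (b"salt-a", _pw("alice-password", b"salt-a"), ["cn=editors,ou=groups"]),
    "bob": (b"salt-b", _pw("bob-password", b"salt-b"), []),
}


def _sign(key, message):
    """HMAC over a canonical serialisation; stands in for XML-DSig."""
    body = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def minutes_after(dt, minutes):
    return dt + timedelta(minutes=minutes)


def wp_role_for(groups):
    """Map directory groups onto WordPress roles; default to least privilege."""
    return "editor" if "cn=editors,ou=groups" in groups else "subscriber"


class IdentityProvider:
    """Steps 3-6: verify the user against the directory, issue a signed assertion."""

    def __init__(self, entity_id, key, directory):
        self.entity_id, self.key, self.directory = entity_id, key, directory

    def _bind(self, username, password):   # steps 4-5: the LDAP bind
        entry = self.directory.get(username)
        return entry is not None and hmac.compare_digest(_pw(password, entry[0]), entry[1])

    def handle_authn_request(self, request, username, password, now):
        if not self._bind(username, password):
            return None   # IdP shows its own error; nothing goes back to the SP
        assertion = {
            "Issuer": self.entity_id,
            "Subject": username,
            "Audience": request["Issuer"],       # only this SP may accept it
            "InResponseTo": request["ID"],       # ties it to one outstanding request
            "NotBefore": now.isoformat(),
            "NotOnOrAfter": minutes_after(now, 5).isoformat(),
            "Attributes": {"groups": self.directory[username][2]},
        }
        assertion["Signature"] = _sign(self.key, assertion)
        return assertion


class ServiceProvider:
    """WordPress's side: steps 1-2 (issue request) and 7 (consume assertion)."""

    def __init__(self, entity_id, idp_id, idp_key):
        self.entity_id, self.idp_id, self.idp_key = entity_id, idp_id, idp_key
        self.outstanding = {}   # request ID -> issue time; must survive the redirect

    def build_authn_request(self, now):
        rid = "_" + secrets.token_hex(16)
        self.outstanding[rid] = now
        return {"ID": rid, "Issuer": self.entity_id, "IssueInstant": now.isoformat()}

    def consume(self, assertion, now):
        """("ok", session) or ("error", reason). Signature first: no field is trusted before it."""
        unsigned = {k: v for k, v in assertion.items() if k != "Signature"}
        if not hmac.compare_digest(_sign(self.idp_key, unsigned), assertion.get("Signature", "")):
            return "error", "bad signature"
        if assertion["Issuer"] != self.idp_id:
            return "error", "unknown issuer"
        if assertion["Audience"] != self.entity_id:
            return "error", "wrong audience"
        if not (datetime.fromisoformat(assertion["NotBefore"]) <= now
                < datetime.fromisoformat(assertion["NotOnOrAfter"])):
            return "error", "expired"
        if self.outstanding.pop(assertion["InResponseTo"], None) is None:
            return "error", "replay or unsolicited"   # each request ID is consumed once
        return "ok", {"user": assertion["Subject"],
                      "role": wp_role_for(assertion["Attributes"]["groups"])}


def sso_login(sp, idp, username, password, now):
    """The whole exchange, steps 1-7, with the browser's hops collapsed."""
    request = sp.build_authn_request(now)                                  # 2
    assertion = idp.handle_authn_request(request, username, password, now)  # 3-6
    if assertion is None:
        return "error", "idp login failed"
    return sp.consume(assertion, minutes_after(now, 1))                    # 7
```

The order of checks in `consume` is the part to copy: an assertion whose signature does not verify is rejected before its issuer, audience, validity window or attributes are even read, and a request ID is deleted when first used so a captured assertion cannot be posted a second time. The group-to-role mapping is the plugin checklist's "how does it handle groups" question made concrete.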
Social Login: Google, Facebook, Twitter
- Ties the user's WordPress account to their social profile.
- Good for the user: they don't need a new username and password.
- Good for the operator: you can get extra user information.
- Does your site naturally tie to one social site? A web site about books would naturally tie into Amazon.
- With multiple buttons, how do users decide which to use? How do they remember which one they used?
- There are lots of plugins available for social login.
Two-Factor Auth
- Something you have in addition to something you know.
- Prevents lots of types of attacks: brute force, password reuse, database spills, etc.
- Most 2FA solutions are not highly usable, so user adoption is low.
- Also, not much in it for the user; it protects your site.
- Plugins available, e.g. Google Authenticator (free and open source).
So You Want to Replace Password Login? What to Look for in a Plugin
Let's say you're deploying LDAP, social login, 2FA, etc.
- How does it handle existing users? Do they get locked out? Do they need a different password?
- How does it handle API / app access? If the password is replaced, can users still log in via the app?
- How does it handle groups (Admin, Editor, Author, Contributor)? Can these be mapped from e.g. LDAP roles?
- How does it prevent password login? E.g. by replacing the password with a random one.
- Has the plugin been security reviewed? Is it recently updated? Does it have a history? Is it used by others in your industry?
Summary of Login Alternatives
- Internal corporate sites: LDAP, Active Directory, RADIUS, and SAML are the typical standards.
- End-user facing sites: social login is more the norm.
- Two-factor authentication: can prevent brute force and many other attacks. Seriously consider it for admin / author access to important sites.
- Evaluate plugins carefully: many do not consider real use cases.
Tozny Demo: http://tozny.com
Tozny Summary
- Easier and more secure than passwords. Your phone is the key.
- Replaces passwords, or works alongside them; has a built-in 2nd factor.
- WordPress plugin available.
- Also integrates with: SAML, PHP, Node, Scala, Java, PAM, Rust
Thank You!
Isaac Potoczny-Jones, ijones@tozny.com, http://tozny.com