"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook
Transcript of "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook
![Page 1: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/1.jpg)
Tuesday, October 1, 13
![Page 2: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/2.jpg)
2FAC: Facebook’s internal multi-factor auth platform
CONFIDENTIAL
Facebook Security
![Page 3: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/3.jpg)
Agenda
Attacks - A Force for Change
2FAC Authentication
Questions?
![Page 4: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/4.jpg)
Facebook - Big Numbers
1.15B monthly active users
699M daily active users (80+% outside US)
5K+ employees
![Page 5: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/5.jpg)
Identifying weakest points
Red Teams
Incident 1: Spear phishing OWA
Incident 2: Breach identified in January
![Page 6: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/6.jpg)
Red Team Drills - Identify weak points
![Page 7: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/7.jpg)
Incident: Spear Phishing OWA
![Page 8: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/8.jpg)
Incident: Spear Phishing OWA
![Page 9: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/9.jpg)
Incident: Breach discovered in Jan 2013
digitalinsight-ltd
![Page 10: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/10.jpg)
Incident: Breach discovered in Jan 2013
![Page 11: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/11.jpg)
Why 2Fac for SSH?
Goal: Protect against remote attackers
•Disrupt Lateral Movement phase
•Ensure local user is at keyboard
•Limit origin of illegitimate SSH access
Non-goal: Protect against local attackers
![Page 13: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/13.jpg)
Engineering @ FB
•Facebook culture: Move Fast
•Intolerant of slowdown
•Highly skilled at finding workarounds
•Primarily work via SSH on dev servers
Goal: Make being secure effortless
![Page 14: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/14.jpg)
State of Multi-Factor
![Page 15: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/15.jpg)
Time-based
•Easy to use
•Good interoperability
•Synchronization is easy
•Time windows of acceptance
•Only good for infrequent use
![Page 16: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/16.jpg)
OTP
•Easy to use
•Good interoperability
•Gets out of sync
•Most tokens designed for infrequent use
![Page 17: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/17.jpg)
Biometrics
•Limited device support
•Security limitations
• False acceptance
• Replay
•Practical Problems: How to biometric auth to remote machine?
•Poor usability
![Page 18: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/18.jpg)
PKI
•Limited device support
•Enrollment is painful
•Management is painful
•Smart Card Proxy attack
![Page 19: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/19.jpg)
OOB / Mobile
•Easy to setup
•Easy to use
•Push (only on some devices)
•Requires fast, reliable online channel
•Usability is good only for infrequent use
![Page 20: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/20.jpg)
![Page 21: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/21.jpg)
Building it Better
•Usability
• Support Very Frequent use
• Flexible options
•Security
• Require stronger authentication for every session
•Fast Deployment
•Minimal support overhead
![Page 22: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/22.jpg)
The Solution
•Duo Security + Yubikey Nano
•Flexible Options
•Low operational overhead
•Provisioning process out of the box
•Yubikey is awesome for frequent use
•Bonus: Backup tokens from the start
![Page 23: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/23.jpg)
Deployment: Planning
![Page 26: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/26.jpg)
Deployment: Planning
•How is SSH being used?
•Thousands of engineers
•Tens of thousands of sessions per day
•Peak users with >3000 sessions
•Using all authentication mechanisms
•What are they doing?

```
sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2
sshd[87820]: User child is on pid 87825
sshd[87825]: Received disconnect from ::1: 11: disconnected by user
```
![Page 28: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/28.jpg)
Improving SSH Logs: First Attempt
•Add details about what the user is doing

```
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2
sshd[27587]: User child is on pid 27589
sshd[27589]: Exec Request for user twt with command uname -a

sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2
sshd[8540]: User child is on pid 8548
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0
sshd[8548]: Shell Request for user twt
sshd[8548]: Received disconnect from ::1: 11: disconnected by user
```

•Problem: requires multiple log lines with different PIDs for analysis
![Page 29: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/29.jpg)
Sessionizing SSH Logs
•Add sessionization data to SSH logs

```
sshd[27587]: Accepted publickey for ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786

sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
```
![Page 30: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/30.jpg)
SSH Usage Analysis
•What are they doing?
• SFTP
• Random scripts
• TRAMP mode
• Lots of shells
• Using every authentication mechanism
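The log correlation the last three slides describe (chaining a session across the parent and child sshd PIDs, or keying on the added session= tag, and then answering "what are they doing?"), as an added Python example. This is not Facebook's tooling: the log lines are a constructed sample modelled on the ones above, the session=host:id tag format is taken from the slide, and the PID-chaining fallback for untagged lines is a reconstruction of what the "first attempt" format forces an analyst to do.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the sshd lines shown on the slides. The first
# session is in the pre-sessionization format (no session= tag); the other two carry
# the tag. Nothing here was captured from a real host.
SAMPLE_LOG = """\
sshd[87820]: Accepted keyboard-interactive/pam for twt from ::1 port 51317 ssh2
sshd[87820]: User child is on pid 87825
sshd[87825]: Received disconnect from ::1: 11: disconnected by user
sshd[27587]: Accepted publickey for twt from ::1 port 61447 ssh2 session=dev123:52369e5a.c6786
sshd[27587]: User child is on pid 27589 session=dev123:52369e5a.c6786
sshd[27589]: Exec Request for user twt with command uname -a session=dev123:52369e5a.c6786
sshd[8540]: Accepted publickey for twt from ::1 port 50654 ssh2 session=dev123:5236a24d.3f32
sshd[8540]: User child is on pid 8548 session=dev123:5236a24d.3f32
sshd[8548]: Allocated pty /dev/pts/18 for user twt session 0 session=dev123:5236a24d.3f32
sshd[8548]: Shell Request for user twt session=dev123:5236a24d.3f32
sshd[8548]: Received disconnect from ::1: 11: disconnected by user session=dev123:5236a24d.3f32
"""

# "session 0" in the pty line is not a tag; only a trailing " session=<id>" is.
LINE_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*?)(?: session=(?P<sid>\S+))?$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
CHILD_RE = re.compile(r"^User child is on pid (?P<child>\d+)")
EXEC_RE = re.compile(r"^Exec Request for user \S+ with command (?P<cmd>.*)$")
SHELL_RE = re.compile(r"^Shell Request for user \S+")


def new_session():
    return {"user": None, "method": None, "src": None, "requests": [], "closed": False}


def sessionize(log_text):
    """Group sshd lines into sessions keyed by the session= tag, falling back to
    PID chaining (parent pid -> 'User child is on pid' -> child pid) for untagged
    lines. Returns {session_id: summary}."""
    pid_to_sid = {}
    sessions = defaultdict(new_session)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg, sid = m.group("pid"), m.group("msg"), m.group("sid")
        if sid is None:
            # Untagged line: only an 'Accepted' line may open a session; any other
            # line must be reachable through a pid we have already seen.
            sid = pid_to_sid.get(pid)
            if sid is None:
                if not ACCEPT_RE.match(msg):
                    continue  # orphan line, cannot be attributed
                sid = "pid:" + pid
        pid_to_sid[pid] = sid
        s = sessions[sid]
        a = ACCEPT_RE.match(msg)
        c = CHILD_RE.match(msg)
        e = EXEC_RE.match(msg)
        if a:
            s.update(user=a["user"], method=a["method"], src=a["src"])
        elif c:
            pid_to_sid[c["child"]] = sid  # the session continues under the child pid
        elif e:
            s["requests"].append(("exec", e["cmd"]))
        elif SHELL_RE.match(msg):
            s["requests"].append(("shell", None))
        elif msg.startswith("Received disconnect"):
            s["closed"] = True
    return dict(sessions)


def usage_by_method(sessions):
    """Count sessions per (first-factor method, request kind): the 'what are they
    doing?' breakdown. Kind is 'exec', 'shell' or 'none' (no request seen)."""
    counts = defaultdict(int)
    for s in sessions.values():
        kinds = {kind for kind, _ in s["requests"]}
        kind = "shell" if "shell" in kinds else ("exec" if "exec" in kinds else "none")
        counts[(s["method"], kind)] += 1
    return dict(counts)


if __name__ == "__main__":
    found = sessionize(SAMPLE_LOG)
    for sid, s in found.items():
        print(sid, s["user"], s["method"], s["requests"], "closed" if s["closed"] else "open")
    print(usage_by_method(found))
```

On the sample, the untagged session is recovered only because its "User child is on pid" line was seen before the child's disconnect; with the tag, every line carries its own key, so ordering and PID reuse stop mattering, which is what the sessionization change buys.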
![Page 31: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/31.jpg)
Deployment: Implementation
![Page 34: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/34.jpg)
Deployment: Implementation
•OpenSSH 6.2 - support for multiple Auth Methods
• Public key, kerberos, password are first factors
• Duo is second factor
•Problem: password and Duo are both handled by keyboard-interactive auth method
•Solutions:
• Submethods for keyboard-interactive/{pam,duo} in OpenSSH 6.2p1
• KerberosAuthentication yes
![Page 35: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/35.jpg)
Handling SFTP
![Page 38: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/38.jpg)
Handling SFTP
•Clients don’t support multiple auth mechanisms
•Primary security concern:
• Single factor command execution
•Solution:
• Single factor SFTP chroot
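An sshd_config fragment, added here as an example and not Facebook's configuration, showing how the OpenSSH 6.2 AuthenticationMethods directive expresses the scheme of the "Deployment: Implementation" slide and the single-factor SFTP chroot of the slide above. The `keyboard-interactive:duo` submethod assumes the kbdint device from the slide's patched 6.2p1; upstream OpenSSH recognizes only the devices it was built with (typically `pam`, or `bsdauth` on OpenBSD). The group name `sftponly` and the path `/sftp/%u` are placeholders.

```text
# sshd_config fragment. Added example, not Facebook's configuration.
# AuthenticationMethods needs OpenSSH 6.2 or later. Each comma-separated list
# is one acceptable sequence; the client must complete every method in the
# sequence it starts. sshd_config comments must sit on their own lines.

PubkeyAuthentication yes
GSSAPIAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

# The slide's second fix: with KerberosAuthentication the "password" method is
# checked against the KDC before PAM, so a password first factor no longer
# rides the same keyboard-interactive conversation as the Duo second factor.
KerberosAuthentication yes

# First factor: key, Kerberos ticket or password. Second factor: Duo over
# keyboard-interactive. "keyboard-interactive:duo" assumes the kbdint device
# added in the slide's patched 6.2p1 (placeholder on a stock build).
AuthenticationMethods publickey,keyboard-interactive:duo gssapi-with-mic,keyboard-interactive:duo password,keyboard-interactive:duo

# SFTP-only accounts (placeholder group "sftponly"): their clients cannot
# complete two methods, so allow a single factor but confine the session to a
# chroot with no shell, no command execution and no forwarding. The chroot
# directory must be owned by root and writable by nobody else.
Match Group sftponly
    AuthenticationMethods publickey
    ChrootDirectory /sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the result with `sshd -T -C user=alice,host=dev123,addr=::1` (and the same for a user in the placeholder `sftponly` group) to see which AuthenticationMethods and ForceCommand sshd actually applies after Match evaluation.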
![Page 39: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/39.jpg)
Handling scripts + TRAMP mode
![Page 43: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/43.jpg)
Handling scripts + TRAMP mode
•Switch to use SFTP solution?
•Primary security concern:
• Single factor command execution
•Solution:
• SSH whitelists
•New problem:
• REGEX: sh -c "cd (~/|\w)(((?<!\.\.)/)|((?<!/)\.)|[\w_-])+ && grep -P '[^']+\\t' tags | head -n 10"
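The whitelist check for single-factor exec requests, built around the slide's regex, as an added Python example and not Facebook's code. The sample commands are constructed. Two things differ from the pattern as printed on the slide and are noted in the code: the `|` before `head` is escaped, and the pattern is applied with fullmatch. The examples show why the slide calls this a "new problem": the exact TRAMP command passes, a one-option variation of the same tool is refused, and so are traversal and appended commands.

```python
import re

# Whitelist pattern from the slide, adapted for this example: the "|" before
# "head" is escaped (unescaped it is regex alternation, so the pattern would
# also accept the bare string ' head -n 10"'), and it is used with fullmatch so
# nothing may precede or follow the matched command. The two lookbehinds are
# what keep ".." and "/." (directory traversal) out of the cd target.
TRAMP_TAGS_LOOKUP = re.compile(
    r'''sh -c "cd (~/|\w)(((?<!\.\.)/)|((?<!/)\.)|[\w_-])+ && grep -P '[^']+\\t' tags \| head -n 10"'''
)

# Commands that may run on a single factor. One entry here; a real list grows
# with every tool users script against the dev servers.
SINGLE_FACTOR_WHITELIST = [TRAMP_TAGS_LOOKUP]


def is_whitelisted(command):
    """True if an exec request may run without the second factor."""
    return any(p.fullmatch(command) for p in SINGLE_FACTOR_WHITELIST)


# Constructed exec requests (not taken from the slides' logs), with the
# expected decision for each.
EXAMPLES = {
    # exactly what the TRAMP tags lookup sends: allowed
    r'''sh -c "cd ~/www && grep -P 'Foo\t' tags | head -n 10"''': True,
    # same tool, one changed option: refused, and the user files a ticket
    r'''sh -c "cd ~/www && grep -P 'Foo\t' tags | head -n 20"''': False,
    # traversal out of the home directory: refused by the lookbehinds
    r'''sh -c "cd ~/../etc && grep -P 'Foo\t' tags | head -n 10"''': False,
    # a command spliced into the cd target: refused, ';' is outside the class
    r'''sh -c "cd ~/www;id && grep -P 'Foo\t' tags | head -n 10"''': False,
    # a command appended after a whitelisted one: refused by fullmatch
    r'''sh -c "cd ~/www && grep -P 'Foo\t' tags | head -n 10"; id''': False,
}


def check_examples():
    """Decision for each constructed command, in EXAMPLES order."""
    return {cmd: is_whitelisted(cmd) for cmd in EXAMPLES}


if __name__ == "__main__":
    for cmd, allowed in check_examples().items():
        print("ALLOW" if allowed else "DENY ", cmd)
```

The second example is the operational cost: every legitimate variation of a client's command shape needs a new whitelist entry, which is why the "Ongoing Work" slide lists getting rid of command whitelists.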
![Page 44: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/44.jpg)
Unexpected Issues
•Keyboard layouts
•Exploding computers
•Possessed yubikeys
•Accidental discharge
•Client ssh config problems
•Need moar USB ports
•Enrollment issues
![Page 45: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/45.jpg)
Ongoing Work
•more 2Fac:
• sudo
• SSH alternatives: mosh, VNC, NX
• priv esc points
• replace/supplement other multi-factor solutions
• 2Fac everywhere
•Get rid of command whitelists
•Make SFTP clients support multi-factor
![Page 46: "2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Greene, Facebook](https://reader033.fdocuments.in/reader033/viewer/2022051311/5453e086af79597c338b49aa/html5/thumbnails/46.jpg)
Facebook Security