
When Usability Met 2FA - Hyunsu Kim, Junoh Lee, Kihong Heo, Sang Kil Cha and Myeong Geun Shin

BSides Munich · 2022 · 24:42 · 126 views · Published 2022-05
About this talk
In this talk, we discuss how recent attempts to enhance security at KAIST, one of the authoritative research institutes in South Korea, led to an even more serious security risk. In particular, we present several design flaws we found in KAIST's new 2FA system and demonstrate how an attacker could bypass the entire authentication process using these vulnerabilities. This incident highlights that a seemingly trivial design mistake made while emphasizing usability can jeopardize the whole system. We conclude this talk by sharing a lesson we learned.

Speaker: Hyunsu Kim

Contributing authors: Junoh Lee, Kihong Heo, Sang Kil Cha, Myeong Geun Shin
Transcript [en]

...just a simple password system, but you have to think about all of the different ways that you can do multi-factor, right? You have hardware tokens, you have apps on your phones, you have actual SMS, but there are problems with that. There's a definite usability issue. And so today you're going to hear a story of how, when usability met 2FA. And I'm going to have to read the list of the authors for this, because it was a team effort. So it's going to be Hyunsu Kim, Junoh Lee, Kihong Heo, Sang Kil Cha and Myeong Geun Shin. This is a group from KAIST, which is the Korea Advanced Institute of Science and Technology. So sit back, relax and hear the story.

Hey, thanks for the great introduction. [Applause] Can you hear me? Can you hear me? I see, great, thanks. So again, thanks for the introduction. This is Hyunsu Kim from KAIST. In this talk I'll present how hard it is to strike a balance between usability and security, mainly in two-factor authentication. The title is "When Usability Met 2FA", and this is joint work with our team; we are all from KAIST. If you have heard of KAIST, that's great; otherwise, let us begin by introducing ourselves. We're currently in Korea, far away from Munich. As shown on the map, Korea and Munich are about 13 hours away by a single-hop flight, so, considering ourselves a physically distant party, we really appreciate having the chance to present at the event online. The picture is an overview of our campus, where you can see many buildings and grass, and this is a picture of blossoms in full bloom on the campus last spring, and this is the building that we are currently in, with green land. KAIST is one of the leading research institutes in Korea; the name stands for Korea Advanced Institute of Science and Technology. The QS world ranking of KAIST is 41, which is moderately high, and especially in computer security KAIST ranks fourth in Asia and 35th in the world.

That being said, one may imagine how tempting it is to launch cyber attacks towards KAIST, as there are a bunch of classified experimental results and leading research in progress. Indeed, there have been, and are still happening, attempts to exploit the ID service of KAIST, and some black-hat hackers managed to leak private information from the library's electronic research note system. From the attack, more than 30,000 members' personal information was put in jeopardy. The incident was considered to be a serious security breach, and the KAIST administration decided to enhance security overall. Through the postmortem, KAIST decided to adopt two-factor authentication, that is, the well-known authentication mechanism that requires two proofs to identify a single user. I'm pretty sure that most of you may have seen and already experienced how it works when you're using a service from, maybe, Google or GitHub. The authentication mechanism basically requires two distinct proofs, where one is what the user knows, such as a password or PIN number, and the other proof shall be what the user physically possesses, for example your mobile device, bank card or even a USB stick.

While it seems quite trivial to adopt a 2FA mechanism throughout the institute, the problem was to consider the usability of 2FA at the same time, since KAIST members include aged professors who usually are not familiar with complicated procedures to log into a certain simple service. The fact is that they think 2FA comes with no good and merely harms the usability. The security team at KAIST had to come up with a secure 2FA that is also convenient to use at the same time. So here's how it works. Here we demonstrate how the invented 2FA system works; they call it "easy authentication", as marked with the red box. All you need to do is type your ID, which is for example "BSides Munich rocks", which is obvious, then click the button. The pop-up window shows up saying the authentication is in progress, then a push alarm arrives on the user's mobile device saying an attempt at easy authentication has been detected. If you click on the push alarm, the custom app is launched and asks for Face ID or Touch ID immediately. If successful, the user is authenticated. And yeah, that is all for demonstrating how the system works, and I'm pretty sure most of you may have already found out how sloppily the system is designed.

Then, about several months after the suspicious 2FA was launched, in the KAIST Graduate School of Information Security there was an exciting course going on called Binary Code Analysis and Secure Software Systems. As the name of the course indicates, students were expected to learn binary-level program analysis techniques to achieve the end goal, which is secure software systems, and those pro hackers around the campus who usually solve hard CTF problems as a hobby gathered to take the course. One day the instructor of the course, Professor Sang Kil Cha, announced his midterm, which was not simply testing one's knowledge: the students were asked to find the vulnerabilities in KAIST's easy authentication service. At the same time, he explicitly mentioned not to actually exploit the system at all. For the midterm, 24 hours were given to demonstrate the proof of concept and write a short report about it, and one of the pro hackers who was taking the course managed to hack into the professor's account and submitted a screenshot showing himself successfully getting into the KAIST academic system as part of the report. If he managed to do so, he could have manipulated the grades and so on. So the professor got embarrassed by the student, yet he was fairly satisfied with the performance of the students, as they found many serious security threats in the system, much more than he thought.

Here's the analysis of such vulnerabilities. First of all, it is not even a proper 2FA; it's a single-factor authentication, because it only requires the proof of having a device, and the ID itself cannot be a proof for the authentication. As we have shown in the demonstration, it's very vulnerable to human error: one can accidentally authenticate unknown requests by mistake, and it is impossible to review or retrieve the given sessions. The other vulnerability that we found was that the whole authentication procedure could be bypassed by circumventing the entire authentication process, and we found it to be the most powerful attack. The reason why they had this vulnerability is that they had to implement a new 2FA system over the deprecated authentication design, and there was a misalignment between the two, and this huge and serious vulnerability was there. Later in this talk we will shortly demonstrate how this attack works. Not only those two: we were able to find other, more serious vulnerabilities, for example ID leakage, DDoS, which is distributed denial of service, and IDOR, which stands for insecure direct object reference. ID leakage is the abuse of the fact that the user ID validity check API was public, so that it can be used as an oracle for valid IDs by an attacker, and by enumerating valid IDs hackers can now arbitrarily select their target victim. Denial of service using a botnet could also be done with IP spoofing, which makes tracking nearly impossible. And lastly, IDOR is access to an unauthorized resource, and again this was the other vulnerability that comes with the misalignment between the legacy system and the newly implemented system. So basically there were other vulnerabilities due to the poorly designed architecture of the APIs.

Here's a short demo that demonstrates the authentication bypass attack. First, the attacker can enumerate user IDs by going into the KAIST mail service, where you type in some string and it shows you the matches of that string to certain KAIST members; for example, here we find Jungen's ID, basically the email address. The finding is that most users have the same ID as the head of the email address, so we just use the head of the email address as the ID for the attack. Then we try to authenticate the user in the browser, and with a proxy, for example Fiddler, we intercept the login packet and then replace the login packet with the custom string that we manually found out. By replacing it, one would successfully log in with the victim's authentication without knowing the password or having the device.

Here are our suggested solutions to the institute. First, we strongly mentioned that rolling back the password-off would be the trivial and most definite solution, and after that, although it needs further backup solutions, we were very clear to say that this must be done right away. But they didn't; they rejected it because of an institute issue. Then we also said the original system itself is not a 2FA and we have to go with a proper 2FA that has to come with a password and device check all together. It was funny that there was already another service at KAIST, the VPN service, that already comes with 2FA: it requires you to enter a password and a one-time password via the device together to get yourself authenticated. We also suggested having session review and retrieval functionality in the system. You may have seen this functionality in GitHub or Google, so that you can review the currently active sessions: you can list all the current sessions that are going on and then selectively retrieve those sessions, which seems to be superior. For example, if you're in Germany but you somehow found that some sessions were said to be in Korea, you may think that it's very spurious, right? So you can retrieve that session.

Then we had several iterated meetings with the KAIST administration to get the system fixed, but they were pretty against our suggestions, because the issue was usability. I mean, they agreed with the security issue, but going with a proper 2FA kind of harms the entire usability, so they cannot go for it. We kept on suggesting other measures to make it secure through the several meetings with the security administration; the only change they made was to pop a number up on the screen on both the browser and the mobile app, so that before granting access with Face ID or Touch ID in the mobile app, the user would hopefully check if the number shown on the app matches that of the browser, so that the user won't mistakenly authenticate other requests, or an attack by a certain hacker, by mistake. It partially mitigates the vulnerability, as it helps to confirm which access is likely to be malicious or not. Some may ask if this can be understood to be a fixed solution, and definitely it's no.

In conclusion, our takeaway message is as follows. First, implementing easy-to-use 2FA without weakening the security is very tricky; as we have seen on the last slide, the improved version is still not a proper 2FA. Second, software testing and formal verification should help in its proper design; the two methods are traditional yet effective ways to find bugs and guarantee the desired software property. Here are the references for our work, and thank you for listening. If you have any questions, please feel free to ask. [Applause]

So do we have any questions for our speaker today? One in the back. Morton is going... testing, testing, seems to be working.

Hi. On the issue of security versus usability, there are several systems that don't require user input. You just talked about having proof of a USB stick you put in. What's your stance on FIDO2 tokens and stuff like that, where you don't have to input anything, but it's just there and you just have to attach it?

I'm sorry, I cannot understand. Should I repeat? I'll try. What's your opinion on passwordless login procedures through hardware tokens in the security versus usability issue?

Security token... I mean, a password itself is a traditional way to authenticate, but it is also traditionally known to be unsafe, right? Because password only is very prone to human errors, and using a USB stick together with your specific... you can achieve better security, I guess, for sure. Am I getting your question right, or am I missing it?

I think part of the question is: when you have a security token on a USB, for example, what role does usability play there? Is it easier, is it less easy, does it make it better for users if they just have to use one of these security tokens?

Or by security token, you mean the number shown on the screen?

Nope, we're talking about USB devices that have basically been set up so that, using cryptography, you can plug it in and basically identify as yourself, and that's commonly used as a form of authentication. So in that case a person only has to have this hardware authentication, and then their login and password of course.

Oh, I see. And how does that come with usability? I think that's a good question, but I think if you have a USB stick, you may have a hard time logging into a certain service from your mobile device, where you cannot easily plug in the USB stick, right? So I think that kind of harms usability still, if we go for a USB stick. Will that answer your question?

Yep. Did that answer? Okay, we got a thumbs up. Very good. Any other questions for our speaker? I'm checking the time. I actually have a question for you. (And that was bad feedback.) So you said that there was an entire team, or an entire group of people, looking at this in a class, and I'm wondering what kinds of tools did you use to investigate the implementation of multi-factor?

Oh, you mentioned... yeah, go ahead, sorry. Yeah, Fiddler was the option. I only used Fiddler; I'd have to ask the other team. And basically Python.

Okay. And then my final... yep. So the class that you were taking focused on basically finding vulnerabilities in code. So what kind of tooling do you use in that course to actually find vulnerabilities in code?

Oh yeah, we use IDA Pro for sure. Yeah, I think that's all. And we write our exploits with Python, using pwn... I cannot recall the name of the library right now.

Okay. And then, for the solution that you analyzed, I didn't get it at the beginning: was it a homegrown solution?

Yeah, yeah, right.

Yeah, okay. Would you ever recommend building your own multi-factor solution, or should you just buy it off the shelf?

I think I would buy it off the shelf, because it's very trivial to satisfy the 2FA property, so you won't get any additional benefit by having it yourself, unless you have a very clear idea that can balance, I mean, guarantee other properties such as usability here. And yeah, if the purpose is just for security I would buy it off the shelf, but if you do it for something more fun, definitely.

All right, does anyone have any other questions? Okay, then thank you so much for your time today. It was great to hear about your story. Have a great rest of your day.

Thank you. [Applause]