PasswordsCon 2014: End-User Authentication Security on the Internet
I'm nearly recovered from a week in the desert and wanted to catch everyone up on some research I've been working on the past few months. If you're curious about how online services protect your authentication process (including two-factor authentication, of course), I've got data, slides, and even a plugin that you may enjoy!
Framing the Research
The features that make for a secure authentication experience are actually quite diverse. Cookies have specific flags, browsers have specific headers, and the transmission of data requires some cryptographic magic to keep that authentication process and your related session safe from attackers. A weak link in this chain of features can render even the best security control (read: two-factor authentication [2FA]) somewhat moot.
For this research, I opted to determine what features beyond 2FA online services were providing to their end users to get a clearer picture of the state of security online. Perhaps you, like me, would assume that sites which offer two factor would likely have a high level of security features enabled across the board. From my research I can tell you that while it's not all doom-and-gloom, there's a lot of improvement yet to be had!
The data set includes details on 141 online services that provide two-factor authentication to their users. If raw data is more your speed, here's the CSV export you'll probably enjoy reviewing. Note that assessment of SSL, browser headers, and cookies are related to the login page for the service.
- Web Site URL
- User Login URL
- Sector (Financial, Technology, Gaming, Social, Retail)
- Security Information URL
- Breach Date
- Breach Notice URL
- Deployment Date
- Announcement URL
- Setup Instructions URL
- Enrollment Style
- Moniker (2FA, 2SV, MFA, Other)
- Types (EMail, SMS, Call, Card, Token, Yubikey, [T|H]OTP, Mobile, Duo, Authy, Rublon)
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- SSL Labs Score
- MASSACRE Score
If you're wondering, "What is a MASSACRE Score? It sounds terrifying!" then you've scrolled down far enough to receive an answer! Going into this research, I had the desire to provide a composite score from these various data points to give better insight into the overall security of a site's authentication process. With some simple weighting and addition, each of the sites are given a score that should provide end users a better sense of the holistic authentication security of a company and not just the fact they utilize two-factor authentication.
The result of this process is Mark's Authentication Security Scoring Algorithm -- Crudely Realized Edition, or more interestingly, MASSACRE. Yes, I definitely stretched this backronym to fit... I apologize for nothing!
Curious about the scoring algorithm? Details are on slide #25 below! I've also taken the time to create a simple Chrome Extension that will provide you not only a MASSACRE score but also valuable security details and links in your browser on sites that are supported (i.e. the 141 covered during research). Want to add it to your browser? Download the MASSACRE Chrome Extension today!
The below slides contain many insights, correlations, and conclusions from the aforementioned data set. I hope that many of you will find this data useful and crunch it further to find additional value beyond what I've noted.
I was rather surprised at just how many sites are ignoring basic security features such as cookie flags, HSTS, and X-Frame-Options. When it comes to protecting end users, these simple tweaks can dramatically reduce click jacking, man-in-the-middle attacks, and session hijacking techniques available to attackers.
SSL scores, however, were actually higher than I was expecting with some notable exceptions I point out in the research.
Ignoring layered security but touting a single security feature provides a false sense of security maturity and leaves users amazed when they still get compromised. Sites like GitHub and LastPass should be cheered on for their great approach to comprehensive user security.
At the very least, take a look at the data and perhaps think about discussing some of these features with vendors you use.