ISBN-13: 9781119650799 / English / Paperback / 2020 / 576 pp.
Table of Contents

Introduction xxv
  Who This Book is For xxvii
  What is Covered in This Book? xxvii
  MFA is Good xxx
  How to Contact Wiley or the Author xxxi

Part I Introduction 1

1 Logon Problems 3
  It's Bad Out There 3
  The Problem with Passwords 5
  Password Basics 9
  Identity 9
  The Password 10
  Password Registration 11
  Password Complexity 11
  Password Storage 12
  Password Authentication 13
  Password Policies 15
  Passwords Will Be with Us for a While 18
  Password Problems and Attacks 18
  Password Guessing 19
  Password Hash Cracking 23
  Password Stealing 27
  Passwords in Plain View 28
  Just Ask for It 29
  Password Hacking Defenses 30
  MFA Riding to the Rescue? 31
  Summary 32

2 Authentication Basics 33
  Authentication Life Cycle 34
  Identity 35
  Authentication 46
  Authorization 54
  Accounting/Auditing 54
  Standards 56
  Laws of Identity 56
  Authentication Problems in the Real World 57
  Summary 58

3 Types of Authentication 59
  Personal Recognition 59
  Knowledge-Based Authentication 60
  Passwords 60
  PINs 62
  Solving Puzzles 64
  Password Managers 69
  Single Sign-Ons and Proxies 71
  Cryptography 72
  Encryption 73
  Public Key Infrastructure 76
  Hashing 79
  Hardware Tokens 81
  One-Time Password Devices 81
  Physical Connection Devices 83
  Wireless 87
  Phone-Based 89
  Voice Authentication 89
  Phone Apps 89
  SMS 92
  Biometrics 92
  FIDO 93
  Federated Identities and APIs 94
  OAuth 94
  APIs 96
  Contextual/Adaptive 96
  Less Popular Methods 97
  Voiceover Radio 97
  Paper-Based 98
  Summary 99

4 Usability vs Security 101
  What Does Usability Mean? 101
  We Don't Really Want the Best Security 103
  Security Isn't Usually Binary 105
  Too Secure 106
  Seven-Factor MFA 106
  Moving ATM Keypad Numbers 108
  Not as Worried as You Think About Hacking 109
  Unhackable Fallacy 110
  Unbreakable Oracle 113
  DJB 113
  Unhackable Quantum Cryptography 114
  We are Reactive Sheep 115
  Security Theater 116
  Security by Obscurity 117
  MFA Will Cause Slowdowns 117
  MFA Will Cause Downtime 118
  No MFA Solution Works Everywhere 118
  Summary 119

Part II Hacking MFA 121

5 Hacking MFA in General 123
  MFA Dependency Components 124
  Enrollment 125
  User 127
  Devices/Hardware 127
  Software 128
  API 129
  Authentication Factors 129
  Authentication Secrets Store 129
  Cryptography 130
  Technology 130
  Transmission/Network Channel 131
  Namespace 131
  Supporting Infrastructure 131
  Relying Party 132
  Federation/Proxies 132
  Alternate Authentication Methods/Recovery 132
  Migrations 133
  Deprovision 133
  MFA Component Conclusion 134
  Main Hacking Methods 134
  Technical Attacks 134
  Human Element 135
  Physical 137
  Two or More Hacking Methods Used 137
  "You Didn't Hack the MFA!" 137
  How MFA Vulnerabilities are Found 138
  Threat Modeling 138
  Code Review 138
  Fuzz Testing 138
  Penetration Testing 139
  Vulnerability Scanning 139
  Human Testing 139
  Accidents 140
  Summary 140

6 Access Control Token Tricks 141
  Access Token Basics 141
  Access Control Token General Hacks 142
  Token Reproduction/Guessing 142
  Token Theft 145
  Reproducing Token Hack Examples 146
  Network Session Hijacking Techniques and Examples 149
  Firesheep 149
  MitM Attacks 150
  Access Control Token Attack Defenses 157
  Generate Random, Unguessable Session IDs 157
  Use Industry-Accepted Cryptography and Key Sizes 158
  Developers Should Follow Secure Coding Practices 159
  Use Secure Transmission Channels 159
  Include Timeout Protections 159
  Tie the Token to Specific Devices or Sites 159
  Summary 161

7 Endpoint Attacks 163
  Endpoint Attack Risks 163
  General Endpoint Attacks 165
  Programming Attacks 165
  Physical Access Attacks 165
  What Can an Endpoint Attacker Do? 166
  Specific Endpoint Attack Examples 169
  Bancos Trojans 169
  Transaction Attacks 171
  Mobile Attacks 172
  Compromised MFA Keys 173
  Endpoint Attack Defenses 174
  MFA Developer Defenses 174
  End-User Defenses 177
  Summary 179

8 SMS Attacks 181
  Introduction to SMS 181
  SS7 184
  Biggest SMS Weaknesses 186
  Example SMS Attacks 187
  SIM Swap Attacks 187
  SMS Impersonation 191
  SMS Buffer Overflow 194
  Cell Phone User Account Hijacking 195
  Attacks Against the Underlying Supporting Infrastructure 196
  Other SMS-Based Attacks 196
  SIM/SMS Attack Method Summary 197
  NIST Digital Identity Guidelines Warning 198
  Defenses to SMS-Based MFA Attacks 199
  Developer Defenses 199
  User Defenses 201
  Is RCS Here to Save Mobile Messaging? 202
  Is SMS-Based MFA Still Better than Passwords? 202
  Summary 203

9 One-Time Password Attacks 205
  Introduction to OTP 205
  Seed Value-Based OTPs 208
  HMAC-Based OTP 209
  Event-Based OTP 211
  TOTP 212
  Example OTP Attacks 217
  Phishing OTP Codes 217
  Poor OTP Creation 219
  OTP Theft, Re-Creation, and Reuse 219
  Stolen Seed Database 220
  Defenses to OTP Attacks 222
  Developer Defenses 222
  Use Reliable and Trusted and Tested OTP Algorithms 223
  OTP Setup Code Must Expire 223
  OTP Result Code Must Expire 223
  Prevent OTP Replay 224
  Make Sure Your RNG is NIST-Certified or Quantum 224
  Increase Security by Requiring Additional Entry Beyond OTP Code 224
  Stop Brute-Forcing Attacks 224
  Secure Seed Value Database 225
  User Defenses 225
  Summary 226

10 Subject Hijack Attacks 227
  Introduction 227
  Example Attacks 228
  Active Directory and Smartcards 228
  Simulated Demo Environment 231
  Subject Hijack Demo Attack 234
  The Broader Issue 240
  Dynamic Access Control Example 240
  ADFS MFA Bypass 241
  Defenses to Component Attacks 242
  Threat Model Dependency Abuse Scenarios 242
  Secure Critical Dependencies 242
  Educate About Dependency Abuses 243
  Prevent One to Many Mappings 244
  Monitor Critical Dependencies 244
  Summary 244

11 Fake Authentication Attacks 245
  Learning About Fake Authentication Through UAC 245
  Example Fake Authentication Attacks 251
  Look-Alike Websites 251
  Fake Office 365 Logons 252
  Using an MFA-Incompatible Service or Protocol 253
  Defenses to Fake Authentication Attacks 254
  Developer Defenses 254
  User Defenses 256
  Summary 257

12 Social Engineering Attacks 259
  Introduction 259
  Social Engineering Commonalities 261
  Unauthenticated Communication 261
  Nonphysical 262
  Usually Involves Well-Known Brands 263
  Often Based on Notable Current Events and Interests 264
  Uses Stressors 264
  Advanced: Pretexting 265
  Third-Party Reliances 266
  Example Social Engineering Attacks on MFA 266
  Fake Bank Alert 267
  Crying Babies 267
  Hacking Building Access Cards 268
  Defenses to Social Engineering Attacks on MFA 270
  Developer Defenses to MFA 270
  User Defenses to Social Engineering Attacks 271
  Summary 273

13 Downgrade/Recovery Attacks 275
  Introduction 275
  Example Downgrade/Recovery Attacks 276
  Alternate Email Address Recovery 276
  Abusing Master Codes 280
  Guessing Personal-Knowledge Questions 281
  Defenses to Downgrade/Recovery Attacks 287
  Developer Defenses to Downgrade/Recovery Attacks 287
  User Defenses to Downgrade/Recovery Attacks 292
  Summary 294

14 Brute-Force Attacks 295
  Introduction 295
  Birthday Attack Method 296
  Brute-Force Attack Methods 297
  Example of Brute-Force Attacks 298
  OTP Bypass Brute-Force Test 298
  Instagram MFA Brute-Force 299
  Slack MFA Brute-Force Bypass 299
  UAA MFA Brute-Force Bug 300
  Grab Android MFA Brute-Force 300
  Unlimited Biometric Brute-Forcing 300
  Defenses Against Brute-Force Attacks 301
  Developer Defenses Against Brute-Force Attacks 301
  User Defenses Against Brute-Force Attacks 305
  Summary 306

15 Buggy Software 307
  Introduction 307
  Common Types of Vulnerabilities 308
  Vulnerability Outcomes 316
  Examples of Vulnerability Attacks 317
  Uber MFA Vulnerability 317
  Google Authenticator Vulnerability 318
  YubiKey Vulnerability 318
  Multiple RSA Vulnerabilities 318
  SafeNet Vulnerability 319
  Login.gov 319
  ROCA Vulnerability 320
  Defenses to Vulnerability Attacks 321
  Developer Defenses Against Vulnerability Attacks 321
  User Defenses Against Vulnerability Attacks 322
  Summary 323

16 Attacks Against Biometrics 325
  Introduction 325
  Biometrics 326
  Common Biometric Authentication Factors 327
  How Biometrics Work 337
  Problems with Biometric Authentication 339
  High False Error Rates 340
  Privacy Issues 344
  Disease Transmission 345
  Example Biometric Attacks 345
  Fingerprint Attacks 345
  Hand Vein Attack 348
  Eye Biometric Spoof Attacks 348
  Facial Recognition Attacks 349
  Defenses Against Biometric Attacks 352
  Developer Defenses Against Biometric Attacks 352
  User/Admin Defenses Against Biometric Attacks 354
  Summary 355

17 Physical Attacks 357
  Introduction 357
  Types of Physical Attacks 357
  Example Physical Attacks 362
  Smartcard Side-Channel Attack 362
  Electron Microscope Attack 364
  Cold-Boot Attacks 365
  Snooping On RFID-Enabled Credit Cards 367
  EMV Credit Card Tricks 370
  Defenses Against Physical Attacks 370
  Developer Defenses Against Physical Attacks 371
  User Defenses Against Physical Attacks 372
  Summary 375

18 DNS Hijacking 377
  Introduction 377
  DNS 378
  DNS Record Types 382
  Common DNS Hacks 382
  Example Namespace Hijacking Attacks 388
  DNS Hijacking Attacks 388
  MX Record Hijacks 388
  Dangling CDN Hijack 389
  Registrar Takeover 390
  DNS Character Set Tricks 390
  ASN.1 Tricks 392
  BGP Hijacks 392
  Defenses Against Namespace Hijacking Attacks 393
  Developer Defenses 394
  User Defenses 395
  Summary 397

19 API Abuses 399
  Introduction 399
  Common Authentication Standards and Protocols Involving APIs 402
  Other Common API Standards and Components 411
  Examples of API Abuse 414
  Compromised API Keys 414
  Bypassing PayPal 2FA Using an API 415
  Auth0 MFA Bypass 416
  Authy API Format Injection 417
  Duo API As-Designed MFA Bypass 417
  Microsoft OAuth Attack 419
  Sign In with Apple MFA Bypass 419
  Token TOTP BLOB Future Attack 420
  Defenses Against API Abuses 420
  Developer Defenses Against API Abuses 420
  User Defenses Against API Abuses 422
  Summary 423

20 Miscellaneous MFA Hacks 425
  Amazon Mystery Device MFA Bypass 425
  Obtaining Old Phone Numbers 426
  Auto-Logon MFA Bypass 427
  Password Reset MFA Bypass 427
  Hidden Cameras 427
  Keyboard Acoustic Eavesdropping 428
  Password Hints 428
  HP MFA DoS 429
  Trojan TOTP 429
  Hackers Turn MFA to Defeat You 430
  Summary 430

21 Test: Can You Spot the Vulnerabilities? 431
  Threat Modeling MFA Solutions 431
  Document and Diagram the Components 432
  Brainstorm Potential Attacks 432
  Estimate Risk and Potential Losses 434
  Create and Test Mitigations 436
  Do Security Reviews 436
  Introducing the Bloomberg MFA Device 436
  Bloomberg, L.P. and the Bloomberg Terminal 437
  New User B-Unit Registration and Use 438
  Threat-Modeling the Bloomberg MFA Device 439
  Threat-Modeling the B-Unit in a General Example 440
  Specific Possible Attacks 441
  Multi-Factor Authentication Security Assessment Tool 450
  Summary 451

Part III Looking Forward 453

22 Designing a Secure Solution 455
  Introduction 455
  Exercise: Secure Remote Online Electronic Voting 457
  Use Case Scenario 457
  Threat Modeling 458
  SDL Design 460
  Physical Design and Defenses 461
  Cryptography 462
  Provisioning/Registration 463
  Authentication and Operations 464
  Verifiable/Auditable Vote 466
  Communications 467
  Backend Blockchain Ledger 467
  Migration and Deprovisioning 470
  API 470
  Operational Training 470
  Security Awareness Training 470
  Miscellaneous 471
  Summary 471

23 Selecting the Right MFA Solution 473
  Introduction 473
  The Process for Selecting the Right MFA Solution 476
  Create a Project Team 477
  Create a Project Plan 478
  Educate 479
  Determine What Needs to Be Protected 479
  Choose Required and Desired Features 480
  Research/Select Vendor Solutions 488
  Conduct a Pilot Project 490
  Select a Winner 491
  Deploy to Production 491
  Summary 491

24 The Future of Authentication 493
  Cyber Crime is Here to Stay 493
  Future Attacks 494
  Increasingly Sophisticated Automation 495
  Increased Nation-State Attacks 496
  Cloud-Based Threats 497
  Automated Attacks Against MFA 497
  What is Likely Staying 498
  Passwords 498
  Proactive Alerts 498
  Preregistration of Sites and Devices 499
  Phones as MFA Devices 500
  Wireless 501
  Changing/Morphing Standards 501
  The Future 501
  Zero Trust 502
  Continuous, Adaptive, Risk-Based 503
  Quantum-Resistant Cryptography 506
  Interesting Newer Authentication Ideas 506
  Summary 507

25 Takeaway Lessons 509
  Broader Lessons 509
  MFA Works 509
  MFA is Not Unhackable 510
  Education is Key 510
  Security Isn't Everything 511
  Every MFA Solution Has Trade-Offs 511
  Authentication Does Not Exist in a Vacuum 512
  There is No Single Best MFA Solution for Everyone 515
  There are Better MFA Solutions 515
  MFA Defensive Recap 516
  Developer Defense Summary 516
  User Defense Summary 518

Appendix: List of MFA Vendors 521
Index 527
ROGER A. GRIMES is a computer security professional and penetration tester with over three decades of experience. He's an internationally renowned consultant and was the IDG/InfoWorld/CSO magazine weekly columnist for fifteen years. He's a sought-after speaker who has given talks at major security industry events, including RSA, Black Hat, and TechMentor.
1997-2024 DolnySlask.com Internet Agency