«slow down online guessing attack with device cookies», Антон Дедов (odin)
TRANSCRIPT
Attacker goals
Password for a specific account
Password for any account in a system
Password for any account in any system
Authentication attacks: Mitigations
M-FA / M-Step: UX!
Password policy: Magic 106
Rate limiting
Authentication parameters, e.g. time, location, etc.
Monitoring, e.g. haveibeenpwned.com
Account lockout
Lock account: Effective; Easy DoS
Lock (account, IP): Somewhat DoS mitigation; Botnets; Proxies; IPv6; DoS as collateral damage
App
Lock out all unknown devices at once
Lock out individual user per device cookie
user : password
user : password + Device Cookie
Set-Cookie: KnownDevice=JWT
{"alg": "HS256", "typ": "JWT"}
.
{"aud": "device-cookie", "sub": "[email protected]", "jti": "40e2a97a2ab37406"}
Threats & Mitigations
Threat -> Mitigation
Online attack against one user -> Password policy
Online attack using stolen device cookies -> Limited; prevent cookie leaks
Online attack against multiple users -> Not mitigated
Spoof device cookie -> Crypto
Tamper with existing device cookie -> Crypto
DoS for specific account -> OOB device cookie issue
DoS for specific account when client is used by different accounts -> Device cookies per account
Implementation recommendations
Use good crypto, like HMAC-SHA2 or signed JWT.
Prevent cookie leakage with Secure & HttpOnly flags.
Issue cookie for valid reset password link.
Issue new device cookie after each successful login.
Include user ID into cookie name (privacy concerns?).
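The device-cookie scheme from the "App" slides and the implementation recommendations above, written out as an added Python example (not the talk's or any project's own code). It assumes a constructed server key, a constructed single-user password store, a failure threshold of 3 and a 300-second lockout; the HMAC-SHA256 cookie format ("body.tag") stands in for the signed JWT in the slides. Clients presenting a valid cookie for the account are locked out per (user, cookie id); everything else shares one "untrusted" bucket per user, so a guessing campaign from unknown devices cannot lock the legitimate, cookie-holding device out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; in deployment this comes from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-use"
MAX_FAILURES = 3        # failed attempts before a lockout (assumed threshold)
LOCKOUT_SECONDS = 300   # lockout duration (assumed)

_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed sample user store: username -> password hash.
USERS = {"alice": _hash_password("correct horse")}


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    candidate = _hash_password(password)  # hash even for unknown users (equal timing)
    return stored is not None and hmac.compare_digest(stored, candidate)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(user: str) -> str:
    """Signed cookie: base64(JSON payload) '.' base64(HMAC-SHA256 over the payload)."""
    payload = {"aud": "device-cookie", "sub": user, "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def parse_device_cookie(cookie: str):
    """Return the payload if the HMAC verifies; spoofed or tampered cookies yield None."""
    try:
        body, tag_b64 = cookie.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return None
        payload = json.loads(_unb64(body))
        if payload.get("aud") != "device-cookie":
            return None
        if not isinstance(payload.get("sub"), str) or not isinstance(payload.get("jti"), str):
            return None
        return payload
    except (ValueError, TypeError, AttributeError):
        return None


class LoginGuard:
    """Tracks failures and lockouts per (user, device cookie) and per user for unknown devices."""

    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}   # lockout key -> consecutive failure count
        self._locks = {}      # lockout key -> unix time the lock expires

    def _locked(self, key) -> bool:
        until = self._locks.get(key)
        return until is not None and until > self._now()

    def _record_failure(self, key) -> None:
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= MAX_FAILURES:
            self._locks[key] = self._now() + LOCKOUT_SECONDS
            self._failures[key] = 0

    def login(self, user: str, password: str, device_cookie: str = None):
        """Returns (status, new_cookie); status is 'ok', 'bad_credentials' or 'locked'."""
        payload = parse_device_cookie(device_cookie) if device_cookie else None
        if payload is not None and payload["sub"] == user:
            key = ("device", user, payload["jti"])   # known device: its own bucket
        else:
            key = ("untrusted", user)                 # cookie missing, invalid or for another user
        if self._locked(key):
            return "locked", None
        if check_password(user, password):
            self._failures.pop(key, None)
            return "ok", issue_device_cookie(user)    # fresh cookie after every successful login
        self._record_failure(key)
        return "bad_credentials", None
```

The caller sets the returned cookie with the Secure and HttpOnly flags, as the slides recommend; a cookie presented for a different user than the one logging in is deliberately not trusted and falls into that user's untrusted bucket, which is the "device cookies per account" mitigation from the threat table.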