Shostack + Friends Blog


Authentic Thoughts About What Can Go Wrong

Threat modeling doesn't need to be big and complex Printed backup codes for mutlifactor authentication

This is a backup code I printed recently for some account, and I want to talk about threat modeling by asking: what can go wrong?

Take a minute and look at it and ask that question. I have an answer which is very real: I have no idea what site this is for. I dilligently used the print button on the site, it sat on my printer, and I forgot. I have some guesses, based on when it was printed, but I don't know, because the print button led to it being printed without a URL, without a site name or any other identifiers.

This doesn't require a framework — simply asking what can go wrong may well illuminate this. We can also use a framework like NEAT (necessary, explained, actionable, tested) to see that while this is necessary, there's no explanation. An explanation could have a few elements: where do I go ("just try to login to, and when prompted for your password, there'll be a "use backup code" link. Click that and enter this code.") What do I do next (do I need make sure to print additional access codes, or maybe this code will work repeatedly?).

It's also pretty clear that this is not tested. One beautiful element that I've seen in these systems is a prompt after you supposedly printed the codes and hit next: Please enter the code you supposedly just printed and "oops let me print more codes." I've needed that oops button at least once.

Threat modeling doesn't need to be big and complex. It's a way of thinking about the world, pausing to ask, what can go wrong. If you're not doing it, we have open classes coming up in July and August. These courses are longer and more intensive than just asking what can go wrong. Participants will learn how to use the Four Question Framework, tools for answering each question, apply them hands on, and get feedback from both me and their fellow students. It's awesome training, and especially beneficial for people who want to take their careers to the next level.

The week of July 11, I have a distributed training, and in August, I have two courses at Blackhat in Las Vegas one Aug 6+7 the other Aug 8+9. Both Blackhat courses are in person only.