two factor authentication and you
Post on 13-Apr-2017
Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 1
TWO-FACTOR AUTHENTICATION AND YOU
https://joind.in/10645
WHO AM I?
•President and Co-Founder of E-Moxie - www.emoxie.com
•Baltimore, MD
•PHP Developer, System Administrator, Tinkerer
•Meetup Organizer - Baltimore PHP/Mobile/API
•Trainer
•Maximize efficiencies and make life easier (mainly mine)
•I’ve seen things, and learned a bit on the way
chris@emoxie.com Twitter : @cmstone
BACKGROUND OF THIS TALK
WHAT IS TWO FACTOR AUTH?
•Not a new concept
•Two pieces of information needed (in addition to a username)
•Something you know and something you have
•First factor is typically a password (the "know")
•Second factor is typically a uniquely generated code (the "have")
WHAT’S THE MOST COMMON EXAMPLE OF TWO-FACTOR AUTHENTICATION?
ATM
•Requires something you have (ATM card)
•Requires something you know (PIN code)
How do you get that second factor?
DELIVERY MECHANISMS
•E-Mail
•SMS/Voice
•App
E-MAIL - THE GOOD :)
•Wide adoption
•Everyone has an email address (or a few)
•If you don’t, it’s pretty easy to get one
E-MAIL - THE BAD :(
•Prone to failure
•Delivery problems
•Message blocking
•SPAM
•Send/Receive problems
•Requires Internet/network access
•More mail?? Who really wants to get more?
SMS
SMS - GOOD THINGS!
•Mobile device required (or a service like Google Voice)
•SMS penetration is high
•Easy to implement
•Global support
SMS - BAD THINGS :(
•Can’t receive SMS
•Could cost money
•Network
•Delivery delays
•Lost messages
•Power?
•Threat could have access to a web front end!
•Susceptible to architecture issues
TWILIO
•REST API
•Get your own number
•Send a text message just like you would with any other app
NEXMO
•php[tek] Sponsor - yay!
•Shared short code
•REST API

•API key & secret
•Destination & PIN

curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key}&api_secret={api_secret}&to=14435281326&pin=1234"
MOBILE APP
MOBILE APP
•Roll your own
•Push notices
•Login approvals
•Authy
•Duosecurity
•Google Authenticator
GOOGLE AUTHENTICATOR
•Easy to use
•DOES NOT rely on an Internet connection
•DOES NOT rely on a cellular connection
•Google just provides the app
•Implements time-based one-time passwords (TOTP)
•Open source (kind of)
•All of those password thefts? Could be kind of a non-issue
•Not just for websites
GOOGLE AUTHENTICATOR - PITFALLS
•No power!
•Lost phone/device
•Broken phone/device
•Susceptible to architecture and workflow issues
TOTP
•Time-based One-time Password Algorithm
•Computed from a shared secret key and the current time
•Combines the secret with the timestamp using a cryptographic hash function (HMAC)
•Typically advances in 30-second intervals
•Allows for a time drift
•RFC 6238
APPLICATION
•base32 encoding and decoding
•random secret key
•timestamp
•~30 lines of code
https://github.com/cmstone/phptek2014-two-factor
WORKFLOW OVERVIEW
$username = 'chris@baltimorephp.org';
$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();

$secretKey = Base32::decode($userkey);
$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
WORKFLOW - Step 1 - Generate a random secret key

TwoFactor::generateKey();
———————
public static function generateKey($length = 16)
{
    $key = "";
    // Each Base32::getRandom() call yields one random character of the
    // base32 alphabet, so 16 characters encode an 80-bit secret
    for ($i = 0; $i < $length; $i++) {
        $key .= Base32::getRandom();
    }
    return $key;
}

// Gives you something like: CHBEYSUCFDAECIHM
WORKFLOW - Step 2 - Get the current timestamp

TwoFactor::getTimestamp();
———————
public static function getTimestamp()
{
    // self::keyRegeneration is the code lifetime in seconds (the 30-second
    // step), so this returns the RFC 6238 time step counter, not a Unix time
    return floor(microtime(true) / self::keyRegeneration);
}

// Gives you something like: 46692614
WORKFLOW - Step 3 - Decode

$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();

$secretKey = Base32::decode($userkey);

// $secretKey is now raw binary, so printing it shows garbage like: ?LJ?(?A ?
WORKFLOW - Step 4 - Decode

$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
———————
public static function getSecret($key, $counter)
{
    if (strlen($key) < 8) {
        throw new Exception('Secret key is too short. Must be at least 16 base 32 characters');
    }
    // Counter must be a 64-bit big-endian integer: high 32 bits zero,
    // low 32 bits the time step from getTimestamp()
    $bin_counter = pack('N*', 0) . pack('N*', $counter);
    // HMAC-SHA1 of the counter under the raw secret, returned as raw bytes
    $hash = hash_hmac('sha1', $bin_counter, $key, true);
    // Dynamic truncation (RFC 4226 section 5.3), left-padded to otpLength digits
    return str_pad(self::oathTruncate($hash), self::otpLength, '0', STR_PAD_LEFT);
}

// $currentPassword = 373604
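The four workflow steps above, plus the drift window the TOTP slide mentions, as one added example. This is not the talk's PHP nor the code in the phptek2014-two-factor repository; it is a stand-alone Python implementation of the same RFC 6238/RFC 4226 pipeline (random base32 secret, time step, base32 decode, HMAC-SHA1 with dynamic truncation) and goes a step further than the slides by adding the server-side verifier a practitioner needs: a ±1-step drift window, a constant-time comparison, and replay protection so an intercepted code cannot be used twice within its window. The function and class names (generate_base32_secret, hotp, totp, TotpVerifier, provisioning_uri) and the "E-Moxie" issuer label are this example's own choices, and the ASCII secret "12345678901234567890" is the one the RFC test vectors use.

```python
"""Minimal RFC 6238 TOTP / RFC 4226 HOTP with a drift window and replay protection.
Added example; not the talk's PHP code or the phptek2014-two-factor repository."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

TIME_STEP = 30      # seconds per code, the "30-second intervals" from the talk
DIGITS = 6          # length of the one-time password
DRIFT_STEPS = 1     # accept one step either side to allow for clock drift


def generate_base32_secret(length=16):
    """Random shared secret as `length` base32 characters (16 chars = 80 bits),
    the same shape as the talk's TwoFactor::generateKey() output."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def decode_secret(b32_secret):
    """Turn the user-facing base32 string back into the raw key bytes (step 3)."""
    padded = b32_secret.upper() + "=" * (-len(b32_secret) % 8)
    return base64.b32decode(padded)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 64-bit big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                      # same bytes as pack('N*',0).pack('N*',c)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # left-pad, like str_pad(..., '0')


def time_step(unix_time=None, step=TIME_STEP):
    """Counter value for TOTP: floor(now / step), like the talk's getTimestamp() (step 2)."""
    if unix_time is None:
        unix_time = time.time()
    return int(unix_time // step)


def totp(key, unix_time=None, digits=DIGITS, step=TIME_STEP):
    """RFC 6238: HOTP with the time step as the counter (step 4)."""
    return hotp(key, time_step(unix_time, step), digits)


def provisioning_uri(b32_secret, account, issuer):
    """otpauth:// URI in the Key Uri Format that Google Authenticator reads from a QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={TIME_STEP}")


class TotpVerifier:
    """Server-side check: drift window plus replay protection on the time step."""

    def __init__(self, key, drift=DRIFT_STEPS):
        self.key = key
        self.drift = drift
        self.last_used_step = -1   # highest time step already accepted for this user

    def verify(self, submitted, unix_time=None):
        now_step = time_step(unix_time)
        for delta in range(-self.drift, self.drift + 1):
            candidate_step = now_step + delta
            # A code for an already-consumed step must never be accepted twice.
            if candidate_step <= self.last_used_step:
                continue
            expected = hotp(self.key, candidate_step)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_used_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # Sample enrolment for the account used on the workflow slide (constructed run).
    user_key = generate_base32_secret()
    print("secret:", user_key)
    print("uri:", provisioning_uri(user_key, "chris@baltimorephp.org", "E-Moxie"))
    print("code:", totp(decode_secret(user_key)))
```

Persist last_used_step next to the user's secret; without it a code replayed within the drift window verifies a second time, which is the "architecture and workflow issues" pitfall the slides warn about.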
ADDITIONAL RESOURCES
Bypassing two-factor authentication: http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/
Google Authenticator code: https://code.google.com/p/google-authenticator/
QUESTIONS?
THANKS!
Please reach out to me @cmstone or chris@emoxie.com
Please rate and give feedback!! https://joind.in/10645