Simple Two Factor Authentication
Secure Your Life

Upload: john-congdon

Post on 18-May-2015

Category: Technology

DESCRIPTION

My presentation at SDPHP went well. I definitely could improve on this presentation. I missed the mark on the general workflow: how the customers and developers are impacted. I made assumptions that I shouldn't have, such as that everyone already knew what Two Factor Authentication (2FA) was.

TRANSCRIPT

Page 1: Simple Two Factor Authentication

Simple Two Factor Authentication

Secure Your Life

Page 2: Simple Two Factor Authentication

About Me

John Congdon

IRC: johncongdon

Twitter: @johncongdon

[email protected]

Ultimate Frisbee Player

Page 3: Simple Two Factor Authentication

Authentication

Page 4: Simple Two Factor Authentication

Passwords

“Something the user knows”

Susceptible to

Brute force attacks

Phishing

Social engineering

Data breaches

Page 5: Simple Two Factor Authentication

Recent Web Data Exploits

Thousands of vBulletin websites hacked
http://krebsonsecurity.com/2013/10/thousands-of-sites-hacked-via-vbulletin-hole/

Evernote (50,000,000 accounts)

Washington state Administrative Office of the Courts
160,000 Names, Social Security numbers, and driver’s license numbers were accessed
http://jrcon.me/1phbN9U

Living Social (50,000,000 accounts)

Adobe (38,000,000 accounts)

So many more…
http://jrcon.me/1phdJ24

Page 6: Simple Two Factor Authentication
Page 7: Simple Two Factor Authentication

Two Factor Authentication

“Something the user has”

Tokens

Hardware (Hard tokens, USB, Cards)

Software

Mobile phone

Page 8: Simple Two Factor Authentication

Concerns

Key Logging

Man-in-the-middle Attacks

Man-in-the-browser Attacks

Recovery of lost token (broken phone)

Page 9: Simple Two Factor Authentication

Two+ Factor Authentication

Why stop at just two?

“Something the user is”

Biometrics

Finger print

Voice print

Retina scan

DNA?

Page 10: Simple Two Factor Authentication

Simple 2FA

TOTP - Time based One Time Password

Combines a secret with the current time

New code is generated every 30 seconds

Page 11: Simple Two Factor Authentication

Software Token

Google Authenticator

    Simple and free

    Secure

    No backup

Authy

    Multi Device

    Easy backup

Page 12: Simple Two Factor Authentication

What’s Needed?

A “Secret” is used to create the TOTP

Base 32 Encoder/Decoder

Accurate clock

QR Code

Page 13: Simple Two Factor Authentication

Create The Secret

    public function createSecret($secretLength = 16) {
        // Lookup table: the 32 Base32 characters plus '=' (padding) at index 32
        $validChars = $this->_getBase32LookupTable();
        unset($validChars[32]); // padding must never appear in a secret

        $secret = '';
        for ($i = 0; $i < $secretLength; $i++) {
            // random_int() (PHP 7+) is a CSPRNG; array_rand()/rand() are not
            // suitable for generating a shared secret
            $secret .= $validChars[random_int(0, count($validChars) - 1)];
        }
        return $secret;
    }

Page 14: Simple Two Factor Authentication

Generate QR Code

    function getQRCodeGoogleUrl($name, $secret) {
        $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret);
        return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded;
    }

    // Note: this sends the shared secret to a third-party service (and the
    // Google Charts endpoint has since been deprecated); rendering the QR code
    // locally avoids both problems.
    $image = getQRCodeGoogleUrl('SDPHP', $secret);
    echo "<img src='" . htmlspecialchars($image, ENT_QUOTES) . "'/>";

Page 15: Simple Two Factor Authentication

Authentication Steps

    <?php
    // Step 1: password ("something the user knows")
    if ($user->auth($username, $password)) {
        if ($user->two_factor_secret) {
            // 2FA is enabled: ask for the code before granting access.
            // The session is only "password verified" at this point; it
            // must not count as logged in until the code check passes.
            showTwoFactorForm();
            return false;
        }
        return true;
    }
    return false;

Page 16: Simple Two Factor Authentication

Verify The Code

    <?php
    // after password authentication
    $secret = $user->two_factor_secret;
    $auth_code = isset($_POST['auth_code']) ? (string) $_POST['auth_code'] : '';
    if ($secret && $auth_code) {
        if ($auth->verifyCode($secret, $auth_code)) {
            return true;
        }
    }
    return false;

Page 17: Simple Two Factor Authentication

Verify With Discrepancy Range

    <?php
    function verifyCode($secret, $code, $discrepancy = 1) {
        $currentTimeSlice = floor(time() / 30);
        for ($i = -$discrepancy; $i <= $discrepancy; $i++) { // -1, 0, 1 by default
            $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
            // hash_equals() instead of ==: a loose comparison of numeric
            // strings is numeric ("012345" == "12345") and not constant-time
            if (hash_equals($calculatedCode, (string) $code)) {
                return true;
            }
        }
        return false;
    }
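The slides for Pages 10, 12, 13, 14 and 17 show pieces of the library the talk uses. The following is an added, self-contained example (not the slides' code and not that library) that puts those pieces together end to end: a random secret, the Base32 encoder/decoder, the otpauth URI the QR code carries, the TOTP computation itself (RFC 4226 HOTP with the time slice as counter), and a verifier with the +/-1 slice window, a constant-time compare and replay protection. It assumes PHP 7.0 or later (random_bytes, intdiv, hash_equals) and the common defaults of SHA-1, 6 digits and 30-second slices; the RFC 6238 test secret "12345678901234567890" is used to check the implementation.

```php
<?php
// Added example for the SDPHP slides: minimal TOTP (RFC 6238) in plain PHP.
// Assumes PHP 7.0+; SHA-1, 6 digits, 30 s period (the Google Authenticator defaults).

const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

// Base32 (RFC 4648) encode without '=' padding; authenticator apps accept this form.
function base32Encode(string $raw): string {
    $bits = '';
    foreach (str_split($raw) as $ch) {
        $bits .= str_pad(decbin(ord($ch)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= BASE32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32Decode(string $b32): string {
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $idx = strpos(BASE32_ALPHABET, $ch);
        if ($idx === false) { throw new InvalidArgumentException('not Base32: ' . $ch); }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $raw .= chr(bindec($byte)); } // drop trailing pad bits
    }
    return $raw;
}

// 160-bit secret from the OS CSPRNG (array_rand()/rand() are not suitable here).
function createSecret(int $bytes = 20): string {
    return base32Encode(random_bytes($bytes));
}

// Provisioning URI for the QR code. Render the QR image locally rather than
// handing the secret to a third-party chart service.
function otpauthUri(string $issuer, string $account, string $secret): string {
    return 'otpauth://totp/' . rawurlencode($issuer) . ':' . rawurlencode($account)
         . '?secret=' . $secret . '&issuer=' . rawurlencode($issuer)
         . '&algorithm=SHA1&digits=6&period=30';
}

// HOTP (RFC 4226) for one counter value; TOTP is HOTP with counter = floor(time / 30).
function hotp(string $secretB32, int $counter, int $digits = 6): string {
    $msg  = pack('J', $counter);                      // 8-byte big-endian counter
    $hmac = hash_hmac('sha1', $msg, base32Decode($secretB32), true);
    $off  = ord($hmac[19]) & 0x0f;                    // dynamic truncation offset
    $bin  = ((ord($hmac[$off]) & 0x7f) << 24)
          | (ord($hmac[$off + 1]) << 16)
          | (ord($hmac[$off + 2]) << 8)
          |  ord($hmac[$off + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secretB32, int $unixTime, int $period = 30): string {
    return hotp($secretB32, intdiv($unixTime, $period));
}

// Verify with a +/-$window slice tolerance for clock drift. $lastSlice is the
// per-user slice persisted after the previous success: a slice that already
// accepted a code is never accepted again, so a sniffed or phished code cannot
// be replayed within its 30-second lifetime. Returns [accepted, slice to store].
function verifyTotp(string $secretB32, string $code, int $now, int $lastSlice, int $window = 1): array {
    $slice = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = $slice + $i;
        if ($candidate <= $lastSlice) { continue; }            // already used
        if (hash_equals(hotp($secretB32, $candidate), $code)) { // constant-time
            return [true, $candidate];
        }
    }
    return [false, $lastSlice];
}

// Self-check against RFC 6238 Appendix B: secret "12345678901234567890" at T=59
// is listed as 94287082 (8 digits), so the 6-digit code is its last six digits.
$rfcSecret = base32Encode('12345678901234567890'); // GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
echo totp($rfcSecret, 59) === '287082' ? "RFC vector ok\n" : "RFC vector MISMATCH\n";

list($ok, $usedSlice) = verifyTotp($rfcSecret, '287082', 59, 0);
echo $ok ? "first use accepted\n" : "first use rejected\n";
list($ok2, ) = verifyTotp($rfcSecret, '287082', 59, $usedSlice);
echo $ok2 ? "replay accepted (bug)\n" : "replay rejected\n";

echo otpauthUri('SDPHP', 'john@example.com', createSecret()), "\n"; // constructed account
```

The replay check is the part the slide's verifyCode leaves out: with a window of 1 the same code is valid for up to 90 seconds, so storing the slice that last succeeded and refusing anything at or below it closes that gap without affecting honest users, who always move forward in time.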

Page 18: Simple Two Factor Authentication

Considerations

Don’t Annoy Your Users

#1 Reason People Hate 2FA

Make it optional and easy

Add a remember me for X days option
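One way to build the "remember me for X days" option, as an added example (not from the slides): after a successful TOTP check the server issues a random device token, stores only its hash together with the user id and an expiry, and sets it as a Secure/HttpOnly cookie; at the next login, a valid token for that user lets the password step proceed without the TOTP prompt. It assumes PHP 7.3 or later (setcookie options array), and an in-memory array stands in for the database table.

```php
<?php
// Added example: "remember this device for X days" after a passed 2FA check.
// Assumes PHP 7.3+; $store is a constructed stand-in for a database table.

const REMEMBER_DAYS   = 30;
const REMEMBER_COOKIE = 'tfa_device';

// Issue right after a successful TOTP verification. Only a hash of the token is
// persisted, so a leaked table cannot be turned into working cookies.
function issueRememberToken(array &$store, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + REMEMBER_DAYS * 86400,
    ];
    return $token;
}

function setRememberCookie(string $token): void {
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // out of reach of page scripts
        'samesite' => 'Lax',
    ]);
}

// Called after the password step: true means the TOTP prompt can be skipped.
// The token is bound to the user id, so a cookie issued for one account cannot
// bypass 2FA on another.
function deviceIsRemembered(array &$store, int $userId, ?string $cookie, int $now): bool {
    if ($cookie === null) { return false; }
    $key = hash('sha256', $cookie);
    if (!isset($store[$key])) { return false; }
    $row = $store[$key];
    if ($row['expires'] < $now) {
        unset($store[$key]);  // X days are over: drop it, prompt for TOTP again
        return false;
    }
    return $row['user_id'] === $userId;
}

// Revoke on password change or an explicit "forget this device".
function forgetDevice(array &$store, string $cookie): void {
    unset($store[hash('sha256', $cookie)]);
}

// Walk-through with constructed data in place of a database and a browser.
$store = [];
$now   = 1431907200;  // constructed timestamp
$token = issueRememberToken($store, 42, $now);
var_dump(deviceIsRemembered($store, 42, $token, $now));               // same user, in date
var_dump(deviceIsRemembered($store, 7,  $token, $now));               // different user
var_dump(deviceIsRemembered($store, 42, $token, $now + 31 * 86400));  // after X days
forgetDevice($store, $token);
var_dump(deviceIsRemembered($store, 42, $token, $now));               // revoked
```

Keeping the remembered-device decision server-side (a hashed token with an expiry, not a self-describing cookie) means a lost or stolen device can be revoked from the account, and the password step is never skipped: the option only removes the second prompt.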

Page 19: Simple Two Factor Authentication

Questions?

Page 20: Simple Two Factor Authentication

Thank You!