simple two factor authentication
DESCRIPTION
My presentation at SDPHP went well. I definitely could improve on this presentation. I missed the mark on the general workflow: how the customers and developers are impacted. I made assumptions that I shouldn't have, such as that everyone already knew what Two Factor Authentication (2FA) was.
TRANSCRIPT
Simple Two Factor Authentication
Secure Your Life
About Me
John Congdon
IRC: johncongdon
Twitter: @johncongdon
[email protected]
Ultimate Frisbee Player
Authentication
Passwords
“Something the user knows”
Susceptible to:
Brute force attacks
Phishing
Social engineering
Data breaches
Recent Web Data Exploits
Thousands of vBulletin websites hacked
http://krebsonsecurity.com/2013/10/thousands-of-sites-hacked-via-vbulletin-hole/
Evernote (50,000,000 accounts)
Washington state Administrative Office of the Courts
160,000 names, Social Security numbers, and driver’s license numbers were accessed
http://jrcon.me/1phbN9U
Living Social (50,000,000 accounts)
Adobe (38,000,000 accounts)
So many more…
http://jrcon.me/1phdJ24
Two Factor Authentication
“Something the user has”
Tokens
Hardware (hard tokens, USB, cards)
Software
Mobile phone
Concerns
Key Logging
Man-in-the-middle Attacks
Man-in-the-browser Attacks
Recovery of lost token (broken phone)
Two+ Factor Authentication
Why stop at just two?
“Something the user is”
Biometrics
Fingerprint
Voice print
Retina scan
DNA?
Simple 2FA
TOTP - Time-based One-Time Password
Combines a secret with the current time
New code is generated every 30 seconds
Software Token
Google Authenticator
Simple and free
Secure
No backup
Authy
Multi Device
Easy backup
What’s Needed?
A “Secret” is used to create the TOTP
Base 32 Encoder/Decoder
Accurate clock
QR Code
Create The Secret
public function createSecret($secretLength = 16) {
    // Base32 alphabet from the class lookup table; index 32 is the '=' padding
    // character, which must never appear inside a secret.
    $validChars = $this->_getBase32LookupTable();
    unset($validChars[32]);

    // 16 Base32 characters is 80 bits of entropy; RFC 4226 recommends at least
    // 128 bits (26 characters or more) for the shared secret.
    $secret = '';
    for ($i = 0; $i < $secretLength; $i++) {
        // random_int() is a CSPRNG (PHP 7+). The original array_rand() is not
        // cryptographically secure and must not be used to pick secret material.
        $secret .= $validChars[random_int(0, 31)];
    }
    return $secret;
}
Generate QR Code
function getQRCodeGoogleUrl($name, $secret) {
    // otpauth:// URI that authenticator apps enroll from; the whole URI is
    // percent-encoded because it travels as a query parameter of the chart URL.
    $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret);
    // Caveat: this hands the shared secret to a third-party server (Google
    // Charts), and that QR endpoint has since been shut down. Rendering the
    // QR image locally from the otpauth:// URI avoids both problems.
    return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl='.$urlencoded;
}

$image = getQRCodeGoogleUrl('SDPHP', $secret);
echo "<img src='".htmlspecialchars($image, ENT_QUOTES)."'/>";
Authentication Steps
<?php
// Step 1: password check. A user who has enrolled a second factor is not
// logged in yet; the code is verified on the next request (Verify The Code).
if ($user->auth($username, $password)) {
    if ($user->two_factor_secret) {
        $_SESSION['pending_2fa_user_id'] = $user->id; // assumed session key and user field
        showTwoFactorForm();
        return false; // login is not complete until the code is verified
    }
    return true;
}
return false;
Verify The Code
<?php
// after password authentication
$secret = $user->two_factor_secret;
$auth_code = isset($_POST['auth_code']) ? trim($_POST['auth_code']) : '';
if ($secret && $auth_code !== '') {
    if ($auth->verifyCode($secret, $auth_code)) {
        return true; // second factor verified; the session can now be marked fully authenticated
    }
}
return false;
Verify With Discrepancy Range
<?php
function verifyCode($secret, $code, $discrepancy = 1) {
    $currentTimeSlice = floor(time() / 30);
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        // -1, 0, 1 by default: accept the previous, current and next 30-second
        // slice to tolerate clock drift between the phone and the server.
        $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
        // hash_equals() instead of ==: PHP's loose comparison treats "000123"
        // and "123" as equal and is not constant-time.
        if (hash_equals((string) $calculatedCode, (string) $code)) {
            // A code accepted here should be recorded (per user) so the same
            // code is not accepted a second time within the window.
            return true;
        }
    }
    return false;
}
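The slides describe TOTP as "a secret combined with the current time, new code every 30 seconds" and then show a verifier with a discrepancy window. The following is an added Python example (not the slides' PHP library code) of the full algorithm from RFC 4226/6238: Base32 secret decoding, HMAC-SHA1 with dynamic truncation, the time-slice counter, and a server-side verifier that applies the same +/-1 slice window as verifyCode() above, compares in constant time, and refuses a slice that was already accepted. The class name and its persistence of the last accepted slice are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example: RFC 6238 TOTP in Python (not the slides' PHP code).


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret as apps display it (any case, spaces, no padding)."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the padding the encoder stripped
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `period`-second slices since the epoch."""
    return hotp(key, at_time // period, digits)


class TotpVerifier:
    """Server-side check with a discrepancy window and single-use enforcement."""

    def __init__(self, secret_b32: str, period: int = 30, digits: int = 6,
                 discrepancy: int = 1):
        self.key = decode_secret(secret_b32)
        self.period = period
        self.digits = digits
        self.discrepancy = discrepancy
        # Highest time slice whose code has already been accepted. A real
        # deployment persists this per user so a captured code cannot be replayed.
        self.last_accepted_slice = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        code = code.strip()
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.period
        for i in range(-self.discrepancy, self.discrepancy + 1):  # -1, 0, 1 by default
            candidate = current + i
            if candidate <= self.last_accepted_slice:
                continue  # that slice (or an older one) was already used
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_slice = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in Base32
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(decode_secret(rfc_secret), int(time.time())))
```

The values in the test below are the RFC 4226 Appendix D and RFC 6238 Appendix B vectors truncated to six digits, which is the quickest way to confirm a from-scratch implementation matches what the phone will show.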
Considerations
Don’t Annoy Your Users
#1 Reason People Hate 2FA
Make it optional and easy
Add a remember me for X days option
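One way to build the "remember me for X days" option, as an added Python example that is not part of the slides: after a successful code check the server issues an HMAC-signed token bound to the user with an absolute expiry, sets it in a cookie, and on later logins accepts the token in place of asking for a code again. The server key, field names and token format are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example: a signed "remember this device" token (not from the slides).
# The key is constructed here for the demonstration; a deployment loads it
# from configuration and keeps it out of the code base.
SERVER_KEY = secrets.token_bytes(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_token(user_id: int, days: int, key: bytes = SERVER_KEY,
                         now: Optional[int] = None) -> str:
    """Create a remember-me token for one user that expires after `days` days."""
    now = int(time.time()) if now is None else now
    # "jti" is a random id so each token is unique and can be revoked server-side.
    payload = {"uid": user_id, "exp": now + days * 86400, "jti": secrets.token_hex(8)}
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def check_remember_token(token: str, user_id: int, key: bytes = SERVER_KEY,
                         now: Optional[int] = None) -> bool:
    """True only if the MAC is valid, the token belongs to user_id, and it has not expired."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return False
    expected = _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # verify before parsing anything
        return False
    try:
        payload = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return False
    return payload.get("uid") == user_id and now < int(payload.get("exp", 0))


if __name__ == "__main__":
    tok = issue_remember_token(42, 30)
    print(tok, check_remember_token(tok, 42))
```

The cookie carrying the token should be marked HttpOnly and Secure, and storing each token's "jti" against the user lets the server revoke remembered devices (for example when the user reports a lost phone) without rotating the key for everyone.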
Questions?
Thank You!