simple two factor authentication
DESCRIPTION
My presentation at SDPHP went well. I definitely could improve on this presentation. I missed the mark on the general workflow and on how the customers and developers are impacted. I made assumptions that I shouldn't have, such as that everyone already knew what Two Factor Authentication (2FA) was.
TRANSCRIPT
Slide 1: Simple Two Factor Authentication
Secure Your Life
Slide 2: About Me
John Congdon
IRC: johncongdon
Twitter: @johncongdon
Email: …@sdphp.org
Ultimate Frisbee Player
Slide 3: Authentication
Slide 4: Passwords
"Something the user knows"
Susceptible to:
- Brute force attacks
- Phishing
- Social engineering
- Data breaches
Slide 5: Recent Web Data Exploits
- Thousands of vBulletin websites hacked: http://krebsonsecurity.com/2013/10/thousands-of-sites-hacked-via-vbulletin-hole/
- Evernote (50,000,000 accounts)
- Washington state Administrative Office of the Courts: 160,000 names, Social Security numbers, and driver's license numbers were accessed (http://jrcon.me/1phbN9U)
- Living Social (50,000,000 accounts)
- Adobe (38,000,000 accounts): http://jrcon.me/1phdJ24
- So many more…
Slide 7: Two Factor Authentication
"Something the user has"
Tokens:
- Hardware (hard tokens, USB, cards)
- Software
- Mobile phone
Slide 8: Concerns
- Key logging
- Man-in-the-middle attacks
- Man-in-the-browser attacks
- Recovery of a lost token (broken phone)
Slide 9: Two+ Factor Authentication
Why stop at just two?
"Something the user is"
Biometrics:
- Fingerprint
- Voice print
- Retina scan
- DNA?
Slide 10: Simple 2FA
TOTP - Time-based One-Time Password
- Combines a secret with the current time
- A new code is generated every 30 seconds
Slide 11: Software Token
- Google Authenticator
  - Simple and free
  - Secure
  - No backup
- Authy
  - Multi-device
  - Easy backup
Slide 12: What's Needed?
- A "secret" is used to create the TOTP
- Base32 encoder/decoder
- Accurate clock
- QR code
Slide 13: Create The Secret

```php
// Method of the authenticator class used in the talk; _getBase32LookupTable()
// returns the 32 Base32 symbols plus '=' at index 32, which is removed so the
// secret only contains symbols an authenticator app can decode.
public function createSecret($secretLength = 16) {
    $validChars = $this->_getBase32LookupTable();
    unset($validChars[32]);

    $secret = '';
    for ($i = 0; $i < $secretLength; $i++) {
        // array_rand() is driven by a non-cryptographic PRNG; a shared secret
        // must come from the OS CSPRNG, which random_int() (PHP 7+) provides.
        $secret .= $validChars[random_int(0, count($validChars) - 1)];
    }
    return $secret;
}
```
Slide 14: Generate QR Code

```php
// Builds an otpauth:// URI and asks the Google Chart API to render it as a QR
// image. Two caveats: the secret is sent to a third party, and Google has since
// retired this chart endpoint, so render the QR code locally in new code.
function getQRCodeGoogleUrl($name, $secret) {
    $urlencoded = urlencode('otpauth://totp/' . $name . '?secret=' . $secret);
    return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . $urlencoded;
}

$image = getQRCodeGoogleUrl('SDPHP', $secret);
// Escape the URL before placing it in an HTML attribute.
echo '<img src="' . htmlspecialchars($image, ENT_QUOTES) . '"/>';
```
Slide 15: Authentication Steps

```php
<?php
// Step one: the password check. If the account has a 2FA secret, show the
// code form and stop here; the session is not authenticated until the code
// submitted on the next request has been verified.
if ($user->auth($username, $password)) {
    if ($user->two_factor_secret) {
        showTwoFactorForm();
        return false; // password accepted, second factor still pending
    }
    return true;
}
return false;
```
Slide 16: Verify The Code

```php
<?php
// After password authentication: check the submitted code against the
// user's stored secret.
$secret = $user->two_factor_secret;
$auth_code = $_POST['auth_code'] ?? ''; // avoid an undefined-index notice
if ($secret && $auth_code) {
    if ($auth->verifyCode($secret, $auth_code)) {
        return true;
    }
}
return false;
```
Slide 17: Verify With Discrepancy Range

```php
<?php
// Method of the authenticator class; $this->getCode($secret, $timeSlice)
// computes the TOTP for a given 30-second slice.
function verifyCode($secret, $code, $discrepancy = 1) {
    $currentTimeSlice = floor(time() / 30);
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        // -1, 0, 1 by default: tolerate one slice of clock drift either way
        $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
        // hash_equals() instead of ==: a constant-time string comparison that
        // is not subject to PHP's numeric-string juggling ("0e1" == "0e2").
        if (hash_equals($calculatedCode, (string) $code)) {
            return true;
        }
    }
    return false;
}
```
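The pieces slides 10, 12, 14 and 17 describe, put together as one runnable example. This is added code, not the slides' or the PHPGangsta library's: a Base32 decoder, RFC 4226/6238 code generation, the otpauth URI an authenticator app reads from the QR code, and a verifier with the discrepancy window that additionally compares in constant time and refuses a time slice that was already used. All function names, the `TOTP_*` constants and the `$lastUsedSlice` parameter are this example's own; it assumes PHP 7.1+ and uses the RFC 6238 Appendix B test secret.

```php
<?php
// Added example (not from the slides): minimal RFC 6238 TOTP with a hardened
// window verifier. Names below are this example's own, not a library API.

const TOTP_PERIOD = 30;   // seconds per time slice, as on slide 10
const TOTP_DIGITS = 6;

/** Decode an RFC 4648 Base32 string (padding optional) into raw key bytes. */
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        return '';
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            throw new InvalidArgumentException("Invalid Base32 character: $ch");
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    for ($i = 0; $i + 8 <= strlen($bits); $i += 8) { // trailing <8 bits are padding
        $bytes .= chr(bindec(substr($bits, $i, 8)));
    }
    return $bytes;
}

/** RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated. */
function hotp(string $key, int $counter, int $digits = TOTP_DIGITS): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hmac[19]) & 0x0F;   // low nibble of the last byte selects a 4-byte window
    $binary = ((ord($hmac[$offset]) & 0x7F) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** RFC 6238 TOTP for one time slice, where slice = floor(unixTime / TOTP_PERIOD). */
function totpForSlice(string $base32Secret, int $slice): string
{
    return hotp(base32Decode($base32Secret), $slice);
}

/** The otpauth URI that goes into the QR code; the issuer prefix keeps entries distinguishable in the app. */
function otpauthUri(string $issuer, string $account, string $base32Secret): string
{
    $label = rawurlencode($issuer) . ':' . rawurlencode($account);
    return 'otpauth://totp/' . $label . '?' . http_build_query([
        'secret'    => $base32Secret,
        'issuer'    => $issuer,
        'algorithm' => 'SHA1',
        'digits'    => TOTP_DIGITS,
        'period'    => TOTP_PERIOD,
    ]);
}

/**
 * Slide 17's window check, hardened: hash_equals() instead of == (constant
 * time, no numeric-string juggling) and any slice <= $lastUsedSlice is
 * refused, so a code seen once cannot be replayed inside the window.
 * Returns the accepted slice (persist it as the new $lastUsedSlice) or null.
 */
function verifyTotp(string $base32Secret, string $code, int $now, int $lastUsedSlice, int $discrepancy = 1): ?int
{
    if (!preg_match('/\A\d{' . TOTP_DIGITS . '}\z/', $code)) {
        return null;                  // accept exactly N digits, nothing else
    }
    $current = intdiv($now, TOTP_PERIOD);
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        $slice = $current + $i;
        if ($slice <= $lastUsedSlice) {
            continue;                 // already consumed or older: treat as replay
        }
        if (hash_equals(totpForSlice($base32Secret, $slice), $code)) {
            return $slice;
        }
    }
    return null;
}

// RFC 6238 Appendix B secret "12345678901234567890" in Base32; at T=59
// (slice 1) the 6-digit code is 287082 (the RFC's 8-digit value is 94287082).
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
echo totpForSlice($secret, 1), "\n";                     // 287082
echo otpauthUri('SDPHP', 'user@example.com', $secret), "\n";
var_dump(verifyTotp($secret, '287082', 59, -1));          // int(1): accepted
var_dump(verifyTotp($secret, '287082', 59, 1));           // NULL: slice 1 already used
var_dump(verifyTotp($secret, '287082', 130, -1));         // NULL: outside the window around slice 4
```

The returned slice is the piece of state the slides' verifier lacks: storing it per user and passing it back as `$lastUsedSlice` turns each code into a true one-time value, while the discrepancy window still absorbs a phone clock that is up to 30 seconds off.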
Slide 18: Considerations
Don't Annoy Your Users
- The #1 reason people hate 2FA
- Make it optional and easy
- Add a "remember me for X days" option
Slide 19: Questions?
Slide 20: Thank You!