Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 1
TWO-FACTOR AUTHENTICATION AND YOU
https://joind.in/10645
WHO AM I?
• President and Co-Founder of E-Moxie - www.emoxie.com
• Baltimore, MD
• PHP Developer, System Administrator, Tinkerer
• Meetup Organizer - Baltimore PHP/Mobile/API
• Trainer
• Maximize efficiencies and make life easier (mainly mine)
• I’ve seen things, and learned a bit on the way
[email protected] | Twitter: @cmstone
BACKGROUND OF THIS TALK
WHAT IS TWO FACTOR AUTH?
• Not a new concept
• Two pieces of information needed (in addition to a username)
• Something you know and something you have
• First factor is typically a password (the know)
• Second factor is typically a uniquely generated code (the have)
WHAT’S THE MOST COMMON EXAMPLE OF TWO-FACTOR AUTHENTICATION?
ATM
• Requires something you have (ATM card)
• Requires something you know (PIN code)
DELIVERY MECHANISMS
How do you get that second factor?
• E-Mail
• SMS/Voice
• App
E-MAIL - THE GOOD :)
• Wide adoption
• Everyone has an email address (or a few)
• If you don’t, it’s pretty easy to get one
E-MAIL - THE BAD :(
• Prone to failure
• Delivery problems
• Message blocking
• SPAM
• Send/receive problems
• Requires Internet/network access
• More mail?? Who really wants to get more?
SMS
SMS - GOOD THINGS!
• Mobile device required (or a service like Google Voice)
• SMS penetration is high
• Easy to implement
• Global support
SMS - BAD THINGS :(
• Can’t receive SMS
• Could cost money
• Network
• Delivery delays
• Lost messages
• Power?
• Threat could have access to a web front end!
• Susceptible to architecture issues
TWILIO
• REST API
• Get your own number
• Send a text message just like you would with any other app
NEXMO
• php[tek] Sponsor - yay!
• Shared short code
• REST API
• API Key & Secret
• Destination & Pin

```shell
curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key}&api_secret={api_secret}&to=14435281326&pin=1234"
```
MOBILE APP
• Roll your own
• Push notices
• Login approvals
• Authy
• Duo Security
• Google Authenticator
GOOGLE AUTHENTICATOR
• Easy to use
• DOES NOT rely on an Internet connection
• DOES NOT rely on a cellular connection
• Google just provides the app
• Implements time-based one-time passwords (TOTP)
• Open source (kind of)
• All of those password thefts? Could be kind of a non-issue
• Not just for websites
GOOGLE AUTHENTICATOR - PITFALLS
• No power!
• Lost phone/device
• Broken phone/device
• Susceptible to architecture and workflow issues
TOTP
• Time-based One-time Password Algorithm
• Computed from a shared secret key and the current time
• Combines the secret with the timestamp using a cryptographic hash function (HMAC)
• The counter typically advances in 30-second intervals
• Allows for time drift (the verifier accepts neighbouring intervals)
• RFC 6238
APPLICATION
• base32 encoding and decoding
• random secret key
• timestamp
• ~30 lines of code
https://github.com/cmstone/phptek2014-two-factor
WORKFLOW OVERVIEW
```php
$username = '[email protected]';
$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();

$secretKey = Base32::decode($userkey);
$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
```
WORKFLOW
Step 1 - Generate a random secret key

```php
TwoFactor::generateKey();
```
———————
```php
public static function generateKey($length = 16)
{
    $key = "";

    // Base32::getRandom() (project helper) returns one random character
    // from the base32 alphabet (A-Z, 2-7); 16 of them decode to 10 bytes
    for ($i = 0; $i < $length; $i++) {
        $key .= Base32::getRandom();
    }

    return $key;
}

// Gives you something like: CHBEYSUCFDAECIHM
```
WORKFLOW
Step 2 - Get the current timestamp

```php
TwoFactor::getTimestamp();
```
———————
```php
public static function getTimestamp()
{
    // keyRegeneration is the TOTP time step (30 seconds), so this is the
    // number of whole 30-second intervals since the Unix epoch
    return floor(microtime(true) / self::keyRegeneration);
}

// Gives you something like: 46692614
```
WORKFLOW
Step 3 - Decode

```php
$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();

// Base32 decoding turns the 16-character key into its 10 raw bytes,
// which is the form the HMAC in step 4 expects
$secretKey = Base32::decode($userkey);

// $secretKey = (raw binary bytes, not printable)
```
WORKFLOW
Step 4 - Generate the current password

```php
$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
```
———————
```php
public static function getSecret($key, $counter)
{
    // $key is the decoded secret; 16 base32 characters give 10 bytes
    if (strlen($key) < 8) {
        throw new Exception('Secret key is too short. Must be at least 16 base 32 characters');
    }

    // Counter must be a 64-bit big-endian int: four zero bytes followed by
    // the 32-bit timestamp value
    $bin_counter = pack('N*', 0) . pack('N*', $counter);
    $hash = hash_hmac('sha1', $bin_counter, $key, true);

    // oathTruncate() (defined elsewhere in the project) does the RFC 4226
    // dynamic truncation; the result is left-padded with zeros to otpLength digits
    return str_pad(self::oathTruncate($hash), self::otpLength, '0', STR_PAD_LEFT);
}

// $currentPassword = 373604
```
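The four workflow steps above, together with the drift tolerance from the TOTP slide, as an added Python example that is not the talk's PHP code or the cmstone/phptek2014-two-factor project: generate_key, get_timestamp, decode_key, hotp, totp and verify are names chosen here, RFC_KEY is the RFC 4226/6238 test secret, and the verifier side adds a constant-time comparison that the slides do not show.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30    # seconds per counter step (RFC 6238 default; the talk's keyRegeneration)
OTP_LENGTH = 6    # digits in the one-time password (the talk's otpLength)
DRIFT_STEPS = 1   # also accept the previous and next step to tolerate clock drift
B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 4226/6238 test secret "12345678901234567890", base32

def generate_key(length=16):
    """Step 1: random base32 secret the user enrols in the authenticator app (CSPRNG, not rand())."""
    return "".join(secrets.choice(B32_ALPHABET) for _ in range(length))

def get_timestamp(now=None):
    """Step 2: the counter, i.e. whole 30-second intervals since the Unix epoch."""
    return int((time.time() if now is None else now) // TIME_STEP)

def decode_key(base32_key):
    """Step 3: base32-decode the 16-character key into its 10 raw bytes."""
    return base64.b32decode(base32_key.upper())

def hotp(secret, counter, digits=OTP_LENGTH):
    """RFC 4226: HMAC-SHA1 over the 64-bit big-endian counter, then dynamic truncation."""
    if len(secret) < 8:
        raise ValueError("secret key is too short")
    msg = struct.pack(">Q", counter)  # same bytes as the talk's pack('N*', 0) . pack('N*', $counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # left-pad with zeros, like str_pad()

def totp(base32_key, now=None, digits=OTP_LENGTH):
    """Step 4: the code for the current time step (RFC 6238 is HOTP with a time-based counter)."""
    return hotp(decode_key(base32_key), get_timestamp(now), digits)

def verify(base32_key, submitted, now=None):
    """Server side: accept the current step and DRIFT_STEPS either side; compare in constant time."""
    secret = decode_key(base32_key)
    step = get_timestamp(now)
    return any(
        hmac.compare_digest(hotp(secret, candidate), submitted)
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1)
    )
```

Widening DRIFT_STEPS makes login more forgiving of skewed phone clocks but also multiplies the number of codes a guess can match, so keep it at one step and rate-limit attempts.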
ADDITIONAL RESOURCES
• Bypassing two-factor authentication: http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/
• Google Authenticator code: https://code.google.com/p/google-authenticator/
QUESTIONS?
THANKS!
Please reach out to me @cmstone or [email protected]
Please rate and give feedback!! https://joind.in/10645