
Google Authenticator - Lightning Talk


adrianhardy

August 07, 2012

Transcript

  1. Google Authenticator: all the tools you need to add two-factor authentication to your web app. Adrian Hardy / @adrianhardy
  2. Authentication: Factor Categories. Stuff you have ("keys"): door key / swipe card. Stuff you know (passwords / PINs): computer password (encrypted or otherwise). Stuff you are (unique personal attributes): iris scans / fingerprints.
  3. Usernames & Passwords: traditional single-factor authentication. Once someone knows your password, game over. Well-understood methods of extracting passwords. "Username: AzureDiamond / Password: hunter2 / Welcome, adrian". If you don't get the hunter2 reference, google it and hit the first result.
  4. Google Authentication (I may not be able to contain myself). Provides a "something you have" factor. Uses a mobile phone. FREE for Android, iPhone and yes, even Blackberry. Uses QR codes. Implements the RFC 6238 TOTP algorithm.
  5. What's a TOTP? Time-based One-Time Password. Your phone gives you a 6-digit PIN. That six-digit PIN is good for 30 seconds. In 30 seconds you get a new one. That PIN is unique to you*.
  6. Basic Workflow. When creating a user account, show a QR code. The QR code contains a secret which seeds the TOTP. Store the secret against the user account.
  7. Basic Workflow - 2. As the server you know: the username, the password, the user's TOTP secret, and the seconds since the Unix epoch. So you can pre-calculate the TOTP using the same implementation!
  8. I'll tweet out a bit.ly bundle in a bit. I haven't prepared the links and stuff that you'll need for this, so I'll prepare that offline and let you all know.