2FA: The Rise of Two-Factor Authentication

2FA
Chris Cornutt - PHP Master Series, Vol 2
The rise of
two-factor authentication
Wednesday, October 16, 2013

View Slide

A

View Slide

A
USER & PASS

View Slide

A
USER & PASS
SECURITY QUESTIONS

View Slide

A
USER & PASS
SECURITY QUESTIONS
?

View Slide

Identity
is hard

View Slide


View Slide

?
who?

View Slide

Know

View Slide

Know
Have

View Slide

Know
Have
Are

View Slide

Know
Have
Are
...and sometimes where

View Slide

1 2 3
4 5 6
7 8 9
0
+

View Slide

)))

View Slide


View Slide

2Fa
myths

View Slide

it’s a “quick ﬁx”

View Slide

it’s not easy to break

View Slide

too many similarities

View Slide

just for compliance...

View Slide

2Fa
advantages

View Slide

safer than just passwords (duh)

View Slide

defense in depth

View Slide

increase customer conﬁdence

View Slide

2Fa
disadvantages

View Slide

yet another device?

View Slide

not cost eﬀective

View Slide

harder for users

View Slide

2Fa
ﬂow

View Slide


View Slide

1. user creates account (user/pass)

View Slide

2. user conﬁgures 2FA device

View Slide

3. conﬁrmation code sent

View Slide

4. site requests code as validation

View Slide

4. site requests code as validation
Device conﬁgured, code sent on login

View Slide


View Slide

3. user set up with 3rd party

View Slide

4. 3rd party validates user

View Slide

4. 3rd party validates user
Device conﬁgured, 3rd party request

View Slide

2Fa
options

View Slide


View Slide

2Fa
tech

View Slide

Google Authenticator

View Slide

HMAC-based OTP

View Slide

HMAC-based OTP
RFC 4226

View Slide

HMAC-based OTP
RFC 4226
Time-based OTP

View Slide

HMAC-based OTP
RFC 4226
Time-based OTP
RFC 6238

View Slide

HMAC-based OTP
RFC 4226
Time-based OTP
RFC 6238
base32 encoded

View Slide

HMAC-based OTP
RFC 4226
Time-based OTP
RFC 6238
base32 encoded
sha1 HMAC hashed

View Slide

enygma/gauth : dev-master
require_once ‘vendor/autoload.php’;
$userCode = ‘123456’;
$initCode = ‘...’;
$verify = $g->validateCode($code);
var_dump($verify); // boolean

View Slide

Yubikey

View Slide

Yubikey
API validated request

View Slide

Yubikey
OTP + Nonce + Client ID

View Slide

Yubikey
Signature

View Slide

Yubikey
Signature
Unique 44 characters

View Slide

Yubikey
Signature
Unique 44 characters
128-bit AES OTP

View Slide

enygma/yubikey : dev-master
$apiKey = ‘dGVzdG1uZzEyMzQ1Njc40TA=’;
$clientId = ‘12345’;
$v = new \Yubikey\Validate($apiKey, $clientId);
$response = $v->check($inputtedKey);
echo ($response->success() === true)
? 'success!' : 'you failed. aw.';

View Slide

Duo Security

View Slide

Duo Security
Hosted service (API)

View Slide

Duo Security
OTP codes

View Slide

Duo Security
OTP codes
SMS messaging

View Slide

Duo Security
OTP codes
SMS messaging
Phone callback

View Slide

Duo Security
OTP codes
SMS messaging
Phone callback
Push notiﬁcations

View Slide

Duo Security
OTP codes
SMS messaging
Phone callback
Push notiﬁcations
NIST certiﬁed

View Slide

enygma/duoauth : v1.0
$user = new \DuoAuth\User();
if ($user->validateCode(‘username’, $code)) {
echo ‘success!’;
}

View Slide

Authy

View Slide

Authy
One time password

View Slide

Authy
One time password
Bluetooth pairing

View Slide

Authy
One time password
Bluetooth pairing
SMS messaging

View Slide

Authy
One time password
Bluetooth pairing
SMS messaging
Works with other OTP
codes

View Slide

Twilio

View Slide

http://www.twilio.com/docs/howto/two-factor-authentication
$password = substr(md5(time().rand(0, 10^10)),
0, 10);
$content = ‘Your new password is ‘.$password;
$client = new Services_Twilio($acctSid, $token);
$client->account->sms_messages->create(
‘from-phone-number’,
‘to-phone-number’,
$content
);
// store code, verify when user returns

View Slide

Custom

View Slide

Custom
Internal implementation
SMS send through service
Internal authorization
Custom auth
requirements intact

View Slide

enough?
but is it

View Slide


View Slide

Weak passwords are still a problem

View Slide

Why stop at two?

View Slide

Why stop at two?
Other options aren’t as strong, but help

View Slide


View Slide

the unfortunate truth is that
passwords are here to stay...

View Slide


View Slide

Thanks!

View Slide

Thanks!
Questions?

View Slide

Thanks!
Questions?
@enygma

View Slide

Thanks!
Questions?
@enygma
http://websec.io/tagged/twofactor

View Slide

Thanks!
Questions?
@enygma
http://websec.io/tagged/twofactor
http://joind.in/9750

View Slide

2FA: The Rise of Two-Factor Authentication

2FA: The Rise of Two-Factor Authentication

Chris Cornutt

More Decks by Chris Cornutt

Other Decks in Technology

Featured

Transcript