
2FA: The Rise of Two-Factor Authentication

Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

@ PHP Master Series, Vol 2

Chris Cornutt

October 18, 2013

Transcript

  1. 2FA
    Chris Cornutt - PHP Master Series, Vol 2
    The rise of
    two-factor authentication
    Wednesday, October 16, 2013

  2. A

  3. A

  4. A
    USER & PASS

  5. A
    USER & PASS
    SECURITY QUESTIONS

  6. A
    USER & PASS
    SECURITY QUESTIONS
    ?

  7. Identity
    is hard

  9. ?
    who?

  10. Know

  11. Know
    Have

  12. Know
    Have
    Are

  13. Know
    Have
    Are
    ...and sometimes where

  14. 1 2 3
    4 5 6
    7 8 9
    0
    +

  15. )))

  18. 2Fa
    myths

  19. it’s a “quick fix”

  20. it’s not easy to break

  21. too many similarities

  22. just for compliance...

  23. 2Fa
    advantages

  24. safer than just passwords (duh)

  25. defense in depth

  26. increase customer confidence

  27. 2Fa
    disadvantages

  28. yet another device?

  29. not cost effective

  30. harder for users

  31. 2Fa
    flow

  33. 1. user creates account (user/pass)

  34. 1. user creates account (user/pass)
    2. user configures 2FA device

  35. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. confirmation code sent

  36. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. confirmation code sent
    4. site requests code as validation

  37. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. confirmation code sent
    4. site requests code as validation
    Device configured, code sent on login

  39. 1. user creates account (user/pass)

  40. 1. user creates account (user/pass)
    2. user configures 2FA device

  41. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. user set up with 3rd party

  42. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. user set up with 3rd party
    4. 3rd party validates user

  43. 1. user creates account (user/pass)
    2. user configures 2FA device
    3. user set up with 3rd party
    4. 3rd party validates user
    Device configured, 3rd party request

  44. 2Fa
    options

  46. 2Fa
    tech

  47. Google Authenticator

  48. Google Authenticator

  49. Google Authenticator
    HMAC-based OTP

  50. Google Authenticator
    HMAC-based OTP
    RFC 4226

  51. Google Authenticator
    HMAC-based OTP
    RFC 4226
    Time-based OTP

  52. Google Authenticator
    HMAC-based OTP
    RFC 4226
    Time-based OTP
    RFC 6238

  53. Google Authenticator
    HMAC-based OTP
    RFC 4226
    Time-based OTP
    RFC 6238
    base32 encoded

  54. Google Authenticator
    HMAC-based OTP
    RFC 4226
    Time-based OTP
    RFC 6238
    base32 encoded
    sha1 HMAC hashed

  55. enygma/gauth : dev-master
    require_once 'vendor/autoload.php';
    $userCode = '123456';   // the 6-digit code the user typed from their app
    $initCode = '...';      // the user's base32 init key, issued at enrolment
    $g = new \GAuth\Auth($initCode);   // GAuth\Auth is the library's validator class; the slide leaves $g undefined
    $verify = $g->validateCode($userCode);
    var_dump($verify); // boolean
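
The enrolment flow of slides 33 to 37 and the HOTP/TOTP arithmetic of slides 49 to 54, as an added example in plain PHP; this is not code from the deck or from enygma/gauth. It assumes the Google Authenticator profile (base32 secret, HMAC-SHA1, 6 digits, 30-second step). The `$accounts` array stands in for a user table, and `enrolDevice()`, `verifyTotp()`, `confirmDevice()` and the other function names are ours. The self-test checks the arithmetic against the published RFC 4226 and RFC 6238 test vectors before anything else runs.

```php
<?php
// Added example, not code from the deck or from enygma/gauth: the enrolment flow of
// slides 33-37 and the RFC 4226 / RFC 6238 arithmetic of slides 49-54 in plain PHP
// (base32 secret, HMAC-SHA1, 6 digits, 30-second step: the Google Authenticator profile).
// The $accounts array stands in for a user table; the function names are ours.

const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

function base32Encode(string $bytes): string {
    $bits = '';
    foreach (str_split($bytes) as $c) { $bits .= str_pad(decbin(ord($c)), 8, '0', STR_PAD_LEFT); }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) { $out .= substr(B32, bindec(str_pad($chunk, 5, '0')), 1); }
    return $out; // padding omitted; authenticator apps do not need it
}

function base32Decode(string $b32): string {
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos(B32, $c);
        if ($v === false) { throw new InvalidArgumentException("bad base32 character: $c"); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) { if (strlen($byte) === 8) { $out .= chr(bindec($byte)); } }
    return $out;
}

function hotp(string $secret, int $counter, int $digits = 6): string {
    // RFC 4226 section 5.3: HMAC-SHA1 over the 8-byte big-endian counter, then
    // "dynamic truncation": the low nibble of the last byte picks a 4-byte window
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $binary = ((ord($hash[$offset]) & 0x7f) << 24) | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad((string)($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $unixTime, int $period = 30): string {
    // RFC 6238: TOTP is HOTP with counter = floor(time / period)
    return hotp($secret, intdiv($unixTime, $period));
}

// --- enrolment flow (slides 33-37): create account, configure device, confirm, enable ---

function enrolDevice(array &$accounts, string $user, string $issuer): string {
    $secret = random_bytes(20);                     // 160-bit secret, as RFC 4226 recommends
    $accounts[$user] = ['secret' => $secret, 'enabled' => false, 'last_step' => 0];
    // this is what goes into the QR code the authenticator app scans
    return sprintf('otpauth://totp/%s:%s?secret=%s&issuer=%s',
        rawurlencode($issuer), rawurlencode($user), base32Encode($secret), rawurlencode($issuer));
}

function verifyTotp(array &$accounts, string $user, string $code, int $now, int $window = 1): bool {
    if (!isset($accounts[$user])) { return false; }
    $acct = &$accounts[$user];
    $step = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {      // tolerate +/- one step of clock drift
        $s = $step + $i;
        if ($s > $acct['last_step'] && hash_equals(hotp($acct['secret'], $s), $code)) {
            $acct['last_step'] = $s;                // a step accepted once is never accepted again
            return true;
        }
    }
    return false;
}

function confirmDevice(array &$accounts, string $user, string $code, int $now): bool {
    // step 4 of the flow: the site asks for a code before switching 2FA on for the account
    if (verifyTotp($accounts, $user, $code, $now)) { $accounts[$user]['enabled'] = true; return true; }
    return false;
}

// --- check the arithmetic against the RFC test vectors before trusting it ---
function selfTest(): void {
    $key = base32Decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'); // "12345678901234567890", the RFC test key
    if (hotp($key, 0) !== '755224' || hotp($key, 1) !== '287082') { throw new RuntimeException('HOTP vector failed'); }
    if (totp($key, 59) !== '287082') { throw new RuntimeException('TOTP vector failed'); }   // RFC 6238, T = 59
}
selfTest();

$accounts = [];
$uri  = enrolDevice($accounts, 'alice', 'example.com');   // shown to the user as a QR code
$code = totp($accounts['alice']['secret'], time());       // what her app would display right now
var_dump(confirmDevice($accounts, 'alice', $code, time()), $accounts['alice']['enabled']);
var_dump(verifyTotp($accounts, 'alice', $code, time()));  // the same code again is rejected as a replay
```

Two details matter more than the truncation arithmetic: the comparison uses `hash_equals()` rather than `==`, and `last_step` makes every accepted code single-use, which the deck's "it's not easy to break" myth slide is really about. The drift window should stay small (one step each way); widening it multiplies the number of codes an online guesser can hit.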

  56. Yubikey

  57. Yubikey

  58. Yubikey
    API validated request

  59. Yubikey
    API validated request
    OTP + Nonce + Client ID

  60. Yubikey
    API validated request
    OTP + Nonce + Client ID
    Signature

  61. Yubikey
    API validated request
    OTP + Nonce + Client ID
    Signature
    Unique 44 characters

  62. Yubikey
    API validated request
    OTP + Nonce + Client ID
    Signature
    Unique 44 characters
    128-bit AES OTP

  63. enygma/yubikey : dev-master
    require_once 'vendor/autoload.php';
    $apiKey = 'dGVzdG1uZzEyMzQ1Njc40TA=';   // base64 API key issued by Yubico
    $clientId = '12345';
    $inputtedKey = $_POST['otp'];           // the 44-character OTP the user submitted (added; the slide leaves it undefined)
    $v = new \Yubikey\Validate($apiKey, $clientId);
    $response = $v->check($inputtedKey);
    echo ($response->success() === true) ? 'success!' : 'you failed. aw.';
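
The pieces of a YubiCloud validation exchange that slides 58 to 62 list (OTP + nonce + client ID, HMAC-SHA1 signature, 44-character OTP), as an added example that is not code from the deck or from enygma/yubikey. It follows Yubico's validation protocol 2.0 (the signature is a base64 HMAC-SHA1 over the alphabetically sorted `k=v` pairs) but runs offline against a constructed server answer: the API key, client ID, OTP and response values are made up, and `signParams()`, `buildRequest()` and `responseIsTrusted()` are our names.

```php
<?php
// Added example, not code from the deck or from enygma/yubikey: the pieces of a YubiCloud
// validation exchange that slides 58-62 list (OTP + nonce + client ID, HMAC-SHA1 signature,
// 44-character OTP), done offline against a constructed response. Key, client ID, OTP and
// response values are all made up; the function names are ours.

const MODHEX = 'cbdefghijklnrtuv'; // the YubiKey's keyboard-layout-safe hex alphabet

function isWellFormedOtp(string $otp): bool {
    // 44 modhex chars = 12-char public ID + 32 chars (16 bytes) of the AES-128 encrypted block
    return preg_match('/^[' . MODHEX . ']{44}$/', $otp) === 1;
}

function publicId(string $otp): string {
    return substr($otp, 0, 12); // identifies the key; the encrypted part changes on every press
}

function signParams(array $params, string $apiKey): string {
    // Validation protocol 2.0: base64(HMAC-SHA1(key, "k1=v1&k2=v2&..." sorted by key)),
    // with the signature field itself left out of what is signed
    unset($params['h']);
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) { $pairs[] = $k . '=' . $v; }
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), $apiKey, true));
}

function buildRequest(string $otp, string $clientId, string $apiKey): array {
    if (!isWellFormedOtp($otp)) { throw new InvalidArgumentException('OTP is not 44 modhex characters'); }
    $params = ['id' => $clientId, 'otp' => $otp, 'nonce' => bin2hex(random_bytes(16))];
    $params['h'] = signParams($params, $apiKey);     // lets the server check the request is ours
    return $params;
}

function responseIsTrusted(array $response, array $request, string $apiKey): bool {
    // 1. signature under the shared API key: rejects forged or tampered answers
    if (!hash_equals(signParams($response, $apiKey), $response['h'] ?? '')) { return false; }
    // 2. the answer must be about *this* OTP and *this* nonce: rejects replayed answers
    if (($response['otp'] ?? '') !== $request['otp'] || ($response['nonce'] ?? '') !== $request['nonce']) { return false; }
    // 3. only then does the verdict count
    return ($response['status'] ?? '') === 'OK';
}

// --- constructed exchange, no network ---
$apiKey   = 'constructed-demo-api-key-bytes'; // Yubico hands out a base64 key; base64_decode() it first
$clientId = '12345';
$otp      = 'cccccccccccc' . str_repeat(MODHEX, 2);   // 12-char public ID + 32 chars, 44 in total
$request  = buildRequest($otp, $clientId, $apiKey);

// what a genuine server answer looks like (signed with the same shared key)
$good = ['otp' => $otp, 'nonce' => $request['nonce'], 't' => '2013-10-16T12:00:00Z0000',
         'status' => 'OK', 'sl' => '100'];
$good['h'] = signParams($good, $apiKey);

// a REPLAYED_OTP verdict whose status field was flipped to OK in transit: signature no longer matches
$replayed = $good;
$replayed['status'] = 'REPLAYED_OTP';
$replayed['h'] = signParams($replayed, $apiKey);
$forged = $replayed;
$forged['status'] = 'OK';

// a correctly signed OK answer to some *other* request: nonce does not match ours
$stale = $good;
$stale['nonce'] = bin2hex(random_bytes(16));
$stale['h'] = signParams($stale, $apiKey);

var_dump(publicId($otp));
var_dump(responseIsTrusted($good, $request, $apiKey));
var_dump(responseIsTrusted($forged, $request, $apiKey));
var_dump(responseIsTrusted($stale, $request, $apiKey));
```

The order of the three checks in `responseIsTrusted()` is the point: the signature proves the answer came from a holder of the API key, and the OTP/nonce echo proves it is the answer to the request just sent; a client that reads `status` before checking both is trusting whatever arrived on the wire. Binding the public ID (`publicId()`) to the account at enrolment is the remaining step, so that a valid OTP from a different key is not accepted for this user.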

  64. Duo Security

  65. Duo Security

  66. Duo Security
    Hosted service (API)

  67. Duo Security
    Hosted service (API)
    OTP codes

  68. Duo Security
    Hosted service (API)
    OTP codes
    SMS messaging

  69. Duo Security
    Hosted service (API)
    OTP codes
    SMS messaging
    Phone callback

  70. Duo Security
    Hosted service (API)
    OTP codes
    SMS messaging
    Phone callback
    Push notifications

  71. Duo Security
    Hosted service (API)
    OTP codes
    SMS messaging
    Phone callback
    Push notifications
    NIST certified

  72. enygma/duoauth : v1.0
    require_once 'vendor/autoload.php';
    $code = $_POST['code'];   // the code the user read from their Duo device (added; the slide leaves it undefined)
    $user = new \DuoAuth\User();
    if ($user->validateCode('username', $code)) {
        echo 'success!';
    }

  73. Authy

  74. Authy

  75. Authy
    API validated request

  76. Authy
    API validated request
    One time password

  77. Authy
    API validated request
    One time password
    Bluetooth pairing

  78. Authy
    API validated request
    One time password
    Bluetooth pairing
    SMS messaging

  79. Authy
    API validated request
    One time password
    Bluetooth pairing
    SMS messaging
    Works with other OTP codes

  80. Authy
    API validated request
    One time password
    Bluetooth pairing
    SMS messaging
    Works with other OTP codes

  81. Twilio

  82. http://www.twilio.com/docs/howto/two-factor-authentication
    // NB: the original wrote rand(0, 10^10), but ^ is XOR in PHP and 10^10 is 0, so rand()
    // always returned 0; and time()+rand()+md5 is not a cryptographic source anyway,
    // use random_int() for real codes
    $password = substr(md5(time() . rand(0, pow(10, 10))), 0, 10);
    $content = 'Your new password is ' . $password;
    $client = new Services_Twilio($acctSid, $token);   // account SID and auth token from the Twilio console
    $client->account->sms_messages->create(
        'from-phone-number',
        'to-phone-number',
        $content
    );
    // store code, verify when user returns
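
The "store code, verify when user returns" half that the Twilio slide leaves as a comment, as an added example that is not code from the deck or from Twilio's documentation. It generates the code with a CSPRNG, stores only a hash with an expiry and an attempt counter, and consumes the code on first success. The `$store` array stands in for a database table, and `issueCode()` and `verifyCode()` are our names; the SMS send itself is the Twilio call on the slide and is left as a comment.

```php
<?php
// Added example, not code from the deck or from Twilio's docs: the "store code, verify when
// user returns" step of an SMS one-time code. random_int() replaces md5(time().rand()), the
// record holds a hash plus expiry and attempt count, and a code is consumed on first success.
// $store stands in for a database table; the function names are ours.

const CODE_TTL_SECONDS = 300;  // a code is valid for 5 minutes
const MAX_ATTEMPTS     = 5;    // after that the code is burned and a new one must be sent

function generateSmsCode(int $digits = 6): string {
    // random_int() is a CSPRNG; a time()-seeded md5 is guessable from the send timestamp
    return str_pad((string)random_int(0, (10 ** $digits) - 1), $digits, '0', STR_PAD_LEFT);
}

function issueCode(array &$store, string $user, int $now): string {
    $code = generateSmsCode();
    $store[$user] = [
        'hash'     => password_hash($code, PASSWORD_DEFAULT), // never store the code itself
        'expires'  => $now + CODE_TTL_SECONDS,
        'attempts' => 0,
    ];
    return $code; // goes to the SMS sender and nowhere else
}

function verifyCode(array &$store, string $user, string $candidate, int $now): bool {
    if (!isset($store[$user])) { return false; }     // nothing outstanding for this user
    $rec = &$store[$user];
    if ($now > $rec['expires'] || $rec['attempts'] >= MAX_ATTEMPTS) {
        unset($store[$user]);                         // expired or guessed at too often: burn it
        return false;
    }
    $rec['attempts']++;                               // count the attempt before comparing
    if (!password_verify($candidate, $rec['hash'])) { return false; }
    unset($store[$user]);                             // one-time: consumed on success
    return true;
}

// --- usage ---
$store = [];
$code  = issueCode($store, 'alice', time());
// $client->account->sms_messages->create('from-phone-number', 'to-phone-number', "Your code is $code");

$wrong = ($code === '000000') ? '000001' : '000000';  // a guess guaranteed not to match
var_dump(verifyCode($store, 'alice', $wrong, time())); // wrong guess
var_dump(verifyCode($store, 'alice', $code,  time())); // the real code
var_dump(verifyCode($store, 'alice', $code,  time())); // the same code again: already consumed
```

The attempt counter is what keeps a six-digit space safe: without it a caller who can submit guesses freely has a one-in-a-million shot per try and unlimited tries. Hashing the stored code keeps a read of the table from turning into a valid login during the five-minute window, and the expiry bounds how long a delivered SMS is worth anything if the phone is lost.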

  83. Custom

  84. Custom
    Internal implementation
    SMS send through service
    Internal authorization
    Custom auth requirements intact

  85. but is it
    enough?

  87. Weak passwords are still a problem

  88. Weak passwords are still a problem
    Why stop at two?

  89. Weak passwords are still a problem
    Why stop at two?
    Other options aren’t as strong, but help

  91. the unfortunate truth is that
    passwords are here to stay...

  93. Thanks!

  94. Thanks!
    Questions?

  95. Thanks!
    Questions?
    @enygma

  96. Thanks!
    Questions?
    @enygma
    http://websec.io/tagged/twofactor

  97. Thanks!
    Questions?
    @enygma
    http://websec.io/tagged/twofactor
    http://joind.in/9750