
2FA: The Rise of Two-Factor Authentication


Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

@ PHP Master Series, Vol 2

Chris Cornutt

October 18, 2013

Transcript

  1. 2FA: The rise of two-factor authentication

    Chris Cornutt - PHP Master Series, Vol 2
    Wednesday, October 16, 2013
  2. 1 2 3 4 5 6 7 8 9 0 +
  3. 1. user creates account (user/pass)
     2. user configures 2FA device
     3. confirmation code sent
  4. 1. user creates account (user/pass)
     2. user configures 2FA device
     3. confirmation code sent
     4. site requests code as validation
  5. 1. user creates account (user/pass)
     2. user configures 2FA device
     3. confirmation code sent
     4. site requests code as validation

     Device configured, code sent on login
  6. 1. user creates account (user/pass)
     2. user configures 2FA device
     3. user set up with 3rd party
  7. 1. user creates account (user/pass)
     2. user configures 2FA device
     3. user set up with 3rd party
     4. 3rd party validates user
  8. 1. user creates account (user/pass)
     2. user configures 2FA device
     3. user set up with 3rd party
     4. 3rd party validates user

     Device configured, 3rd party request
  9. Google Authenticator

     HMAC-based OTP: RFC 4226
     Time-based OTP: RFC 6238
     base32 encoded
     sha1 HMAC hashed
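  10. enygma/gauth : dev-master

        <?php
        require_once 'vendor/autoload.php';

        $userCode = '123456';   // code the user typed in
        $initCode = '...';      // init code stored for this user

        // The slide omits creating $g; assumed here to be the library's
        // \GAuth\Auth object, constructed with the init code.
        $g = new \GAuth\Auth($initCode);
        $verify = $g->validateCode($userCode);
        var_dump($verify); // boolean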
  11. Yubikey

      API validated request
      OTP + Nonce + Client ID
      Signature
  12. Yubikey

      API validated request
      OTP + Nonce + Client ID
      Signature
      Unique 44 characters
  13. Yubikey

      API validated request
      OTP + Nonce + Client ID
      Signature
      Unique 44 characters
      128-bit AES OTP
  14. enygma/yubikey : dev-master

        <?php
        require_once 'vendor/autoload.php';

        $apiKey = 'dGVzdG1uZzEyMzQ1Njc40TA=';
        $clientId = '12345';
        // $inputtedKey: the OTP string submitted by the user

        $v = new \Yubikey\Validate($apiKey, $clientId);
        $response = $v->check($inputtedKey);

        echo ($response->success() === true) ? 'success!' : 'you failed. aw.';
  15. Duo Security

      Hosted service (API)
      OTP codes
      SMS messaging
      Phone callback
      Push notifications
  16. Duo Security

      Hosted service (API)
      OTP codes
      SMS messaging
      Phone callback
      Push notifications
      NIST certified
  17. enygma/duoauth : v1.0

        <?php
        require_once 'vendor/autoload.php';

        // $code: the passcode submitted by the user
        $user = new \DuoAuth\User();
        if ($user->validateCode('username', $code)) {
            echo 'success!';
        }
  18. Authy

      API validated request
      One time password
      Bluetooth pairing
      SMS messaging
      Works with other OTP codes
  19. Authy

      API validated request
      One time password
      Bluetooth pairing
      SMS messaging
      Works with other OTP codes
  20. http://www.twilio.com/docs/howto/two-factor-authentication

        <?php
        // 10 hex characters from the CSPRNG. In PHP "^" is XOR, so
        // rand(0, 10^10) is rand(0, 0), and md5() of the clock is guessable.
        $password = bin2hex(random_bytes(5));
        $content = 'Your new password is '.$password;

        $client = new Services_Twilio($acctSid, $token);
        $client->account->sms_messages->create(
            'from-phone-number',
            'to-phone-number',
            $content
        );
        // store code, verify when user returns
  21. Weak passwords are still a problem

      Why stop at two?
      Other options aren’t as strong, but help
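
The Google Authenticator scheme named on slide 9 (RFC 4226 HOTP, RFC 6238 TOTP, base32-encoded secret, HMAC-SHA1), written out as an added example; it is not code from the deck or from enygma/gauth. The function names, the 30-second step, the one-step window and the replay check are assumptions of this example, and the secret is the RFC 4226 test key.

```php
<?php
// Added example (not from the deck): HOTP (RFC 4226) / TOTP (RFC 6238) over HMAC-SHA1.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $pos = strpos($alphabet, $ch);
        if ($pos === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($pos), 5, '0', STR_PAD_LEFT);
    }
    $bytes = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) { // ignore leftover padding bits
            $bytes .= chr(bindec($chunk));
        }
    }
    return $bytes;
}

function hotp(string $key, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true); // 8-byte big-endian counter
    $offset = ord($hash[19]) & 0x0f;                            // dynamic truncation
    $value = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($value % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the matched time-step counter (store it as $lastCounter), or null.
function verifyTotp(string $b32Secret, string $code, int $now, int $lastCounter = -1, int $window = 1): ?int
{
    $key = base32Decode($b32Secret);
    $current = intdiv($now, 30); // assumed 30-second time step
    $matched = null;
    for ($c = $current - $window; $c <= $current + $window; $c++) {
        // skip counters already used (replay); hash_equals compares in constant time
        if ($c > $lastCounter && hash_equals(hotp($key, $c), $code)) {
            $matched = $c;
        }
    }
    return $matched;
}

$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'; // constructed input: RFC 4226 test key, base32
$now = time();
$code = hotp(base32Decode($secret), intdiv($now, 30));
// second call passes the recorded counter, so the replayed code is refused
var_dump($code, verifyTotp($secret, $code, $now), verifyTotp($secret, $code, $now, intdiv($now, 30)));
```

Persist the returned counter per user and pass it back as `$lastCounter` on the next login so a code observed in transit cannot be reused inside its validity window.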