Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA: The Rise of Two-Factor Authentication

Chris Cornutt
October 18, 2013
Technology
0
140

2FA: The Rise of Two-Factor Authentication

Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

@ PHP Master Series, Vol 2

Chris Cornutt

October 18, 2013
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
94
Pentesting for Developers
ccornutt
0
100
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
290
Securing Legacy Applications
ccornutt
0
360
Build Security In
ccornutt
0
160
Introduction to Slim 3
ccornutt
0
150
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
240

Other Decks in Technology

See All in Technology
SREとその組織類型
tatsuo48
8
1.5k
自動生成を活用した、運用保守コストを抑える Error/Alert/Runbook の一元集約管理 / Centralized management of Error/Alert/Runbook to minimize operational costs using automated code generation
biwashi
9
2k
o11y入門_外形監視を利用したWebアプリケーションへの最適なモニタリング_TechBrew
k5k
2
100
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
0
250
Databricks における 『MLOps』
databricksjapan
2
120
Postman v10リリース後を振り返る
nagix
0
110
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
170
Discord とビルダー&チャットボットの使い方 / How to use Discord and Builder & Chatbots
ks91
PRO
0
130
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs (QCon London)
inesmontani
PRO
0
150
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k
2024-04-06 AMeDAS to Lagoon SORACOM UG 2024-04-06
anysonica
0
120
エンタープライズ環境下での Active Directory の運用 TIPS
tamaiyutaro
1
1.5k

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
258
12k
Clear Off the Table
cherdarchuk
82
310k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
153
14k
Designing for Performance
lara
601
67k
The Cost Of JavaScript in 2023
addyosmani
13
3.8k
Docker and Python
trallard
33
2.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
Producing Creativity
orderedlist
PRO
336
39k
A Modern Web Designer's Workflow
chriscoyier
689
190k
A Philosophy of Restraint
colly
195
16k
YesSQL, Process and Tooling at Scale
rocio
162
13k
The Brand Is Dead. Long Live the Brand.
mthomps
48
28k

Transcript

  1. 2FA Chris Cornutt - PHP Master Series, Vol 2 The

    rise of two-factor authentication Wednesday, October 16, 2013

  2. A Wednesday, October 16, 2013

  3. A Wednesday, October 16, 2013

  4. A USER & PASS Wednesday, October 16, 2013

  5. A USER & PASS SECURITY QUESTIONS Wednesday, October 16, 2013

  6. A USER & PASS SECURITY QUESTIONS ? Wednesday, October 16,

    2013

  7. Identity is hard Wednesday, October 16, 2013

  8. Wednesday, October 16, 2013

  9. ? who? Wednesday, October 16, 2013

  10. Know Wednesday, October 16, 2013

  11. Know Have Wednesday, October 16, 2013

  12. Know Have Are Wednesday, October 16, 2013

  13. Know Have Are ...and sometimes where Wednesday, October 16, 2013

  14. 1 2 3 4 5 6 7 8 9 0

    + Wednesday, October 16, 2013

  15. ))) Wednesday, October 16, 2013

  16. Wednesday, October 16, 2013

  17. Wednesday, October 16, 2013

  18. 2Fa myths Wednesday, October 16, 2013

  19. it’s a “quick fix” Wednesday, October 16, 2013

  20. it’s not easy to break Wednesday, October 16, 2013

  21. too many similarities Wednesday, October 16, 2013

  22. just for compliance... Wednesday, October 16, 2013

  23. 2Fa advantages Wednesday, October 16, 2013

  24. safer than just passwords (duh) Wednesday, October 16, 2013

  25. defense in depth Wednesday, October 16, 2013

  26. increase customer confidence Wednesday, October 16, 2013

  27. 2Fa disadvantages Wednesday, October 16, 2013

  28. yet another device? Wednesday, October 16, 2013

  29. not cost effective Wednesday, October 16, 2013

  30. harder for users Wednesday, October 16, 2013

  31. 2Fa flow Wednesday, October 16, 2013

  32. Wednesday, October 16, 2013

  33. 1. user creates account (user/pass) Wednesday, October 16, 2013

  34. 1. user creates account (user/pass) 2. user configures 2FA device

    Wednesday, October 16, 2013

  35. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent Wednesday, October 16, 2013

  36. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent 4. site requests code as validation Wednesday, October 16, 2013

  37. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent 4. site requests code as validation Device configured, code sent on login Wednesday, October 16, 2013

  38. Wednesday, October 16, 2013

  39. 1. user creates account (user/pass) Wednesday, October 16, 2013

  40. 1. user creates account (user/pass) 2. user configures 2FA device

    Wednesday, October 16, 2013

  41. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party Wednesday, October 16, 2013

  42. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party 4. 3rd party validates user Wednesday, October 16, 2013

  43. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party 4. 3rd party validates user Device configured, 3rd party request Wednesday, October 16, 2013

  44. 2Fa options Wednesday, October 16, 2013

  45. Wednesday, October 16, 2013

  46. 2Fa tech Wednesday, October 16, 2013

  47. Google Authenticator Wednesday, October 16, 2013

  48. Google Authenticator Wednesday, October 16, 2013

  49. Google Authenticator HMAC-based OTP Wednesday, October 16, 2013

  50. Google Authenticator HMAC-based OTP RFC 4226 Wednesday, October 16, 2013

  51. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP Wednesday, October

    16, 2013

  52. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    Wednesday, October 16, 2013

  53. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    base32 encoded Wednesday, October 16, 2013

  54. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    base32 encoded sha1 HMAC hashed Wednesday, October 16, 2013

  55. enygma/gauth : dev-master <?php require_once ‘vendor/autoload.php’; $userCode = ‘123456’; $initCode

    = ‘...’; $verify = $g->validateCode($code); var_dump($verify); // boolean Wednesday, October 16, 2013

  56. Yubikey Wednesday, October 16, 2013

  57. Yubikey Wednesday, October 16, 2013

  58. Yubikey API validated request Wednesday, October 16, 2013

  59. Yubikey API validated request OTP + Nonce + Client ID

    Wednesday, October 16, 2013

  60. Yubikey API validated request OTP + Nonce + Client ID

    Signature Wednesday, October 16, 2013

  61. Yubikey API validated request OTP + Nonce + Client ID

    Signature Unique 44 characters Wednesday, October 16, 2013

  62. Yubikey API validated request OTP + Nonce + Client ID

    Signature Unique 44 characters 128-bit AES OTP Wednesday, October 16, 2013

  63. enygma/yubikey : dev-master <?php require_once ‘vendor/autoload.php’; $apiKey = ‘dGVzdG1uZzEyMzQ1Njc40TA=’; $clientId

    = ‘12345’; $v = new \Yubikey\Validate($apiKey, $clientId); $response = $v->check($inputtedKey); echo ($response->success() === true) ? 'success!' : 'you failed. aw.'; Wednesday, October 16, 2013

  64. Duo Security Wednesday, October 16, 2013

  65. Duo Security Wednesday, October 16, 2013

  66. Duo Security Hosted service (API) Wednesday, October 16, 2013

  67. Duo Security Hosted service (API) OTP codes Wednesday, October 16,

    2013

  68. Duo Security Hosted service (API) OTP codes SMS messaging Wednesday,

    October 16, 2013

  69. Duo Security Hosted service (API) OTP codes SMS messaging Phone

    callback Wednesday, October 16, 2013

  70. Duo Security Hosted service (API) OTP codes SMS messaging Phone

    callback Push notifications Wednesday, October 16, 2013

  71. Duo Security Hosted service (API) OTP codes SMS messaging Phone

    callback Push notifications NIST certified Wednesday, October 16, 2013

  72. enygma/duoauth : v1.0 <?php require_once ‘vendor/autoload.php’; $user = new \DuoAuth\User();

    if ($user->validateCode(‘username’, $code)) { echo ‘success!’; } Wednesday, October 16, 2013

  73. Authy Wednesday, October 16, 2013

  74. Authy Wednesday, October 16, 2013

  75. Authy API validated request Wednesday, October 16, 2013

  76. Authy API validated request One time password Wednesday, October 16,

    2013

  77. Authy API validated request One time password Bluetooth pairing Wednesday,

    October 16, 2013

  78. Authy API validated request One time password Bluetooth pairing SMS

    messaging Wednesday, October 16, 2013

  79. Authy API validated request One time password Bluetooth pairing SMS

    messaging Works with other OTP codes Wednesday, October 16, 2013

  80. Authy API validated request One time password Bluetooth pairing SMS

    messaging Works with other OTP codes Wednesday, October 16, 2013

  81. Twilio Wednesday, October 16, 2013

  82. http://www.twilio.com/docs/howto/two-factor-authentication <?php $password = substr(md5(time().rand(0, 10^10)), 0, 10); $content =

    ‘Your new password is ‘.$password; $client = new Services_Twilio($acctSid, $token); $client->account->sms_messages->create( ‘from-phone-number’, ‘to-phone-number’, $content ); // store code, verify when user returns Wednesday, October 16, 2013

  83. Custom Wednesday, October 16, 2013

  84. Custom Internal implementation SMS send through service Internal authorization Custom

    auth requirements intact Wednesday, October 16, 2013

  85. enough? but is it Wednesday, October 16, 2013

  86. Wednesday, October 16, 2013

  87. Weak passwords are still a problem Wednesday, October 16, 2013

  88. Weak passwords are still a problem Why stop at two?

    Wednesday, October 16, 2013

  89. Weak passwords are still a problem Why stop at two?

    Other options aren’t as strong, but help Wednesday, October 16, 2013

  90. Wednesday, October 16, 2013

  91. the unfortunate truth is that passwords are here to stay...

    Wednesday, October 16, 2013

  92. Wednesday, October 16, 2013

  93. Thanks! Wednesday, October 16, 2013

  94. Thanks! Questions? Wednesday, October 16, 2013

  95. Thanks! Questions? @enygma Wednesday, October 16, 2013

  96. Thanks! Questions? @enygma http://websec.io/tagged/twofactor Wednesday, October 16, 2013

  97. Thanks! Questions? @enygma http://websec.io/tagged/twofactor http://joind.in/9750 Wednesday, October 16, 2013