Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA: The Rise of Two-Factor Authentication

Avatar for Chris Cornutt Chris Cornutt
October 18, 2013
Technology
0
200

2FA: The Rise of Two-Factor Authentication

Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

@ PHP Master Series, Vol 2
Avatar for Chris Cornutt

Chris Cornutt

October 18, 2013
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
140
Pentesting for Developers
Avatar for Chris Cornutt ccornutt
0
140
Securing Legacy Applications - Longhorn PHP 2018
Avatar for Chris Cornutt ccornutt
1
190
Pieces of Auth
Avatar for Chris Cornutt ccornutt
0
340
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
510
Build Security In
Avatar for Chris Cornutt ccornutt
0
210
Introduction to Slim 3
Avatar for Chris Cornutt ccornutt
0
170
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
32
PHP Security, Redfined
Avatar for Chris Cornutt ccornutt
0
280

Other Decks in Technology

See All in Technology
社会人力と研究力ー博士号をキャリアの武器にするー
Avatar for Kentaro Kuribayashi kentaro
2
110
Part2 GitHub Copilotってなんだろう
Avatar for tomokusaba tomokusaba
2
740
LLMの開発と社会実装の今と未来 / AI Builders' Community (ABC) vol.2
Avatar for Preferred Networks pfn
PRO
1
120
MySQL InnoDB Data Recovery - The Last Resort
Avatar for lefred lefred
0
110
genspark_presentation.pdf
Avatar for h.uriu haruki_uiru
1
240
Microsoft の SSE の現在地
Avatar for skmkzyk skmkzyk
0
300
時間がないなら、つくればいい 〜数十人規模のチームが自律性を発揮するために試しているいくつかのこと〜
Avatar for KAKEHASHI kakehashi
PRO
22
5.2k
AIにおけるソフトウェアテスト_ver1.00
Avatar for fumisuke fumisuke
1
360
Ninno LT
Avatar for Yasunobu Kawaguchi kawaguti
PRO
1
110
GraphQLを活用したリアーキテクチャに対応するSLI/Oの再設計
Avatar for coconala_engineer coconala_engineer
0
210
AndroidアプリエンジニアもMCPを触ろう
Avatar for Shinnosuke Kugimiya kgmyshin
2
640
RubyKaigi NOC 近況 2025
Avatar for Sorah Fukumori sorah
1
700

Featured

See All Featured
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
137
6.9k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.6k
Faster Mobile Websites
Avatar for Dean Hume deanohume
307
31k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
94
13k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
53
11k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
22
3.4k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
40
7.2k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
61k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
251
21k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
159
23k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
344
40k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
49k

Transcript

  1. 2FA Chris Cornutt - PHP Master Series, Vol 2 The

    rise of two-factor authentication Wednesday, October 16, 2013

  2. A Wednesday, October 16, 2013

  3. A Wednesday, October 16, 2013

  4. A USER & PASS Wednesday, October 16, 2013

  5. A USER & PASS SECURITY QUESTIONS Wednesday, October 16, 2013

  6. A USER & PASS SECURITY QUESTIONS ? Wednesday, October 16,

    2013

  7. Identity is hard Wednesday, October 16, 2013

  8. Wednesday, October 16, 2013

  9. ? who? Wednesday, October 16, 2013

  10. Know Wednesday, October 16, 2013

  11. Know Have Wednesday, October 16, 2013

  12. Know Have Are Wednesday, October 16, 2013

  13. Know Have Are ...and sometimes where Wednesday, October 16, 2013

  14. 1 2 3 4 5 6 7 8 9 0

    + Wednesday, October 16, 2013

  15. ))) Wednesday, October 16, 2013

  16. Wednesday, October 16, 2013

  17. Wednesday, October 16, 2013

  18. 2Fa myths Wednesday, October 16, 2013

  19. it’s a “quick fix” Wednesday, October 16, 2013

  20. it’s not easy to break Wednesday, October 16, 2013

  21. too many similarities Wednesday, October 16, 2013

  22. just for compliance... Wednesday, October 16, 2013

  23. 2Fa advantages Wednesday, October 16, 2013

  24. safer than just passwords (duh) Wednesday, October 16, 2013

  25. defense in depth Wednesday, October 16, 2013

  26. increase customer confidence Wednesday, October 16, 2013

  27. 2Fa disadvantages Wednesday, October 16, 2013

  28. yet another device? Wednesday, October 16, 2013

  29. not cost effective Wednesday, October 16, 2013

  30. harder for users Wednesday, October 16, 2013

  31. 2Fa flow Wednesday, October 16, 2013

  32. Wednesday, October 16, 2013

  33. 1. user creates account (user/pass) Wednesday, October 16, 2013

  34. 1. user creates account (user/pass) 2. user configures 2FA device

    Wednesday, October 16, 2013

  35. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent Wednesday, October 16, 2013

  36. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent 4. site requests code as validation Wednesday, October 16, 2013

  37. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent 4. site requests code as validation Device configured, code sent on login Wednesday, October 16, 2013

  38. Wednesday, October 16, 2013

  39. 1. user creates account (user/pass) Wednesday, October 16, 2013

  40. 1. user creates account (user/pass) 2. user configures 2FA device

    Wednesday, October 16, 2013

  41. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party Wednesday, October 16, 2013

  42. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party 4. 3rd party validates user Wednesday, October 16, 2013

  43. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party 4. 3rd party validates user Device configured, 3rd party request Wednesday, October 16, 2013

  44. 2Fa options Wednesday, October 16, 2013

  45. Wednesday, October 16, 2013

  46. 2Fa tech Wednesday, October 16, 2013

  47. Google Authenticator Wednesday, October 16, 2013

  48. Google Authenticator Wednesday, October 16, 2013

  49. Google Authenticator HMAC-based OTP Wednesday, October 16, 2013

  50. Google Authenticator HMAC-based OTP RFC 4226 Wednesday, October 16, 2013

  51. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP Wednesday, October

    16, 2013

  52. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    Wednesday, October 16, 2013

  53. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    base32 encoded Wednesday, October 16, 2013

  54. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    base32 encoded sha1 HMAC hashed Wednesday, October 16, 2013

  55. enygma/gauth : dev-master <?php require_once ‘vendor/autoload.php’; $userCode = ‘123456’; $initCode

    = ‘...’; $verify = $g->validateCode($code); var_dump($verify); // boolean Wednesday, October 16, 2013

  56. Yubikey Wednesday, October 16, 2013

  57. Yubikey Wednesday, October 16, 2013

  58. Yubikey API validated request Wednesday, October 16, 2013

  59. Yubikey API validated request OTP + Nonce + Client ID

    Wednesday, October 16, 2013

  60. Yubikey API validated request OTP + Nonce + Client ID

    Signature Wednesday, October 16, 2013

  61. Yubikey API validated request OTP + Nonce + Client ID

    Signature Unique 44 characters Wednesday, October 16, 2013

  62. Yubikey API validated request OTP + Nonce + Client ID

    Signature Unique 44 characters 128-bit AES OTP Wednesday, October 16, 2013

  63. enygma/yubikey : dev-master <?php require_once ‘vendor/autoload.php’; $apiKey = ‘dGVzdG1uZzEyMzQ1Njc40TA=’; $clientId

    = ‘12345’; $v = new \Yubikey\Validate($apiKey, $clientId); $response = $v->check($inputtedKey); echo ($response->success() === true) ? 'success!' : 'you failed. aw.'; Wednesday, October 16, 2013

  64. Duo Security Wednesday, October 16, 2013

  65. Duo Security Wednesday, October 16, 2013

  66. Duo Security Hosted service (API) Wednesday, October 16, 2013

  67. Duo Security Hosted service (API) OTP codes Wednesday, October 16,

    2013

  68. Duo Security Hosted service (API) OTP codes SMS messaging Wednesday,

    October 16, 2013

  69. Duo Security Hosted service (API) OTP codes SMS messaging Phone

    callback Wednesday, October 16, 2013

  70. Duo Security Hosted service (API) OTP codes SMS messaging Phone

    callback Push notifications Wednesday, October 16, 2013

  71. Duo Security Hosted service (API) OTP codes SMS messaging Phone

    callback Push notifications NIST certified Wednesday, October 16, 2013

  72. enygma/duoauth : v1.0 <?php require_once ‘vendor/autoload.php’; $user = new \DuoAuth\User();

    if ($user->validateCode(‘username’, $code)) { echo ‘success!’; } Wednesday, October 16, 2013

  73. Authy Wednesday, October 16, 2013

  74. Authy Wednesday, October 16, 2013

  75. Authy API validated request Wednesday, October 16, 2013

  76. Authy API validated request One time password Wednesday, October 16,

    2013

  77. Authy API validated request One time password Bluetooth pairing Wednesday,

    October 16, 2013

  78. Authy API validated request One time password Bluetooth pairing SMS

    messaging Wednesday, October 16, 2013

  79. Authy API validated request One time password Bluetooth pairing SMS

    messaging Works with other OTP codes Wednesday, October 16, 2013

  80. Authy API validated request One time password Bluetooth pairing SMS

    messaging Works with other OTP codes Wednesday, October 16, 2013

  81. Twilio Wednesday, October 16, 2013

  82. http://www.twilio.com/docs/howto/two-factor-authentication <?php $password = substr(md5(time().rand(0, 10^10)), 0, 10); $content =

    ‘Your new password is ‘.$password; $client = new Services_Twilio($acctSid, $token); $client->account->sms_messages->create( ‘from-phone-number’, ‘to-phone-number’, $content ); // store code, verify when user returns Wednesday, October 16, 2013

  83. Custom Wednesday, October 16, 2013

  84. Custom Internal implementation SMS send through service Internal authorization Custom

    auth requirements intact Wednesday, October 16, 2013

  85. enough? but is it Wednesday, October 16, 2013

  86. Wednesday, October 16, 2013

  87. Weak passwords are still a problem Wednesday, October 16, 2013

  88. Weak passwords are still a problem Why stop at two?

    Wednesday, October 16, 2013

  89. Weak passwords are still a problem Why stop at two?

    Other options aren’t as strong, but help Wednesday, October 16, 2013

  90. Wednesday, October 16, 2013

  91. the unfortunate truth is that passwords are here to stay...

    Wednesday, October 16, 2013

  92. Wednesday, October 16, 2013

  93. Thanks! Wednesday, October 16, 2013

  94. Thanks! Questions? Wednesday, October 16, 2013

  95. Thanks! Questions? @enygma Wednesday, October 16, 2013

  96. Thanks! Questions? @enygma http://websec.io/tagged/twofactor Wednesday, October 16, 2013

  97. Thanks! Questions? @enygma http://websec.io/tagged/twofactor http://joind.in/9750 Wednesday, October 16, 2013