2FA: The Rise of Two-Factor Authentication

Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

@ PHP Master Series, Vol 2

Chris Cornutt

October 18, 2013

Transcript

  1. 2FA: The rise of two-factor authentication. Chris Cornutt - PHP Master Series, Vol 2. Wednesday, October 16, 2013

  6. A: USER & PASS, SECURITY QUESTIONS, ?
  7. Identity is hard

  9. ? who?

  13. Know, Have, Are ...and sometimes where

  14. 1 2 3 4 5 6 7 8 9 0 +

  15. )))

  18. 2FA myths

  19. it’s a “quick fix”

  20. it’s not easy to break

  21. too many similarities

  22. just for compliance...

  23. 2FA advantages

  24. safer than just passwords (duh)

  25. defense in depth

  26. increase customer confidence

  27. 2FA disadvantages

  28. yet another device?

  29. not cost effective

  30. harder for users

  31. 2FA flow

  37. Device configured, code sent on login:
      1. user creates account (user/pass)
      2. user configures 2FA device
      3. confirmation code sent
      4. site requests code as validation

  43. Device configured, 3rd party request:
      1. user creates account (user/pass)
      2. user configures 2FA device
      3. user set up with 3rd party
      4. 3rd party validates user
  44. 2FA options

  46. 2FA tech

  54. Google Authenticator: HMAC-based OTP (RFC 4226), Time-based OTP (RFC 6238), base32 encoded, sha1 HMAC hashed
  55. enygma/gauth : dev-master

```php
<?php
// enygma/gauth : dev-master
require_once 'vendor/autoload.php';

$initCode = '...';      // the user's base32-encoded shared secret (elided on the slide)
$userCode = '123456';   // the six-digit code the user just typed

// $g was never created on the slide; constructor as in the library's README (assumed)
$g = new \GAuth\Auth($initCode);
$verify = $g->validateCode($userCode);   // the slide passed an undefined $code here
var_dump($verify); // boolean
```
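What the gauth call does underneath, and how the enrollment and login steps of the 2FA flow slides fit around it: RFC 4226 HOTP (HMAC-SHA1 over a counter, dynamic truncation), RFC 6238 TOTP (counter = time step), base32 shared secret. This is an added example written for this page, not code from the talk or from enygma/gauth; the +/-1 step window and the last-used-step replay check are design choices assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def new_shared_secret(length: int = 20) -> str:
    """Enrollment step: a random secret, base32-encoded for the provisioning QR code."""
    return base64.b32encode(secrets.token_bytes(length)).decode()


def decode_base32_secret(encoded: str) -> bytes:
    """Google Authenticator secrets are base32; tolerate spaces, case and missing padding."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(encoded_secret: str, code: str, unix_time: int,
                window: int = 1, last_used_step: int = None):
    """Login step: accept a code for the current 30s step +/- window (clock drift).

    Returns the matched step so the caller can store it and refuse replays
    (a step <= last_used_step is never accepted again), or None on failure.
    """
    secret = decode_base32_secret(encoded_secret)
    current = unix_time // 30
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        # constant-time comparison so the check doesn't leak which digits matched
        if hmac.compare_digest(hotp(secret, step), code):
            return step
    return None
```

The assertions below use the RFC 4226 / RFC 6238 test-vector secret "12345678901234567890", so the output can be cross-checked against the RFCs' tables.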
  62. Yubikey: API validated request, OTP + Nonce + Client ID, Signature, Unique 44 characters, 128-bit AES OTP
  63. enygma/yubikey : dev-master

```php
<?php
// enygma/yubikey : dev-master
require_once 'vendor/autoload.php';

$apiKey   = 'dGVzdG1uZzEyMzQ1Njc40TA=';   // API key as printed on the slide
$clientId = '12345';
// the 44-character OTP the user typed; $inputtedKey was undefined on the slide (source assumed)
$inputtedKey = isset($_POST['otp']) ? $_POST['otp'] : '';

$v = new \Yubikey\Validate($apiKey, $clientId);
$response = $v->check($inputtedKey);
echo ($response->success() === true) ? 'success!' : 'you failed. aw.';
```
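The "API validated request" the Yubikey slides describe, spelled out: the 44-character ModHex OTP, the client id and a fresh nonce, the HMAC-SHA1 signature under the base64-decoded API key, and the checks a client must make on the reply (signature, echoed OTP and nonce, status). This is an added example written for this page, not the enygma/yubikey library's code; the API key, OTP and response text are constructed, and the response is built to the protocol's key=value line format.

```python
import base64
import hashlib
import hmac
import secrets
import string

# ModHex alphabet used by Yubikey OTPs
MODHEX = set("cbdefghijklnrtuv")
# Constructed sample: 12-char public ID + 32 ModHex chars (the 128-bit AES block)
SAMPLE_OTP = "cccccccccccc" + "dfghijklnrtuvbce" * 2
# Constructed API key: base64 of "test-key", not a real YubiCloud key
SAMPLE_API_KEY = "dGVzdC1rZXk="


def is_well_formed_otp(otp: str) -> bool:
    """Cheap pre-check before calling out: 44 ModHex characters (12 ID + 32 encrypted)."""
    return len(otp) == 44 and set(otp) <= MODHEX


def public_id(otp: str) -> str:
    """The first 12 characters identify the key; the rest is the AES-encrypted counter block."""
    return otp[:12]


def sign_params(api_key_b64: str, params: dict) -> str:
    """h = base64(HMAC-SHA1(key, 'k=v&k=v...' sorted by key)), with h itself left out."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(api_key_b64: str, client_id: str, otp: str) -> dict:
    """Query parameters for /wsapi/2.0/verify: id, otp, a fresh nonce, and the signature h."""
    alphabet = string.ascii_lowercase + string.digits
    nonce = "".join(secrets.choice(alphabet) for _ in range(32))   # 16..40 chars allowed
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign_params(api_key_b64, params)
    return params


def check_response(api_key_b64: str, sent: dict, response_text: str) -> bool:
    """Accept only if the response signature verifies, it echoes our otp and nonce
    (so a captured response for another OTP cannot be replayed), and status is OK."""
    fields = dict(line.split("=", 1) for line in response_text.splitlines() if "=" in line)
    expected = sign_params(api_key_b64, fields)
    if not hmac.compare_digest(fields.get("h", ""), expected):
        return False
    return (fields.get("otp") == sent["otp"]
            and fields.get("nonce") == sent["nonce"]
            and fields.get("status") == "OK")
```

A production client should additionally reject replies whose t timestamp is stale and let the server's status codes (e.g. REPLAYED_OTP) drive the error shown to the user.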
  71. Duo Security: Hosted service (API), OTP codes, SMS messaging, Phone callback, Push notifications, NIST certified
  72. enygma/duoauth : v1.0

```php
<?php
// enygma/duoauth : v1.0
require_once 'vendor/autoload.php';

// the code the user typed; $code was undefined on the slide (source assumed)
$code = isset($_POST['code']) ? $_POST['code'] : '';

$user = new \DuoAuth\User();
if ($user->validateCode('username', $code)) {
    echo 'success!';
}
```
  80. Authy: API validated request, One time password, Bluetooth pairing, SMS messaging, Works with other OTP codes
  81. Twilio

  82. http://www.twilio.com/docs/howto/two-factor-authentication

```php
<?php
// http://www.twilio.com/docs/howto/two-factor-authentication
// The slide had rand(0, 10^10): in PHP ^ is bitwise XOR, so 10^10 is 0 and
// rand(0, 0) always returns 0. random_int() gives an unpredictable value instead.
$password = substr(md5(time() . random_int(0, 10 ** 10)), 0, 10);
$content  = 'Your new password is ' . $password;

$client = new Services_Twilio($acctSid, $token);   // $acctSid, $token: your Twilio credentials
$client->account->sms_messages->create(
    'from-phone-number',
    'to-phone-number',
    $content
);
// store code, verify when user returns
```
  84. Custom: Internal implementation, SMS send through service, Internal authorization, Custom auth requirements intact

  85. but is it enough?

  89. Weak passwords are still a problem. Why stop at two? Other options aren’t as strong, but help

  91. the unfortunate truth is that passwords are here to stay...

  97. Thanks! Questions? @enygma http://websec.io/tagged/twofactor http://joind.in/9750