Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2FA: The Rise of Two-Factor Authentication

Chris Cornutt
February 27, 2014
Technology
0
160

2FA: The Rise of Two-Factor Authentication

Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

Chris Cornutt

February 27, 2014
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
94
Pentesting for Developers
ccornutt
0
100
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
290
Securing Legacy Applications
ccornutt
0
360
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
150
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
240

Other Decks in Technology

See All in Technology
DMM.com アルファ室採用案内資料
hsugita
1
160
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.7k
TechFeed Experts Night#27 〜 フロントエンドフレームワーク最前線 (Svelte)
baseballyama
1
530
VSCodeの拡張機能を作っている話
ebarakazuhiro
1
510
web-application-security
matsuihidetoshi
0
170
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.3k
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
570
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
JSON攻略法.pdf
miyakemito
8
5.1k
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
260
本当のAWS基礎
toru_kubota
0
520
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120

Featured

See All Featured
Side Projects
sachag
451
41k
Creatively Recalculating Your Daily Design Routine
revolveconf
210
11k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
[RailsConf 2023] Rails as a piece of cake
palkan
23
4k
Navigating Team Friction
lara
178
13k
Fireside Chat
paigeccino
21
2.6k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
Six Lessons from altMBA
skipperchong
21
3k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
Web development in the modern age
philhawksworth
202
10k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k

Transcript

  1. 2FA Chris Cornutt - Confoo 2014 The rise of two-factor

    authentication

  2. A

  3. A

  4. USER & PASS A

  5. USER & PASS SECURITY QUESTIONS A

  6. USER & PASS SECURITY QUESTIONS ? A

  7. Identity is hard

  8. None

  9. who? who?

  10. Know Password PIN Konami code

  11. Know Know Have ATM Card Hardware token Cellphone

  12. Know Know Have Are Fingerprint Voice

  13. Know Are ...and sometimes where Know Know Have Are

  14. 1 2 3 4 5 6 7 8 9 0

    +

  15. )))

  16. None
  17. None

  18. Source: http://www.howtogeek.com/103041/geek-comic-for-january-28th-horrible-two-factor-authentication/

  19. 2FA myths

  20. it’s a “quick fix”

  21. it’s not easy to break

  22. Source: Authy Blog

  23. it’s cheap

  24. your users will love you

  25. 2FA advantages

  26. safer than just passwords (duh)

  27. defense in depth

  28. increase customer confidence

  29. 2FA disadvantages

  30. yet another device?

  31. not cost effective

  32. harder for users

  33. 2FA flow

  34. 1. user creates account (user/pass) 2. user configures 2FA device

    3. confirmation code sent 4. site requests code as validation ! Device configured, code sent on login

  35. 1. user creates account (user/pass) 2. user configures 2FA device

    3. user set up with 3rd party 4. 3rd party validates user ! Device configured, 3rd party request

  36. 2FA options

  37. None

  38. 2FA tech

  39. Google Authenticator

  40. Google Authenticator HMAC-based OTP RFC 4226 Time-based OTP RFC 6238

    ! base32 encoded sha1 HMAC hashed
  41. None

  42. Yubikey

  43. Yubikey API validated request OTP + Nonce + Client ID

    Signature ! Unique 44 characters 128-bit AES OTP
  44. None

  45. ccccccbjnrirungbcderlhbidgeddkcfrnffdecnnkdv

  46. ccccccbjnrir ungbcderlhbidgeddkcfrnffdecnnkdv Public ID Generated Code

  47. Duo Security

  48. Duo Security Hosted service (API) ! OTP codes SMS messaging

    Phone callback Push notifications ! NIST certified
  49. None

  50. Authy

  51. Authy API validated request One time password Bluetooth pairing SMS

    messaging ! Works with other OTP codes

  52. Custom

  53. Twilio Nexmo

  54. Custom Internal implementation ! SMS send through service Internal authorization

    Custom auth requirements intact

  55. enough? but is it

  56. Weak passwords are still a problem ! Why stop at

    two? ! Other options aren’t as strong, but help

  57. the unfortunate truth is that passwords are here to stay...

  58. Demo Time! http://iheart2fa.com https://github.com/enygma/iheart2fa

  59. Thanks Questions? @enygma http://websec.io/tagged/twofactor http://securingphp.com