Two-factor authentication

Talk given at Montreal Ruby in March 2013.

Synopsis of the talk:

Following the recent Rails vulnerabilities we all know that keeping our dependencies up-to-date is important. What is equally important is providing our users with ways of securing their accounts. We’ll look at how two-factor authentication works, a way of implementing it and how to leverage the Google Authenticator mobile app.

Christian Joudrey

March 19, 2013

Transcript

  1. MontrealRb 2013-03
    Two-factor authentication
    ...or getting away with a shitty password

  2. @cjoudrey

  4. Two-factor?
    Something you have + Something you know

  5. Two-factor?
    Something you have + Something you know

  7. It’s easy!
    Just generate random numbers!

  8. It’s easy!
    Just generate random numbers!
    Sort of...

  10. Time-based One-time Password

  11. Shared secret + Time = 123456
    Time-based One-time Password

  12. ROTP gem
    Time-based One-time Password

  13. totp = ROTP::TOTP.new('secret')
    totp.now # => 281918

  14. New password every 30 seconds
    Time-based One-time Password

  15. totp.now # => 281918
    totp.verify(281918) # => true
    sleep 30
    totp.verify(281918) # => false

  16. Getting the secret on the device
    Time-based One-time Password

  18. totp.provisioning_uri('my app')
    # => "otpauth://totp/my%20app?secret=secret"

  19. totp.provisioning_uri('Sample App ...')

  20. What about SMS?
    Time-based One-time Password

  21. totp.now # => 281918
    sleep 30
    totp.verify(281918) # => false
    totp.verify_with_drift(281918, 30) # => true

  22. In practice

  23. Demo

  24. Generate user secret

  25. class User < ActiveRecord::Base
        # ...
        before_create :set_auth_secret

        private

        # Per-user shared secret, generated once and stored alongside the account.
        def set_auth_secret
          self.auth_secret = ROTP::Base32.random_base32
        end
      end
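
The following is an added example written for this page; it is not part of the talk and not the rotp gem's code. It rebuilds what slides 13, 15, 18, 21 and 25 call on the gem for (`ROTP::TOTP#now`, `#verify`, `#verify_with_drift`, `#provisioning_uri`, `ROTP::Base32.random_base32`) from the Ruby standard library only, following RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits). The module name `MiniTOTP`, its method names and the `drift_seconds:` keyword are this example's own; the secret `RFC_SECRET` is the RFC 6238 reference key in base32, used here as constructed test input.

```ruby
require 'openssl'
require 'securerandom'
require 'erb'

# Added example (not from the talk and not the rotp gem): RFC 6238 TOTP built from
# the Ruby standard library, so the work behind ROTP::TOTP#now, #verify,
# #verify_with_drift, #provisioning_uri and ROTP::Base32.random_base32 is visible.
module MiniTOTP
  ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze # RFC 4648 base32 alphabet
  STEP     = 30                                         # seconds per time window
  DIGITS   = 6                                          # code length
  # Constructed demo input: RFC 6238 reference secret (ASCII "12345678901234567890") in base32.
  RFC_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze

  # 160-bit secret as 32 base32 characters, the form authenticator apps accept.
  def self.random_base32
    Array.new(32) { ALPHABET[SecureRandom.random_number(ALPHABET.size)] }.join
  end

  # Decode a base32 secret (case-insensitive, '=' padding optional) into raw bytes.
  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map do |c|
      idx = ALPHABET.index(c)
      raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
      idx.to_s(2).rjust(5, '0')
    end.join
    bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack('C*')
  end

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
  # truncation to a zero-padded DIGITS-long string.
  def self.hotp(secret_bytes, counter)
    h = OpenSSL::HMAC.digest('sha1', secret_bytes, [counter].pack('Q>')).bytes
    offset = h[19] & 0x0f
    code = ((h[offset] & 0x7f) << 24) | (h[offset + 1] << 16) |
           (h[offset + 2] << 8) | h[offset + 3]
    format("%0#{DIGITS}d", code % 10**DIGITS)
  end

  # TOTP (RFC 6238): HOTP with counter = floor(unix_time / STEP), so the code
  # changes every 30 seconds.
  def self.now(base32_secret, at: Time.now)
    hotp(base32_decode(base32_secret), at.to_i / STEP)
  end

  # Accept the code for any window within +/- drift_seconds of `at`. With
  # drift_seconds: 0 this is ROTP's verify; with 30 it is verify_with_drift(otp, 30),
  # which absorbs SMS delivery delay or a slightly wrong clock on the phone.
  def self.verify(base32_secret, otp, at: Time.now, drift_seconds: 0)
    key = base32_decode(base32_secret)
    expected = otp.to_s.rjust(DIGITS, '0')
    first = (at.to_i - drift_seconds) / STEP
    last  = (at.to_i + drift_seconds) / STEP
    (first..last).any? { |counter| secure_equal?(hotp(key, counter), expected) }
  end

  # The otpauth:// URI that ends up in the QR code Google Authenticator scans.
  def self.provisioning_uri(label, base32_secret)
    "otpauth://totp/#{ERB::Util.url_encode(label)}?secret=#{base32_secret}"
  end

  # Constant-time comparison so a wrong guess does not leak how many digits matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts MiniTOTP.now(MiniTOTP::RFC_SECRET, at: Time.at(59))              # 287082 (RFC 6238 vector)
  puts MiniTOTP.verify(MiniTOTP::RFC_SECRET, '287082', at: Time.at(89)) # false: next window
  puts MiniTOTP.verify(MiniTOTP::RFC_SECRET, '287082', at: Time.at(89), drift_seconds: 30) # true
  puts MiniTOTP.provisioning_uri('my app', MiniTOTP.random_base32)
end
```

Two details worth noticing: the code is returned as a zero-padded string rather than the integer the slides show, because a code such as 081804 loses its leading zero as an integer and then fails to match what the user types; and the comparison is constant-time, so the verify step does not become a digit-by-digit oracle. The drift window is a trade-off: every extra window you accept widens the guessing space for an attacker by the same amount, so keep it at the one or two steps needed for SMS latency and clock skew.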

  27. Validating the client

  28. class AdminController < ApplicationController
        # ...
        before_filter :authenticate_user!
        before_filter :validate_client

        private

        # Identify the browser by a signed cookie; issue a fresh id when none is present.
        def validate_client
          # ...
          client_id = cookies.signed[:client_id] || SecureRandom.uuid
          # ...
        end
      end

  29. create_table 'devices' do |t|
        t.string 'client_id'
        t.integer 'user_id'
        t.datetime 'authenticated_at'
        # ...
      end

  30. HTTP Cookies

  31. HTTP Cookies
    httponly

  32. HTTP Cookies
    secure

  33. HTTP Cookies
    signed

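
The following is an added example written for this page, not code from the talk or from Rails. It shows what slides 28 through 33 rely on: a signed `client_id` cookie, the `HttpOnly` and `Secure` attributes, and the devices table that records which browser has already passed the second factor for which user. `ClientValidator`, its method names, the `value--hexdigest` cookie layout (a simplification of what Rails' signed cookies actually emit) and the in-memory hash standing in for the `devices` table are all this example's own assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the talk, not Rails): a stand-in for
# `cookies.signed[:client_id]` plus the devices lookup from slides 28-29.
# Cookie layout `value--hexdigest` is a simplification of Rails' MessageVerifier.
class ClientValidator
  def initialize(key, devices = {})
    @key = key          # server-side signing secret (Rails derives it from secret_key_base)
    @devices = devices  # constructed in-memory stand-in for the devices table:
                        # { [user_id, client_id] => authenticated_at }
  end

  # "signed": the value is HMAC'd with a server secret, so editing client_id in
  # the browser invalidates it; the cookie is readable but not forgeable.
  def sign_cookie(client_id)
    "#{client_id}--#{hmac(client_id)}"
  end

  # Returns the client_id when the signature checks out, nil for missing or
  # tampered cookies (the caller then treats the browser as unknown).
  def read_cookie(raw)
    client_id, sig = raw.to_s.split('--', 2)
    return nil if client_id.nil? || client_id.empty? || sig.nil?
    secure_equal?(hmac(client_id), sig) ? client_id : nil
  end

  # "httponly": page scripts cannot read it; "secure": never sent over plain HTTP.
  def set_cookie_header(client_id)
    "client_id=#{sign_cookie(client_id)}; Path=/; HttpOnly; Secure"
  end

  # The before_filter from slide 28: a known (user, device) pair is trusted, anything
  # else gets a fresh id and has to present a TOTP code before being remembered.
  def validate_client(user_id, raw_cookie)
    client_id = read_cookie(raw_cookie) || SecureRandom.uuid
    { client_id: client_id,
      trusted: @devices.key?([user_id, client_id]),
      set_cookie: set_cookie_header(client_id) }
  end

  # Called only after the TOTP check succeeded: this browser is now known for this user.
  def remember_device(user_id, client_id, at: Time.now)
    @devices[[user_id, client_id]] = at
  end

  private

  def hmac(value)
    OpenSSL::HMAC.hexdigest('sha256', @key, value)
  end

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  v = ClientValidator.new('constructed-demo-key')
  first = v.validate_client(42, nil)                      # unknown browser: trusted false
  puts first[:set_cookie]
  v.remember_device(42, first[:client_id])                # after a successful TOTP check
  puts v.validate_client(42, v.sign_cookie(first[:client_id]))[:trusted] # true
  puts v.validate_client(7, v.sign_cookie(first[:client_id]))[:trusted]  # false: other user
end
```

The devices key pairs `user_id` with `client_id`, which is the point of the table: a browser remembered for one account does not skip the second factor for another account logged in from the same browser. Because the signature lives in the cookie, the server needs no session state to reject a forged `client_id`; it only consults the table for ids that verified.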
  34. Pitfalls

  35. Pitfalls
    Dead phone

  36. Pitfalls
    New phone

  37. Pitfalls
    Time not properly set on phone

  39. Thanks!
    Questions?
