Two-factor authentication

Talk given at Montreal Ruby in March 2013.

Synopsis of the talk:

Following the recent Rails vulnerabilities, we all know that keeping our dependencies up to date is important. Equally important is giving our users ways of securing their accounts. We'll look at how two-factor authentication works, one way of implementing it, and how to leverage the Google Authenticator mobile app.

Christian Joudrey

March 19, 2013
Transcript

  1. MontrealRb 2013-03
    Two-factor authentication
    ...or getting away with a shitty password

  2. @cjoudrey

  3. Two-factor?
    Something you have
    +
    Something you know

  4. Two-factor?
    Something you have
    +
    Something you know

  5. It’s easy!
    Just generate random numbers!

  6. It’s easy!
    Just generate random numbers!
    Sort of...

  7. Time-based One-time Password

  8. Shared secret + Time = 123456
    Time-based One-time Password

  9. ROTP gem
    Time-based One-time Password

  10. totp = ROTP::TOTP.new('secret')
    totp.now # => 281918

  11. New password every 30 seconds
    Time-based One-time Password

  12. totp.now # => 281918
    totp.verify(281918) # => true
    sleep 30
    totp.verify(281918) # => false

  13. Getting the secret on the device
    Time-based One-time Password

  14. totp.provisioning_uri('my app')
    # => "otpauth://totp/my%20app?secret=secret"

  15. totp.provisioning_uri('Sample App ...')

  16. What about SMS?
    Time-based One-time Password

  17. totp.now # => 281918
    sleep 30
    totp.verify(281918) # => false
    totp.verify_with_drift(281918, 30) # => true

  18. Generate user secret

  19. class User < ActiveRecord::Base
      # ...
      before_create :set_auth_secret

      private

      def set_auth_secret
        self.auth_secret = ROTP::Base32.random_base32
      end
    end

  20. Validating the client

  21. class AdminController < ApplicationController
      # ...
      before_filter :authenticate_user!
      before_filter :validate_client

      private

      def validate_client
        # ...
        client_id = cookies.signed[:client_id] || SecureRandom.uuid
        # ...
      end
    end

  22. create_table 'devices' do |t|
      t.string 'client_id'
      t.integer 'user_id'
      t.datetime 'authenticated_at'
      # ...
    end

  23. HTTP Cookies

  24. HTTP Cookies
    httponly

  25. HTTP Cookies
    secure

  26. HTTP Cookies
    signed

  27. Pitfalls
    Dead phone

  28. Pitfalls
    New phone

  29. Pitfalls
    Time not properly set on phone

  30. Thanks!
    Questions?

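As an added example that is not the talk's code or the ROTP gem's (the names `hotp`, `totp`, `verify_totp` and the base32 helper are my own), here is what slides 8 through 17 describe, built only on the Ruby standard library: the code is HMAC-SHA1 of the shared secret over the current 30-second time step, and verifying with drift checks the neighbouring steps, which is what makes a delayed SMS code or a slightly mis-set phone clock (slide 29) still pass. The test secret is the RFC 4226/6238 reference key, so the outputs can be checked against the published vectors.

```ruby
require 'openssl'

# Added example (not from the talk or the ROTP gem): a minimal RFC 6238 TOTP
# built only on the Ruby standard library, to show what ROTP::TOTP#now,
# #verify and #verify_with_drift compute. The secret is the base32-encoded
# string that appears in the otpauth:// provisioning URI.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
# Base32 of the RFC 4226/6238 reference key "12345678901234567890".
RFC_TEST_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze

def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c}"
    idx.to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Compare without leaking the position of the first mismatching byte.
def constant_time_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits.
def hotp(secret, counter, digits: 6)
  hmac   = OpenSSL::HMAC.digest('SHA1', base32_decode(secret), [counter].pack('Q>'))
  offset = hmac.bytes.last & 0x0f
  code   = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

# TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch,
# so "shared secret + time = code" and the code rolls over every 30 seconds.
def totp(secret, at: Time.now.to_i, interval: 30)
  hotp(secret, at / interval)
end

# Accept codes from neighbouring time steps (+/- drift seconds), which is what
# tolerates an SMS delivery delay or a slightly mis-set phone clock.
def verify_totp(secret, code, at: Time.now.to_i, interval: 30, drift: 0)
  steps = drift / interval
  (-steps..steps).any? { |s| constant_time_eq(totp(secret, at: at + s * interval), code.to_s) }
end

if __FILE__ == $PROGRAM_NAME
  puts "at t=59: #{totp(RFC_TEST_SECRET, at: 59)}" # => 287082 (RFC 6238 vector)
end
```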