Two-factor authentication

Talk given at Montreal Ruby in March 2013.

Synopsis of the talk:

Following the recent Rails vulnerabilities we all know that keeping our dependencies up-to-date is important. What is equally important is providing our users with ways of securing their accounts. We’ll look at how two-factor authentication works, a way of implementing it and how to leverage the Google Authenticator mobile app.

Christian Joudrey

March 19, 2013

Transcript

  1. MontrealRb 2013-03: Two-factor authentication ...or getting away with a shitty password
  2. @cjoudrey

  3. (no text on slide)
  4. Two-factor? Something you know + Something you have

  5. Two-factor? Something you know + Something you have

  6. (no text on slide)
  7. It’s easy! Just generate random numbers!

  8. It’s easy! Just generate random numbers! Sort of...

  9. (no text on slide)
  10. Time-based One-time Password

  11. Time-based One-time Password: Shared secret + Time = 123456

  12. Time-based One-time Password: ROTP gem

  13. totp = ROTP::TOTP.new('secret')
      totp.now # => 281918

  14. Time-based One-time Password: new password every 30 seconds

  15. totp.now # => 281918
      totp.verify(281918) # => true
      sleep 30
      totp.verify(281918) # => false
  16. Time-based One-time Password: getting the secret on the device

  17. (no text on slide)
  18. totp.provisioning_uri('my app') # => "otpauth://totp/my%20app?secret=secret"

  19. totp.provisioning_uri('Sample App ...')

  20. Time-based One-time Password: what about SMS?

  21. totp.now # => 281918
      sleep 30
      totp.verify(281918) # => false
      totp.verify_with_drift(281918, 30) # => true
  22. In practice

  23. Demo

  24. Generate user secret

  25. class User < ActiveRecord::Base
        # ...
        before_create :set_auth_secret

        private

        def set_auth_secret
          self.auth_secret = ROTP::Base32.random_base32
        end
      end
  26. (no text on slide)
  27. Validating the client

  28. class AdminController < ApplicationController
        # ...
        before_filter :authenticate_user!
        before_filter :validate_client

        private

        def validate_client
          # ...
          client_id = cookies.signed[:client_id] || SecureRandom.uuid
          # ...
        end
      end
  29. create_table 'devices' do |t|
        t.string 'client_id'
        t.integer 'user_id'
        t.datetime 'authenticated_at'
        # ...
      end
  30. HTTP Cookies

  31. HTTP Cookies httponly

  32. HTTP Cookies secure

  33. HTTP Cookies signed

  34. Pitfalls

  35. Pitfalls Dead phone

  36. Pitfalls New phone

  37. Pitfalls Time not properly set on phone

  38. (no text on slide)
  39. Thanks! Questions?
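Worked example for the two parts of the talk: the TOTP mechanics behind slides 10 to 21 (shared secret + time = code, the 30-second step, drift tolerance, the otpauth:// provisioning URI) and the remembered-device cookie of slides 27 to 33. This is an added example and not code from the talk or from the ROTP gem: it reimplements RFC 4226/6238 with only the Ruby standard library so every step is visible. The base32 secret below is the published RFC 6238 test-vector secret ("12345678901234567890"), and the DeviceToken key, client id and timestamps are constructed for the demo. DeviceToken is a stand-in for Rails' cookies.signed, not the Rails implementation.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'erb'

# Added example, not code from the talk or from the ROTP gem: RFC 6238 TOTP
# built from the Ruby standard library, so the "shared secret + time" step
# and the drift window can be inspected directly.
module MiniTOTP
  ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

  # Decode an RFC 4648 base32 secret, the format Google Authenticator scans.
  def self.base32_decode(str)
    bits = str.upcase.delete('= ').each_char.map do |c|
      idx = ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c.inspect}"
      idx.to_s(2).rjust(5, '0')
    end.join
    bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
  end

  # Constant-time string comparison, so a wrong code cannot be told apart
  # from a nearly-right one by response time.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
  # truncation to 31 bits, then the last `digits` decimal digits.
  def self.hotp(secret_bytes, counter, digits: 6)
    msg = [counter >> 32, counter & 0xFFFFFFFF].pack('N2')
    h = OpenSSL::HMAC.digest('SHA1', secret_bytes, msg).bytes
    offset = h[19] & 0x0f
    code = (h[offset] & 0x7f) << 24 | h[offset + 1] << 16 | h[offset + 2] << 8 | h[offset + 3]
    (code % 10**digits).to_s.rjust(digits, '0')
  end

  # TOTP (RFC 6238): HOTP with counter = floor(unix_time / step), step 30 s.
  def self.totp(base32_secret, at: Time.now.to_i, step: 30, digits: 6)
    hotp(base32_decode(base32_secret), at / step, digits: digits)
  end

  # Accept the current step plus `drift` steps either side; this is the
  # tolerance ROTP's verify_with_drift gives slow phones and delayed SMS.
  def self.verify(base32_secret, candidate, at: Time.now.to_i, step: 30, drift: 1)
    (-drift..drift).any? do |d|
      secure_eq(totp(base32_secret, at: at + d * step, step: step), candidate.to_s)
    end
  end

  # otpauth:// URI that Google Authenticator reads from a QR code.
  def self.provisioning_uri(base32_secret, label, issuer: nil)
    uri = "otpauth://totp/#{ERB::Util.url_encode(label)}?secret=#{base32_secret}"
    issuer ? "#{uri}&issuer=#{ERB::Util.url_encode(issuer)}" : uri
  end
end

# Signed "remembered device" token: a stdlib stand-in for Rails'
# cookies.signed[:client_id] plus the devices table from the talk.
module DeviceToken
  SEP = '--' # not in the strict base64 alphabet, so splitting is unambiguous

  # `key` is the server-side signing key (constructed in the demo below;
  # in a Rails app it is derived from secret_key_base).
  def self.issue(client_id, user_id, authenticated_at, key)
    payload = Base64.strict_encode64(JSON.generate(
      'client_id' => client_id, 'user_id' => user_id, 'authenticated_at' => authenticated_at
    ))
    payload + SEP + OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  end

  # Returns the payload if the signature is valid, the token belongs to this
  # user and the device was authenticated within `max_age`; otherwise nil,
  # which the controller treats as "prompt for a TOTP code again".
  def self.verify(token, user_id, key, now:, max_age: 30 * 24 * 3600)
    payload, sig = token.to_s.split(SEP, 2)
    return nil unless payload && sig
    return nil unless MiniTOTP.secure_eq(OpenSSL::HMAC.hexdigest('SHA256', key, payload), sig)
    data = JSON.parse(Base64.strict_decode64(payload))
    return nil unless data['user_id'] == user_id
    return nil unless now - data['authenticated_at'] <= max_age
    data
  end
end

if __FILE__ == $0
  secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' # RFC 6238 test secret, base32
  puts MiniTOTP.provisioning_uri(secret, 'Sample App', issuer: 'MontrealRb')
  puts MiniTOTP.totp(secret, at: 59)              # 287082
  puts MiniTOTP.verify(secret, '287082', at: 89)  # true: one step late, inside drift
  puts MiniTOTP.verify(secret, '287082', at: 120) # false: two steps late
end
```

Two practitioner notes. Treat codes as strings end to end: the RFC vector at t=1111111109 is 081804, and passing an Integer as the slides do would drop the leading zero. And the device token only answers "did this browser pass 2FA recently for this user"; it must travel in a cookie that is httponly, secure and signed, as slides 31 to 33 say, or a stolen or forged client_id lets an attacker skip the second factor entirely.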