Two Factor Authentication and You

WHO AM I?
•President and Co-Founder of E-Moxie - www.emoxie.com

•Baltimore, MD

•PHP Developer, System Administrator, Tinkerer

•Meetup Organizer - Baltimore PHP/Mobile/API

•Trainer

•Maximize efﬁciencies and make life easier (mainly mine)

•I’ve seen things, and learned a bit on the way

!
[email protected]

Twitter: @cmstone

View Slide

BACKGROUND OF THIS TALK

View Slide

WHAT IS TWO FACTOR AUTH?
•Not a new concept

•Two pieces of information needed (in addition to a username)

•Something you know and something you have

•First factor is typically a password (The know)

•Second factor is typically a uniquely generated code (The have)

View Slide

WHAT’S THE MOST COMMON EXAMPLE
OF TWO-FACTOR AUTHENTICATION?

View Slide

ATM
•Requires something you have (ATM Card)

•Requires something you know (Pin Code)

View Slide

How do you get that second factor?
DELIVERY MECHANISMS
•E-Mail

•SMS/Voice

•App

View Slide

E-MAIL -THE GOOD :)
•Wide adoption

•Everyone has an email address (or a few)

•If you don’t, it’s pretty easy to get one

View Slide

E-MAIL - THE BAD :(
•Prone to failure

•Delivery problems

•Message blocking

•SPAM

•Send/Receive Problems

•Requires Internet/Network Access

•More mail?? Who really wants to get more?

View Slide

SMS

View Slide

SMS - GOOD THINGS!
•Mobile device required (or a service like Google Voice)

•SMS Penetration is high

•Easy to implement

•Global support

View Slide

SMS - BAD THINGS :(
•Can’t receive SMS

•Could cost money

•Network

•Delivery delays

•Lost messages

•Power?

•Threat could have access to a web front end!

•Susceptible to architecture issues

View Slide

TWILIO
•REST API

•Get your own number

•Send a text message just like you would with any other app

View Slide

NEXMO
•php[tek] Sponsor - yay!

•Shared short code

•REST API

!
•API Key & Secret

•Destination & Pin
curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key}
&api_secret={api_secret}&to=14435281326&pin=1234"

View Slide

MOBILE APP

View Slide

MOBILE APP
•Roll Your Own

•Push Notices

•Login Approvals

•Authy

•Duosecurity

•Google Authenticator

View Slide

MOBILE APP

View Slide

•Easy to use

•DOES NOT rely on an Internet connection

•DOES NOT rely on cellular connection

•Google just provides the app

•Implements time-based on-time passwords (TOTP)

•Open source (kind of)

•All of those password thefts? Could be kind of a non-issue

•Not just for websites
GOOGLE AUTHENTICATOR

View Slide

•No power!

•Lost phone/device

•Broken phone/device

•Susceptible to architecture and workﬂow issues
GOOGLE AUTHENTICATOR - PITFALLS

View Slide

TOTP
•Time-based One-time Password Algorithm

•Computed from a shared secret key and the current time.

•Combines secret with timestamp using a cryptographic hash func

•Typically increases in 30-second intervals

•Allows for a time drift

•RFC 6238

View Slide

APPLICATION
•base32 encoding and decoding

•random secret key

•timestamp

•~30 lines of code

View Slide

https://github.com/cmstone/phptek2014-two-factor

View Slide

Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-‐two-‐factor/
23
WORKFLOW OVERVIEW
$username = '[email protected]';
$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();
!
$secretKey = Base32::decode($userkey);
$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);

View Slide

24
Step 1 - Generate a random secret key
TwoFactor::generateKey();
———————
public static function generateKey($length = 16) {
$key = "";
!
for ($i = 0; $i < $length; $i++) {
$key .= Base32::getRandom();
}
!
return $key;
}
!
// Gives you something like: CHBEYSUCFDAECIHM
WORKFLOW

View Slide

25
Step 1 - Generate a random secret key
// Gives you something like: CHBEYSUCFDAECIHM
WORKFLOW

View Slide

26
Step 2 - Get the current timestamp
TwoFactor::getTimestamp();
———————
public static function getTimestamp() {
return floor(microtime(true) / self::keyRegeneration);
}
!
// Gives you something like: 46692614
WORKFLOW

View Slide

27
WORKFLOW
Step 3 - Decode
$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();
!
$secretKey = Base32::decode($userkey);
!
// $secretKey = ?LJ?(?A ?

View Slide

28
WORKFLOW
$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
———————
public static function getSecret($key, $counter) {
if (strlen($key) < 8) {
throw new Exception('Secret key is too short. Must be at least 16 base 32 characters');
}
!
$bin_counter = pack('N*', 0) . pack('N*', $counter); // Counter must be 64-‐bit int
$hash = hash_hmac('sha1', $bin_counter, $key, true);
!
return str_pad(self::oathTruncate($hash), self::otpLength, '0', STR_PAD_LEFT);
}
!
// $currentPassword = 373604
Step 4 - Decode

View Slide

ADDITIONAL RESOURCES
Bypassing two-factor authentication
http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-
yahoo-linkedin-and-many-others/

!
Google Authenticator Code:
https://code.google.com/p/google-authenticator/

View Slide

QUESTIONS?

View Slide

THANKS!
Please reach out to me @cmstone or [email protected]
Please rate and give feedback!!
https://joind.in/10645

View Slide

Two Factor Authentication and You

Two Factor Authentication and You

Chris Stone

More Decks by Chris Stone

Other Decks in Technology

Featured

Transcript