Going Password-Free

46093583d8895095adb1b0071c505af2?s=47 Eric Mann
February 03, 2017
Technology
0
79

Going Password-Free

Passwordless authentication via Tozny as presented at SunshinePHP 2017

46093583d8895095adb1b0071c505af2?s=128

Eric Mann

February 03, 2017
Tweet

Want more?

46093583d8895095adb1b0071c505af2?s=48 ericmann
0
45
46093583d8895095adb1b0071c505af2?s=48 ericmann
0
53
46093583d8895095adb1b0071c505af2?s=48 ericmann
0
66
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
2
150
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
1
74
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
68
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
5
140
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
4
160
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
2
220
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
2
430
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
120
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
200

Transcript

  1. 1.

    Going Password-Free Sunshine PHP 2017

  2. 2.

    90

  3. 3.

    19

  4. 4.

    hunter2

  5. 5.
    None
  6. 6.

    How can we fix it? Password managers help Password strength

    meters (zxcvbn) help Two-factor authentication helps But why require a password at all?
  7. 7.
    None
  8. 8.

    A PHP Example Defer to a 3rd party for email

    & validation Use the SlimPHP framework for quick bootstrapping Allow either password or password-less authentication
  9. 9.

    Authentication Provider Free developer preview Powers both link-based and push-based

    auth Supports PHP (and other langs)
  10. 10.

    Endpoints $app->get('/', function($request, $response, $args) {
 // Render index view


    return $this->renderer->render($response, 'index.phtml', $args);
 }); $app->get('/register', function($request, $response, $args) {
 // Render registration view
 return $this->renderer->render($response, ‘register.phtml', $args);
 }); $app->get('/authenticated', function($request, $response, $args) {
 // Render protected view
 return $this->renderer->render($response, ‘authenticated.phtml', $args);
 });
  11. 11.

    Endpoints $app->get('/authenticated', function($request, $response, $args) {
 if ( 
 !

    isset( $_SESSION['username'] ) || 
 ! $this->users->get( $_SESSION['username'] ) 
 ) {
 return $response->withRedirect('/?error=notloggedin');
 }
 
 // Render protected view
 return $this->renderer->render($response, ‘authenticated.phtml', $args);
 });
  12. 12.

    Endpoints $app->any('/login', function($request, $response, $args) {
 return $response->withRedirect('/?error=invalidlogin');
 }); $app->get('/logout',

    function($request, $response, $args) {
 session_destroy();
 
 return $response->withRedirect('/?loggedout');
 });
  13. 13.
    None
  14. 14.

    Middleware class PasswordAuth {
 private $c;
 
 public function __construct($cont)

    {$this->c = $cont;}
 
 public function __invoke($req, $res, $next) {
 $user = $req->getParam(‘username’);
 $pass = $req->getParam(‘password’);
 
 if (empty($u) || empty($p)) return $res = $next($req, res);
 
 if ($this->c->validAuth($user, $pass)) {
 $_SESSION[‘username’] = $user;
 return $res = $res->withRedirect(‘/authenticated’);
 }
 return $res = $res->withRedirect(‘/?error=invalidlogin’);
 }
 }
  15. 15.

    Endpoints $app->any('/login', function($request, $response, $args) {
 return $response->withRedirect('/?error=invalidlogin');
 })->add(new PasswordAuth($container));

  16. 16.

    Endpoints $app->any('/login', function($request, $response, $args) {
 if($request->getParam(‘magiclink’) && $request->getParam(‘username’)) {


    $user = $this->users->get($request->getParam(‘username’));
 $sent = sendMagicLink($user->email);
 
 if(‘ok’ === $sent[‘return’])
 return $response->withRedirect(‘/?message=checkemail’);
 }
 return $response->withRedirect('/?error=invalidlogin');
 })->add(new PasswordAuth($container));
  17. 17.

    Middleware class MagicLinkAuth {
 private $c;
 
 public function __construct($cont)

    {$this->c = $cont;}
 
 public function __invoke($req, $res, $next) {
 $toznyo = $req->getParam(‘toznyo’);
 $toznyr = $req->getParam(‘toznyr’);
 
 if (empty($toznyo) || empty($toznyr)) {
 $res = $next($req, res);
 } else {
 if ($this->c->validLink($toznyo, $toznyr) {
 $user = $this->c->users->getUserFromLink($toznyo);
 $_SESSION[‘username’] = $user->username;
 $res = $res->withRedirect(‘/authenticated’);
 }
 }
 return $res;
 }
 }
  18. 18.

    Endpoints $app->any('/login', function($request, $response, $args) {
 return $response->withRedirect('/?error=invalidlogin');
 })->add(new PasswordAuth($container))->add(new

    MagicLinkAuth($container));
  19. 19.

    What just happened? Registered users can authenticate with their password

    Registered users can request a secure, one-time login link sent to their inbox The application doesn’t care which way the users authenticate
  20. 20.

    How does this benefit us? One less password for users

    to remember More flexible authentication schemes for existing users The middleware stack could be further extended to support TOTP/HOTP/ U2F/etc
  21. 21.

    What are the risks? Your users’ accounts are only as

    secure as their email
  22. 22.

    Questions?

  23. 23.

    Thank You! Eric Mann - @ericmann - http://eam.me/10v - https://tozny.com