Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Going Password-Free
Search
Eric Mann
February 03, 2017
Technology
0
160
Going Password-Free
Passwordless authentication via Tozny as presented at SunshinePHP 2017
Eric Mann
February 03, 2017
Tweet
Share
More Decks by Eric Mann
See All by Eric Mann
Evolution of PHP Security
ericmann
0
74
PHP, Meet AI
ericmann
0
65
Asynchronous Awesome
ericmann
0
160
WordPress, Meet AI
ericmann
0
41
Cooking with Credentials
ericmann
0
52
OWASP Top Ten in Review
ericmann
0
46
Monkeys in the Machine
ericmann
0
200
Asynchronous Awesome
ericmann
0
320
Evolution of PHP Security
ericmann
0
360
Other Decks in Technology
See All in Technology
Four Keysから始める信頼性の改善 - SRE NEXT 2025
ozakikota
0
240
SREの次のキャリアの道しるべ 〜SREがマネジメントレイヤーに挑戦して、 気づいたこととTips〜
coconala_engineer
1
3.8k
全部AI、全員Cursor、ドキュメント駆動開発 〜DevinやGeminiも添えて〜
rinchsan
6
3.4k
cdk initで生成されるあのファイル達は何なのか/cdk-init-generated-files
tomoki10
1
620
SEQUENCE object comparison - db tech showcase 2025 LT2
nori_shinoda
0
290
Figma Dev Mode MCP Serverを用いたUI開発
zoothezoo
0
130
Lakebaseを使ったAIエージェントを実装してみる
kameitomohiro
0
190
VS CodeとGitHub Copilotで爆速開発!アップデートの波に乗るおさらい会 / Rapid Development with VS Code and GitHub Copilot: Catch the Latest Wave
yamachu
2
390
QuickSight SPICE の効果的な運用戦略~S3 + Athena 構成での実践ノウハウ~/quicksight-spice-s3-athena-best-practices
emiki
0
270
【Oracle Cloud ウェビナー】【入門&再入門】はじめてのOracle Cloud Infrastructure [+最新情報]
oracle4engineer
PRO
1
110
How Do I Contact HP Printer Support? [Full 2025 Guide for U.S. Businesses]
harrry1211
0
130
データ戦略部門 紹介資料
sansan33
PRO
1
3.3k
Featured
See All Featured
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Bash Introduction
62gerente
613
210k
Code Reviewing Like a Champion
maltzj
524
40k
Agile that works and the tools we love
rasmusluckow
329
21k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Automating Front-end Workflow
addyosmani
1370
200k
Done Done
chrislema
184
16k
Balancing Empowerment & Direction
lara
1
450
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.4k
Intergalactic Javascript Robots from Outer Space
tanoku
271
27k
The Straight Up "How To Draw Better" Workshop
denniskardys
235
140k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
21
1.3k
Transcript
Going Password-Free Sunshine PHP 2017
90
19
hunter2
None
How can we fix it? Password managers help Password strength
meters (zxcvbn) help Two-factor authentication helps But why require a password at all?
None
A PHP Example Defer to a 3rd party for email
& validation Use the SlimPHP framework for quick bootstrapping Allow either password or password-less authentication
Authentication Provider Free developer preview Powers both link-based and push-based
auth Supports PHP (and other langs)
Endpoints $app->get('/', function($request, $response, $args) { // Render index view
return $this->renderer->render($response, 'index.phtml', $args); }); $app->get('/register', function($request, $response, $args) { // Render registration view return $this->renderer->render($response, ‘register.phtml', $args); }); $app->get('/authenticated', function($request, $response, $args) { // Render protected view return $this->renderer->render($response, ‘authenticated.phtml', $args); });
Endpoints $app->get('/authenticated', function($request, $response, $args) { if ( !
isset( $_SESSION['username'] ) || ! $this->users->get( $_SESSION['username'] ) ) { return $response->withRedirect('/?error=notloggedin'); } // Render protected view return $this->renderer->render($response, ‘authenticated.phtml', $args); });
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); }); $app->get('/logout',
function($request, $response, $args) { session_destroy(); return $response->withRedirect('/?loggedout'); });
None
Middleware class PasswordAuth { private $c; public function __construct($cont)
{$this->c = $cont;} public function __invoke($req, $res, $next) { $user = $req->getParam(‘username’); $pass = $req->getParam(‘password’); if (empty($u) || empty($p)) return $res = $next($req, res); if ($this->c->validAuth($user, $pass)) { $_SESSION[‘username’] = $user; return $res = $res->withRedirect(‘/authenticated’); } return $res = $res->withRedirect(‘/?error=invalidlogin’); } }
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container));
Endpoints $app->any('/login', function($request, $response, $args) { if($request->getParam(‘magiclink’) && $request->getParam(‘username’)) {
$user = $this->users->get($request->getParam(‘username’)); $sent = sendMagicLink($user->email); if(‘ok’ === $sent[‘return’]) return $response->withRedirect(‘/?message=checkemail’); } return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container));
Middleware class MagicLinkAuth { private $c; public function __construct($cont)
{$this->c = $cont;} public function __invoke($req, $res, $next) { $toznyo = $req->getParam(‘toznyo’); $toznyr = $req->getParam(‘toznyr’); if (empty($toznyo) || empty($toznyr)) { $res = $next($req, res); } else { if ($this->c->validLink($toznyo, $toznyr) { $user = $this->c->users->getUserFromLink($toznyo); $_SESSION[‘username’] = $user->username; $res = $res->withRedirect(‘/authenticated’); } } return $res; } }
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container))->add(new
MagicLinkAuth($container));
What just happened? Registered users can authenticate with their password
Registered users can request a secure, one-time login link sent to their inbox The application doesn’t care which way the users authenticate
How does this benefit us? One less password for users
to remember More flexible authentication schemes for existing users The middleware stack could be further extended to support TOTP/HOTP/ U2F/etc
What are the risks? Your users’ accounts are only as
secure as their email
Questions?
Thank You! Eric Mann - @ericmann - http://eam.me/10v - https://tozny.com