Going Password-Free
Eric Mann
February 03, 2017
Passwordless authentication via Tozny as presented at SunshinePHP 2017
Transcript
Going Password-Free Sunshine PHP 2017
hunter2
How can we fix it?
Password managers help
Password strength meters (zxcvbn) help
Two-factor authentication helps
But why require a password at all?
A PHP Example
Defer to a 3rd party for email & validation
Use the SlimPHP framework for quick bootstrapping
Allow either password or password-less authentication

Authentication Provider
Free developer preview
Powers both link-based and push-based auth
Supports PHP (and other langs)
Endpoints

```php
$app->get('/', function($request, $response, $args) {
    // Render index view
    return $this->renderer->render($response, 'index.phtml', $args);
});
$app->get('/register', function($request, $response, $args) {
    // Render registration view
    return $this->renderer->render($response, 'register.phtml', $args);
});
$app->get('/authenticated', function($request, $response, $args) {
    // Render protected view
    return $this->renderer->render($response, 'authenticated.phtml', $args);
});
```
Endpoints

```php
$app->get('/authenticated', function($request, $response, $args) {
    // Only render the protected view for a user with a live session
    if (!isset($_SESSION['username']) || !$this->users->get($_SESSION['username'])) {
        return $response->withRedirect('/?error=notloggedin');
    }
    // Render protected view
    return $this->renderer->render($response, 'authenticated.phtml', $args);
});
```
Endpoints

```php
$app->any('/login', function($request, $response, $args) {
    // Reached only when no middleware has authenticated the request
    return $response->withRedirect('/?error=invalidlogin');
});
$app->get('/logout', function($request, $response, $args) {
    session_destroy();
    return $response->withRedirect('/?loggedout');
});
```
Middleware

```php
class PasswordAuth {
    private $c;
    public function __construct($cont) { $this->c = $cont; }
    public function __invoke($req, $res, $next) {
        $user = $req->getParam('username');
        $pass = $req->getParam('password');
        // No credentials submitted: pass the request down the stack untouched
        if (empty($user) || empty($pass)) return $next($req, $res);
        if ($this->c->validAuth($user, $pass)) {
            $_SESSION['username'] = $user;
            return $res->withRedirect('/authenticated');
        }
        return $res->withRedirect('/?error=invalidlogin');
    }
}
```
Endpoints

```php
$app->any('/login', function($request, $response, $args) {
    return $response->withRedirect('/?error=invalidlogin');
})->add(new PasswordAuth($container));
```
Endpoints

```php
$app->any('/login', function($request, $response, $args) {
    if ($request->getParam('magiclink') && $request->getParam('username')) {
        $user = $this->users->get($request->getParam('username'));
        // sendMagicLink() wraps the provider's API (Tozny in this talk)
        if ($user) {
            $sent = sendMagicLink($user->email);
            if ('ok' === $sent['return']) return $response->withRedirect('/?message=checkemail');
        }
    }
    return $response->withRedirect('/?error=invalidlogin');
})->add(new PasswordAuth($container));
```
Middleware

```php
class MagicLinkAuth {
    private $c;
    public function __construct($cont) { $this->c = $cont; }
    public function __invoke($req, $res, $next) {
        $toznyo = $req->getParam('toznyo');   // link parameters issued by the provider
        $toznyr = $req->getParam('toznyr');
        if (empty($toznyo) || empty($toznyr)) {
            // No link parameters: hand off to the next middleware (PasswordAuth)
            return $next($req, $res);
        }
        if ($this->c->validLink($toznyo, $toznyr)) {
            $user = $this->c->users->getUserFromLink($toznyo);
            $_SESSION['username'] = $user->username;
            return $res->withRedirect('/authenticated');
        }
        // Link parameters present but invalid: reject rather than returning an empty response
        return $res->withRedirect('/?error=invalidlogin');
    }
}
```
Endpoints

```php
$app->any('/login', function($request, $response, $args) {
    return $response->withRedirect('/?error=invalidlogin');
})->add(new PasswordAuth($container))->add(new MagicLinkAuth($container));
// Slim runs the last-added middleware first: MagicLinkAuth, then PasswordAuth, then the route.
```
What just happened?
Registered users can authenticate with their password
Registered users can request a secure, one-time login link sent to their inbox
The application doesn't care which way the users authenticate
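The talk delegates link issuance and validation to a provider; as an added example that is not from the talk or from Tozny, the class below shows the properties a "secure, one-time login link" needs on the server side regardless of who issues it: an unguessable token, a short expiry, single use, and only a hash stored at rest. The in-memory array and the `example.invalid` URL are assumptions for illustration.

```php
<?php
// Added example: a minimal self-hosted one-time login-link store.
// Storage is an in-memory array here; a real app would use a database table.
final class MagicLinkStore
{
    private array $links = [];   // sha256(token) => ['username' => ..., 'expires' => ...]
    private int $ttl;

    public function __construct(int $ttlSeconds = 900) { $this->ttl = $ttlSeconds; }

    // Issue a link for a registered user; returns the raw token to embed in the URL.
    public function issue(string $username, int $now): string
    {
        $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->links[hash('sha256', $token)] = [     // keep only the hash server-side
            'username' => $username,
            'expires'  => $now + $this->ttl,
        ];
        return $token;
    }

    // Redeem once; returns the username or null. The entry is removed on the
    // first attempt whether or not it is still valid, so a link cannot be replayed.
    public function redeem(string $token, int $now): ?string
    {
        $key = hash('sha256', $token);
        if (!isset($this->links[$key])) {
            return null;                             // unknown or already used
        }
        $entry = $this->links[$key];
        unset($this->links[$key]);                   // single use
        if ($now > $entry['expires']) {
            return null;                             // expired
        }
        return $entry['username'];
    }
}

// Usage with constructed sample values:
$store = new MagicLinkStore(900);
$token = $store->issue('alice', time());
$url   = 'https://example.invalid/login?username=alice&magictoken=' . $token;
var_dump($store->redeem($token, time()));   // string(5) "alice"
var_dump($store->redeem($token, time()));   // NULL: already consumed
```

A middleware like MagicLinkAuth would call `redeem()` with the token from the query string and only then set `$_SESSION['username']`.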
How does this benefit us?
One less password for users to remember
More flexible authentication schemes for existing users
The middleware stack could be further extended to support TOTP/HOTP/U2F/etc

What are the risks?
Your users' accounts are only as secure as their email
Questions?
Thank You! Eric Mann - @ericmann - http://eam.me/10v - https://tozny.com