Going Password-Free

Going Password-Free Sunshine PHP 2017

hunter2

How can we ﬁx it? Password managers help Password strength
meters (zxcvbn) help Two-factor authentication helps But why require a password at all?

A PHP Example Defer to a 3rd party for email
& validation Use the SlimPHP framework for quick bootstrapping Allow either password or password-less authentication

Authentication Provider Free developer preview Powers both link-based and push-based
auth Supports PHP (and other langs)

Endpoints $app->get('/', function($request, $response, $args) {  // Render index view 
return $this->renderer->render($response, 'index.phtml', $args);  }); $app->get('/register', function($request, $response, $args) {  // Render registration view  return $this->renderer->render($response, ‘register.phtml', $args);  }); $app->get('/authenticated', function($request, $response, $args) {  // Render protected view  return $this->renderer->render($response, ‘authenticated.phtml', $args);  });

Endpoints $app->get('/authenticated', function($request, $response, $args) {  if (   !
isset( $_SESSION['username'] ) ||   ! $this->users->get( $_SESSION['username'] )   ) {  return $response->withRedirect('/?error=notloggedin');  }    // Render protected view  return $this->renderer->render($response, ‘authenticated.phtml', $args);  });

Endpoints $app->any('/login', function($request, $response, $args) {  return $response->withRedirect('/?error=invalidlogin');  }); $app->get('/logout',
function($request, $response, $args) {  session_destroy();    return $response->withRedirect('/?loggedout');  });

Middleware class PasswordAuth {  private $c;    public function __construct($cont)
{$this->c = $cont;}    public function __invoke($req, $res, $next) {  $user = $req->getParam(‘username’);  $pass = $req->getParam(‘password’);    if (empty($u) || empty($p)) return $res = $next($req, res);    if ($this->c->validAuth($user, $pass)) {  $_SESSION[‘username’] = $user;  return $res = $res->withRedirect(‘/authenticated’);  }  return $res = $res->withRedirect(‘/?error=invalidlogin’);  }  }

Endpoints $app->any('/login', function($request, $response, $args) {  return $response->withRedirect('/?error=invalidlogin');  })->add(new PasswordAuth($container));

Endpoints $app->any('/login', function($request, $response, $args) {  if($request->getParam(‘magiclink’) && $request->getParam(‘username’)) { 
$user = $this->users->get($request->getParam(‘username’));  $sent = sendMagicLink($user->email);    if(‘ok’ === $sent[‘return’])  return $response->withRedirect(‘/?message=checkemail’);  }  return $response->withRedirect('/?error=invalidlogin');  })->add(new PasswordAuth($container));

Middleware class MagicLinkAuth {  private $c;    public function __construct($cont)
{$this->c = $cont;}    public function __invoke($req, $res, $next) {  $toznyo = $req->getParam(‘toznyo’);  $toznyr = $req->getParam(‘toznyr’);    if (empty($toznyo) || empty($toznyr)) {  $res = $next($req, res);  } else {  if ($this->c->validLink($toznyo, $toznyr) {  $user = $this->c->users->getUserFromLink($toznyo);  $_SESSION[‘username’] = $user->username;  $res = $res->withRedirect(‘/authenticated’);  }  }  return $res;  }  }

Endpoints $app->any('/login', function($request, $response, $args) {  return $response->withRedirect('/?error=invalidlogin');  })->add(new PasswordAuth($container))->add(new
MagicLinkAuth($container));

What just happened? Registered users can authenticate with their password
Registered users can request a secure, one-time login link sent to their inbox The application doesn’t care which way the users authenticate

How does this beneﬁt us? One less password for users
to remember More ﬂexible authentication schemes for existing users The middleware stack could be further extended to support TOTP/HOTP/ U2F/etc

What are the risks? Your users’ accounts are only as
secure as their email

Questions?

Thank You! Eric Mann - @ericmann - http://eam.me/10v - https://tozny.com

Going Password-Free

Going Password-Free

Eric Mann

More Decks by Eric Mann

Other Decks in Technology

Featured

Transcript