Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Going Password-Free
Search
Eric Mann
February 03, 2017
Technology
0
150
Going Password-Free
Passwordless authentication via Tozny as presented at SunshinePHP 2017
Eric Mann
February 03, 2017
Tweet
Share
More Decks by Eric Mann
See All by Eric Mann
Evolution of PHP Security
ericmann
0
52
PHP, Meet AI
ericmann
0
55
Asynchronous Awesome
ericmann
0
140
WordPress, Meet AI
ericmann
0
37
Cooking with Credentials
ericmann
0
51
OWASP Top Ten in Review
ericmann
0
38
Monkeys in the Machine
ericmann
0
190
Asynchronous Awesome
ericmann
0
300
Evolution of PHP Security
ericmann
0
350
Other Decks in Technology
See All in Technology
Terraform Cloudで始めるおひとりさまOrganizationsのすゝめ
handy
2
190
グループ ポリシー再確認 (2)
murachiakira
0
110
Spring Bootで実装とインフラをこれでもかと分離するための試み
shintanimoto
7
880
4/16/25 - SFJug - Java meets AI: Build LLM-Powered Apps with LangChain4j
edeandrea
PRO
2
130
SnowflakeとDatabricks両方でRAGを構築してみた
kameitomohiro
1
470
AIエージェント開発手法と業務導入のプラクティス
ykosaka
8
2k
テストって楽しい!開発を加速させるテストの魅力 / Testing is Fun! The Fascinating of Testing to Accelerate Development
aiandrox
0
110
Bazel for Ruby (RubyKaigi 2025)
p0deje
0
120
アジャイル脅威モデリング#1(脅威モデリングナイト#8)
masakane55
3
230
Microsoft の SSE の現在地
skmkzyk
0
150
Databricksで完全履修!オールインワンレイクハウスは実在した!
akuwano
0
110
更新系と状態
uhyo
7
1.9k
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.4k
Fireside Chat
paigeccino
37
3.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Adopting Sorbet at Scale
ufuk
76
9.3k
Product Roadmaps are Hard
iamctodd
PRO
52
11k
Java REST API Framework Comparison - PWX 2021
mraible
30
8.5k
Facilitating Awesome Meetings
lara
54
6.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
13
1.4k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
The Cult of Friendly URLs
andyhume
78
6.3k
How to Ace a Technical Interview
jacobian
276
23k
Transcript
Going Password-Free Sunshine PHP 2017
90
19
hunter2
None
How can we fix it? Password managers help Password strength
meters (zxcvbn) help Two-factor authentication helps But why require a password at all?
None
A PHP Example Defer to a 3rd party for email
& validation Use the SlimPHP framework for quick bootstrapping Allow either password or password-less authentication
Authentication Provider Free developer preview Powers both link-based and push-based
auth Supports PHP (and other langs)
Endpoints $app->get('/', function($request, $response, $args) { // Render index view
return $this->renderer->render($response, 'index.phtml', $args); }); $app->get('/register', function($request, $response, $args) { // Render registration view return $this->renderer->render($response, ‘register.phtml', $args); }); $app->get('/authenticated', function($request, $response, $args) { // Render protected view return $this->renderer->render($response, ‘authenticated.phtml', $args); });
Endpoints $app->get('/authenticated', function($request, $response, $args) { if ( !
isset( $_SESSION['username'] ) || ! $this->users->get( $_SESSION['username'] ) ) { return $response->withRedirect('/?error=notloggedin'); } // Render protected view return $this->renderer->render($response, ‘authenticated.phtml', $args); });
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); }); $app->get('/logout',
function($request, $response, $args) { session_destroy(); return $response->withRedirect('/?loggedout'); });
None
Middleware class PasswordAuth { private $c; public function __construct($cont)
{$this->c = $cont;} public function __invoke($req, $res, $next) { $user = $req->getParam(‘username’); $pass = $req->getParam(‘password’); if (empty($u) || empty($p)) return $res = $next($req, res); if ($this->c->validAuth($user, $pass)) { $_SESSION[‘username’] = $user; return $res = $res->withRedirect(‘/authenticated’); } return $res = $res->withRedirect(‘/?error=invalidlogin’); } }
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container));
Endpoints $app->any('/login', function($request, $response, $args) { if($request->getParam(‘magiclink’) && $request->getParam(‘username’)) {
$user = $this->users->get($request->getParam(‘username’)); $sent = sendMagicLink($user->email); if(‘ok’ === $sent[‘return’]) return $response->withRedirect(‘/?message=checkemail’); } return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container));
Middleware class MagicLinkAuth { private $c; public function __construct($cont)
{$this->c = $cont;} public function __invoke($req, $res, $next) { $toznyo = $req->getParam(‘toznyo’); $toznyr = $req->getParam(‘toznyr’); if (empty($toznyo) || empty($toznyr)) { $res = $next($req, res); } else { if ($this->c->validLink($toznyo, $toznyr) { $user = $this->c->users->getUserFromLink($toznyo); $_SESSION[‘username’] = $user->username; $res = $res->withRedirect(‘/authenticated’); } } return $res; } }
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container))->add(new
MagicLinkAuth($container));
What just happened? Registered users can authenticate with their password
Registered users can request a secure, one-time login link sent to their inbox The application doesn’t care which way the users authenticate
How does this benefit us? One less password for users
to remember More flexible authentication schemes for existing users The middleware stack could be further extended to support TOTP/HOTP/ U2F/etc
What are the risks? Your users’ accounts are only as
secure as their email
Questions?
Thank You! Eric Mann - @ericmann - http://eam.me/10v - https://tozny.com