Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Going Password-Free
Search
Eric Mann
February 03, 2017
Technology
210
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Going Password-Free
Passwordless authentication via Tozny as presented at SunshinePHP 2017
Eric Mann
February 03, 2017
More Decks by Eric Mann
See All by Eric Mann
Kubernetes for PHP Developers: From Docker Compose to Production
ericmann
0
59
Semantic Search and Embeddings: Modernizing PHP Search with Vector Databases
ericmann
0
52
Evolution of PHP Security
ericmann
0
130
PHP, Meet AI
ericmann
0
120
Asynchronous Awesome
ericmann
0
220
WordPress, Meet AI
ericmann
0
86
Cooking with Credentials
ericmann
0
70
OWASP Top Ten in Review
ericmann
0
84
Monkeys in the Machine
ericmann
0
230
Other Decks in Technology
See All in Technology
AIをフル活用してオンコール機能のプロトタイプを2日で作った話 / Building an AI-Powered On-Call Prototype in Just Two Days
nari_ex
0
160
『AIに負けない』より『AIと遊ぶ』」〜ワクワクが最強のテスト・QA学習戦略_公開用
odan611
1
330
BPaaSで進むAIオペレーションの現在地 AI実装が効く領域とスケーラビリティの選定と実装
kentarofujii
0
250
本当の”仕事”を手放せる未来が見えた
mu7889yoon
0
210
起点・思考・出力で分解する 〜PM業務の自動化設計〜
kazu_kichi_67
2
1.2k
Tech-Verse 2026_Keynote
lycorptech_jp
PRO
0
110
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
1
130
Zenoh on Zephyr on LiteX
takasehideki
2
170
次世代ランサムウェア対策の考察 / 20260704 Mitsutoshi Matsuo
shift_evolve
PRO
5
1.6k
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
11k
product engineering with qa
nealle
0
130
初めてのDatabricks勉強会
taka_aki
2
220
Featured
See All Featured
Writing Fast Ruby
sferik
630
63k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
360
Ten Tips & Tricks for a 🌱 transition
stuffmc
0
150
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
1
1.8k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
1
2.8k
We Are The Robots
honzajavorek
0
260
The SEO identity crisis: Don't let AI make you average
varn
0
510
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
240
Game over? The fight for quality and originality in the time of robots
wayneb77
1
210
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.9k
Transcript
Going Password-Free Sunshine PHP 2017
90
19
hunter2
None
How can we fix it? Password managers help Password strength
meters (zxcvbn) help Two-factor authentication helps But why require a password at all?
None
A PHP Example Defer to a 3rd party for email
& validation Use the SlimPHP framework for quick bootstrapping Allow either password or password-less authentication
Authentication Provider Free developer preview Powers both link-based and push-based
auth Supports PHP (and other langs)
Endpoints $app->get('/', function($request, $response, $args) { // Render index view
return $this->renderer->render($response, 'index.phtml', $args); }); $app->get('/register', function($request, $response, $args) { // Render registration view return $this->renderer->render($response, ‘register.phtml', $args); }); $app->get('/authenticated', function($request, $response, $args) { // Render protected view return $this->renderer->render($response, ‘authenticated.phtml', $args); });
Endpoints $app->get('/authenticated', function($request, $response, $args) { if ( !
isset( $_SESSION['username'] ) || ! $this->users->get( $_SESSION['username'] ) ) { return $response->withRedirect('/?error=notloggedin'); } // Render protected view return $this->renderer->render($response, ‘authenticated.phtml', $args); });
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); }); $app->get('/logout',
function($request, $response, $args) { session_destroy(); return $response->withRedirect('/?loggedout'); });
None
Middleware class PasswordAuth { private $c; public function __construct($cont)
{$this->c = $cont;} public function __invoke($req, $res, $next) { $user = $req->getParam(‘username’); $pass = $req->getParam(‘password’); if (empty($u) || empty($p)) return $res = $next($req, res); if ($this->c->validAuth($user, $pass)) { $_SESSION[‘username’] = $user; return $res = $res->withRedirect(‘/authenticated’); } return $res = $res->withRedirect(‘/?error=invalidlogin’); } }
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container));
Endpoints $app->any('/login', function($request, $response, $args) { if($request->getParam(‘magiclink’) && $request->getParam(‘username’)) {
$user = $this->users->get($request->getParam(‘username’)); $sent = sendMagicLink($user->email); if(‘ok’ === $sent[‘return’]) return $response->withRedirect(‘/?message=checkemail’); } return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container));
Middleware class MagicLinkAuth { private $c; public function __construct($cont)
{$this->c = $cont;} public function __invoke($req, $res, $next) { $toznyo = $req->getParam(‘toznyo’); $toznyr = $req->getParam(‘toznyr’); if (empty($toznyo) || empty($toznyr)) { $res = $next($req, res); } else { if ($this->c->validLink($toznyo, $toznyr) { $user = $this->c->users->getUserFromLink($toznyo); $_SESSION[‘username’] = $user->username; $res = $res->withRedirect(‘/authenticated’); } } return $res; } }
Endpoints $app->any('/login', function($request, $response, $args) { return $response->withRedirect('/?error=invalidlogin'); })->add(new PasswordAuth($container))->add(new
MagicLinkAuth($container));
What just happened? Registered users can authenticate with their password
Registered users can request a secure, one-time login link sent to their inbox The application doesn’t care which way the users authenticate
How does this benefit us? One less password for users
to remember More flexible authentication schemes for existing users The middleware stack could be further extended to support TOTP/HOTP/ U2F/etc
What are the risks? Your users’ accounts are only as
secure as their email
Questions?
Thank You! Eric Mann - @ericmann - http://eam.me/10v - https://tozny.com