Two-factor authentication at GDG Tartu

Transcript

1. Two-factor authentication GDG Tartu, 3rd of August’17 Harri Kirik, Android

   Developer http://lab.mobi

2. designing & developing for mobile What? Why? How?

3. designing & developing for mobile What?

4. designing & developing for mobile Multi-factor authentication (MFA)

5. designing & developing for mobile Factors of authentication ➔ Knowledge

   factors ➔ Posession factors ➔ Inheritance factors

6. designing & developing for mobile Knowledge factors ➔ Pin ➔

   Password ➔ Passphrase ➔ Shape ➔ Hidden compartment ➔ “Secret” question

7. designing & developing for mobile Posession factors ➔ Key ➔

   Code card ➔ Pin generator / calculator ➔ Id card ➔ USB stick based token ➔ Your phone

8. designing & developing for mobile Inheritance factors ➔ Fingerprints ➔

   Retinal scans ➔ Voice ➔ Text typing patterns ➔ Your guard dog

9. designing & developing for mobile Multi-factor authentication, using ➔ Knowledge

   factors ➔ Posession factors ➔ Inheritance factors

10. designing & developing for mobile Two-factor authentication (2FA)

11. designing & developing for mobile 2FA - You’ve done it!

    ➔ Taking money out of the ATM ➔ Accessing banks via web page ➔ Adding a “secret lock” to your car ➔ Getting past your dog

12. designing & developing for mobile Why?

13. designing & developing for mobile Extra security

14. designing & developing for mobile Breach detection

15. designing & developing for mobile How?

16. designing & developing for mobile Use your phone

17. designing & developing for mobile How, technically?

18. designing & developing for mobile Use a code, which is

    ➔ Valid only for one time use ➔ Specific for every use ➔ Human readable ➔ Simple to enter ➔ Nonreversible

19. designing & developing for mobile SMS based codes

20. designing & developing for mobile HMAC-based One-time Password Algorithm (HOTP,

    RFC 4226)

21. designing & developing for mobile 1. Generate the Key (once)

    2. Calculate Hash = HMAC-SHA-1(Key, Counter); 2. Make it “human-usable” HOTP value = Truncate(Hash)

22. designing & developing for mobile PS: No need to build

    it yourself

23. designing & developing for mobile “Authenticator” apps

24. designing & developing for mobile Time-based One-time Password Algorithm (TOTP,

    RFC 6238)

25. designing & developing for mobile 1. Generate and share the

    Key (once) 2. Calculate Counter = (Current time - Epoch) / Step 2. Use HOTP TOTP value = HOTP(Key, Counter)

26. designing & developing for mobile Use one of many multi

    account apps

27. designing & developing for mobile Uh, all those codes ..

28. designing & developing for mobile Can I do with less

    work?

29. designing & developing for mobile Device prompts (Google, Valve)

30. designing & developing for mobile Is this secure?

31. designing & developing for mobile Which one should I use?

32. designing & developing for mobile Doesn’t matter. Just use 2FA!

33. Thank you! Questions? Harri Kirik, Android Developer [email protected] http://lab.mobi https://www.facebook.com/lab.mobi