Slide 1
MontrealRb 2013-03: Two-factor authentication ...or getting away with a shitty password
Slide 2
@cjoudrey
Slide 3
(image slide, no text)
Slide 4
Two-factor? Something you know + Something you have
Slide 5
Two-factor? Something you know + Something you have
Slide 6
(image slide, no text)
Slide 7
It’s easy! Just generate random numbers!
Slide 8
It’s easy! Just generate random numbers! Sort of...
Slide 9
(image slide, no text)
Slide 10
Time-based One-time Password
Slide 11
Time-based One-time Password: Shared secret + Time = 123456
Slide 12
Time-based One-time Password: ROTP gem
Slide 13
require 'rotp'
totp = ROTP::TOTP.new('secret')
totp.now # => 281918
Slide 14
Time-based One-time Password: New password every 30 seconds
Slide 15
totp.now              # => 281918
totp.verify(281918)   # => true
sleep 30
totp.verify(281918)   # => false
Slide 16
Time-based One-time Password: Getting the secret on the device
Slide 17
(image slide, no text)
Slide 18
totp.provisioning_uri('my app') # => "otpauth://totp/my%20app?secret=secret"
Slide 19
totp.provisioning_uri('Sample App ...')
Slide 20
Time-based One-time Password: What about SMS?
Slide 21
totp.now                              # => 281918
sleep 30
totp.verify(281918)                   # => false
totp.verify_with_drift(281918, 30)    # => true
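An added example, not from the slides or the ROTP gem: a minimal RFC 6238 TOTP in plain Ruby covering slides 11 to 21, so the "shared secret + time = code" construction and the drift window behind verify_with_drift can be traced without the gem. MiniTotp and its method names are chosen here; the key at the bottom is the RFC 6238 test vector key, not a real secret.

```ruby
require 'openssl'

# Minimal RFC 6238 TOTP in plain Ruby (assumed names; not the ROTP gem's code).
module MiniTotp
  STEP   = 30  # a new password every 30 seconds
  DIGITS = 6
  BASE32 = 'abcdefghijklmnopqrstuvwxyz234567'  # the alphabet ROTP::Base32 uses

  # Decode a base32 shared secret (ROTP::Base32.random_base32 yields lowercase).
  def self.base32_decode(str)
    bits = str.downcase.delete('=').each_char.map do |c|
      idx = BASE32.index(c) or raise ArgumentError, "invalid base32 char #{c.inspect}"
      idx.to_s(2).rjust(5, '0')
    end.join
    bits[0, bits.size - bits.size % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
  end

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
  def self.hotp(secret, counter)
    mac = OpenSSL::HMAC.digest('sha1', base32_decode(secret), [counter].pack('Q>'))
    offset = mac.bytes.last & 0x0f
    code = (mac[offset, 4].unpack1('N') & 0x7fffffff) % (10**DIGITS)
    format("%0#{DIGITS}d", code)
  end

  # TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix
  # epoch, so "shared secret + time = 123456" is HOTP with time as the counter.
  def self.at(secret, time)
    hotp(secret, time.to_i / STEP)
  end

  # Compare codes in constant time so the comparison does not leak a prefix match.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Verify a submitted code. drift (seconds) also accepts the neighbouring steps,
  # which tolerates a phone whose clock is slightly off; keep it small, because
  # every extra step enlarges the set of codes the server will accept.
  def self.verify(secret, code, time, drift: 0)
    steps = drift / STEP
    wanted = code.to_s.rjust(DIGITS, '0')
    (-steps..steps).any? { |s| secure_equal?(at(secret, time + s * STEP), wanted) }
  end
end

secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'  # RFC 6238 test key "12345678901234567890"
puts MiniTotp.at(secret, 59)                         # 287082 (RFC 6238 SHA-1 vector, 6 digits)
puts MiniTotp.verify(secret, 287082, 89, drift: 30)  # true: one 30-second step of drift allowed
```

The last two lines mirror slide 21: the code from step 1 is rejected one step later unless a drift window is allowed.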
Slide 22
In practice
Slide 23
Demo
Slide 24
Generate user secret
Slide 25
class User < ActiveRecord::Base
  # ...
  before_create :set_auth_secret

  private

  def set_auth_secret
    self.auth_secret = ROTP::Base32.random_base32
  end
end
Slide 26
(image slide, no text)
Slide 27
Validating the client
Slide 28
class AdminController < ApplicationController
  # ...
  before_filter :authenticate_user!
  before_filter :validate_client

  private

  def validate_client
    # ...
    client_id = cookies.signed[:client_id] || SecureRandom.uuid
    # ...
  end
end
Slide 29
create_table 'devices' do |t|
  t.string 'client_id'
  t.integer 'user_id'
  t.datetime 'authenticated_at'
  # ...
end
Slide 30
HTTP Cookies
Slide 31
HTTP Cookies: httponly
Slide 32
HTTP Cookies: secure
Slide 33
HTTP Cookies: signed
Slide 34
Pitfalls
Slide 35
Pitfalls: Dead phone
Slide 36
Pitfalls: New phone
Slide 37
Pitfalls: Time not properly set on phone
Slide 38
(image slide, no text)
Slide 39
Thanks! Questions?