Slide 1
Slide 1 text
TACKLING AUTHENTICATION with Phoenix
Slide 2
Slide 2 text
https://www.entrepreneur.com/article/242208
Slide 3
Slide 3 text
90% of passwords are CRACKABLE within 6 hours (https://www.entrepreneur.com/article/242208)
Slide 4
Slide 4 text
90% FREAKING
Slide 5
Slide 5 text
65% of people use the SAME PASS everywhere (https://www.entrepreneur.com/article/242208)
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
初心 (beginner's mind)
Slide 8
Slide 8 text
BEGINNER'S mind
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
No content
Slide 11
Slide 11 text
BEGINNER'S mind
Slide 12
Slide 12 text
No content
Slide 13
Slide 13 text
No content
Slide 14
Slide 14 text
No content
Slide 15
Slide 15 text
No content
Slide 16
Slide 16 text
No content
Slide 17
Slide 17 text
No content
Slide 18
Slide 18 text
No content
Slide 19
Slide 19 text
No content
Slide 20
Slide 20 text
https://www.entrepreneur.com/article/242208
Slide 21
Slide 21 text
200.000,00 for a small business to fix issues post-breach (https://www.entrepreneur.com/article/242208)
Slide 22
Slide 22 text
João M. D. Moura Senior Engineer at Packlane @joaomdmoura
Slide 23
Slide 23 text
TACKLING AUTHENTICATION with Phoenix
Slide 24
Slide 24 text
TACKLING AUTHENTICATION with Phoenix: USABILITY
Slide 25
Slide 25 text
TACKLING AUTHENTICATION with Phoenix: USABILITY, DELEGATE
Slide 26
Slide 26 text
TACKLING AUTHENTICATION with Phoenix: USABILITY, DELEGATE, SSO
Slide 27
Slide 27 text
TACKLING AUTHENTICATION with Phoenix: USABILITY, DELEGATE, SSO, MICRO SERVICE
Slide 28
Slide 28 text
AUTHENTICATION x AUTHORIZATION
Slide 29
Slide 29 text
AUTHENTICATION
Slide 30
Slide 30 text
SOMETHING YOU KNOW
Slide 31
Slide 31 text
SOMETHING YOU KNOW
Slide 32
Slide 32 text
COHERENCE
Slide 33
Slide 33 text
mix coherence.install --full
Slide 34
Slide 34 text
ÜBERAUTH
Slide 35
Slide 35 text
REQUEST
Slide 36
Slide 36 text
CALLBACK
Slide 37
Slide 37 text
CALLBACK STRATEGIES
Slide 38
Slide 38 text
No content
Slide 39
Slide 39 text
No content
Slide 40
Slide 40 text
SOMETHING YOU HAVE (a.k.a. magic login links)
Slide 41
Slide 41 text
SOMETHING YOU HAVE (a.k.a. magic login links)
Slide 42
Slide 42 text
POT
Slide 43
Slide 43 text
Secret + Time = 123456
Slide 44
Slide 44 text
secret = "S3CR3T"
token = :pot.totp(secret)
Slide 45
Slide 45 text
secret = "S3CR3T"
token = "123456"
is_valid = :pot.valid_totp(token, secret)
Slide 46
Slide 46 text
MULTI-FACTOR authentication
Slide 47
Slide 47 text
MULTI-FACTOR authentication …or getting away with a shitty password
Slide 48
Slide 48 text
MULTI-FACTOR authentication …or getting away with a shitty password
Slide 49
Slide 49 text
AUTHORIZATION
Slide 50
Slide 50 text
No content
Slide 51
Slide 51 text
No content
Slide 52
Slide 52 text
No content
Slide 53
Slide 53 text
client -> server: knock knock
Slide 54
Slide 54 text
No content
Slide 55
Slide 55 text
server -> client: who's there?
Slide 56
Slide 56 text
No content
Slide 57
Slide 57 text
client -> server: Me.
Slide 58
Slide 58 text
No content
Slide 59
Slide 59 text
server -> client: ktkx.
Slide 60
Slide 60 text
SESSION + COOKIES
Slide 61
Slide 61 text
HTTP: STATELESS
Slide 62
Slide 62 text
No content
Slide 63
Slide 63 text
client
Slide 64
Slide 64 text
client server
Slide 65
Slide 65 text
client -> server: knock knock. BTW it's me. ktkx.
Slide 66
Slide 66 text
JSON Web Tokens JWT
Slide 67
Slide 67 text
HEADER.PAYLOAD.SIGNATURE
Slide 68
Slide 68 text
HEADER PAYLOAD SIGNATURE
Slide 69
Slide 69 text
HEADER PAYLOAD SIGNATURE
Slide 70
Slide 70 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD
SIGNATURE
Slide 71
Slide 71 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD: {"sub": "1234567890", "name": "John Doe", "admin": true}
SIGNATURE
Slide 72
Slide 72 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD: {"sub": "1234567890", "name": "John Doe", "admin": true}
SIGNATURE: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Slide 73
Slide 73 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 74
Slide 74 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 75
Slide 75 text
HTTP HEADERS
Slide 76
Slide 76 text
Authorization: Bearer
Slide 77
Slide 77 text
client server
Slide 78
Slide 78 text
client -> server: POST user/login
Slide 79
Slide 79 text
client -> server: POST user/login
server: creates JWT token
Slide 80
Slide 80 text
HEADER PAYLOAD SIGNATURE
Slide 81
Slide 81 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD
SIGNATURE
Slide 82
Slide 82 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD: {"sub": "1", "name": "João Moura", "admin": true}
SIGNATURE
Slide 83
Slide 83 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD: {"sub": "1", "name": "João Moura", "admin": true}
SIGNATURE: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "Th3B1gg3stS3cr3tEv3r")
Slide 84
Slide 84 text
HEADER: {"alg": "HS256", "typ": "JWT"}
PAYLOAD: {"sub": "1", "name": "João Moura", "admin": true}
SIGNATURE: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "Th3B1gg3stS3cr3tEv3r")
Slide 85
Slide 85 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 86
Slide 86 text
client -> server: POST user/login
server: creates JWT token
Slide 87
Slide 87 text
client -> server: POST user/login
server: creates JWT token
server -> client: return JWT to browser
Slide 88
Slide 88 text
client -> server: POST user/login
server: creates JWT token
server -> client: return JWT to browser
client -> server: send JWT as header
Slide 89
Slide 89 text
client -> server: POST user/login
server: creates JWT token
server -> client: return JWT to browser
client -> server: send JWT as header
server: check JWT signature
Slide 90
Slide 90 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 91
Slide 91 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
Slide 92
Slide 92 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
Slide 93
Slide 93 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 + SECRET
Slide 94
Slide 94 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 + SECRET -> TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 95
Slide 95 text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 + SECRET -> TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Slide 96
Slide 96 text
client -> server: POST user/login
server: creates JWT token
server -> client: return JWT to browser
client -> server: send JWT as header
server: check JWT signature
Slide 97
Slide 97 text
client -> server: POST user/login
server: creates JWT token
server -> client: return JWT to browser
client -> server: send JWT as header
server: check JWT signature
server -> client: send response to client
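The two server-side steps of the flow, "creates JWT token" and "check JWT signature", as an added Python example (not code from the slides, from Guardian or from any JWT library). It builds HEADER.PAYLOAD.SIGNATURE exactly as the HMACSHA256 formula on the earlier slides describes, using the slides' payload and secret, and the verifier pins the algorithm to HS256 and compares the MAC in constant time, which is what a server must do before trusting the "admin": true claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Values taken from the slides; the secret is the deck's example, not a real key.
SECRET = "Th3B1gg3stS3cr3tEv3r"
CLAIMS = {"sub": "1", "name": "João Moura", "admin": True}


def b64url(data: bytes) -> str:
    """base64UrlEncode as the slides call it: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """'creates JWT token': HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()  # no whitespace, as on jwt.io
    signing_input = b64url(compact(header)) + "." + b64url(compact(payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """'check JWT signature': recompute the MAC over header.payload and compare in constant time.
    Returns the payload only if the token is well formed, declares HS256 and the MAC matches;
    a header claiming 'none' or any other alg is rejected rather than trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print(token)
    print(verify_hs256(token, SECRET), verify_hs256(token, "wrong-secret"))
```

Anyone can decode the payload (it is only base64url, not encrypted), so nothing secret belongs in it; the signature only proves the server issued those claims unchanged.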
Slide 98
Slide 98 text
GUARDIAN
Slide 99
Slide 99 text
Guardian.Plug.sign_in(conn, user)
Slide 100
Slide 100 text
def login(conn, params) do
  case User.confirm_password(params) do
    {:ok, user} ->
      conn
      |> Guardian.Plug.sign_in(user)
      |> redirect(to: "/")
    …
  end
end
Slide 101
Slide 101 text
pipeline :browser_auth do
  plug Guardian.Plug.VerifySession
  plug Guardian.Plug.LoadResource
end
Slide 102
Slide 102 text
scope "/", MyApp do
  pipe_through [:browser, :browser_auth]
  get "/home", HomeController, :homepage
end
Slide 103
Slide 103 text
WRAP UP
Slide 104
Slide 104 text
1. We have a password problem
Slide 105
Slide 105 text
2. We should start embracing multi-factor authentication
Slide 106
Slide 106 text
3. Stateless auth is a thing. JWT is worth checking.
Slide 107
Slide 107 text
4. There are great auth libs around Elixir!
Slide 108
Slide 108 text
No content
Slide 109
Slide 109 text
No content
Slide 110
Slide 110 text
https://github.com/joaomdmoura/keeper
Slide 111
Slide 111 text
No content
Slide 112
Slide 112 text
No content
Slide 113
Slide 113 text
No content
Slide 114
Slide 114 text
No content
Slide 115
Slide 115 text
joaomdmoura.com Learn Elixir with a Rubyist
Slide 116
Slide 116 text
João M. D. Moura Senior Engineer at Packlane joaomdmoura.com