Slide 1

Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645

TWO-FACTOR AUTHENTICATION AND YOU

Slide 2

WHO AM I?

• President and Co-Founder of E-Moxie - www.emoxie.com
• Baltimore, MD
• PHP Developer, System Administrator, Tinkerer
• Meetup Organizer - Baltimore PHP/Mobile/API
• Trainer
• Maximize efficiencies and make life easier (mainly mine)
• I've seen things, and learned a bit on the way

[email protected]
Twitter: @cmstone

Slide 3

BACKGROUND OF THIS TALK

Slide 4

WHAT IS TWO FACTOR AUTH?

• Not a new concept
• Two pieces of information needed (in addition to a username)
• Something you know and something you have
• First factor is typically a password (the "know")
• Second factor is typically a uniquely generated code that only the user's device or token can produce (the "have")

Slide 5

WHAT'S THE MOST COMMON EXAMPLE OF TWO-FACTOR AUTHENTICATION?

Slide 6

ATM

• Requires something you have (ATM card)
• Requires something you know (PIN code)

Slide 7

DELIVERY MECHANISMS

How do you get that second factor?

• E-Mail
• SMS/Voice
• App

Slide 8

E-MAIL - THE GOOD :)

• Wide adoption
• Everyone has an email address (or a few)
• If you don't, it's pretty easy to get one

Slide 9

E-MAIL - THE BAD :(

• Prone to failure
    • Delivery problems
    • Message blocking
    • SPAM filtering
    • Send/receive problems
• Requires Internet/network access
• The inbox is usually also where password resets land, so a compromised mailbox defeats both factors
• More mail?? Who really wants to get more?

Slide 10

SMS

Slide 11

SMS - GOOD THINGS!

• Only a mobile device is required (or a service like Google Voice)
• SMS penetration is high
• Easy to implement
• Global support

Slide 12

SMS - BAD THINGS :(

• Can't receive SMS (no phone, no signal)
• Could cost money
• Network
    • Delivery delays
    • Lost messages
• Power?
• Anyone who can log in to a web front end for the messages (a Google Voice account, a carrier portal) can read the code without ever touching the phone!
• Susceptible to architecture issues: the code is generated and checked on your server, so expiry, retry limits and single use are your responsibility, not the carrier's

Slide 13

TWILIO

• REST API
• Get your own number
• Send a text message just like you would with any other app

Slide 14

NEXMO

• php[tek] Sponsor - yay!
• Shared short code
• REST API
• API key & secret
• Destination & PIN (the PIN is whatever your application generated; Nexmo only delivers it)

    curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key}&api_secret={api_secret}&to=14435281326&pin=1234"
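Sending the PIN is the easy half; whether an SMS code survives the architecture issues listed on the previous slide is decided on the server. What follows is an added example, not code from the talk, its repo, or any SMS provider's library, of the generate/store/verify lifecycle that has to surround a delivery call such as the curl above. It assumes PHP 7+, uses a plain array where a real application would use its database or cache, and takes the gateway call as a callable so that it runs offline; the names PIN_DIGITS, PIN_TTL, PIN_ATTEMPTS, issuePin and verifyPin are this example's own.

```php
<?php
// Added example, not code from the talk or from any SMS provider's library: the server-side
// half of an SMS/e-mail PIN, i.e. what has to exist around a delivery call like the Nexmo
// request above. Assumptions: PHP 7+, a plain array standing in for the real store
// (database or cache), and the gateway call passed in as a callable so this runs offline.

const PIN_DIGITS   = 6;
const PIN_TTL      = 300;   // seconds a PIN stays valid
const PIN_ATTEMPTS = 5;     // wrong guesses allowed before the PIN is discarded

// Create a fresh PIN for $userId, record only its hash, and hand the clear PIN to the sender.
function issuePin(array &$store, string $userId, callable $send, int $now): void
{
    // random_int() is a CSPRNG; rand()/mt_rand() are predictable and must not be used here.
    $pin = str_pad((string) random_int(0, 10 ** PIN_DIGITS - 1), PIN_DIGITS, '0', STR_PAD_LEFT);

    $store[$userId] = [
        'hash'     => password_hash($pin, PASSWORD_DEFAULT),   // a leaked row must not reveal a live PIN
        'expires'  => $now + PIN_TTL,
        'attempts' => 0,
    ];

    $send($userId, $pin);   // in production: the Nexmo/Twilio REST call
}

// Check a submitted PIN. A PIN can succeed at most once; expiry and the attempt cap
// are enforced here, on the server, because the SMS channel cannot enforce them.
function verifyPin(array &$store, string $userId, string $submitted, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;                       // nothing outstanding for this user
    }
    if ($now > $store[$userId]['expires'] || $store[$userId]['attempts'] >= PIN_ATTEMPTS) {
        unset($store[$userId]);             // expired or being brute-forced: discard it
        return false;
    }
    $store[$userId]['attempts']++;

    if (password_verify($submitted, $store[$userId]['hash'])) {
        unset($store[$userId]);             // consumed: the same PIN cannot be replayed
        return true;
    }
    return false;                           // wrong guess; the attempt has been counted
}

// Walk through the lifecycle with a capturing closure in place of the SMS gateway.
$store   = [];
$sentPin = null;
$gateway = function (string $to, string $pin) use (&$sentPin) { $sentPin = $pin; };

issuePin($store, 'alice', $gateway, 1000);
$wrongPin = ($sentPin === '000000') ? '000001' : '000000';

var_dump(verifyPin($store, 'alice', $wrongPin, 1001));             // wrong guess
var_dump(verifyPin($store, 'alice', $sentPin, 1000 + PIN_TTL + 1)); // correct PIN, but expired
var_dump(verifyPin($store, 'alice', $sentPin, 1000 + PIN_TTL + 2)); // nothing outstanding any more

issuePin($store, 'alice', $gateway, 2000);
var_dump(verifyPin($store, 'alice', $sentPin, 2001));              // correct and in time
var_dump(verifyPin($store, 'alice', $sentPin, 2002));              // same PIN again: already consumed
```

The three properties worth keeping when you swap the array for a real store are the ones the gateway cannot give you: the PIN is never stored in clear, it dies after a fixed time or a handful of guesses, and a correct PIN is deleted the moment it is accepted. A 6-digit PIN has only a million values, so the attempt cap is what makes it safe against online guessing; without it, the random source does not matter.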

Slide 15

MOBILE APP

Slide 16

MOBILE APP

• Roll your own
• Push notices
• Login approvals
• Authy
• Duo Security
• Google Authenticator

Slide 17

MOBILE APP

Slide 18

GOOGLE AUTHENTICATOR

• Easy to use
• DOES NOT rely on an Internet connection
• DOES NOT rely on a cellular connection
• Google just provides the app: the shared secret is between your server and the user's device, and no Google service is involved in checking a code
• Implements time-based one-time passwords (TOTP)
• Open source (kind of)
• All of those password thefts? Could be kind of a non-issue: a stolen password alone no longer gets the attacker in
• Not just for websites

Slide 19

GOOGLE AUTHENTICATOR - PITFALLS

• No power! (dead battery, no code)
• Lost phone/device
• Broken phone/device
• Susceptible to architecture and workflow issues (recovery when the device is gone, re-enrolment, and how the shared secret is stored on your server)

Slide 20

TOTP

• Time-based One-time Password algorithm
• Computed from a shared secret key and the current time
• Combines the secret with the current time step counter using a keyed cryptographic hash (HMAC, SHA-1 by default); the code is a truncation of that HMAC
• The counter typically advances every 30 seconds
• The verifier allows a window of a step or two either side for clock drift between the phone and the server
• RFC 6238 (a time-based profile of HOTP, RFC 4226)

Slide 21

APPLICATION

• base32 encoding and decoding (the secret is shown to the user in base32)
• random secret key (from a cryptographically secure random source)
• timestamp, turned into a time step counter
• ~30 lines of code

Slide 22

https://github.com/cmstone/phptek2014-two-factor

Slide 23

WORKFLOW OVERVIEW

    $username = '[email protected]';
    $userkey = TwoFactor::generateKey();
    $timestamp = TwoFactor::getTimestamp();

    $secretKey = Base32::decode($userkey);
    $currentPassword = TwoFactor::getSecret($secretKey, $timestamp);

Slide 24

WORKFLOW

Step 1 - Generate a random secret key

    TwoFactor::generateKey();
    ———————
    public static function generateKey($length = 16) {
        $key = "";

        // 16 base32 characters = 80 bits of secret. Base32::getRandom() (in the repo's
        // Base32 class) returns one random alphabet character; it must draw from a
        // CSPRNG such as random_int()/random_bytes(), never rand() or mt_rand().
        for ($i = 0; $i < $length; $i++) {
            $key .= Base32::getRandom();
        }

        return $key;
    }

    // Gives you something like: CHBEYSUCFDAECIHM

Slide 25

WORKFLOW

Step 1 - Generate a random secret key (result)

    // Gives you something like: CHBEYSUCFDAECIHM

Slide 26

WORKFLOW

Step 2 - Get the current timestamp

    TwoFactor::getTimestamp();
    ———————
    public static function getTimestamp() {
        // self::keyRegeneration is the time step in seconds (30 for Google Authenticator),
        // so this is the number of whole steps since the Unix epoch, i.e. the TOTP counter
        return floor(microtime(true) / self::keyRegeneration);
    }

    // Gives you something like: 46692614

Slide 27

WORKFLOW

Step 3 - Decode

    $userkey = TwoFactor::generateKey();
    $timestamp = TwoFactor::getTimestamp();

    $secretKey = Base32::decode($userkey);

    // $secretKey is now raw binary (10 bytes for a 16-character key) and will not print cleanly

Slide 28

WORKFLOW

Step 4 - Compute the current one-time password

    $currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
    ———————
    public static function getSecret($key, $counter) {
        // $key is the decoded (binary) secret; 16 base32 characters decode to 10 bytes
        if (strlen($key) < 10) {
            throw new Exception('Secret key is too short. Must be at least 16 base 32 characters');
        }

        // RFC 4226 wants the counter as a 64-bit big-endian integer:
        // high word zero, low word the time step
        $bin_counter = pack('N*', 0) . pack('N*', $counter);
        $hash = hash_hmac('sha1', $bin_counter, $key, true);

        // oathTruncate() is the RFC 4226 dynamic truncation (defined elsewhere in the repo);
        // the result is left-padded with zeros to self::otpLength (6) digits
        return str_pad(self::oathTruncate($hash), self::otpLength, '0', STR_PAD_LEFT);
    }

    // $currentPassword = 373604
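The four steps above, and the TOTP slide before them, show how a code is produced but stop short of checking one. The block below is an added example, not code from the talk's repo, that carries the same workflow through in PHP 7.1+: base32 encode/decode (the form the secret takes when it is shown to Google Authenticator), a CSPRNG secret, the 64-bit counter, HMAC-SHA1 and RFC 4226 dynamic truncation, and a verification routine with a drift window, constant-time comparison and replay rejection. The function names (base32Encode, base32Decode, generateSecret, hotp, totp, verifyTotp, selfCheck) are this example's own, not the repo's; the defaults (SHA-1, 6 digits, 30 seconds) are Google Authenticator's. It checks itself against the published RFC 4226 / RFC 6238 test vectors before running the round trip.

```php
<?php
// Added example, not code from the talk's repo: a complete RFC 6238 TOTP round trip in PHP 7.1+
// covering the four workflow steps above plus the verification side the slides leave out.
// Assumptions: HMAC-SHA1, 6 digits and a 30-second step, which are Google Authenticator's defaults.

const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';   // RFC 4648 base32 alphabet

// The secret is shown to the user (QR code or typed) in base32, so the server needs both directions.
function base32Encode(string $bytes): string
{
    if ($bytes === '') return '';
    $bits = '';
    foreach (str_split($bytes) as $c) {
        $bits .= str_pad(decbin(ord($c)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {               // last chunk is zero-padded on the right
        $out .= B32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;                                             // unpadded; authenticator apps accept this
}

function base32Decode(string $b32): string
{
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $v = strpos(B32_ALPHABET, $b32[$i]);
        if ($v === false) throw new InvalidArgumentException("invalid base32 character: {$b32[$i]}");
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) $out .= chr(bindec($chunk)); // drop the trailing pad bits
    }
    return $out;
}

// Step 1: per-user shared secret. RFC 4226 requires 128 bits and recommends 160; random_bytes() is a CSPRNG.
function generateSecret(int $bytes = 20): string
{
    return base32Encode(random_bytes($bytes));
}

// Steps 3-4 for one counter value: HMAC-SHA1 over the 8-byte big-endian counter, then the
// RFC 4226 dynamic truncation: 4 bytes at the offset given by the low nibble of the last byte,
// top bit cleared, reduced modulo 10^digits.
function hotp(string $key, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Step 2: the counter is the number of whole $step-second intervals since the Unix epoch.
function totp(string $key, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($key, intdiv($unixTime, $step), $digits);
}

// Server-side check: accept the current step or one either side (clock drift), compare in
// constant time, and refuse any step at or before the one this user last used, so a code
// that was shoulder-surfed or phished cannot be replayed inside its window.
// Returns the accepted step (persist it as the user's new $lastStep) or null.
function verifyTotp(string $b32Secret, string $code, int $unixTime, ?int $lastStep, int $window = 1): ?int
{
    $key = base32Decode($b32Secret);
    $now = intdiv($unixTime, 30);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $step = $now + $delta;
        if ($lastStep !== null && $step <= $lastStep) continue;
        if (hash_equals(hotp($key, $step), $code)) return $step;
    }
    return null;
}

// Known-answer check with the RFC 4226 / RFC 6238 test vectors (ASCII secret "12345678901234567890").
function selfCheck(): bool
{
    $k = '12345678901234567890';
    return hotp($k, 0) === '755224'
        && hotp($k, 1) === '287082'
        && totp($k, 59, 30, 8) === '94287082'
        && totp($k, 1111111109, 30, 8) === '07081804'
        && base32Decode(base32Encode($k)) === $k;
}
if (!selfCheck()) throw new RuntimeException('TOTP implementation does not match the RFC test vectors');

// Round trip: enrol a user, compute what the phone would show, verify it, then try to reuse it.
$secret   = generateSecret();
$code     = totp(base32Decode($secret), time());
$accepted = verifyTotp($secret, $code, time(), null);        // the step that was accepted
$replayed = verifyTotp($secret, $code, time(), $accepted);   // refused: that step is already used
echo "secret={$secret} code={$code} accepted=" . var_export($accepted, true)
   . " replay=" . var_export($replayed, true) . PHP_EOL;
```

Run it with `php totp.php`; it throws before doing anything else if the known-answer vectors fail. The step number verifyTotp() returns is what you persist as the user's last accepted step, and the window should stay small: each extra step on either side adds two more codes that would be accepted on a given attempt, so pair the window with the same per-user attempt limit an SMS PIN needs. The repo's getSecret() on the slide above is the hotp() half of this; the rest is what has to exist around it.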

Slide 29

ADDITIONAL RESOURCES

Bypassing two-factor authentication
http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/

Google Authenticator code:
https://code.google.com/p/google-authenticator/

Slide 30

QUESTIONS?

Slide 31

THANKS!

Please reach out to me @cmstone or [email protected]

Please rate and give feedback!! https://joind.in/10645