Slide 1

Slide 1 text

Google Authenticator: all the tools you need to add two-factor authentication to your web app. Adrian Hardy / @adrianhardy

Slide 2

Slide 2 text

Authentication: Factor Categories
Stuff you have ("keys"): door key, swipe card
Stuff you know: passwords and PINs, e.g. a computer password (hashed or otherwise)
Stuff you are (unique personal attributes): iris scans, fingerprints

Slide 3

Slide 3 text

Usernames & Passwords
Traditional single-factor authentication
Once someone knows your password, game over
Well understood methods of extracting passwords
Username: AzureDiamond
Password: hunter2
Welcome, adrian
If you don't get the hunter2 reference, google it and hit the first result

Slide 4

Slide 4 text

Single-factor authentication (SFA) relies on diligence: the only thing protecting the account is how well the one secret is chosen, stored and kept.

Slide 5

Slide 5 text

Two-Factor Authentication Examples [Insert audience participation here]

Slide 6

Slide 6 text

Google Authenticator
I may not be able to contain myself
Provides a "something you have" factor
Uses a mobile phone
FREE for Android, iPhone and yes, even Blackberry
Enrols via QR codes
Implements the RFC 6238 TOTP algorithm (HMAC-based, built on RFC 4226 HOTP)

Slide 7

Slide 7 text

What's a TOTP?
Time-based One-Time Password
Your phone gives you a 6 digit PIN
That six digit PIN is good for one 30 second time step
After 30 seconds you get a new one
That PIN is unique to you* (*unique to the secret enrolled on your phone; anyone holding a copy of the secret gets the same PINs)

Slide 8

Slide 8 text

Basic Workflow
When creating a user account, show a QR code
The QR code contains a secret which seeds the TOTP
Store the secret against the user account (treat it like a password: it is the whole second factor)

Slide 9

Slide 9 text

Basic Workflow - 2
As the server you know:
Username
Password
User's TOTP secret
Seconds since the Unix epoch
So you can calculate the same TOTP using the same implementation and compare it with the one the user typed!
In practice you also allow a step either side (phone clocks drift) and refuse to accept the same code twice.
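The two workflow slides describe enrolment (secret in a QR code) and verification (server recomputes the code). The following is an added example, not code from the talk, that carries the whole flow through in Python with only the standard library: it generates a secret, builds the otpauth:// URI that Google Authenticator reads from the QR code, computes the RFC 6238 code (HMAC-SHA1, 30 second step, 6 digits, which is what the app displays) and verifies a submitted code with a one-step window plus replay rejection. The issuer and account names are made-up values; the RFC_SECRET is the test key from RFC 6238 Appendix B, used so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP = 30    # RFC 6238 time step, in seconds (Google Authenticator default)
DIGITS = 6   # code length shown by Google Authenticator

# Test key from RFC 6238 Appendix B ("12345678901234567890"), base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(nbytes: int = 20) -> str:
    """Make a fresh random secret, base32-encoded as the QR/otpauth URI carries it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that is rendered into the enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "digits": DIGITS, "period": STEP}
    )
    return f"otpauth://totp/{label}?{params}"


def decode_secret(secret_b32: str) -> bytes:
    """Base32 decode, tolerating missing '=' padding and spaces from the QR/URI."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = seconds since the Unix epoch // STEP."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // STEP)


def verify(secret_b32: str, code: str, at: Optional[int] = None,
           window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` steps.

    Returns the matching counter so the caller can store it as `last_counter`
    and refuse any counter <= it, which stops a captured code being replayed
    inside the 30 second step. Returns None when the code is not accepted.
    """
    key = decode_secret(secret_b32)
    t = int(time.time()) if at is None else at
    base = t // STEP
    for k in range(-window, window + 1):
        counter = base + k
        if counter <= last_counter:
            continue  # already used (or older than one we accepted): reject replay
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


if __name__ == "__main__":
    # Enrolment: this URI is what you turn into the QR code for the user.
    secret = generate_secret()
    print(otpauth_uri(secret, "adrian@example.com", "ExampleApp"))  # made-up names
    # Verification: server recomputes, user types what the phone shows.
    now = int(time.time())
    print("current code:", totp(secret, now), "valid:", verify(secret, totp(secret, now), now))
```

The RFC 6238 vectors let you check the implementation before trusting it: with `RFC_SECRET`, time 59 gives 287082, 1111111109 gives 081804, 1234567890 gives 005924 and 2000000000 gives 279037 (the last six digits of the 8-digit SHA-1 values in the RFC). `hmac.compare_digest` keeps the comparison constant-time, and persisting the returned counter per user is the replay defence the slides leave implicit.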

Slide 10

Slide 10 text

I'll tweet out a bit.ly bundle in a bit. I haven't prepared the links and stuff that you'll need for this, so I'll prepare that offline and let you all know.