Better Security With Two Factor Authentication (PHP Unconference 2013)

What does Two Factor Authentication mean? How does it work and how difficult is it to integrate it into your own web application?


Presentation Transcript

  • Who am I? Norman Soetbeer, Computer Science Student, Game Developer @ InnoGames. Twitter: @TheBattleRattle, Github: BattleRattle
  • (login mock-up: step 1, „John Doe“ / ******** / LOGIN; step 2, „Enter your Code“ 743503 / submit, shown because an authenticator is connected to your account; result: „Welcome. Hey, John Doe! You successfully logged in“)
  • also known as: TFA, 2FA; Two-Step Authentication; Two-Step Verification (Google); Two Factor Verification (Dropbox, Twitter); Login Approvals (Facebook); Code Generator (Facebook)
  • three kinds of factors exist; two factor authentication combines two (or more) of them
  • knowledge factor, „something only the user knows“: PIN, password, pattern, „What was the name of your first pet?“
  • possession factor, „something only the user has“: key, smart card, ATM card, mobile phone, hard tokens, USB tokens
  • inherence factor, „something only the user is“: finger print, iris, voice, DNA
  • Automatic Teller Machine ATM card + PIN = „something only the user has“ + „something only the user knows“
  • requirements for secure factors strong entropy on secrets
  • requirements for secure factors: high resistance of tokens against cloning
  • requirements for secure factors uniqueness and reliability of biometrics
  • requirements for secure factors secure transport (tokens, passwords, etc.)
  • requirements for secure factors: additional management (disable lost tokens, determine steps for password reset, withdraw credentials if no longer required)
  • requirements for secure factors fraud detection: monitor failed attempts, lock account
  • what is possible?
  • knowledge factor PIN?
  • knowledge factor password?
  • knowledge factor pattern? requires javascript / flash, but
  • knowledge factor „What was the name of your first pet“? does not fulfill „something only the user knows“
  • possession factor key? difficult to check
  • possession factor: smart card? requires additional hardware; not usable in web browser (maybe with plugin); costs (card, card reader, transport of card)
  • possession factor: USB token? not usable in web browser (maybe with plugin); costs (token + transfer)
  • possession factor: hard token? costs (token itself, transport)
  • possession factor mobile phone? SMS? Costs
  • Give us your phone number?
  • possession factor mobile phone? voice message? same as SMS
  • possession factor mobile phone? code generator (smart phone)
  • counter-based code generator: secret key, secret counter value, public serial; a new code on every key press (counter increases)
  • HMAC-Based One-Time Password (HOTP, RFC 4226): hash = hmac_sha1(key, counter), the counter encoded as 8 big-endian bytes; offset = last 4 bits of hash; number = 4 bytes from hash, beginning at offset, with the top bit cleared; take the number modulo 10^length and pad with leading zeros to the given length
  • example: hash = hmac_sha1(„12345“, 1) = 20 d4 c6 b0 32 ea 01 da 02 6e a8 a9 f6 f4 00 41 d0 95 6d 08; offset = last 4 bits of hash = 8; number = 4 bytes from hash, beginning at offset = 02 6e a8 a9 = 40806569; padded to 8 digits: 40806569 (for a six-digit code: 40806569 mod 10^6 = 806569)
  • usage: the web application stores one row per authenticator; the authenticator holds its own copy of serial, key and counter

        serial           key (secret)    counter (secret)   uid
        FOO-BAR-BAZ      43A7B66200DD    7                  42456
        ABCD-EFGH-IJKL   AF3A77E8D638    19                 87632
        MNOP-QRST-UVWX   74DA39355CB6    2                  24572

    authenticator ABCD-EFGH-IJKL: KEY (secret) AF3A77E8D638, COUNTER (secret) 19
  • generate a new code: a key press moves the authenticator to counter 20 and shows 830429; the user submits 830429 while the web application still stores counter 19
  • code was correct: the web application computes the code for counter 20, it matches 830429, and the stored counter is updated to 20
  • code was incorrect (e.g. typo): the authenticator is at counter 20 and showed 830429, but the user submits 830428; the web application keeps counter 19
  • counters out of sync: the authenticator has moved on to 20 while the web application still stores 19; if the user presses the button again before retrying, the next code (counter 21) no longer matches the one code the web application expects
  • solution: also check up to 10 upcoming codes and, on a match, update the stored counter to the matched one, so that code and all earlier ones are spent
  • time-based code generator: secret key, internal clock; a new code every 30 seconds
  • Time-Based One-Time Password (TOTP, RFC 6238): time_frame = floor(unix_timestamp / time_step); hash = hmac_sha1(key, time_frame), then truncate exactly as for HOTP: offset = last 4 bits of hash; number = 4 bytes from hash, beginning at offset, top bit cleared; number modulo 10^length, padded to the given length
  • usage: no counter to keep in sync, the web application stores only the key per user

        key             uid
        43A7B66200DD    42456
        AF3A77E8D638    87632
        74DA39355CB6    24572

    authenticator: KEY (maybe secret) AF3A77E8D638, UNIX TIMESTAMP 1234567890 → 692113; the web application computes 692113 for the same time frame and accepts it. The code must be marked as used, because „one-time password“: otherwise it stays valid for the rest of the time frame
  • wrong code: the user submits 849372, the web application computes 692113 for the time frame of 1234567890; you should lock the account for the current time frame
  • what about delays? clocks out of sync?
  • simple: just also check one time frame before and after the current one
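The two server-side fixes from the slides, the HOTP look-ahead window („solution: also check up to 10 upcoming codes“) and the TOTP check of one time frame before and after the current one, as an added PHP 7.1+ example. This is not code from the slides or from the Doorman library; both algorithms share one RFC 4226 truncation routine, so they are shown in a single block. The function names hotp, verifyHotp, totp and verifyTotp, the $state record and the key, counter and timestamp values of the walk-through are constructed for this example.

```php
<?php
// Added example, not code from the slides or the Doorman library: RFC 4226 HOTP and
// RFC 6238 TOTP with the two server-side fixes the slides describe, a look-ahead
// window for counters that drift apart and a +/-1 time-frame window with one-time use.
declare(strict_types=1);

/** HOTP value for a raw shared secret and a 64-bit counter (RFC 4226). */
function hotp(string $key, int $counter, int $digits = 6): string
{
    // The counter is MACed as an 8-byte big-endian integer ('J' = unsigned 64-bit BE).
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true);
    // Dynamic truncation: the low 4 bits of the last byte pick the offset of a 4-byte window.
    $offset = ord($hash[19]) & 0x0F;
    // Clear the top bit so the result does not depend on signed 32-bit arithmetic.
    $number = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    // Reduce to $digits and zero-pad, so a value like 4711 becomes "004711".
    return str_pad((string)($number % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * HOTP check with a look-ahead window ("also check up to 10 upcoming codes").
 * $lastCounter is the last counter the web application accepted. Returns the
 * counter to store on success, null if no code in the window matched.
 */
function verifyHotp(string $key, int $lastCounter, string $code, int $window = 10): ?int
{
    for ($c = $lastCounter + 1; $c <= $lastCounter + $window; $c++) {
        // hash_equals compares in constant time, so timing does not reveal matching digits.
        if (hash_equals(hotp($key, $c), $code)) {
            return $c;   // storing this rejects every code up to and including it
        }
    }
    return null;
}

/** TOTP is HOTP over time_frame = floor(unix_timestamp / time_step) (RFC 6238). */
function totp(string $key, int $timestamp, int $step = 30, int $digits = 6): string
{
    return hotp($key, intdiv($timestamp, $step), $digits);
}

/**
 * TOTP check that also accepts one time frame before and after the current one.
 * $state = ['last_frame' => int] is the per-user record the web application keeps;
 * the matched frame is stored so the same code is accepted only once.
 */
function verifyTotp(string $key, array &$state, string $code, int $now, int $step = 30): bool
{
    $current = intdiv($now, $step);
    foreach ([0, -1, 1] as $drift) {
        $frame = $current + $drift;
        // A frame at or before the last accepted one is spent: "one-time password".
        if ($frame <= $state['last_frame']) {
            continue;
        }
        if (hash_equals(hotp($key, $frame), $code)) {
            $state['last_frame'] = $frame;
            return true;
        }
    }
    return false;
}

// --- constructed walk-through; the values are made up for this example ---
$key = random_bytes(20);   // a fresh 160-bit secret, as shared with the authenticator at enrollment

// Counters out of sync: the web application last accepted counter 19, the token is already at 21.
$code = hotp($key, 21);
$stored = verifyHotp($key, 19, $code);
echo $stored === null ? "HOTP: rejected\n" : "HOTP: accepted, store counter $stored\n";
// Submitting the same code again is a replay and must fail once the counter was stored.
echo verifyHotp($key, $stored ?? 19, $code) === null ? "HOTP: replay rejected\n" : "HOTP: replay accepted?!\n";

// Clock skew: 1234567890 is a frame boundary, so a phone 25 s behind is in the previous frame.
$now = 1234567890;
$state = ['last_frame' => 0];
echo verifyTotp($key, $state, totp($key, $now - 35), $now) ? "TOTP: 35 s old accepted?!\n" : "TOTP: 35 s old rejected (two frames back)\n";
$fromPhone = totp($key, $now - 25);
echo verifyTotp($key, $state, $fromPhone, $now) ? "TOTP: accepted (one frame back)\n" : "TOTP: rejected\n";
echo verifyTotp($key, $state, $fromPhone, $now) ? "TOTP: replay accepted?!\n" : "TOTP: replay rejected\n";
```

hotp() can be checked against the published test vectors in RFC 4226 Appendix D (ASCII key "12345678901234567890") and totp() against RFC 6238 Appendix B. Storing the matched frame also spends the older frame in the window, which is harmless because that user has just logged in. Locking the account after failed attempts (the „fraud detection“ and „wrong code“ slides) and loading the per-user key are left to the calling application.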
  • demo time
  • // Check Credentials (Step 1)
    // getUserByCredentials(), redirect() and $session are the application's own helpers
    $username = $_POST['username'];
    $password = $_POST['password'];

    $user = getUserByCredentials($username, $password);
    if (!$user) {
        redirect('/login/');
    }

    // a user with an authenticator is not authenticated yet, step 2 must still succeed
    if ($user->hasAuthenticator()) {
        $session->set('authenticated', false);
    } else {
        $session->set('authenticated', true);
    }
  • // Check for Authentication
    if (!$session->get('authenticated')) {
        redirect('/tfa-code/');
    }
  • // Check Code (Step 2)
    use BattleRattle\Doorman\Authentication\GoogleAuthenticator;

    // get the code from user input
    $code = $_POST['code'];

    // get the associated key for the current user
    // (fixed demo key here; a real application loads the key stored for the user who passed step 1)
    $key = 'ONETIMEPASSWORDS';

    $authenticator = new GoogleAuthenticator();
    $result = $authenticator->authenticate($key, $code);

    if ($result) {
        // only now is the login complete, so mark the session as authenticated
        $session->set('authenticated', true);
        echo 'Welcome, you successfully logged in';
    } else {
        echo 'Nope, try again';
    }
  • installation via composer / packagist
    "require": {
        "battlerattle/doorman": "dev-master"
    }
  • questions?
  • thank you