Two Factor Authentication and You
Upcoming SlideShare
Loading in...5
×
 

Two Factor Authentication and You

on

  • 124 views

Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you ...

Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know. Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two factor auth works, how to use it and the ins and outs of rolling your own solution using Time-based One-time Password (TOTP) (and the Google Authenticator app) or a third party service and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two factor authentication and you can too! There's no reason not to use it!

Statistics

Views

Total Views
124
Views on SlideShare
124
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Two Factor Authentication and You Presentation Transcript

  • 1. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 1 TWO-FACTOR AUTHENTICATION AND YOU https://joind.in/10645
  • 2. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 2 WHO AM I? •President and Co-Founder of E-Moxie - www.emoxie.com •Baltimore, MD •PHP Developer, System Administrator,Tinkerer •Meetup Organizer - Baltimore PHP/Mobile/API •Trainer •Maximize efficiencies and make life easier (mainly mine) •I’ve seen things, and learned a bit on the way ! chris@emoxie.com Twitter: @cmstone
  • 3. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 3 BACKGROUND OFTHISTALK
  • 4. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 4 WHAT ISTWO FACTOR AUTH? •Not a new concept •Two pieces of information needed (in addition to a username) •Something you know and something you have •First factor is typically a password (The know) •Second factor is typically a uniquely generated code (The have)
  • 5. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 5 WHAT’S THE MOST COMMON EXAMPLE OF TWO-FACTOR AUTHENTICATION?
  • 6. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 6 ATM •Requires something you have (ATM Card) •Requires something you know (Pin Code)
  • 7. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 7 How do you get that second factor? DELIVERY MECHANISMS •E-Mail •SMS/Voice •App
  • 8. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 8 E-MAIL -THE GOOD :) •Wide adoption •Everyone has an email address (or a few) •If you don’t, it’s pretty easy to get one
  • 9. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 9 E-MAIL -THE BAD :( •Prone to failure •Delivery problems •Message blocking •SPAM •Send/Receive Problems •Requires Internet/Network Access •More mail?? Who really wants to get more?
  • 10. SMS
  • 11. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 11 SMS - GOODTHINGS! •Mobile device required (or a service like GoogleVoice) •SMS Penetration is high •Easy to implement •Global support
  • 12. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 12 SMS - BADTHINGS :( •Can’t receive SMS •Could cost money •Network •Delivery delays •Lost messages •Power? •Threat could have access to a web front end! •Susceptible to architecture issues
  • 13. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 13 TWILIO •REST API •Get your own number •Send a text message just like you would with any other app
  • 14. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 14 NEXMO •php[tek] Sponsor - yay! •Shared short code •REST API ! •API Key & Secret •Destination & Pin curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key} &api_secret={api_secret}&to=14435281326&pin=1234"
  • 15. MOBILE APP
  • 16. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 16 MOBILE APP •RollYour Own •Push Notices •Login Approvals •Authy •Duosecurity •Google Authenticator
  • 17. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 17 MOBILE APP
  • 18. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 18 •Easy to use •DOES NOT rely on an Internet connection •DOES NOT rely on cellular connection •Google just provides the app •Implements time-based on-time passwords (TOTP) •Open source (kind of) •All of those password thefts? Could be kind of a non-issue •Not just for websites GOOGLE AUTHENTICATOR
  • 19. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 19 •No power! •Lost phone/device •Broken phone/device •Susceptible to architecture and workflow issues GOOGLE AUTHENTICATOR - PITFALLS
  • 20. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 20 TOTP •Time-based One-time Password Algorithm •Computed from a shared secret key and the current time. •Combines secret with timestamp using a cryptographic hash func •Typically increases in 30-second intervals •Allows for a time drift •RFC 6238
  • 21. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 21 APPLICATION •base32 encoding and decoding •random secret key •timestamp •~30 lines of code
  • 22. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 22 https://github.com/cmstone/phptek2014-two-factor
  • 23. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 23 WORKFLOW OVERVIEW $username  =  'chris@baltimorephp.org';   $userkey  =  TwoFactor::generateKey();   $timestamp  =  TwoFactor::getTimestamp();   ! $secretKey  =  Base32::decode($userkey);   $currentPassword  =  TwoFactor::getSecret($secretKey,  $timestamp);
  • 24. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 24 Step 1 - Generate a random secret key TwoFactor::generateKey();   ———————   public  static  function  generateKey($length  =  16)  {                  $key  =  "";   !                for  ($i  =  0;  $i  <  $length;  $i++)  {                          $key  .=  Base32::getRandom();                  }   !                return  $key;   }   ! //  Gives  you  something  like:  CHBEYSUCFDAECIHM WORKFLOW
  • 25. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 25 Step 1 - Generate a random secret key //  Gives  you  something  like:  CHBEYSUCFDAECIHM WORKFLOW
  • 26. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 26 Step 2 - Get the current timestamp TwoFactor::getTimestamp();   ———————   public  static  function  getTimestamp()  {          return  floor(microtime(true)  /  self::keyRegeneration);   }   ! //  Gives  you  something  like:  46692614 WORKFLOW
  • 27. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 27 WORKFLOW Step 3 - Decode $userkey  =  TwoFactor::generateKey();   $timestamp  =  TwoFactor::getTimestamp();   ! $secretKey  =  Base32::decode($userkey);   ! //  $secretKey  =  ?LJ?(?A  ?
  • 28. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 28 WORKFLOW $currentPassword  =  TwoFactor::getSecret($secretKey,  $timestamp);   ———————   public  static  function  getSecret($key,  $counter)  {                  if  (strlen($key)  <  8)  {                          throw  new  Exception('Secret  key  is  too  short.  Must  be  at  least  16  base  32  characters');                  }   !                $bin_counter  =  pack('N*',  0)  .  pack('N*',  $counter);    //  Counter  must  be  64-­‐bit  int                  $hash  =  hash_hmac('sha1',  $bin_counter,  $key,  true);   !                return  str_pad(self::oathTruncate($hash),  self::otpLength,  '0',  STR_PAD_LEFT);   }   ! //  $currentPassword  =  373604 Step 4 - Decode
  • 29. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 29 ADDITIONAL RESOURCES Bypassing two-factor authentication http://shubh.am/how-i-bypassed-2-factor-authentication-on-google- yahoo-linkedin-and-many-others/ ! Google Authenticator Code: https://code.google.com/p/google-authenticator/
  • 30. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 30 QUESTIONS?
  • 31. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 31 THANKS! Please reach out to me @cmstone or chris@emoxie.com Please rate and give feedback!! https://joind.in/10645