Simple Two Factor Authentication

My presentation at SDPHP went well. I definitely could improve on this presentation.

I missed the mark on the general workflow: how the customers and developers are impacted.

I made assumptions that I shouldn't have, such as that everyone already knew what Two Factor Authentication (2FA) was.

Published in: Technology

  1. Simple Two Factor Authentication: Secure Your Life
  2. About Me: John Congdon. IRC: johncongdon. Twitter: @johncongdon. john@sdphp.org. Ultimate Frisbee player.
  3. Authentication
  4. Passwords: "Something the user knows." Susceptible to brute-force attacks, phishing, social engineering and data breaches.
  5. Recent Web Data Exploits:
     • Thousands of vBulletin websites hacked: http://krebsonsecurity.com/2013/10/thousands-of-sites-hacked-via-vbulletin-hole/
     • Evernote (50,000,000 accounts)
     • Washington state Administrative Office of the Courts: 160,000 names, Social Security numbers and driver's license numbers were accessed. http://jrcon.me/1phbN9U
     • LivingSocial (50,000,000 accounts)
     • Adobe (38,000,000 accounts)
     • So many more... http://jrcon.me/1phdJ24
  6. Two Factor Authentication: "Something the user has." Tokens: hardware (hard tokens, USB, cards), software, mobile phone.
  7. Concerns: key logging, man-in-the-middle attacks, man-in-the-browser attacks, recovery of a lost token (broken phone).
  8. Two+ Factor Authentication: Why stop at just two? "Something the user is": biometrics such as fingerprint, voice print, retina scan, DNA?
  9. Simple 2FA: TOTP, Time-based One-Time Password. Combines a secret with the current time; a new code is generated every 30 seconds.
  10. Software Token: Google Authenticator (simple and free, secure, no backup); Authy (multi-device, easy backup).
  11. What's Needed? A "secret" is used to create the TOTP; a Base32 encoder/decoder; an accurate clock; a QR code.
  12. Create The Secret

      public function createSecret($secretLength = 16)
      {
          $validChars = $this->_getBase32LookupTable(); // 32 base32 characters plus '=' at index 32
          unset($validChars[32]);                       // drop the '=' padding character
          $secret = '';
          for ($i = 0; $i < $secretLength; $i++) {
              // random_int() is a CSPRNG; array_rand() is not suitable for generating secrets
              $secret .= $validChars[random_int(0, 31)];
          }
          return $secret;
      }

  13. Generate QR Code

      function getQRCodeGoogleUrl($name, $secret)
      {
          // otpauth URI as understood by Google Authenticator and Authy; the label is URL-encoded
          $urlencoded = urlencode('otpauth://totp/' . rawurlencode($name) . '?secret=' . $secret);
          return 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=' . $urlencoded;
      }

      $image = getQRCodeGoogleUrl('SDPHP', $secret);
      echo "<img src='$image'/>";

  14. Authentication Steps

      <?php
      if ($user->auth($username, $password)) {
          if ($user->two_factor_secret) {
              // Password accepted, but a second factor is still required:
              // show the code form and do not treat the session as logged in yet.
              showTwoFactorForm();
              return false;
          }
          return true;
      }
      return false;

  15. Verify The Code

      <?php
      // after password authentication
      $secret    = $user->two_factor_secret;
      $auth_code = $_POST['auth_code'] ?? null;
      if ($secret && $auth_code) {
          if ($auth->verifyCode($secret, $auth_code)) {
              return true;
          }
      }
      return false;

  16. Verify With Discrepancy Range

      <?php
      public function verifyCode($secret, $code, $discrepancy = 1)
      {
          $currentTimeSlice = floor(time() / 30);
          for ($i = -$discrepancy; $i <= $discrepancy; $i++) { // -1, 0, 1 by default
              $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
              // hash_equals(): strict, constant-time; == would treat "012345" and "12345" as equal
              if (hash_equals($calculatedCode, (string) $code)) {
                  return true;
              }
          }
          return false;
      }
  17. Considerations: Don't annoy your users; the #1 reason people hate 2FA. Make it optional and easy. Add a "remember me for X days" option.
  18. Questions?
  19. Thank You!
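Slides 9, 11 and 16 name the ingredients of TOTP (a shared secret, base32, an accurate clock, a 30-second time slice and a discrepancy window) but the deck never shows getCode(), the function verifyCode() calls. The following is an added example, not code from the slides or from the library the presenter used: a self-contained RFC 6238 implementation in PHP. The function names base32Decode(), getCode() and verifyCode() and the $lastUsedSlice replay check are this example's own; the secret and expected code come from the RFC 6238 / RFC 4226 test vectors (ASCII "12345678901234567890", 6-digit code 287082 for counter 1).

```php
<?php
// Added example, not code from the deck: a minimal RFC 6238 TOTP in PHP.
// getCode() combines the base32 secret with a 30-second time slice (slides 9
// and 11); verifyCode() applies the discrepancy window of slide 16 with a
// strict comparison and refuses a code whose slice was already accepted.
declare(strict_types=1);

// Decode an RFC 4648 base32 string such as the one createSecret() produces.
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        return '';
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) {
            throw new InvalidArgumentException("Invalid base32 character: $ch");
        }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    $wholeBytes = intdiv(strlen($bits), 8) * 8;   // trailing partial bits are padding
    for ($i = 0; $i < $wholeBytes; $i += 8) {
        $out .= chr(bindec(substr($bits, $i, 8)));
    }
    return $out;
}

// RFC 6238: HMAC-SHA1 over the 8-byte big-endian time slice, then the
// RFC 4226 dynamic truncation down to $digits decimal digits.
function getCode(string $secret, int $timeSlice, int $digits = 6): string
{
    $key     = base32Decode($secret);
    $counter = pack('N*', 0, $timeSlice);          // high 32 bits zero, low 32 bits = slice
    $hmac    = hash_hmac('sha1', $counter, $key, true);
    $offset  = ord($hmac[19]) & 0x0F;
    $binary  = ((ord($hmac[$offset]) & 0x7F) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Verify a submitted code, accepting +/- $discrepancy time slices of clock
 * skew. $lastUsedSlice is the slice of the last code this user successfully
 * submitted (stored server-side); a slice at or before it is refused, so a
 * code captured by a key logger cannot be replayed inside the window.
 * Returns the accepted slice (to store as the new $lastUsedSlice) or null.
 */
function verifyCode(string $secret, string $code, ?int $lastUsedSlice = null,
                    int $discrepancy = 1, ?int $now = null): ?int
{
    // A 6-digit TOTP is exactly six digits; reject anything else before hashing.
    if (!preg_match('/^\d{6}$/', $code)) {
        return null;
    }
    $currentSlice = intdiv($now ?? time(), 30);
    for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
        $slice = $currentSlice + $i;
        // hash_equals(): constant-time and strict, unlike PHP's loose ==.
        if (hash_equals(getCode($secret, $slice), $code)) {
            if ($lastUsedSlice !== null && $slice <= $lastUsedSlice) {
                return null;                       // already used: replay
            }
            return $slice;
        }
    }
    return null;
}

// Self-check with the RFC 6238 Appendix B reference secret (ASCII
// "12345678901234567890", here base32-encoded) at Unix time 59, time slice 1.
// RFC 4226 Appendix D lists 287082 as the 6-digit HOTP for counter 1.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$now    = 59;
$code   = getCode($secret, intdiv($now, 30));
if ($code !== '287082') {
    throw new RuntimeException("self-check failed: got $code");
}
echo "TOTP at t=$now: $code\n";
var_dump(verifyCode($secret, $code, null, 1, $now));       // fresh code inside the window
var_dump(verifyCode($secret, $code, 1, 1, $now));          // same slice already accepted: replay
var_dump(verifyCode($secret, $code, null, 1, $now + 30));  // one slice late, still inside +/-1
var_dump(verifyCode($secret, '123456', null, 1, $now));    // wrong code
```

Run it with `php totp.php`. The returned slice is what a login handler should persist alongside the user record after a successful check; combined with the discrepancy window this keeps the "accurate clock" requirement from slide 11 tolerant of a minute of skew without letting the same code pass twice.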