LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
In this talk, I will outline the best practices to build out secure user management and authentication platforms for your products.

At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!
  1. User Authentication for Winners!
     Speaker: Karthik Gaekwad
     Password:
     Remember this stuff when you code
     @iteration1 | Friday, October 25, 13 | LASCON 2013 | #UserAuth101
  2. User Authentication for Winners!
     Speaker: Karthik Gaekwad
     Password: ************
     Well played security guru; well played!
     Remember this stuff when you code
  3. Howdy!
     • I’m Karthik Gaekwad
     • Senior Web Engineer
     • Mentor Graphics Embedded
     • From Austin, TX
     • Spent the last 3 years writing/refining cloud based user auth systems
  4. Audience Survey
  5. My agenda
     • Developers and DevOps
       • Build better auth systems
     • Security Pro’s
       • Give you developer insight, new ideas to attack auth systems
     • Management
       • Give this ppt to your dev teams.
  6. Authentication Mechanisms
     • Write your own
     • OpenID
     • OAuth
  7. Authentication Mechanisms
     • Write your own
     • OpenID
     • OAuth
  8. Common Perception
     “Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
  9. Reality
     API (PaaS) + Workflows + User Interface(s)
  10. Designing Auth Systems
     API: How your system is used
     • Login/Logout
     • Session Management (Remember Me etc)
     • User Creation
     • Password Reset
  11. Designing Auth Systems
     Workflows: Rules for how the system works
     • Account Creation
     • Password Reset
     • Account Recovery
  12. Designing Auth Systems
     User Interface: What end user will actually see
     • Where users can create account
     • Login screens
     • My Profile Page
     • End applications using the API’s
  13. High Level Design (diagram)
     Email Web Services; API Web Services (Login/Logout); User Portal; App 1, App 2, App 3...; Data store(s)
  14. High Level Design (same diagram)
  15. High Level Design (same diagram)
  16. Quick look @data
     • email
     • username
     • first name
     • last name
     • password
     • {id}
  17. Quick look @data
     Keep your auth data separate
     • You don’t want to clutter your auth data with ecommerce/address/whatever other data
     • Not rocket science.
     • It’s called normalization
  18. Breaking it down
     API Web Services (Login/Logout)
  19. Login Web Services
     API Web Services (Login/Logout)
     The Goal: Keep user credentials as safe as possible in transit
  20. Login Web Services
     Request (App 1 -> API Web Services): POST /login with encoded username:password
     Response: HTTP 200/201 with Session token, Session Id expiration, First name, Last name
  21. Login Web Services
     Request (App 1 -> API Web Services): GET /login/(session token)
     Response: HTTP 200/201 (success) with Session token, Session Id expiration, First name, Last name; HTTP 401 (failures)
  22. Login Web Services
     • Minimize sending username, passwords over the wire.
       • Harder to sniff if it’s rarely there
       • Don’t put this in the URL (server logs)
     • Session tokens: Set an expiration time.
       • Client can re-login if necessary
  23. Login Web Services
     HTTP?
  24. “That’s great, but I can brute force the endpoint”
     --JoeHacker
  25. Rate Limiting
     • “Only x number of calls per minute to the endpoint”
     • Recommended for all login and session token endpoints.
     • Can be complicated to implement, but worth it and reusable.
     • http://www.client9.com/2012/05/01/rate-limiting-at-scale/ Thanks @NGalbreath!
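The “x calls per minute” rule from the Rate Limiting slide, as an added example (this is not code from the slides or from the client9 post they cite): a sliding-window counter keyed on source address plus target account, with an injectable clock so the behaviour can be checked deterministically. The key shape, the limit, the window and the client address are assumptions.

```python
"""Sliding-window rate limiter for login and session-token endpoints.

Added example, not code from the slides or from the client9 post. The
key (constructed client IP plus username), the limit and the window are
assumptions; choose them for your own traffic.
"""
from collections import deque
import time


class RateLimiter:
    """Allow at most `limit` calls per `window_seconds` for each key."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock            # injectable so tests can control time
        self._hits = {}               # key -> deque of call timestamps

    def allow(self, key):
        """True if the call fits the budget; False means reject it (HTTP 429)."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:   # expire timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def login_key(client_ip, username):
    """Budget per (source address, target account). The username is normalised so
    that 'Alice' and 'alice' share one budget instead of doubling it."""
    return "%s|%s" % (client_ip, username.strip().lower())


def simulate_login_burst(attempts, limit, window_seconds):
    """Constructed scenario: one client sends `attempts` POST /login calls ten per
    second, then one more after the window has passed.
    Returns (allowed, rejected, allowed_after_window)."""
    now = [0.0]
    limiter = RateLimiter(limit, window_seconds, clock=lambda: now[0])
    key = login_key("203.0.113.7", "Alice")          # RFC 5737 documentation address
    results = []
    for _ in range(attempts):
        now[0] += 0.1
        results.append(limiter.allow(key))
    now[0] += window_seconds                           # wait out the window
    return results.count(True), results.count(False), limiter.allow(key)


if __name__ == "__main__":
    print(simulate_login_burst(20, 5, 60.0))           # (5, 15, True)
```

Keying on both the address and the account is what makes the limiter useful against the brute-force complaint on slide 24: a single source cannot spray one account, and the same budget also applies to the GET /login/(session token) endpoint, where guessing is the threat.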
  26. Note on Session Tokens
     How I really feel about rand() and guid() functions... Yuck
     Use something cryptographically secure
     Keep them 128bit or greater
  27. Login Hack #1
     • Often, the end (web)application will store the username and session token in a cookie.
     • Hack: Create 2 accounts, and login with both and store the cookies. Trade the session token of one account with the other, and see if you can see other account data...
  28. Login Hack #1
     • Developers have good intentions but....
  29. Login Hack #2
     • Verify that session tokens actually expire!
     • Try using the same session token even after you’ve hit “log out” in the application.
     • cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
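Slides 22, 26, 27 and 29 together describe what a session token service has to get right: a CSPRNG token of 128 bits or more, a server-side expiry, identity derived from the token rather than from anything else in the cookie jar, and a /logout that really invalidates. The following is an added example (not code from the slides) that implements those four properties and replays both login hacks against it as a regression check. Assumptions: a 15 minute TTL, an in-memory dict as the session store, and, going one step beyond the slides, storing only a SHA-256 of each token so a leaked store does not hand out live sessions.

```python
"""Server-side session tokens: random, bound to a user, expiring, revocable.

Added example, not code from the slides. Assumed: 15 minute TTL, dict as
the store, and storing sha256(token) rather than the token itself.
"""
import hashlib
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable for deterministic tests
        self._sessions = {}          # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """32 bytes (256 bits) from the OS CSPRNG; never rand() or a GUID."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user_id, self.clock() + self.ttl)
        return token

    def resolve(self, token):
        """User the token belongs to, or None if unknown, expired or revoked."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[key]  # lazy cleanup of expired sessions
            return None
        return user_id

    def revoke(self, token):
        """/logout: invalidate server-side; clearing the client cookie is not enough."""
        self._sessions.pop(self._key(token), None)


def handle_profile_request(store, cookies):
    """GET /login/(session token) style check. Identity comes from the token
    alone; a 'username' cookie, if present, is never consulted (Login Hack #1)."""
    user_id = store.resolve(cookies.get("session", ""))
    if user_id is None:
        return 401, None
    return 200, user_id


def demo():
    """Constructed walk-through of Login Hack #1, Login Hack #2 and expiry."""
    now = [1_700_000_000.0]
    store = SessionStore(ttl_seconds=900, clock=lambda: now[0])
    alice_token = store.issue("alice")
    bob_token = store.issue("bob")
    out = {}
    # Hack #1: Bob presents Alice's username with his own token -> still Bob's data.
    out["swapped"] = handle_profile_request(store, {"username": "alice", "session": bob_token})
    # Hack #2: after /logout the same token must be rejected, not just cleared client-side.
    store.revoke(bob_token)
    out["replayed"] = handle_profile_request(store, {"session": bob_token})
    # Expiry: Alice's token is dead once the TTL has passed.
    now[0] += 901
    out["expired"] = handle_profile_request(store, {"session": alice_token})
    out["bogus"] = handle_profile_request(store, {"session": "not-a-real-token"})
    return out


if __name__ == "__main__":
    print(demo())
```

The point of `handle_profile_request` ignoring the username cookie is the whole of Login Hack #1: if the server trusts the token, the swapped cookie simply yields the token owner's own data. Hack #2 fails because `revoke` removes the server-side record, so a client that skipped /logout and only ran `cookies.clear()` still holds a token that will stop working at `expires_at`.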
  30. Let’s move on..
     Account Creation
     Password Reset
  31. (slide has no text)
  32. "We try to solve very complicated problems without letting people know how complicated the problem was. That's the appropriate thing."
  33. --Usability Jack and Jill
  34. “Remembering passwords is a pain. Let’s make our system have a minimum 4 letter passwords because it’s more usable.”
     --Usability Jack and Jill
  35. Security + Usability
     • The days of the 4 character password are over.
     • UX team interactions:
       • 8+ characters is accepted now
       • Show by example
       • Use “sentences” versus “words” for passwords
     Reference: Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
  36. Account Creation
     • Typically: accept user data, provision account...
  37. Account Creation
     • Sanitize inputs for XSS.
     • If you are asking for user email, validate email actually belongs to the user.
     • May have multiple data stores in play here.
  38. Account Creation
     • Case Sensitivity...
     • Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on.
     • Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
  39. Passwords
  40. Storing Passwords
     “I'm gonna pop some tags
     Only got clear text passwords in my db
     I - I - I'm hunting, looking for a reason to get f*** fired.”
     -The Macklemore stance
  41. Storing Passwords
     Please don’t go “thrift shop” your password storage
  42. Storing Passwords
     • Store only hashed passwords
     • Use a unique, per user salt.
     • Use bcrypt/scrypt to generate your hash
  43. “That’s great, but I’ll just figure out your Cloud DB credentials”
     --JoeHacker
  44. Storing Passwords
     • A technique that I like.. Break up your data into different stores
       • Store the password hash in data store #1
       • Store the salt used to compute the hash in data store #2
       • Store the # of hash iterations in data store #3 (application config?)
       • Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key.
     • http://www.stormpath.com/blog/strong-password-hashing-part-2 Thanks @Stormpath
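Slides 42 and 44 as working code: per-user random salt, a slow hash, and the stored value being a keyed MAC of that hash rather than the hash itself, with the three pieces held in three separate stores. This is an added example, not code from the slides or from the Stormpath post. Assumptions: `hashlib.scrypt` stands in for bcrypt/scrypt, the work factors are illustrative, the three dicts model the three stores, and the MAC key is assumed to live outside all of them (config or a secrets manager). The `offline_check_without_mac_key` helper shows the JoeHacker scenario from slide 43 from the defender's side: with a dump of store #1 and store #2 but no key, even the correct password cannot be confirmed against the record.

```python
"""Password storage: scrypt with a per-user salt, MAC'd with an application key,
spread across separate stores.

Added example, not code from the slides or Stormpath. scrypt parameters and
the dict-backed stores are assumptions.
"""
import hashlib
import hmac
import secrets

# Store #3 (application config): work factors. Constructed values; tune for your hardware.
DEFAULT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


class PasswordVault:
    def __init__(self, mac_key, params=None):
        self._mac_key = mac_key              # application-private; never in the database
        self.params = dict(params or DEFAULT_PARAMS)
        self.hash_store = {}                 # store #1: user_id -> MAC(scrypt(pw, salt))
        self.salt_store = {}                 # store #2: user_id -> salt

    def _derive(self, password, salt):
        p = self.params
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=p["n"], r=p["r"], p=p["p"], dklen=p["dklen"])

    def _mac(self, derived):
        return hmac.new(self._mac_key, derived, hashlib.sha256).digest()

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)       # unique, random, per user
        self.salt_store[user_id] = salt
        self.hash_store[user_id] = self._mac(self._derive(password, salt))

    def verify(self, user_id, password):
        salt = self.salt_store.get(user_id)
        expected = self.hash_store.get(user_id)
        if salt is None or expected is None:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users
            return False
        actual = self._mac(self._derive(password, salt))
        return hmac.compare_digest(actual, expected)   # constant-time comparison


def offline_check_without_mac_key(vault, user_id, guess):
    """What a dump of stores #1 and #2 (no MAC key) allows: derive scrypt(guess, salt)
    and compare it with the stored record. Because the record is a MAC of the hash,
    the comparison fails even for the correct password."""
    derived = vault._derive(guess, vault.salt_store[user_id])
    return hmac.compare_digest(derived, vault.hash_store[user_id])


def demo():
    """Constructed scenario: two users choose the same password."""
    vault = PasswordVault(mac_key=secrets.token_bytes(32))
    pw = "correct horse battery staple"
    vault.set_password("alice", pw)
    vault.set_password("bob", pw)
    return {
        "distinct_salts": vault.salt_store["alice"] != vault.salt_store["bob"],
        "distinct_records": vault.hash_store["alice"] != vault.hash_store["bob"],
        "right_password": vault.verify("alice", pw),
        "wrong_password": vault.verify("alice", "Correct horse battery staple"),
        "unknown_user": vault.verify("mallory", pw),
        "offline_check_without_key": offline_check_without_mac_key(vault, "alice", pw),
    }


if __name__ == "__main__":
    print(demo())
```

Two details worth noting: `verify` runs a derivation even for unknown users so response time does not reveal which usernames exist, and the comparison uses `hmac.compare_digest` so it does not leak how many leading bytes matched. Rotating the MAC key means re-MACing on next login, since the underlying scrypt output is not stored anywhere.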
  45. Storing Passwords
     • http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
     • http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database
     • http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
     • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication
  46. Reset or Restore?
     • I prefer Password Reset.
     • “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter.
     • Make sure Password Reset tokens are one use only and expire “super fast”
  47. Account Creation Workflow
     Get User Credentials -> Validate Email -> Create Password
     OR
     Get User Credentials and Password -> Validate Email -> Allow Login
  48. Account Creation Workflow
     Get User Credentials and Password -> Validate Email -> Allow Login
     • Winner!
     • Data to support that more users convert to creating accounts this way.
     • http://www.stormpath.com/blog/how-we-increased-new-user-registration-27 Thanks @chunsaker
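The account creation rules from slides 35, 37 and 38, the reset-token rule from slide 46 and the winning workflow from slide 48 (credentials and password first, then validate email, then allow login) fit in one small registration model. This is an added example, not code from the slides; it assumes an in-memory user table, a 15 minute reset-token lifetime as one reading of “super fast”, and a minimum password length of 8 from slide 35. It goes a little beyond slide 38 by normalising the address with NFKC before case-folding, which also covers the “foreign characters” variant of the same duplicate-account problem.

```python
"""Account creation and password reset: normalised e-mail uniqueness, minimum
password length, e-mail validation before login, single-use expiring reset tokens.

Added example, not code from the slides. Assumed: dict-backed tables, 15 minute
reset TTL, and NFKC + casefold as the canonical e-mail form.
"""
import secrets
import time
import unicodedata

MIN_PASSWORD_LENGTH = 8          # slide 35: 8+ characters is accepted now
RESET_TOKEN_TTL = 15 * 60        # assumed reading of "expire super fast"


def normalize_email(email):
    """Canonical form for uniqueness checks and lookups: user@email.com and
    UsEr@email.com (and fullwidth look-alikes) collapse to one key."""
    email = unicodedata.normalize("NFKC", email).strip()
    if email.count("@") != 1 or not email.split("@")[1]:
        raise ValueError("not an e-mail address")
    return email.casefold()


class Accounts:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}          # normalised email -> {"verified": bool}
        self.email_tokens = {}   # verification token -> normalised email
        self.reset_tokens = {}   # reset token -> (normalised email, expires_at)

    def register(self, email, password):
        """Slide 48 step 1: take credentials and password; return the e-mail
        validation token that would be sent to the address (never shown on screen)."""
        key = normalize_email(email)
        if key in self.users:
            raise ValueError("account already exists")
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        self.users[key] = {"verified": False}
        token = secrets.token_urlsafe(32)
        self.email_tokens[token] = key
        return token

    def verify_email(self, token):
        """Slide 48 step 2: prove the address belongs to the user (one use)."""
        key = self.email_tokens.pop(token, None)
        if key is None:
            return False
        self.users[key]["verified"] = True
        return True

    def can_login(self, email):
        """Slide 48 step 3: login is allowed only after the address is validated."""
        user = self.users.get(normalize_email(email))
        return bool(user and user["verified"])

    def request_reset(self, email):
        """Mint a reset token for a known account. The HTTP response should look the
        same whether or not the account exists; only the e-mail is (not) sent."""
        key = normalize_email(email)
        if key not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (key, self.clock() + RESET_TOKEN_TTL)
        return token

    def redeem_reset(self, token):
        """Return the account the token unlocks, or None. pop() makes it one-use."""
        entry = self.reset_tokens.pop(token, None)
        if entry is None:
            return None
        key, expires_at = entry
        if self.clock() >= expires_at:
            return None
        return key


def demo():
    """Constructed walk-through of the duplicate-registration hack and token rules."""
    now = [1_700_000_000.0]
    acct = Accounts(clock=lambda: now[0])
    out = {}
    verify_token = acct.register("User@Email.com", "correct horse battery")
    try:
        acct.register("uSER@email.com", "another long passphrase")   # slide 38 hack
        out["dup_rejected"] = False
    except ValueError:
        out["dup_rejected"] = True
    try:
        acct.register("short@example.com", "abc")
        out["short_rejected"] = False
    except ValueError:
        out["short_rejected"] = True
    out["login_before_verify"] = acct.can_login("user@email.com")
    acct.verify_email(verify_token)
    out["login_after_verify"] = acct.can_login("user@email.com")
    reset = acct.request_reset("user@email.com")
    out["reset_first_use"] = acct.redeem_reset(reset)
    out["reset_second_use"] = acct.redeem_reset(reset)        # one use only
    reset2 = acct.request_reset("user@email.com")
    now[0] += RESET_TOKEN_TTL + 1
    out["reset_expired"] = acct.redeem_reset(reset2)           # expired
    return out


if __name__ == "__main__":
    print(demo())
```

The duplicate check works because every lookup and insert goes through `normalize_email`, so the datastore's own case sensitivity no longer matters. XSS sanitisation from slide 37 is deliberately not here: that belongs at the output encoder, not in the account model.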
  49. Final Thoughts
     • AKA I have to present in a few hours, but I have no time to worry about flow.. #FreeStyling
  50. Final Thoughts
     • If you have many apps with login screens/create account screens, keep these consistent.
     • Users lose trust if login screens are different across apps by the same company
  51. Final Thoughts
     • If you’re a Java shop, check out Apache Shiro Framework; it’s made for the authentication use case.
     • SaaS version: Stormpath
  52. Final Thoughts
     • 2 factor auth
       • Definitely strengthens the security.
       • Usability verdict is still out.
       • Challenging to implement, but a good idea.
  53. Final Thoughts
     • Login Dashboards in “My Profile” with last login information, geo location, timestamp are more popular.
     • You have all this data anyways, so why not show it?
  54. PSA on OAuth
     “Why does this random website need read and write OAuth access to my twitter / facebook account?”
  55. Thank You for your time!
     Lunch?