LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!


In this talk, I will outline the best practices to build out secure user management and authentication platforms for your products.

At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!

Transcript

  • 1. User Authentication for Winners! Speaker: Karthik Gaekwad Password: LASCON 2013 Remember this stuff when you code @iteration1 Friday, October 25, 13 #UserAuth101
  • 2. User Authentication for Winners! Speaker: Karthik Gaekwad Password: ************ Well played security guru; well played! Remember this stuff when you code
  • 3. Howdy! • I’m Karthik Gaekwad • Senior Web Engineer, Mentor Graphics Embedded • From Austin, TX • Spent the last 3 years writing/refining cloud based user auth systems
  • 4. Audience Survey
  • 5. My agenda • Developers and DevOps: Build better auth systems • Security Pro’s: Give you developer insight, new ideas to attack auth systems • Management: Give this ppt to your dev teams.
  • 6-7. Authentication Mechanisms • Write your own • OpenID • OAuth
  • 8. Common Perception “Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
  • 9. Reality: API (PaaS) + Workflows + User Interface(s)
  • 10. Designing Auth Systems API: How your system is used • Login/Logout • Session Management (Remember Me etc) • User Creation • Password Reset
  • 11. Designing Auth Systems Workflows: Rules for how the system works • Account Creation • Password Reset • Account Recovery
  • 12. Designing Auth Systems User Interface: What end user will actually see • Where users can create account • Login screens • My Profile Page • End applications using the API’s
  • 13-15. High Level Design (diagram) • Email Web Services • API Web Services (Login/Logout) • User Portal • App 1, App 2, App 3... • Data store(s)
  • 16. Quick look @data • email • username • first name • last name • password • {id}
  • 17. Quick look @data Keep your auth data separate • You don’t want to clutter your auth data with ecommerce/address/whatever other data • Not rocket science. • It’s called normalization
  • 18. Breaking it down: API Web Services (Login/Logout)
  • 19. Login Web Services: API Web Services (Login/Logout) The Goal: Keep user credentials as safe as possible in transit
  • 20. Login Web Services • Request (App 1 to API Web Services): POST /login with encoded username:password • Response: HTTP 200/201 with Session token, Session Id expiration, First name, Last name
  • 21. Login Web Services • Request (App 1 to API Web Services): GET /login/(session token) • Response: HTTP 200/201 (success), HTTP 401 (failures), with Session token, Session Id expiration, First name, Last name
  • 22. Login Web Services • Minimize sending username, passwords over the wire. • Harder to sniff if it’s rarely there • Don’t put this in the URL (server logs) • Session tokens: Set an expiration time. • Client can re-login if necessary
  • 23. Login Web Services: HTTP?
  • 24. “That’s great, but I can brute force the endpoint” --JoeHacker
  • 25. Rate Limiting • “Only x number of calls per minute to the endpoint” • Recommended for all login and session token endpoints. • Can be complicated to implement, but worth it and reusable. • http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
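As an added example (not code from the talk), a per-key token-bucket limiter of the kind slide 25 puts in front of /login and session-token endpoints; it gates each attempt on both the source address and the target account. The rates, key shapes and injectable clock are assumptions chosen for illustration.

```python
# Added example: token-bucket rate limiting for login endpoints (slide 25).
# Keys, rates and the clock are assumptions, not values from the talk.
import time
from collections import defaultdict


class TokenBucket:
    """Allow `rate` calls per `period` seconds per key, bursting up to `rate`."""

    def __init__(self, rate, period, clock=time.monotonic):
        self.rate = float(rate)          # bucket capacity (burst size)
        self.refill = rate / period      # tokens added per second
        self.clock = clock               # injectable so tests are deterministic
        # key -> (tokens remaining, timestamp of last update); new keys start full
        self._buckets = defaultdict(lambda: (self.rate, self.clock()))

    def allow(self, key):
        """Consume one token for `key`; False means answer HTTP 429 and stop."""
        tokens, last = self._buckets[key]
        now = self.clock()
        tokens = min(self.rate, tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._buckets[key] = (tokens - 1.0, now)
            return True
        self._buckets[key] = (tokens, now)
        return False


def login_allowed(limiter, client_ip, username):
    """Gate a login attempt on the source IP and on the target account, so one
    source cannot spray many accounts and many sources cannot hammer one."""
    return limiter.allow(("ip", client_ip)) and limiter.allow(("user", username.lower()))
```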
  • 26. Note on Session Tokens • How I really feel about rand() and guid() functions... Yuck • Use something cryptographically secure • Keep them 128bit or greater
  • 27. Login Hack #1 • Often, the end (web)application will store the username and session token in a cookie. • Hack: Create 2 accounts, and login with both and store the cookies. Trade the session token of one account with the other, and see if you can see other account data...
  • 28. Login Hack #1 • Developers have good intentions but....
  • 29. Login Hack #2 • Verify that session tokens actually expire! • Try using the same session token even after you’ve hit “log out” in the application. • cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
  • 30. Let’s move on.. Account Creation, Password Reset
  • 31. (no transcript text)
  • 32. "We try to solve very complicated problems without letting people know how complicated the problem was. That's the appropriate thing."
  • 33. --Usability Jack and Jill
  • 34. “Remembering passwords is a pain. Let’s make our system have a minimum 4 letter passwords because it’s more usable.” --Usability Jack and Jill
  • 35. Security + Usability • The days of the 4 character password are over. • UX team interactions: • 8+ characters is accepted now • Show by example • Use “sentences” versus “words” for passwords • Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
  • 36. Account Creation • Typically: accept user data, provision account...
  • 37. Account Creation • Sanitize inputs for XSS. • If you are asking for user email, validate email actually belongs to the user. • May have multiple data stores in play here.
  • 38. Account Creation • Case Sensitivity... • Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on. • Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
  • 39. Passwords
  • 40. Storing Passwords “I'm gonna pop some tags Only got clear text passwords in my db I - I - I'm hunting, looking for a reason to get f*** fired.” -The Macklemore stance
  • 41. Storing Passwords Please don’t go “thrift shop” your password storage
  • 42. Storing Passwords • Store only hashed passwords • Use a unique, per user salt. • Use bcrypt/scrypt to generate your hash
  • 43. “That’s great, but I’ll just figure out your Cloud DB credentials” --JoeHacker
  • 44. Storing Passwords • A technique that I like.. Break up your data into different stores • Store the password hash in data store #1 • Store the salt used to compute the hash in data store #2 • Store the # of hash iterations in data store #3 (application config?) • Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key. • http://www.stormpath.com/blog/strong-password-hashing-part-2 Thanks @Stormpath
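As an added example (not the talk's or Stormpath's code), the slide 42 and slide 44 recommendations in one place: a per-user salt, scrypt as the slow hash, and an application-private HMAC key applied to the result, with hash, salt and cost parameters kept in three separate stores. The dicts stand in for real data stores; the key, parameters and sample accounts are constructed for illustration, and usernames are case-folded (slide 38).

```python
# Added example: split password storage (slides 42, 44). Stores, key and
# parameters are illustrative stand-ins, not the talk's own values.
import hashlib
import hmac
import secrets

APP_MAC_KEY = secrets.token_bytes(32)        # application config, never in the DB
HASH_PARAMS = {"n": 2**14, "r": 8, "p": 1}   # store #3: cost/"iteration" parameters

hash_store = {}   # store #1: username -> HMAC(APP_MAC_KEY, scrypt(password, salt))
salt_store = {}   # store #2: username -> per-user random salt


def _norm(username):
    """Case-fold so user@email.com and UsEr@email.com are the same account."""
    return username.strip().lower()


def _derive(password, salt, params):
    """scrypt with the per-user salt, then MAC the result: a leaked hash_store is
    useless without APP_MAC_KEY, and a leaked key is useless without the salts."""
    raw = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **params)
    return hmac.new(APP_MAC_KEY, raw, hashlib.sha256).digest()


def register(username, password):
    """Provision credentials for a new account."""
    user = _norm(username)
    salt = secrets.token_bytes(16)             # unique per user, 128 bits
    salt_store[user] = salt
    hash_store[user] = _derive(password, salt, HASH_PARAMS)


def verify(username, password):
    """True only if the password reproduces the stored MAC (constant-time compare)."""
    user = _norm(username)
    salt, stored = salt_store.get(user), hash_store.get(user)
    if salt is None or stored is None:
        # Do a real derivation so unknown usernames cost as much as wrong passwords.
        _derive(password, b"\x00" * 16, HASH_PARAMS)
        return False
    return hmac.compare_digest(stored, _derive(password, salt, HASH_PARAMS))
```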
  • 45. Storing Passwords • http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html • http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database • http://www.stormpath.com/blog/strong-password-hashing-apache-shiro • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication
  • 46. Reset or Restore? • I prefer Password Reset. • “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter. • Make sure Password Reset tokens are one use only and expire “super fast”
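As an added example (not from the talk), one expiring-token store that serves both the session tokens of slides 20 through 29 and the one-use reset tokens of slide 46: tokens come from the OS CSPRNG at 256 bits (slide 26), identity is resolved from the token alone rather than a client-supplied username (Login Hack #1), logout revokes server-side (Login Hack #2), and expiry is enforced on every lookup. The TTLs, purpose labels and injectable clock are illustrative assumptions.

```python
# Added example: session and reset token store (slides 20-29, 26, 46).
# TTLs and purpose names are assumptions for illustration.
import hashlib
import secrets
import time


class TokenStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._live = {}   # sha256(token) -> (subject, purpose, expires_at)

    @staticmethod
    def _key(token):
        # Keep only a digest server-side: a leaked table cannot be replayed as tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, subject, purpose, ttl_seconds):
        """Mint a 256-bit token bound to a subject and a purpose ("session"/"reset")."""
        token = secrets.token_urlsafe(32)          # CSPRNG, not rand()/guid()
        self._live[self._key(token)] = (subject, purpose, self.clock() + ttl_seconds)
        return token

    def lookup(self, token, purpose):
        """Return the subject the token was issued to, or None (answer HTTP 401).
        The token alone decides identity; expired tokens are purged on sight."""
        key = self._key(token)
        entry = self._live.get(key)
        if entry is None:
            return None
        subject, issued_for, expires_at = entry
        if self.clock() >= expires_at:
            self._live.pop(key, None)
            return None
        return subject if issued_for == purpose else None

    def revoke(self, token):
        """What /logout must do; cookies.clear() on the client is not a logout."""
        self._live.pop(self._key(token), None)

    def consume_reset(self, token):
        """Reset tokens are one-use: resolve and revoke in a single step."""
        subject = self.lookup(token, "reset")
        if subject is not None:
            self.revoke(token)
        return subject
```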
  • 47. Account Creation Workflow • Get User Credentials → Validate Email → Create Password → Allow Login • OR • Get User Credentials and Password → Validate Email → Allow Login
  • 48. Account Creation Workflow • Get User Credentials and Password → Validate Email → Allow Login • Winner! • Data to support that more users convert to creating accounts this way. • http://www.stormpath.com/blog/how-we-increased-new-user-registration-27 Thanks @chunsaker
  • 49. Final Thoughts • AKA I have to present in a few hours, but I have no time to worry about flow.. #FreeStyling
  • 50. Final Thoughts • If you have many apps with login screens/create account screens, keep these consistent. • Users lose trust if login screens are different across apps by same company
  • 51. Final Thoughts • If you’re a Java shop, check out Apache Shiro Framework: it’s made for the authentication usecase. • SaaS version: Stormpath
  • 52. Final Thoughts • 2 factor auth • Definitely strengthens the security. • Usability verdict is still out. • Challenging to implement, but a good idea.
  • 53. Final Thoughts • Login Dashboards in “My Profile” with last login information, geo location, timestamp is more popular. • You have all this data anyways, so why not show it?
  • 54. PSA on OAuth “Why does this random website need read and write OAuth access to my twitter / facebook account?”
  • 55. Thank You for your time! Lunch?