LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!
In this talk, I will outline the best practices to build out a secure user management and authentication platforms for your products.

At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!

Transcript

  • 1. User Authentication for Winners! Speaker: Karthik Gaekwad Password: LASCON 2013 Remember this stuff when you code @iteration1 Friday, October 25, 13 #UserAuth101
  • 2. User Authentication for Winners! Speaker: Karthik Gaekwad Password: ************ Well played security guru; well played! Remember this stuff when you code.
  • 3. Howdy! • I’m Karthik Gaekwad • Senior Web Engineer, Mentor Graphics Embedded • From Austin, TX • Spent the last 3 years writing/refining cloud-based user auth systems
  • 4. Audience Survey
  • 5. My agenda • Developers and DevOps: build better auth systems • Security Pro’s: give you developer insight, new ideas to attack auth systems • Management: give this ppt to your dev teams.
  • 6. Authentication Mechanisms • Write your own • OpenID • OAuth
  • 7. Authentication Mechanisms • Write your own • OpenID • OAuth
  • 8. Common Perception “Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
  • 9. Reality: API (PaaS) + Workflows + User Interface(s)
  • 10. Designing Auth Systems API: How your system is used • Login/Logout • Session Management (Remember Me etc) • User Creation • Password Reset
  • 11. Designing Auth Systems Workflows: Rules for how the system works • Account Creation • Password Reset • Account Recovery
  • 12. Designing Auth Systems User Interface: What the end user will actually see • Where users can create an account • Login screens • My Profile Page • End applications using the API’s
  • 13. High Level Design (diagram: Email Web Services, API Web Services (Login/Logout), User Portal, App 1, App 2, App 3..., Data store(s))
  • 14. High Level Design (same diagram)
  • 15. High Level Design (same diagram)
  • 16. Quick look @data • email • username • first name • last name • password • {id}
  • 17. Quick look @data Keep your auth data separate • You don’t want to clutter your auth data with ecommerce/address/whatever other data • Not rocket science. • It’s called normalization
  • 18. Breaking it down: API Web Services (Login/Logout)
  • 19. Login Web Services API Web Services (Login/Logout) The Goal: Keep user credentials as safe as possible in transit
  • 20. Login Web Services (App 1 → API Web Services) Request: POST /login with encoded username:password. Response: HTTP 200/201 with session token, session id expiration, first name, last name
  • 21. Login Web Services (App 1 → API Web Services) Request: GET /login/(session token). Response: HTTP 200/201 (success), HTTP 401 (failures), with session token, session id expiration, first name, last name
  • 22. Login Web Services • Minimize sending username, passwords over the wire. • Harder to sniff if it’s rarely there • Don’t put this in the URL (server logs) • Session tokens: Set an expiration time. • Client can re-login if necessary
  • 23. Login Web Services HTTP?
  • 24. “That’s great, but I can brute force the endpoint” --JoeHacker
  • 25. Rate Limiting • “Only x number of calls per minute to the endpoint” • Recommended for all login and session token endpoints. • Can be complicated to implement, but worth it and reusable. • http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
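As an added example (not from the talk or the client9 post it links), a sliding-window limiter of the “x calls per minute per key” kind slide 25 describes, applied to a constructed burst of login attempts; the class and function names, the 5-per-60-seconds limit and the sample attempts are assumptions:

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window_seconds` per key.
    The key is whatever you bucket on (client IP, username, or both)."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock            # injectable so tests can control time
        self._hits = {}               # key -> deque of call timestamps

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False              # caller should answer HTTP 429
        hits.append(now)
        return True


def simulate_login_attempts(attempts, limit=5, window=60):
    """Replay constructed (timestamp, key) pairs through one limiter.
    Returns a list of booleans aligned with `attempts`: True = allowed."""
    current = {"t": 0.0}
    limiter = RateLimiter(limit, window, clock=lambda: current["t"])
    results = []
    for t, key in attempts:
        current["t"] = t
        results.append(limiter.allow(key))
    return results


# Constructed sample: one client hits /login 7 times in 10 seconds while
# another client makes a single call in the same period.
SAMPLE_ATTEMPTS = [(i * 1.5, "10.0.0.1") for i in range(7)] + [(3.0, "10.0.0.2")]
```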
  • 26. Note on Session Tokens • How I really feel about rand() and guid() functions... Yuck • Use something cryptographically secure • Keep them 128-bit or greater
  • 27. Login Hack #1 • Often, the end (web)application will store the username and session token in a cookie. • Hack: Create 2 accounts, and login with both and store the cookies. Trade the session token of one account with the other, and see if you can see other account data...
  • 28. Login Hack #1 • Developers have good intentions but....
  • 29. Login Hack #2 • Verify that session tokens actually expire! • Try using the same session token even after you’ve hit “log out” in the application. • cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
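Added example, not the speaker's code: a server-side session table that puts slides 20 through 29 together. Tokens come from the OS CSPRNG at 256 bits (above the 128-bit floor on slide 26), every session carries an expiry, logout invalidates the server's copy, and the lookup ignores anything the client claims alongside the token, so the cookie swap from Hack #1 only ever returns the token owner's data. The class, function names and the 30-minute TTL are assumptions:

```python
import secrets
import time

TOKEN_BYTES = 32            # 256-bit tokens (assumed; talk asks for 128-bit minimum)
SESSION_TTL = 30 * 60       # assumed 30-minute lifetime


class SessionStore:
    """Server-side session table keyed by token. Only the server's record
    decides who the caller is; a username cookie sent next to the token
    is never consulted."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock            # injectable so tests can control time
        self._sessions = {}           # token -> (user_id, expires_at)

    def login(self, user_id):
        # secrets.token_urlsafe draws from the OS CSPRNG, not rand()/guid().
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = (user_id, self.clock() + self.ttl)
        return token

    def resolve(self, token):
        """Return the user_id that owns `token`, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]     # lazily purge expired sessions
            return None
        return user_id

    def logout(self, token):
        """Invalidate server-side; clearing the cookie alone changes nothing here."""
        self._sessions.pop(token, None)


def profile_for(store, token, claimed_user):
    """Hack #1 seen from the server: `claimed_user` (the username cookie) is
    deliberately ignored; data is served only for the token's owner.
    Returns (user_id, 200) or (None, 401)."""
    owner = store.resolve(token)
    if owner is None:
        return None, 401
    return owner, 200
```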
  • 30. Let’s move on.. Account Creation, Password Reset
  • 31. (no transcript text)
  • 32. "We try to solve very complicated problems without letting people know how complicated the problem was. That's the appropriate thing."
  • 33. --Usability Jack and Jill
  • 34. “Remembering passwords is a pain. Let’s make our system have a minimum 4 letter passwords because it’s more usable.” --Usability Jack and Jill
  • 35. Security + Usability • The days of the 4-character password are over. • UX team interactions: 8+ characters is accepted now; show by example; use “sentences” versus “words” for passwords • Reference: Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
  • 36. Account Creation • Typically: accept user data, provision account...
  • 37. Account Creation • Sanitize inputs for XSS. • If you are asking for user email, validate the email actually belongs to the user. • May have multiple data stores in play here.
  • 38. Account Creation • Case Sensitivity... • Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on. • Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
  • 39. Passwords
  • 40. Storing Passwords “I'm gonna pop some tags / Only got clear text passwords in my db / I - I - I'm hunting, looking for a reason to get f*** fired.” -The Macklemore stance
  • 41. Storing Passwords Please don’t go “thrift shop” your password storage
  • 42. Storing Passwords • Store only hashed passwords • Use a unique, per user salt. • Use bcrypt/scrypt to generate your hash
  • 43. “That’s great, but I’ll just figure out your Cloud DB credentials” --JoeHacker
  • 44. Storing Passwords • A technique that I like.. break up your data into different stores: • Store the password hash in data store #1 • Store the salt used to compute the hash in data store #2 • Store the # of hash iterations in data store #3 (application config?) • Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key. • http://www.stormpath.com/blog/strong-passwordhashing-part-2 Thanks @Stormpath
  • 45. Storing Passwords • http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwordsincorrectly.html • http://stackoverflow.com/questions/1054022/bestway-to-store-password-in-database • http://www.stormpath.com/blog/strong-passwordhashing-apache-shiro • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication
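Added example rather than the talk's or Stormpath's code: the three-store split from slide 44 in Python, with scrypt as the slow, per-user-salted hash from slide 42 and HMAC-SHA256 as the application-keyed MAC, so a dump of store #1 alone yields nothing that can be cracked without the app key. Function names, scrypt parameters and the way the MAC key is loaded are assumptions:

```python
import hashlib
import hmac
import os
import secrets

# Store #3 (application config): the work factor. Raise it over time.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}

# Application-private MAC key. Assumed to live in the app's secret store,
# never in the user database; the dev fallback exists only so this runs.
APP_MAC_KEY = os.environ.get("APP_MAC_KEY", "dev-only-key-replace-me").encode()


def derive(password, salt, params=SCRYPT_PARAMS):
    """Slow, salted hash of the password (scrypt, as slide 42 recommends)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **params)


def protect(password):
    """Return (mac, salt): the MAC goes to store #1, the salt to store #2.
    The raw scrypt output is never persisted anywhere."""
    salt = secrets.token_bytes(16)          # unique per user, from the OS CSPRNG
    digest = derive(password, salt)
    mac = hmac.new(APP_MAC_KEY, digest, hashlib.sha256).digest()
    return mac, salt


def verify(password, mac, salt):
    """Recompute from both stores plus the config and compare in constant time."""
    digest = derive(password, salt)
    expected = hmac.new(APP_MAC_KEY, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, mac)
```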
  • 46. Reset or Restore? • I prefer Password Reset. • “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter. • Make sure Password Reset tokens are one use only and expire “super fast”
  • 47. Account Creation Workflow: Get User Credentials → Validate Email → Create Password → Allow Login, OR Get User Credentials and Password → Validate Email → Allow Login
  • 48. Account Creation Workflow: Get User Credentials and Password → Validate Email → Allow Login • Winner! • Data to support that more users convert to creating accounts this way: http://www.stormpath.com/blog/how-weincreased-new-user-registration-27 Thanks @chunsaker
  • 49. Final Thoughts • AKA I have to present in a few hours, but I have no time to worry about flow.. #FreeStyling
  • 50. Final Thoughts • If you have many apps with login screens/create account screens, keep these consistent. • Users lose trust if login screens are different across apps by the same company
  • 51. Final Thoughts • If you’re a Java shop, check out the Apache Shiro Framework; it’s made for the authentication use case. • SaaS version: Stormpath
  • 52. Final Thoughts • 2 factor auth • Definitely strengthens the security. • Usability verdict is still out. • Challenging to implement, but a good idea.
  • 53. Final Thoughts • Login Dashboards in “My Profile” with last login information, geo location, timestamp are more popular. • You have all this data anyways, so why not show it?
  • 54. PSA on OAuth “Why does this random website need read and write OAuth access to my twitter / facebook account?”
  • 55. Thank You for your time! Lunch? @iteration1 #UserAuth101