
Better Security With Two Factor Authentication (PHP Unconference 2013)

What does Two Factor Authentication mean? How does it work and how difficult is it to integrate it into your own web application?


  1. Who am I? Norman Soetbeer, Computer Science Student, Game Developer @ InnoGames, Twitter: @TheBattleRattle, GitHub: BattleRattle
  2. Login flow: (1) "John Doe" / "********", submit, LOGIN; (2) "Enter your Code" 743503, submit, "An authenticator is connected to your account"; Welcome: "Hey, John Doe! You successfully logged in"
  3. Also known as: TFA, 2FA, Two-Step Authentication, Two-Step Verification (Google), Two Factor Verification (Dropbox, Twitter), Login Approvals (Facebook), Code Generator (Facebook)
  4. Three factors; consider two (or more)
  5. Knowledge factor, "something only the user knows": PIN, password, pattern, "What was the name of your first pet?"
  6. Possession factor, "something only the user has": key, smart card, ATM card, mobile phone, hard tokens, USB tokens
  7. Inherence factor, "something only the user is": fingerprint, iris, voice, DNA
  8. Automatic Teller Machine: ATM card + PIN = "something only the user has" + "something only the user knows"
  9. Requirements for secure factors: strong entropy of secrets
  10. Requirements for secure factors: high resistance of tokens against cloning
  11. Requirements for secure factors: uniqueness and reliability of biometrics
  12. Requirements for secure factors: secure transport (tokens, passwords, etc.)
  13. Requirements for secure factors, additional management: disable lost tokens; define the steps for a password reset; withdraw credentials that are no longer required
  14. Requirements for secure factors, fraud detection: monitor failed attempts, lock the account
  15. What is possible?
  16. Knowledge factor: PIN?
  17. Knowledge factor: password?
  18. Knowledge factor: pattern? requires JavaScript / Flash, but
  19. Knowledge factor: "What was the name of your first pet?" does not fulfill "something only the user knows"
  20. Possession factor: key? difficult to check
  21. Possession factor: smart card? requires additional hardware; not usable in a web browser (maybe with a plugin); costs (card, card reader, transport of the card)
  22. Possession factor: USB token? not usable in a web browser (maybe with a plugin); costs (token + transfer)
  23. Possession factor: hard token? costs (the token itself, transport)
  24. Possession factor: mobile phone? SMS? costs
  25. Give us your phone number?
  26. Possession factor: mobile phone? voice message? same as SMS
  27. Possession factor: mobile phone? code generator (smart phone)
  28. Secret key, secret counter value, public serial; a new code on every key press (the counter increases)
  29. HMAC-Based One-Time Password: hash = hmac_sha1(key, counter); offset = last 4 bits of hash; number = 4 bytes from hash, beginning at offset; pad the number to the given length
  30. Example: hash = hmac_sha1("12345", 1) = 20 d4 c6 b0 32 ea 01 da 02 6e a8 a9 f6 f4 00 41 d0 95 6d 08; offset = last 4 bits of hash = 8; number = 4 bytes from hash, beginning at offset = 02 6e a8 a9; padded to the given length: 40806569
  31. Usage. Web application table (serial | key | counter | uid):
        FOO-BAR-BAZ    | 43A7B66200DD | 7  | 42456
        ABCD-EFGH-IJKL | AF3A77E8D638 | 19 | 87632
        MNOP-QRST-UVWX | 74DA39355CB6 | 2  | 24572
      Authenticator: SERIAL ABCD-EFGH-IJKL, KEY (secret) AF3A77E8D638, COUNTER (secret) 19
  32. Generate a new code: the authenticator increments its counter to 20 and shows 830429; the user enters 830429 in the web application, which still stores counter 19 for ABCD-EFGH-IJKL
  33. Code was correct: the web application updates the counter for ABCD-EFGH-IJKL to 20, matching the authenticator
  34. Code was incorrect (e.g. typo): the authenticator is at counter 20, the web application still stores 19, and the codes no longer match (830428 vs. 830429)
  35. Code was incorrect (e.g. typo): the authenticator stays at counter 20 while the web application keeps 19; the counters are out of sync
  36. Solution: also check up to 10 upcoming codes and update the counter on a match
  37. Secret key, internal clock; a new code every 30 seconds
  38. Time-Based One-Time Password: time_frame = floor(unix_timestamp / time_step); hash = hmac_sha1(key, time_frame); offset = last 4 bits of hash; number = 4 bytes from hash, beginning at offset; pad the number to the given length
  39. Usage. Web application table (key | uid):
        43A7B66200DD | 42456
        AF3A77E8D638 | 87632
        74DA39355CB6 | 24572
      Authenticator: KEY (maybe secret) AF3A77E8D638, UNIX TIMESTAMP 1234567890; it shows 692113 and the user enters 692113. The code must be marked as used, because "one-time password"
  40. Wrong code: same setup, but the entered code does not match (849372 vs. 692113); you should lock the account for the current time frame
  41. What about delays? Clocks out of sync?
  42. Simple: just also check one time frame before and one after the current one
  43. Demo time
  44. Step 1, check credentials:
        // Check Credentials (Step 1)
        $username = $_POST['username'];
        $password = $_POST['password'];
        $user = getUserByCredentials($username, $password);
        if (!$user) {
            redirect('/login/');
        }
        // a user with an authenticator is not fully authenticated yet
        if ($user->hasAuthenticator()) {
            $session->set('authenticated', false);
        } else {
            $session->set('authenticated', true);
        }
  45. Gate for protected pages:
        // Check for Authentication
        if (!$session->get('authenticated')) {
            redirect('/tfa-code/');
        }
  46. Step 2, check the code:
        // Check Code (Step 2)
        use BattleRattle\Doorman\Authentication\GoogleAuthenticator;

        // get the code from user input
        $code = $_POST['code'];
        // get the associated key for the current user
        $key = 'ONETIMEPASSWORDS';

        $authenticator = new GoogleAuthenticator();
        $result = $authenticator->authenticate($key, $code);
        if ($result) {
            echo 'Welcome, you successfully logged in';
        } else {
            echo 'Nope, try again';
        }
  47. Installation via Composer / Packagist:
        "require": { "battlerattle/doorman": "dev-master" }
  48. Questions?
  49. Thank you
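The HOTP and TOTP logic from slides 28 to 42 (HMAC-SHA1, offset from the last 4 bits, padding, the look-ahead of 10 upcoming counters, the one-frame tolerance and marking a frame as used), as an added Python example that is not part of the talk or of the doorman library. The key and timestamps are the published RFC 4226 / RFC 6238 test values rather than the slides' keys; `verify_hotp` and `verify_totp` are assumed server-side helper names.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(key, counter) followed by dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # last 4 bits of the hash
    number = struct.unpack(">I", mac[offset:offset + 4])[0]   # 4 bytes from the offset
    number &= 0x7FFFFFFF                                      # drop the sign bit
    return str(number % 10 ** digits).zfill(digits)           # pad to the given length


def totp(key: bytes, unix_timestamp: int, time_step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time frame."""
    return hotp(key, unix_timestamp // time_step, digits)


def verify_hotp(key: bytes, stored_counter: int, code: str, look_ahead: int = 10):
    """Server side of the counter-sync problem: stored_counter is the last
    accepted counter, so the next valid code is 1..look_ahead steps ahead.
    Returns the counter to store on success, None if the code is rejected."""
    for candidate in range(stored_counter + 1, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, candidate), code):
            return candidate
    return None


def verify_totp(key: bytes, code: str, now: int, last_used_frame: int,
                time_step: int = 30, window: int = 1):
    """Accept the current time frame plus `window` frames before and after it,
    but never a frame that was already consumed (one-time password).
    Returns the matched frame to persist as last_used_frame, or None."""
    frame = now // time_step
    for candidate in range(frame - window, frame + window + 1):
        if candidate <= last_used_frame:
            continue                      # replay of an already used code
        if hmac.compare_digest(hotp(key, candidate), code):
            return candidate
    return None


# Constructed secret: the ASCII test key from RFC 4226 / RFC 6238, not a real one.
TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(TEST_KEY, 0))                    # 755224 (RFC 4226 test vector)
    print(totp(TEST_KEY, 59))                   # 287082 (RFC 6238: time 59 is frame 1)
    print(verify_hotp(TEST_KEY, 0, "287082"))   # 1
```

The returned counter or frame is what the web application persists next to the key, so a replayed TOTP code in the same frame and an HOTP code older than the stored counter are both rejected.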
