Two Factor Authentication and You

861 views

Published on

Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know. Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two factor auth works, how to use it and the ins and outs of rolling your own solution using Time-based One-time Password (TOTP) (and the Google Authenticator app) or a third party service and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two factor authentication and you can too! There's no reason not to use it!

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
861
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
39
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Two Factor Authentication and You

  1. 1. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 1 TWO-FACTOR AUTHENTICATION AND YOU https://joind.in/10645
  2. 2. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 2 WHO AM I? •President and Co-Founder of E-Moxie - www.emoxie.com •Baltimore, MD •PHP Developer, System Administrator,Tinkerer •Meetup Organizer - Baltimore PHP/Mobile/API •Trainer •Maximize efficiencies and make life easier (mainly mine) •I’ve seen things, and learned a bit on the way ! chris@emoxie.com Twitter: @cmstone
  3. 3. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 3 BACKGROUND OFTHISTALK
  4. 4. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 4 WHAT ISTWO FACTOR AUTH? •Not a new concept •Two pieces of information needed (in addition to a username) •Something you know and something you have •First factor is typically a password (The know) •Second factor is typically a uniquely generated code (The have)
  5. 5. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 5 WHAT’S THE MOST COMMON EXAMPLE OF TWO-FACTOR AUTHENTICATION?
  6. 6. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 6 ATM •Requires something you have (ATM Card) •Requires something you know (Pin Code)
  7. 7. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 7 How do you get that second factor? DELIVERY MECHANISMS •E-Mail •SMS/Voice •App
  8. 8. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 8 E-MAIL -THE GOOD :) •Wide adoption •Everyone has an email address (or a few) •If you don’t, it’s pretty easy to get one
  9. 9. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 9 E-MAIL -THE BAD :( •Prone to failure •Delivery problems •Message blocking •SPAM •Send/Receive Problems •Requires Internet/Network Access •More mail?? Who really wants to get more?
  10. 10. SMS
  11. 11. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 11 SMS - GOODTHINGS! •Mobile device required (or a service like GoogleVoice) •SMS Penetration is high •Easy to implement •Global support
  12. 12. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 12 SMS - BADTHINGS :( •Can’t receive SMS •Could cost money •Network •Delivery delays •Lost messages •Power? •Threat could have access to a web front end! •Susceptible to architecture issues
  13. 13. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 13 TWILIO •REST API •Get your own number •Send a text message just like you would with any other app
  14. 14. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 14 NEXMO •php[tek] Sponsor - yay! •Shared short code •REST API ! •API Key & Secret •Destination & Pin curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key} &api_secret={api_secret}&to=14435281326&pin=1234"
  15. 15. MOBILE APP
  16. 16. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 16 MOBILE APP •RollYour Own •Push Notices •Login Approvals •Authy •Duosecurity •Google Authenticator
  17. 17. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 17 MOBILE APP
  18. 18. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 18 •Easy to use •DOES NOT rely on an Internet connection •DOES NOT rely on cellular connection •Google just provides the app •Implements time-based on-time passwords (TOTP) •Open source (kind of) •All of those password thefts? Could be kind of a non-issue •Not just for websites GOOGLE AUTHENTICATOR
  19. 19. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 19 •No power! •Lost phone/device •Broken phone/device •Susceptible to architecture and workflow issues GOOGLE AUTHENTICATOR - PITFALLS
  20. 20. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 20 TOTP •Time-based One-time Password Algorithm •Computed from a shared secret key and the current time. •Combines secret with timestamp using a cryptographic hash func •Typically increases in 30-second intervals •Allows for a time drift •RFC 6238
  21. 21. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 21 APPLICATION •base32 encoding and decoding •random secret key •timestamp •~30 lines of code
  22. 22. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 22 https://github.com/cmstone/phptek2014-two-factor
  23. 23. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 23 WORKFLOW OVERVIEW $username  =  'chris@baltimorephp.org';   $userkey  =  TwoFactor::generateKey();   $timestamp  =  TwoFactor::getTimestamp();   ! $secretKey  =  Base32::decode($userkey);   $currentPassword  =  TwoFactor::getSecret($secretKey,  $timestamp);
  24. 24. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 24 Step 1 - Generate a random secret key TwoFactor::generateKey();   ———————   public  static  function  generateKey($length  =  16)  {                  $key  =  "";   !                for  ($i  =  0;  $i  <  $length;  $i++)  {                          $key  .=  Base32::getRandom();                  }   !                return  $key;   }   ! //  Gives  you  something  like:  CHBEYSUCFDAECIHM WORKFLOW
  25. 25. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 25 Step 1 - Generate a random secret key //  Gives  you  something  like:  CHBEYSUCFDAECIHM WORKFLOW
  26. 26. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 26 Step 2 - Get the current timestamp TwoFactor::getTimestamp();   ———————   public  static  function  getTimestamp()  {          return  floor(microtime(true)  /  self::keyRegeneration);   }   ! //  Gives  you  something  like:  46692614 WORKFLOW
  27. 27. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 27 WORKFLOW Step 3 - Decode $userkey  =  TwoFactor::generateKey();   $timestamp  =  TwoFactor::getTimestamp();   ! $secretKey  =  Base32::decode($userkey);   ! //  $secretKey  =  ?LJ?(?A  ?
  28. 28. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 https://github.com/cmstone/phptek2014-­‐two-­‐factor/ 28 WORKFLOW $currentPassword  =  TwoFactor::getSecret($secretKey,  $timestamp);   ———————   public  static  function  getSecret($key,  $counter)  {                  if  (strlen($key)  <  8)  {                          throw  new  Exception('Secret  key  is  too  short.  Must  be  at  least  16  base  32  characters');                  }   !                $bin_counter  =  pack('N*',  0)  .  pack('N*',  $counter);    //  Counter  must  be  64-­‐bit  int                  $hash  =  hash_hmac('sha1',  $bin_counter,  $key,  true);   !                return  str_pad(self::oathTruncate($hash),  self::otpLength,  '0',  STR_PAD_LEFT);   }   ! //  $currentPassword  =  373604 Step 4 - Decode
  29. 29. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 29 ADDITIONAL RESOURCES Bypassing two-factor authentication http://shubh.am/how-i-bypassed-2-factor-authentication-on-google- yahoo-linkedin-and-many-others/ ! Google Authenticator Code: https://code.google.com/p/google-authenticator/
  30. 30. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 30 QUESTIONS?
  31. 31. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 31 THANKS! Please reach out to me @cmstone or chris@emoxie.com Please rate and give feedback!! https://joind.in/10645

×