
LASCON 2013 Talk: User Auth for Winners, how to get it right the first time!


In this talk, I will outline the best practices for building out secure user management and authentication platforms for your products.

At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!


  1. User Authentication for Winners! Speaker: Karthik Gaekwad. Password: LASCON 2013. Remember this stuff when you code. @iteration1 Friday, October 25, 13 #UserAuth101
  2. User Authentication for Winners! Speaker: Karthik Gaekwad. Password: ************ Well played, security guru; well played! Remember this stuff when you code.
  3. Howdy! • I’m Karthik Gaekwad • Senior Web Engineer, Mentor Graphics Embedded • From Austin, TX • Spent the last 3 years writing/refining cloud based user auth systems
  4. Audience Survey
  5. My agenda • Developers and DevOps: build better auth systems • Security Pros: give you developer insight, new ideas to attack auth systems • Management: give this ppt to your dev teams.
  6. Authentication Mechanisms • Write your own • OpenID • OAuth (repeated on slide 7)
  8. Common Perception: “Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
  9. Reality: API (PaaS) + Workflows + User Interface(s)
  10. Designing Auth Systems. API: how your system is used • Login/Logout • Session Management (Remember Me etc.) • User Creation • Password Reset
  11. Designing Auth Systems. Workflows: rules for how the system works • Account Creation • Password Reset • Account Recovery
  12. Designing Auth Systems. User Interface: what the end user will actually see • Where users can create an account • Login screens • My Profile page • End applications using the APIs
  13. High Level Design (diagram, built up over slides 13–15): Email Web Services, API Web Services (Login/Logout), User Portal, App 1, App 2, App 3..., Data store(s)
  16. Quick look @data • email • username • first name • last name • password • {id}
  17. Quick look @data: keep your auth data separate • You don’t want to clutter your auth data with ecommerce/address/whatever other data • Not rocket science. • It’s called normalization
  18. Breaking it down: API Web Services (Login/Logout)
  19. Login Web Services. The Goal: keep user credentials as safe as possible in transit
  20. Login Web Services. Request (App 1 → API Web Services): POST /login with encoded username:password. Response: HTTP 200/201 with session token, session id expiration, first name, last name
  21. Login Web Services. Request (App 1 → API Web Services): GET /login/(session token). Response: HTTP 200/201 (success) or HTTP 401 (failures), with session token, session id expiration, first name, last name
  22. Login Web Services • Minimize sending username, passwords over the wire. • Harder to sniff if it’s rarely there • Don’t put this in the URL (server logs) • Session tokens: set an expiration time. • Client can re-login if necessary
  23. Login Web Services: HTTP?
  24. “That’s great, but I can brute force the endpoint” --JoeHacker
  25. Rate Limiting • “Only x number of calls per minute to the endpoint” • Recommended for all login and session token endpoints. • Can be complicated to implement, but worth it and reusable. • http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
  26. Note on Session Tokens. How I really feel about rand() and guid() functions... Yuck. Use something cryptographically secure. Keep them 128 bit or greater
  27. Login Hack #1 • Often, the end (web) application will store the username and session token in a cookie. • Hack: create 2 accounts, log in with both and store the cookies. Trade the session token of one account with the other, and see if you can see the other account’s data...
  28. Login Hack #1 • Developers have good intentions but....
  29. Login Hack #2 • Verify that session tokens actually expire! • Try using the same session token even after you’ve hit “log out” in the application. • cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
  30. Let’s move on.. Account Creation, Password Reset
  32. “We try to solve very complicated problems without letting people know how complicated the problem was. That’s the appropriate thing.” --Usability Jack and Jill (attribution on slide 33)
  34. “Remembering passwords is a pain. Let’s make our system have minimum 4 letter passwords because it’s more usable.” --Usability Jack and Jill
  35. Security + Usability • The days of the 4 character password are over. • UX team interactions: 8+ characters is accepted now; show by example; use “sentences” versus “words” for passwords • See Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
  36. Account Creation • Typically: accept user data, provision account...
  37. Account Creation • Sanitize inputs for XSS. • If you are asking for a user email, validate that the email actually belongs to the user. • May have multiple data stores in play here.
  38. Account Creation • Case sensitivity... • Hack: register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on. • Hack: use foreign characters to sniff whether the datastore is older (LDAP v2)
  39. Passwords
  40. Storing Passwords “I'm gonna pop some tags / Only got clear text passwords in my db / I - I - I'm hunting, looking for a reason to get f*** fired.” -The Macklemore stance
  41. Storing Passwords. Please don’t go “thrift shop” on your password storage
  42. Storing Passwords • Store only hashed passwords • Use a unique, per-user salt. • Use bcrypt/scrypt to generate your hash
  43. “That’s great, but I’ll just figure out your Cloud DB credentials” --JoeHacker
  44. Storing Passwords • A technique that I like: break up your data into different stores • Store the password hash in data store #1 • Store the salt used to compute the hash in data store #2 • Store the # of hash iterations in data store #3 (application config?) • Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka ‘keyed hash’) using an application-private MAC key. http://www.stormpath.com/blog/strong-passwordhashing-part-2 Thanks @Stormpath
  45. Storing Passwords • http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwordsincorrectly.html • http://stackoverflow.com/questions/1054022/bestway-to-store-password-in-database • http://www.stormpath.com/blog/strong-passwordhashing-apache-shiro • https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication
  46. Reset or Restore? • I prefer Password Reset. • “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter. • Make sure Password Reset tokens are one use only and expire “super fast”
  47. Account Creation Workflow: Get User Credentials → Validate Email → Create Password → Allow Login, OR Get User Credentials and Password → Validate Email → Allow Login
  48. Account Creation Workflow: Get User Credentials and Password → Validate Email → Allow Login • Winner! • Data to support that more users convert to creating accounts this way. • http://www.stormpath.com/blog/how-weincreased-new-user-registration-27 Thanks @chunsaker
  49. Final Thoughts • AKA I have to present in a few hours, but I have no time to worry about flow.. #FreeStyling
  50. Final Thoughts • If you have many apps with login screens/create account screens, keep these consistent. • Users lose trust if login screens are different across apps by the same company
  51. Final Thoughts • If you’re a Java shop, check out the Apache Shiro Framework; it’s made for the authentication use case. • SaaS version: Stormpath
  52. Final Thoughts • 2 factor auth • Definitely strengthens the security. • Usability verdict is still out. • Challenging to implement, but a good idea.
  53. Final Thoughts • Login dashboards in “My Profile” with last login information, geo location, timestamp are more popular. • You have all this data anyways, so why not show it?
  54. PSA on OAuth “Why does this random website need read and write OAuth access to my twitter / facebook account?”
  55. Thank You for your time! Lunch?
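The session-token service from slides 20–29 (POST /login issuing a token, GET /login/(token) validating it, expiry, server-side /logout, and the two "Login Hacks"), as an added example that is not code from the talk. It assumes an in-memory store and a 15-minute lifetime; a deployment would back `_SESSIONS` with a shared store.

```python
import secrets
import time

# Constructed in-memory session store: token -> (user_id, expires_at).
# The token is the only key; the user is derived from it, never from the client.
_SESSIONS = {}
SESSION_TTL = 15 * 60  # seconds (assumed value); clients re-login when it lapses


def issue_session(user_id, now=None):
    """Create a session after a successful POST /login.
    token_urlsafe(32) draws 256 bits from the OS CSPRNG, not rand()/guid()."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (user_id, now + SESSION_TTL)
    return {"session_token": token, "expires_at": now + SESSION_TTL}


def resolve_session(token, now=None):
    """Validate GET /login/<token>: return the owning user_id, or None (HTTP 401)."""
    now = time.time() if now is None else now
    entry = _SESSIONS.get(token)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        _SESSIONS.pop(token, None)  # expired: drop it so it cannot be revived
        return None
    return user_id


def logout(token):
    """Server-side invalidation for /logout; clearing the cookie alone is not enough."""
    return _SESSIONS.pop(token, None) is not None


def profile_for(cookie, now=None):
    """Serve a profile request from a cookie {'username': ..., 'session_token': ...}.
    Login Hack #1 defence: cookie['username'] is ignored; identity comes from the token."""
    user_id = resolve_session(cookie.get("session_token"), now)
    if user_id is None:
        return 401, None
    return 200, {"user_id": user_id}
```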
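The "only x calls per minute to the endpoint" rule from slide 25, as an added example (not from the talk or the linked client9 post): a sliding-window limiter applied to a login endpoint. The user table, the limits, and keying on both source address and target username are assumptions for the demo.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per key."""

    def __init__(self, limit, window=60.0):
        self.limit = limit
        self.window = window
        self._calls = {}  # key -> deque of recent call timestamps

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self._calls.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # forget calls that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed user table for the demo; real code checks a password store.
USERS = {"alice": "correct horse battery staple"}

# Two keys are limited independently (assumed policy): the source address, and the
# target username, so spreading guesses over many addresses does not help.
per_ip = RateLimiter(limit=20)
per_user = RateLimiter(limit=5)


def login_endpoint(client_ip, username, password, now=None):
    """Return an HTTP status: 429 when limited, 401 on bad credentials, 200 on success."""
    if not per_ip.allow(client_ip, now) or not per_user.allow(username, now):
        return 429
    if USERS.get(username) != password:
        return 401
    return 200
```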
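The split-store scheme from slides 42 and 44 (hash in store #1, per-user salt in store #2, work factor in store #3, and store #1 holding a MAC of the hash under an application-private key), as an added example that is not the talk's or Stormpath's code. It substitutes the standard library's PBKDF2 for the slide's bcrypt/scrypt recommendation so it runs without extra packages; the three dict "stores" and the in-process MAC key are constructed.

```python
import hashlib
import hmac
import os

# The three constructed stores from slide 44. The MAC key lives only in the
# application process (here generated at import; assume a secrets manager).
STORE_HASH = {}                         # data store #1: user -> MAC(app_key, hash)
STORE_SALT = {}                         # data store #2: user -> per-user salt
STORE_CONFIG = {"iterations": 100_000}  # data store #3: application config
APP_MAC_KEY = os.urandom(32)            # hypothetical application-private MAC key


def _slow_hash(password, salt, iterations):
    # PBKDF2-HMAC-SHA256 from the stdlib stands in for bcrypt/scrypt here;
    # swap this one call for a bcrypt/scrypt library in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def _mac(digest):
    # Store #1 never holds the raw hash: without APP_MAC_KEY an attacker who
    # dumps stores #1-#3 still cannot check password guesses offline.
    return hmac.new(APP_MAC_KEY, digest, hashlib.sha256).digest()


def register(user, password):
    salt = os.urandom(16)  # unique per user
    STORE_SALT[user] = salt
    STORE_HASH[user] = _mac(_slow_hash(password, salt, STORE_CONFIG["iterations"]))


def verify(user, password):
    salt = STORE_SALT.get(user)
    stored = STORE_HASH.get(user)
    if salt is None or stored is None:
        # Unknown user: do the same work so timing does not reveal valid usernames.
        _slow_hash(password, b"\0" * 16, STORE_CONFIG["iterations"])
        return False
    candidate = _mac(_slow_hash(password, salt, STORE_CONFIG["iterations"]))
    return hmac.compare_digest(stored, candidate)
```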
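The one-use, fast-expiring password reset token from slide 46, as an added example not taken from the talk. Beyond the slide's two rules it also stores only a digest of the token and revokes a user's earlier token when a new one is issued; the ten-minute lifetime and the in-memory table are assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL = 10 * 60  # seconds; "super fast" is taken to mean ten minutes (assumption)
_RESETS = {}  # sha256(token) -> (user_id, expires_at); the raw token is never stored


def issue_reset_token(user_id, now=None):
    """Mint a single-use reset token; only its digest is kept server-side, so a
    leaked table cannot be replayed. Any earlier token for the user is revoked."""
    now = time.time() if now is None else now
    for key, (uid, _) in list(_RESETS.items()):
        if uid == user_id:
            del _RESETS[key]
    token = secrets.token_urlsafe(32)
    _RESETS[hashlib.sha256(token.encode()).digest()] = (user_id, now + RESET_TTL)
    return token  # goes into the reset e-mail link only


def consume_reset_token(token, now=None):
    """Return the user_id the token belongs to, exactly once, or None."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    entry = _RESETS.pop(key, None)  # pop: one use, whether or not it succeeds
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now < expires_at else None
```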
