
Secure All Teh Things - Add 2 factor authentication to your own CFML projects


Delivered at CFCamp 2018 in Munich, Germany.

Security is getting more and more important. 2-factor authentication will help you secure your logins.

In this session Rob shows you how to implement 2-factor authentication for your own website. Learn about the different protocols: FIDO U2F, Yubico OTP, Challenge-Response, etc.

See how you can use your personal YubiKey for your own website.


  1. Secure All Teh Things! Add 2 factor authentication to your own projects
  2. Who is this dude? • @robdudley • CTO • Software Developer • Co-host of the Localhost.fm Podcast • Keeps the scores in CodeMasters!
  3. What are we talking about?
  4. A quick look at security
  5. We secure by: hiding things; making them hard to access; making them dangerous to access
  6. How do we secure computers? • We didn’t • Usernames • Usernames & passwords (secrets) • More complex passwords?
  7. “A single corporate security breach costs an average of $3.86M, and 81% of breaches are caused by stolen or weak passwords.” Sources: 2018 Cost of Data Breach Study, Ponemon Institute Research Report; 2017 Data Breach Investigations Report, 10th Edition, Verizon. Still not secure enough!
  8. What is secure?
  9. Something you know. Something you have. Something you are.
  10. Combine these into…
  11. Multi-factor Security!
  12. Common Types of MFA
  13. PIN or Code: Common! Memorable. Surely just another password?
  14. SMS: Easy. Slow. DO NOT USE!
  15. TOTP: Open. Common. Still requires phone.
  16. Physical Tokens: Many and varied.
  17. Biometrics: Handy (heh). You can’t change your fingerprint… or your DNA!
  18. Enter
  19. • Founded in 2007 • Leading contributor to • FIDO U2F • FIDO2 • Member of FIDO Alliance, IDESG, OpenID & W3C
  20. YubiKey • 5 Versions • Neo (with NFC) • USB-A / USB-C variants • FIDO • Multi-function device
  21. Demo #1: YubiKey OTP
  22. OTP? WTF?
  23. Sample OTPs from a YubiKey:
 ccccccinrbeglgchferbjblkudbjtebkblggbvfdvjfg
 ccccccinrbeglteudtkkccjvkjcfghbtjccbnhhkttlg
 ccccccinrbegeubvhflrtecrhbkcknkfuibtilcbbifu
 ccccccinrbegfdbghkgvkrvdhukdefubeigkrjrttdfh
 ccccccinrbegtvgnjlfvhbituujfujutgduvdgcelcuv
  24. The same five OTPs as slide 23. Key ID and
  25. OLD CODE ALERT!!!
  26. Tedious switch to code… please hold
  27. What doesn’t this do? • No ID verification • No MITM protection! • Doesn’t make tea, or coffee. What does this do? • Types really fast • Verifies the OTP against the private key • Replay protection • Makes you look cool
  28. https://developers.yubico.com/OTP/
  29. Demo #2: FIDO U2F
  30. Demo #2: FIDO U2F WebAuthN
  31. Why do we need WebAuthN? • More than just YubiKeys • Fingerprint • Face Unlock • Others? • End-to-end assurance through key exchange / signing • W3C standard(s) • Common device support
  32. How does it work?
  33. Basic FIDO2 registration sequence
  34. Basic FIDO2 authentication sequence
  35. Slightly less tedious switch to demo… please hold
  36. Browser Support
  37. Implementation. Need to think about: • Key issuance • Lost / stolen key revocation • Replacement key process • Backup codes
  38. Wait! There’s more…
  39. YubiKey Manager
  40. YubiKey Personalization Tool
  41. YubiKey 4 also does… • PGP key storage for use in signing / encryption • Challenge-Response HMAC for use with PAM • Static password output for use with… long passwords
  42. Resources:
 Yubico Dev Portal: https://developers.yubico.com/
 Expanding YubiKey Keyboard Support (for AZERTY / non-QWERTY): https://www.yubico.com/2013/07/yubikey-keyboard-layouts/
 WebAuthN on MDN: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
 Updated version of the YubiKey OTP CFC (ColdBox compatible): https://github.com/akitogo/cbYubikey
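Slides 23, 24 and 27 show what a YubiKey OTP looks like and what the OTP scheme does and does not give you. The following is an added example (in JavaScript for Node.js rather than CFML) and is not the speaker's demo code or the cbYubikey CFC: it splits a typed OTP into the key ID (public ID) and the 32-character one-time part, decodes modhex, and keeps the bookkeeping the application itself is responsible for, namely binding the key ID to the user and refusing an OTP it has already accepted. The cryptographic verification of the one-time part (AES decryption, counter and CRC checks) is done by the Yubico validation servers or a self-hosted one, so that verdict arrives here as an assumed boolean input; the user names are constructed. The five sample OTPs are the ones from slide 23.

```javascript
// Added example, not the speaker's code or the cbYubikey CFC: the checks a web
// app itself must make around a typed YubiKey OTP. The cryptographic check of
// the 32-char one-time part (AES decrypt, counter and CRC checks) happens on the
// Yubico validation servers or a self-hosted one; here that verdict is passed in
// as a boolean (an assumption) and the code shows what must happen around it.

// modhex: the 16 characters a YubiKey types, chosen because they sit on the same
// physical keys on most keyboard layouts.
const MODHEX = 'cbdefghijklnrtuv';
const TOKEN_LEN = 32;    // encrypted part, different on every press
const MAX_ID_LEN = 16;   // public id (key id) can be 0..16 modhex chars
const isModhex = (s) => s.length > 0 && [...s].every((c) => MODHEX.includes(c));

// Decode a modhex string to bytes (two modhex chars per byte).
function modhexDecode(s) {
  if (s.length % 2 !== 0 || !isModhex(s)) throw new Error('not a modhex string');
  const out = Buffer.alloc(s.length / 2);
  for (let i = 0; i < s.length; i += 2) {
    out[i / 2] = (MODHEX.indexOf(s[i]) << 4) | MODHEX.indexOf(s[i + 1]);
  }
  return out;
}

// Split a typed OTP into the fixed public id and the one-time part; null if malformed.
function splitOtp(typed) {
  const otp = typed.trim().toLowerCase();
  if (otp.length < TOKEN_LEN || otp.length > TOKEN_LEN + MAX_ID_LEN || !isModhex(otp)) return null;
  return { publicId: otp.slice(0, otp.length - TOKEN_LEN), token: otp.slice(-TOKEN_LEN) };
}

// The five sample OTPs from slide 23: all from one key, so the id part is constant.
const SAMPLE_OTPS = [
  'ccccccinrbeglgchferbjblkudbjtebkblggbvfdvjfg',
  'ccccccinrbeglteudtkkccjvkjcfghbtjccbnhhkttlg',
  'ccccccinrbegeubvhflrtecrhbkcknkfuibtilcbbifu',
  'ccccccinrbegfdbghkgvkrvdhukdefubeigkrjrttdfh',
  'ccccccinrbegtvgnjlfvhbituujfujutgduvdgcelcuv',
];

// Return the public id shared by all OTPs in the list, or null if they differ / are malformed.
function commonPublicId(otps) {
  const ids = new Set(otps.map((o) => { const p = splitOtp(o); return p ? p.publicId : null; }));
  return ids.size === 1 ? [...ids][0] : null;
}

// Server-side state: which key id each user enrolled, and OTPs already accepted.
function makeOtpRegistry() { return { keyOf: new Map(), accepted: new Set() }; }

// Enrol a key by having the user press it once; the public id is what we remember.
function enrollKey(reg, user, otp) {
  const parts = splitOtp(otp);
  if (!parts || parts.publicId === '') return false;   // refuse keys configured without a public id
  reg.keyOf.set(user, parts.publicId);
  return true;
}

// validatedUpstream: the validation server's verdict on this exact OTP (assumed input).
function checkOtp(reg, user, typed, validatedUpstream) {
  const parts = splitOtp(typed);
  if (!parts) return { ok: false, reason: 'malformed OTP' };
  // Without this binding any genuine YubiKey in the world would unlock this account.
  if (reg.keyOf.get(user) !== parts.publicId) return { ok: false, reason: 'key not enrolled for this user' };
  const otp = typed.trim().toLowerCase();
  if (reg.accepted.has(otp)) return { ok: false, reason: 'OTP already used (replay)' };
  if (!validatedUpstream) return { ok: false, reason: 'validation server rejected OTP' };
  reg.accepted.add(otp);
  return { ok: true, reason: 'accepted' };
}
```

Binding the public ID to the user is the step most often missed: the validation server only says the OTP was produced by some genuine YubiKey, not that it belongs to the person logging in. The local "accepted" set is a second line of defence against replay; the validation server already rejects OTPs whose counters have gone backwards.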
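Slides 31 and 34 list what WebAuthn adds (end-to-end assurance through signing) and outline the authentication sequence. As an added example, not the speaker's demo and not any library's API, here are both halves of that sequence simulated in one Node.js file: a stand-in authenticator signs what navigator.credentials.get() would return, and a relying party checks the challenge, origin, rpIdHash, user-presence flag, signature and signature counter. The relying-party ID, origin, user name and credential ID are constructed values, and registration (attestation parsing, storing the public key) is assumed to have happened already.

```javascript
// Added example, not the speaker's demo code: a simulated FIDO2 / WebAuthn
// authentication sequence with both halves in one file. "authenticator" stands
// in for the YubiKey (what navigator.credentials.get() would return) and
// "relying party" for the server side of the web app. Relying-party id, origin,
// user name and credential id are constructed sample values.
const crypto = require('crypto');

const RP_ID = 'example.com';           // constructed relying-party id
const ORIGIN = 'https://example.com';  // constructed expected browser origin
const FLAG_UP = 0x01;                  // authenticator-data flag: user present

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// --- Authenticator (simulated token). Registration is assumed done: the RP
// already holds the public key and the last signature counter it saw. ---------
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { credentialId: crypto.randomBytes(16), publicKey, privateKey, counter: 0 };
}

function authenticatorGetAssertion(auth, options, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: options.challenge, origin }));
  auth.counter += 1;
  const authData = Buffer.alloc(37);           // rpIdHash(32) | flags(1) | signCount(4)
  sha256(options.rpId).copy(authData, 0);
  authData[32] = FLAG_UP;
  authData.writeUInt32BE(auth.counter, 33);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  const signature = crypto.sign('sha256', signed, auth.privateKey);   // ES256, DER encoded
  return { credentialId: auth.credentialId, clientDataJSON, authenticatorData: authData, signature };
}

// --- Relying party (server) --------------------------------------------------
function makeRelyingParty(auth) {
  return {
    credentials: new Map([[auth.credentialId.toString('hex'),
      { publicKey: auth.publicKey, counter: auth.counter }]]),
    pending: new Map(),   // user -> outstanding challenge, single use
  };
}

function beginAuthentication(rp, user) {
  const challenge = crypto.randomBytes(32);
  rp.pending.set(user, challenge);
  return { challenge: b64url(challenge), rpId: RP_ID };
}

function finishAuthentication(rp, user, resp) {
  const expected = rp.pending.get(user);
  rp.pending.delete(user);                       // consumed whether or not it verifies
  if (!expected) return { ok: false, reason: 'no outstanding challenge (replayed response?)' };
  const cred = rp.credentials.get(resp.credentialId.toString('hex'));
  if (!cred) return { ok: false, reason: 'unknown credential' };

  const client = JSON.parse(resp.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return { ok: false, reason: 'wrong ceremony type' };
  if (client.challenge !== b64url(expected)) return { ok: false, reason: 'challenge mismatch' };
  if (client.origin !== ORIGIN) return { ok: false, reason: 'origin mismatch (request came from another site)' };

  const ad = resp.authenticatorData;
  if (ad.length < 37) return { ok: false, reason: 'authenticator data too short' };
  if (!ad.subarray(0, 32).equals(sha256(RP_ID))) return { ok: false, reason: 'rpIdHash mismatch' };
  if ((ad[32] & FLAG_UP) === 0) return { ok: false, reason: 'user presence not asserted' };

  const signed = Buffer.concat([ad, sha256(resp.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, cred.publicKey, resp.signature)) {
    return { ok: false, reason: 'bad signature' };
  }
  const count = ad.readUInt32BE(33);
  if (count <= cred.counter) return { ok: false, reason: 'signature counter did not increase (cloned key?)' };
  cred.counter = count;
  return { ok: true, reason: 'authenticated' };
}

// Whole sequence once, then a replayed response, a response made for another
// origin, and a cloned key (same private key, stale counter).
function runScenario() {
  const key = makeAuthenticator();
  const rp = makeRelyingParty(key);
  const resp = authenticatorGetAssertion(key, beginAuthentication(rp, 'rob'), ORIGIN);
  const first = finishAuthentication(rp, 'rob', resp);
  const replay = finishAuthentication(rp, 'rob', resp);
  const wrongOrigin = finishAuthentication(rp, 'rob',
    authenticatorGetAssertion(key, beginAuthentication(rp, 'rob'), 'https://other.example'));
  const clone = { ...key };                      // counter copied at this moment
  const fromClone = finishAuthentication(rp, 'rob',
    authenticatorGetAssertion(clone, beginAuthentication(rp, 'rob'), ORIGIN));
  const fromOriginal = finishAuthentication(rp, 'rob',
    authenticatorGetAssertion(key, beginAuthentication(rp, 'rob'), ORIGIN));
  return { first, replay, wrongOrigin, fromClone, fromOriginal };
}

console.log(runScenario());
```

The origin check is what gives the "MITM protection" that slide 27 says the OTP scheme lacks: the browser, not the page, writes the origin into clientDataJSON, and the signature covers it, so an assertion obtained on one site cannot be presented to another. The counter check is how a relying party notices that a credential has been copied; once the clone has been used, the original key's assertions are rejected.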
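Slide 37's list (key issuance, lost / stolen key revocation, replacement key process, backup codes) is the account-lifecycle part of an implementation. An added example, not from the talk and in Node.js rather than CFML: the bookkeeping around those points, with backup codes stored only as salted scrypt hashes and accepted once each, and revocation that refuses to remove the user's last remaining second factor. Key IDs and labels are constructed values.

```javascript
// Added example, not the speaker's code: account bookkeeping for the points on
// slide 37. Backup codes are stored only as salted scrypt hashes and are single
// use; a lost key can be revoked without locking the user out as long as some
// other factor remains. Key ids and labels are constructed values.
const crypto = require('crypto');

const CODE_BYTES = 5;   // 40-bit random code, shown to the user as 10 hex characters

function makeAccount(user) {
  return { user, keys: new Map(), backupCodes: [] };   // keyId -> { label, enrolledAt }
}

// Key issuance / replacement: a new key is simply another entry.
function addKey(account, keyId, label) {
  account.keys.set(keyId, { label, enrolledAt: new Date().toISOString() });
}

function unusedBackupCodes(account) {
  return account.backupCodes.filter((c) => !c.used).length;
}

// Revoke a lost or stolen key; refuse if that would leave no second factor at all.
function revokeKey(account, keyId) {
  if (!account.keys.has(keyId)) return { ok: false, reason: 'unknown key' };
  if (account.keys.size === 1 && unusedBackupCodes(account) === 0) {
    return { ok: false, reason: 'issue backup codes or enrol a replacement key first' };
  }
  account.keys.delete(keyId);
  return { ok: true, reason: 'revoked' };
}

// Slow hash so a leaked table of hashes cannot be brute-forced cheaply.
function hashCode(code, salt) { return crypto.scryptSync(code, salt, 32); }

// Generate n codes, return them to show once, store only salt + hash.
function issueBackupCodes(account, n = 8) {
  const plain = [];
  account.backupCodes = [];   // reissuing invalidates any older set
  for (let i = 0; i < n; i++) {
    const code = crypto.randomBytes(CODE_BYTES).toString('hex');
    const salt = crypto.randomBytes(16);
    account.backupCodes.push({ salt, hash: hashCode(code, salt), used: false });
    plain.push(code);
  }
  return plain;
}

// Accept a code once; hashes are compared in constant time.
function redeemBackupCode(account, typed) {
  const code = typed.replace(/[\s-]/g, '').toLowerCase();
  for (const entry of account.backupCodes) {
    if (entry.used) continue;
    if (crypto.timingSafeEqual(hashCode(code, entry.salt), entry.hash)) {
      entry.used = true;
      return true;
    }
  }
  return false;
}
```

A redeemed backup code is a signal worth logging and telling the user about: it usually means the key is lost, and the replacement-key process on slide 37 should start there rather than after the last code is gone.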
