16. requirements for secure factors
additional management:
disable lost tokens
determine steps for password reset
withdraw credentials, if no longer required
34. HMAC-Based One-Time Password
hash = hmac_sha1(key, counter)
offset = last 4 bits of hash
number = 4 bytes from hash, beginning at offset
pad numbers to given length
35. example
hash = hmac_sha1("12345", 1)
  = 20 d4 c6 b0 32 ea 01 da 02 6e a8 a9 f6 f4 00 41 d0 95 6d 08
offset = last 4 bits of hash
  = 8
number = 4 bytes from hash, beginning at offset
  = 02 6e a8 a9
pad numbers to given length
  = 40806569
44. Time-Based One-Time Password
time_frame = floor(unix_timestamp / time_step)
hash = hmac_sha1(key, time_frame)
offset = last 4 bits of hash
number = 4 bytes from hash, beginning at offset
pad numbers to given length
45. usage
key           uid
43A7B66200DD  42456
AF3A77E8D638  87632
74DA39355CB6  24572

KEY (maybe secret): AF3A77E8D638
UNIX TIMESTAMP:     1234567890

authenticator   web application
692113          692113

code must be marked as used, because "one-time password"
46. wrong code
key           uid
43A7B66200DD  42456
AF3A77E8D638  87632
74DA39355CB6  24572

KEY (maybe secret): AF3A77E8D638
UNIX TIMESTAMP:     1234567890

authenticator   web application
849372          692113

you should lock the account for the current time frame
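As an added example that is not part of the slides and not code from the Doorman library, the following Python puts together the four HOTP steps, the TOTP time-frame variant, and the two server-side rules from the usage slides (a code is marked as used; a wrong code locks the account for the current time frame). It follows RFC 4226 and RFC 6238, which add two details the slide summary leaves implicit: the top bit of the four truncated bytes is cleared, and the number is reduced modulo 10^digits before padding. The uid/key table is taken from the slides, but treating those hex strings as ASCII key bytes is an assumption made here for the demo.

```python
import hashlib
import hmac
import struct


def dynamic_truncate(digest: bytes) -> int:
    """offset = last 4 bits of hash; number = 4 bytes from hash, beginning at offset.
    RFC 4226 additionally clears the top bit so the result is a positive 31-bit integer."""
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, truncate, pad to `digits`."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return str(dynamic_truncate(digest) % (10 ** digits)).zfill(digits)


def time_frame(unix_timestamp: int, time_step: int = 30) -> int:
    """time_frame = floor(unix_timestamp / time_step)"""
    return unix_timestamp // time_step


def totp(key: bytes, unix_timestamp: int, time_step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the current time frame."""
    return hotp(key, time_frame(unix_timestamp, time_step), digits)


class TotpVerifier:
    """Server-side check enforcing the two slide rules: a code is one-time (marked as used),
    and a wrong code locks the account for the current time frame. State is kept in memory
    here; a real web application keeps it in the session store or database."""

    def __init__(self, keys_by_uid: dict, time_step: int = 30, digits: int = 6):
        self.keys_by_uid = keys_by_uid
        self.time_step = time_step
        self.digits = digits
        self.used = set()   # (uid, time_frame) pairs whose code has already been accepted
        self.locked = {}    # uid -> time_frame during which the account is locked

    def verify(self, uid: str, code: str, unix_timestamp: int) -> bool:
        frame = time_frame(unix_timestamp, self.time_step)
        if self.locked.get(uid) == frame:
            return False                  # locked for this frame: even the correct code fails
        expected = hotp(self.keys_by_uid[uid], frame, self.digits)
        if not hmac.compare_digest(expected, code):
            self.locked[uid] = frame      # wrong code: lock for the current time frame
            return False
        if (uid, frame) in self.used:
            return False                  # replay of an already-used one-time password
        self.used.add((uid, frame))
        return True


# Constructed sample: the uid/key table from the slides, keys taken as ASCII bytes (assumption).
KEYS = {"42456": b"43A7B66200DD", "87632": b"AF3A77E8D638", "24572": b"74DA39355CB6"}


def demo(ts: int = 1234567890) -> list:
    """Walks through the usage and wrong-code slides; returns the outcome of each attempt."""
    v = TotpVerifier(KEYS)
    good = totp(KEYS["87632"], ts)
    good2 = totp(KEYS["42456"], ts)
    wrong = str((int(good2) + 1) % 10 ** 6).zfill(6)   # guaranteed to differ from good2
    return [
        v.verify("87632", good, ts),                          # True: fresh, correct code
        v.verify("87632", good, ts),                          # False: same one-time password again
        v.verify("42456", wrong, ts),                         # False: wrong code, account now locked
        v.verify("42456", good2, ts),                         # False: correct, but locked this frame
        v.verify("42456", totp(KEYS["42456"], ts + 30), ts + 30),  # True: next time frame
    ]


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))   # RFC 4226 test vector, counter 0
    print(demo())
```

Checking `dynamic_truncate` against the hash bytes on the example slide gives offset 8, bytes 02 6e a8 a9 and the number 40806569, and `hotp` with the RFC 4226 secret "12345678901234567890" reproduces the published test vectors (755224 for counter 0). The verifier deliberately accepts only the current time frame, as the slides do; RFC 6238 also allows a window of one step on either side to absorb clock skew.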
52. // Check for Authentication
<?php
if (!$session->get('authenticated')) {
    redirect('/tfa-code/');
}
53. // Check Code (Step 2)
<?php
use BattleRattle\Doorman\Authentication\GoogleAuthenticator;

// get the code from user input
$code = $_POST['code'];
// get the associated key for the current user
$key = 'ONETIMEPASSWORDS';

$authenticator = new GoogleAuthenticator();
$result = $authenticator->authenticate($key, $code);
if ($result) {
    echo 'Welcome, you successfully logged in';
} else {
    echo 'Nope, try again';
}