COST-EFFECTIVE TWO-FACTOR AUTHENTICATION
ABOUT ME
● Waihon Yew
● Rapid River Software
● Connect with me:
○ GitHub: waihon
○ Twitter: waihon
○ LinkedIn: waihonyew
WHAT IS TWO-FACTOR AUTHENTICATION?
● Two-factor authentication (2FA) is a way to add additional security to your account.
● The first "factor" is your usual password that is standard for any account.
● A common second "factor" is a verification code retrieved from an app on a mobile device or computer.
● 2FA is conceptually similar to a security token device that certain banks in some countries require for online banking.
● Other names for 2FA systems include OTP (one-time password) and TOTP (Time-based One-time Password algorithm).
REQUIREMENTS/CONSTRAINTS
● Business
○ Compatible with Google Authenticator, which is available for free on both Google Play and the App Store
● Technical
○ A gem/library that:
■ Makes adding 2FA to a user model simple
■ Is not tightly coupled with any authentication gems such as Devise
2FA GEM: ACTIVEMODEL::OTP
● GitHub
○ https://github.com/heapsource/active_model_otp
● Key dependency
○ ROTP 4.0 or higher
■ A Ruby library for generating and validating one-time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP).
● Installation
○ gem 'active_model_otp'
SETTING UP YOUR MODEL
● Add otp_secret_key to your user model
○ rails g migration AddOtpSecretKeyToUsers otp_secret_key:string
○ rails db:migrate
● Add the has_one_time_password directive to your user model.
○ It provides a few useful methods in order to implement your 2FA
OTP SECRET KEY
● The otp_secret_key is saved automatically when an object is created.
● If you're adding this to an existing user model, you could:
○ Generate otp_secret_key with a migration like:
■ User.find_each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) }
○ Generate otp_secret_key when users enable 2FA
GETTING CURRENT CODE
● user.otp_code #=> 225681
● sleep 30 # let's wait 30 secs
● user.otp_code #=> 837058
OVERRIDE CURRENT TIME
● user.otp_code(time: Time.now) #=> 417714
● user.otp_code(time: Time.now + 3600) #=> 766675
AUTHENTICATING USING A CODE
● user.authenticate_otp('186522') # => truthy
● sleep 30 # let's wait 30 secs
● user.authenticate_otp('186522') # => falsey
AUTHENTICATING USING A SLIGHTLY OLD CODE
● user.authenticate_otp('186522') # => truthy
● sleep 30 # let's wait again
● user.authenticate_otp('186522', drift: 60) # => truthy
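The four slides above (getting the current code, overriding the time, authenticating, and accepting a slightly old code with a drift window) all rest on RFC 4226 HOTP and RFC 6238 TOTP. The following is an added example, not code from the talk, from active_model_otp or from ROTP: a minimal implementation on the Ruby standard library that shows what otp_code, the time: override and the drift window do underneath, plus a random_base32 helper that plays the role of ROTP::Base32.random_base32 from the "OTP secret key" slide. All function names and the drift_behind/drift_ahead/after keyword names are my own; the after: parameter (reject any time step at or before the last one already used, so an accepted code cannot be replayed within its window) is the RFC 6238 section 5.2 recommendation, added here as a defender's extra rather than something the slides show.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not code from the talk, active_model_otp or ROTP:
# a minimal RFC 4226 / RFC 6238 implementation on the Ruby standard
# library. All names below are mine.

BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
TOTP_STEP = 30    # seconds per time step (Google Authenticator default)
TOTP_DIGITS = 6

# Random Base32 secret (32 chars = 160 bits), the same idea as the
# ROTP::Base32.random_base32 call on the "OTP secret key" slide.
def random_base32(length = 32)
  Array.new(length) { BASE32_ALPHABET[SecureRandom.random_number(32)] }.join
end

# Decode RFC 4648 Base32 (padding optional) into raw key bytes.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid Base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack('C*')
end

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to a 31-bit integer reduced modulo 10**digits.
def hotp(secret_base32, counter, digits = TOTP_DIGITS)
  key = base32_decode(secret_base32)
  mac = OpenSSL::HMAC.digest('SHA1', key, [counter].pack('Q>'))
  offset = mac[-1].ord & 0x0f
  truncated = mac[offset, 4].unpack1('N') & 0x7fffffff
  (truncated % 10**digits).to_s.rjust(digits, '0')
end

# RFC 6238 TOTP: the counter is the current 30-second step. Passing
# time: is what user.otp_code(time: Time.now + 3600) does on the slide.
def totp(secret_base32, time: Time.now, step: TOTP_STEP)
  hotp(secret_base32, time.to_i / step)
end

# Constant-time comparison so the verifier does not leak how many
# leading digits of the submitted code were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted code. drift_behind/drift_ahead widen the window in
# seconds (the slide's drift: 60 accepts a code from the previous minute).
# after: is the last step already used for this user; skipping it makes
# every accepted code single-use (RFC 6238 section 5.2, my addition).
# Returns the matching step so the caller can persist it, or nil.
def authenticate_totp(secret_base32, code, time: Time.now, drift_behind: 0,
                      drift_ahead: 0, after: nil, step: TOTP_STEP)
  return nil unless code.is_a?(String) && code.match?(/\A\d{#{TOTP_DIGITS}}\z/)
  now = time.to_i
  first = (now - drift_behind) / step
  last = (now + drift_ahead) / step
  (first..last).each do |counter|
    next if after && counter <= after
    return counter if secure_equal?(hotp(secret_base32, counter), code)
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  secret = random_base32
  t = Time.now
  code = totp(secret, time: t)
  puts "secret:                 #{secret}"
  puts "code now:               #{code}"
  puts "code one hour from now: #{totp(secret, time: t + 3600)}"
  puts "30s later, no drift:    #{authenticate_totp(secret, code, time: t + 30).inspect}"
  puts "30s later, drift 60:    #{authenticate_totp(secret, code, time: t + 30, drift_behind: 60).inspect}"
end
```

Run it directly and the last two lines reproduce the two authenticate_otp slides: the same code fails 30 seconds later with no drift (the counter has moved on) and succeeds when the window is widened to 60 seconds behind. The RFC 6238 test vectors (secret "12345678901234567890", which is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ in Base32) can be used to check the arithmetic against a known-good implementation.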
ADDITIONAL 2FA OPTIONS
● Recovery codes
○ Used to access your account in the event you cannot receive two-factor authentication codes.
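The slide only names recovery codes; the added example below (my own code, not part of the talk or of the active_model_otp gem) shows the properties a practitioner would want from them: generated with enough entropy, shown to the user once, stored only as salted PBKDF2 digests so a database leak does not hand out a bypass of the second factor, compared in constant time, and marked used on redemption so each code works exactly once. The class name, its in-memory entry layout and the PBKDF2 parameters are my choices; a real application would persist the entries per user and may prefer its existing password hashing library.

```ruby
require 'securerandom'
require 'openssl'

# Added example, not part of the talk or the active_model_otp gem:
# issuing and redeeming single-use recovery codes. Names, storage layout
# and KDF parameters are my own choices.
class RecoveryCodes
  CODE_COUNT = 10
  ITERATIONS = 100_000

  def initialize(salt: SecureRandom.random_bytes(16), iterations: ITERATIONS)
    @salt = salt
    @iterations = iterations
    @entries = []   # { digest: String, used_at: Time or nil }, never plaintext
  end

  # Replace any existing codes with a fresh set. Returns the plaintext
  # codes exactly once, for display to the user; only digests are kept.
  def issue(count = CODE_COUNT)
    @entries = []
    Array.new(count) do
      raw = SecureRandom.hex(5)                    # 40 bits of entropy
      @entries << { digest: digest(raw), used_at: nil }
      "#{raw[0, 5]}-#{raw[5, 5]}"                  # shown as xxxxx-xxxxx
    end
  end

  # Redeem a code typed by the user. Case, whitespace and the hyphen are
  # ignored; a matching unused entry is marked used so it cannot be
  # replayed. Returns true on success, false otherwise.
  def redeem(input, now: Time.now)
    candidate = digest(normalize(input))
    @entries.each do |entry|
      next if entry[:used_at]
      next unless secure_equal?(entry[:digest], candidate)
      entry[:used_at] = now
      return true
    end
    false
  end

  # Number of codes still available; worth surfacing to the user when low.
  def remaining
    @entries.count { |entry| entry[:used_at].nil? }
  end

  private

  def normalize(input)
    input.to_s.strip.downcase.delete('-')
  end

  # Slow, salted hash: a leaked table of digests cannot be used directly.
  def digest(raw)
    OpenSSL::KDF.pbkdf2_hmac(raw, salt: @salt, iterations: @iterations,
                             length: 32, hash: 'sha256')
  end

  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  store = RecoveryCodes.new
  codes = store.issue
  puts "show these to the user once: #{codes.join(' ')}"
  puts "first use:  #{store.redeem(codes.first)}"    # true
  puts "second use: #{store.redeem(codes.first)}"    # false, single-use
  puts "remaining:  #{store.remaining}"              # 9
end
```

Redeeming a recovery code should also be logged and rate-limited like a password attempt, since each code is a complete substitute for the authenticator app; that part belongs in the controller and is not shown here.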
2FA DEMO
● Live
○ https://tfademo.herokuapp.com
● Source code
○ https://github.com/waihon/tfa-demo
ACKNOWLEDGEMENTS
● Aaron Lim
● Adeline Lim
● Hakim Ahmad
● Tamer Shlash
QUESTIONS & ANSWERS
THANK YOU!