Cost-Effective Two-Factor Authentication

•

0 likes•367 views

Implementing two-factor authentication for a web app using Ruby on Rails web framework, active_model_otp gem, and Google Authenticator app.

Software

COST-EFFECTIVE
TWO-FACTOR
AUTHENTICATION

WHAT IS TWO-FACTOR AUTHENTICATION?
● Two-factor authentication (2FA) is a way to add additional
security to your account.
● The ﬁrst "factor" is your usual password that is standard for
any account.
● A common second "factor" is a veriﬁcation code retrieved
from an app on a mobile device or computer.
● 2FA is conceptually similar to a security token device that
certain banks in some countries require for online banking.
● Other names for 2FA systems include OTP (one-time
password) and TOTP (Time-based One-time Password
algorithm).

● Business
○ Compatible with Google Authenticator which is
available for free on both Google Play and App Store
● Technical
○ A gem/library that:
■ Makes adding 2FA to a user model simple
■ Is not tightly coupled with any authentication gems
such as Devise
REQUIREMENTS/CONSTRAINTS

2FA GEM: ACTIVEMODEL::OTP
● GitHub
○ https://github.com/heapsource/active_model_otp
● Key dependency
○ ROTP 4.0 or higher
■ A Ruby library for generating and validating one
time passwords according to RFC 4226 (HOTP) and
RFC 6238 (TOTP).
● Installation
○ gem 'active_model_otp'

● Add otp_secret_key to your user model
○ rails g migration AddOtpSecretKeyToUsers
otp_secret_key:string
○ rails db:migrate
● Add has_one_time_password directive to your user model.
○ It provides a few useful methods in order to implement
your 2FA
SETTING UP YOUR MODEL

$● The otp_secret_key is saved automatically when an object is created. ● If you're adding this to an existing user model, you could: ○ Generate otp_secret_key with a migration like: ■ User.find_each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) } ○ Generate otp_secret_key when users enable 2FA OTP SECRET KEY$

● user.otp_code #=> 225681
● sleep 30 # let's wait 30 secs
● user.otp_code #=> 837058
GETTING CURRENT CODE

● user.otp_code(time: Time.now) #=> 417714
● user.otp_code(time: Time.now + 3600) #=> 766675
OVERRIDE CURRENT TIME

● user.authenticate_otp('186522') # => truthy
● sleep 30 # let's wait 30 secs
● user.authenticate_otp('186522') # => falsey
AUTHENTICATING USING A CODE

● user.authenticate_otp('186522') # => truthy
● sleep 30 # let’s wait again
● user.authenticate_otp('186522', drift: 60) # =>
truthy
AUTHENTICATING USING A SLIGHTLY OLD CODE

● Recovery codes
○ Used to access your account in the event you cannot
receive two-factor authentication codes.
ADDITIONAL 2FA OPTIONS

● Live
○ https://tfademo.herokuapp.com
● Source code
○ https://github.com/waihon/tfa-demo
2FA DEMO

● Aaron Lim
● Adeline Lim
● Hakim Ahmad
● Tamer Shlash
ACKNOWLEDGEMENTS

Developing in Magento 2 requires higher and more interdisciplinary skills compared to those required for M1. Templating is more complex and involved and it is more difficult to exactly tell what piece of code does what; furthermore, in some cases the boilerplate code assumed really remarkable dimensions. However, the customization possibility in M2 are even more extensive than it was in M1. So how it’s possible for the M2 full stack developer to do the job? With the right tools to have the job done, of course! Riccardo Tempesta has presented a selection of tools and plugins to help M2 developers disentangle themselves in the forest of M2 codebase: PHP Storm, Magicento 2, Xdebug, GIT, Pestle, CodeMonkey, MSP DevTools; each of these with applied examples and real-life case studies.

How to keep modules up to date

Thomas Fleck

PANIC Project - BRUCon 2012 Presentationbiosshadow

App Security and Securing App

Andreas Schranzhofer

Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...

Icinga

PyConUK 2014 - PostMortem Debugging and Web Development Updated

Alessandro Molina

Secure Developer Access at Decisiv

Teleport

In Data Engineer's Lunch #37, we discussed Pipedream, a serverless integration and compute platform that is free for individual developers to use. https://github.com/pipedreamhq/pipedream/ Accompanying Blog: https://blog.anant.us/data-engineers-lunch-37-pipedream-serverless-integration-and-compute-platform Accompanying YouTube: https://youtu.be/I9pGvCeDNJs Sign Up For Our Newsletter: http://eepurl.com/grdMkn Join Data Engineer’s Lunch Weekly at 12 PM EST Every Monday: https://www.meetup.com/Data-Wranglers-DC/events/ Cassandra.Link: https://cassandra.link/ Follow Us and Reach Us At: Anant: https://www.anant.us/ Awesome Cassandra: https://github.com/Anant/awesome-cassandra Email: solutions@anant.us LinkedIn: https://www.linkedin.com/company/anant/ Twitter: https://twitter.com/anantcorp Eventbrite: https://www.eventbrite.com/o/anant-1072927283 Facebook: https://www.facebook.com/AnantCorp/

Devoxx : being productive with JHipster

Julien Dubois

$Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...$ $Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...$

Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...

Tanya Denisyuk

Вопросы безопасности в больших корпоративных приложениях всегда стоят на первом плане. В монолитной архитектуре эти вопросы решаются достаточно единообразно, так как приложение является единым целым. Но сложности начинаются, когда мы решаем перейти к микросервисной архитектуре. Ведь по сути мы имеем дело с несколькими приложениями, доступ к которым нужно контролировать. В докладе мы обсудим: · Какие существуют подходы обеспечения безопасности микросервисных приложений · Их достоинства и недостатки · Как защитить микросервесы с помощью CloudFoundry User Account and Authentication (UAA) Server

Programming for non tech entrepreneursRodrigo Gil

XP Days 2019: First secret delivery for modern cloud-native applications

Vlad Fedosov

In this talk we’ll see how Authentication and Secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and will go through the topics like Container Auth Role, Static & Dynamic secrets, Env vars/volumes for secret delivery, Vault & K8S secrets. After this talk you’ll get an understanding how to securely deploy your containerized workloads.

Rapid app building with loopback framework

Thomas Papaspiros

EuroPython 2013 - Python3 TurboGears Training

Alessandro Molina

Post-Mortem Debugging and Web Development

Alessandro Molina

Bypassing Windows Security Functions(en)

abend_cve_9999_0001

Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...

eMadrid network

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA

shyamraj55

Integrating Okta with Anypoint Platform for a mobile security use case

Bahman Kalali

2013.devcon3 liferay and google authenticator integration rafik_harabi

Rafik HARABI

Today, with expand of the web portal, many customers are seeking for more secure solutions to access to their web portal outside of their own networks. For Liferay portal customers, this request has been increased due to the number of portal deployed on Cloud and the increase of deployment of Liferay portal for internet sites (B2C …). One of the proposed solutions is the use of Multi-factor authentication mechanism. Google Authenticator is one of the lead open source dual factor authentication systems. In this presentation, we will explain the integration technical solution of Liferay and Google Authenticator in order to deliver a two-factor authentication system. The presentation will be followed by a live demo.

Google authentication

NexThoughts Technologies

Security .NET.pdf

Abhi Jain

Building Open Source Identity Infrastructures

Misagh Moayyed

Safe Community Call #13.pdf

LornyPfeifer

The New York Times: Sustainable Systems, Powered by Python

All Things Open

MuleSoft Manchester Meetup #2 slides 29th October 2019

Ieva Navickaite

Shift Left Security

gjdevos

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.

Cyaniclab : Software Development Agency Portfolio.pdf

Cyanic lab

CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.

Similar to Cost-Effective Two-Factor Authentication

Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...

Anant Corporation

Devoxx : being productive with JHipster

Julien Dubois

Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...

Tanya Denisyuk

Programming for non tech entrepreneursRodrigo Gil

XP Days 2019: First secret delivery for modern cloud-native applications

Vlad Fedosov

Rapid app building with loopback framework

Thomas Papaspiros

EuroPython 2013 - Python3 TurboGears Training

Alessandro Molina

Post-Mortem Debugging and Web Development

Alessandro Molina

Bypassing Windows Security Functions(en)

abend_cve_9999_0001

Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...

eMadrid network

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA

shyamraj55

Integrating Okta with Anypoint Platform for a mobile security use case

Bahman Kalali

2013.devcon3 liferay and google authenticator integration rafik_harabi

Rafik HARABI

Google authentication

NexThoughts Technologies

Security .NET.pdf

Abhi Jain

Building Open Source Identity Infrastructures

Misagh Moayyed

Safe Community Call #13.pdf

LornyPfeifer

The New York Times: Sustainable Systems, Powered by Python

All Things Open

MuleSoft Manchester Meetup #2 slides 29th October 2019

Ieva Navickaite

Shift Left Security

gjdevos

Similar to Cost-Effective Two-Factor Authentication (20)

Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...

Devoxx : being productive with JHipster

Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...

Programming for non tech entrepreneurs

XP Days 2019: First secret delivery for modern cloud-native applications

Rapid app building with loopback framework

EuroPython 2013 - Python3 TurboGears Training

Post-Mortem Debugging and Web Development

Bypassing Windows Security Functions(en)

Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...

Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA

Integrating Okta with Anypoint Platform for a mobile security use case

2013.devcon3 liferay and google authenticator integration rafik_harabi

Google authentication

Security .NET.pdf

Building Open Source Identity Infrastructures

Safe Community Call #13.pdf

The New York Times: Sustainable Systems, Powered by Python

MuleSoft Manchester Meetup #2 slides 29th October 2019

Shift Left Security

Recently uploaded

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Globus

Cyaniclab : Software Development Agency Portfolio.pdf

Cyanic lab

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Natan Silnitsky

In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey. Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience. Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system. Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.

Prosigns: Transforming Business with Tailored Technology Solutions

Prosigns

Unlocking Business Potential: Tailored Technology Solutions by Prosigns Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support. Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth. Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices. AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making. Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency. DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration. Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly. Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business. Join us on a journey of innovation and growth. Let's partner for success with Prosigns.

May Marketo Masterclass, London MUG May 22 2024.pdf

Adele Miller

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Google

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite 👉👉 Click Here To Get More Info 👇👇 https://sumonreview.com/ai-pilot-review/ AI Pilot Review: Key Features ✅Deploy AI expert bots in Any Niche With Just A Click ✅With one keyword, generate complete funnels, websites, landing pages, and more. ✅More than 85 AI features are included in the AI pilot. ✅No setup or configuration; use your voice (like Siri) to do whatever you want. ✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It… ✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again. ✅ZERO Limits On Features Or Usages ✅Use Our AI-powered Traffic To Get Hundreds Of Customers ✅No Complicated Setup: Get Up And Running In 2 Minutes ✅99.99% Up-Time Guaranteed ✅30 Days Money-Back Guarantee ✅ZERO Upfront Cost See My Other Reviews Article: (1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review (2) SocioWave Review: https://sumonreview.com/sociowave-review (3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review (4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review

Graphic Design Crash Course for beginners

e20449

Globus Compute Introduction - GlobusWorld 2024

Globus

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...

Globus

The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.

Vitthal Shirke Microservices Resume Montevideo

Vitthal Shirke

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Shahin Sheidaei

Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.

Understanding Globus Data Transfers with NetSage

Globus

NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Globus

COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.

Lecture 1 Introduction to games development

abdulrafaychaudhry

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better

XfilesPro

A Sighting of filterA in Typelevel Rite of Passage

Philip Schwarz

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...

Globus

Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.

How to Position Your Globus Data Portal for Success Ten Good Practices

Globus

Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.

RISE with SAP and Journey to the Intelligent Enterprise

Srikant77

SOCRadar Research Team: Latest Activities of IntelBroker

SOCRadar

The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month. The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies. However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News. Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!

Recently uploaded (20)

Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...

Cyaniclab : Software Development Agency Portfolio.pdf

Beyond Event Sourcing - Embracing CRUD for Wix Platform - Java.IL

Prosigns: Transforming Business with Tailored Technology Solutions

May Marketo Masterclass, London MUG May 22 2024.pdf

AI Pilot Review: The World’s First Virtual Assistant Marketing Suite

Graphic Design Crash Course for beginners

Globus Compute Introduction - GlobusWorld 2024

Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...

Vitthal Shirke Microservices Resume Montevideo

Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...

Understanding Globus Data Transfers with NetSage

Developing Distributed High-performance Computing Capabilities of an Open Sci...

Lecture 1 Introduction to games development

Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better

A Sighting of filterA in Typelevel Rite of Passage

Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...

How to Position Your Globus Data Portal for Success Ten Good Practices

RISE with SAP and Journey to the Intelligent Enterprise

SOCRadar Research Team: Latest Activities of IntelBroker

Cost-Effective Two-Factor Authentication

1. COST-EFFECTIVE TWO-FACTOR AUTHENTICATION

2. ABOUT ME ● Waihon Yew ● Rapid River Software ● Connect with me: ○ GitHub: waihon ○ Twitter: waihon ○ LinkedIn: waihonyew

3. WHAT IS TWO-FACTOR AUTHENTICATION? ● Two-factor authentication (2FA) is a way to add additional security to your account. ● The ﬁrst "factor" is your usual password that is standard for any account. ● A common second "factor" is a veriﬁcation code retrieved from an app on a mobile device or computer. ● 2FA is conceptually similar to a security token device that certain banks in some countries require for online banking. ● Other names for 2FA systems include OTP (one-time password) and TOTP (Time-based One-time Password algorithm).

4. ● Business ○ Compatible with Google Authenticator which is available for free on both Google Play and App Store ● Technical ○ A gem/library that: ■ Makes adding 2FA to a user model simple ■ Is not tightly coupled with any authentication gems such as Devise REQUIREMENTS/CONSTRAINTS

5. 2FA GEM: ACTIVEMODEL::OTP ● GitHub ○ https://github.com/heapsource/active_model_otp ● Key dependency ○ ROTP 4.0 or higher ■ A Ruby library for generating and validating one time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP). ● Installation ○ gem 'active_model_otp'

6. ● Add otp_secret_key to your user model ○ rails g migration AddOtpSecretKeyToUsers otp_secret_key:string ○ rails db:migrate ● Add has_one_time_password directive to your user model. ○ It provides a few useful methods in order to implement your 2FA SETTING UP YOUR MODEL

7. ● The otp_secret_key is saved automatically when an object is created. ● If you're adding this to an existing user model, you could: ○ Generate otp_secret_key with a migration like: ■ User.find_each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) } ○ Generate otp_secret_key when users enable 2FA OTP SECRET KEY

8. ● user.otp_code #=> 225681 ● sleep 30 # let's wait 30 secs ● user.otp_code #=> 837058 GETTING CURRENT CODE

9. ● user.otp_code(time: Time.now) #=> 417714 ● user.otp_code(time: Time.now + 3600) #=> 766675 OVERRIDE CURRENT TIME

10. ● user.authenticate_otp('186522') # => truthy ● sleep 30 # let's wait 30 secs ● user.authenticate_otp('186522') # => falsey AUTHENTICATING USING A CODE

11. ● user.authenticate_otp('186522') # => truthy ● sleep 30 # let’s wait again ● user.authenticate_otp('186522', drift: 60) # => truthy AUTHENTICATING USING A SLIGHTLY OLD CODE

12. ● Recovery codes ○ Used to access your account in the event you cannot receive two-factor authentication codes. ADDITIONAL 2FA OPTIONS

13. ● Live ○ https://tfademo.herokuapp.com ● Source code ○ https://github.com/waihon/tfa-demo 2FA DEMO

14. ● Aaron Lim ● Adeline Lim ● Hakim Ahmad ● Tamer Shlash ACKNOWLEDGEMENTS

15. QUESTIONS & ANSWERS

16. THANK YOU!

Cost-Effective Two-Factor Authentication

Recommended

Recommended

More Related Content

Similar to Cost-Effective Two-Factor Authentication

Similar to Cost-Effective Two-Factor Authentication (20)

Recently uploaded

Recently uploaded (20)

Cost-Effective Two-Factor Authentication