Philippe Gamache discusses the importance of multi-factor authentication and the differences between authentication and authorization in his presentation. He highlights common problems with password security and presents various solutions for strong authentication that cater to different budgets. The presentation emphasizes the necessity of using multiple pieces of evidence to verify user identity to enhance security against threats such as phishing and data theft.

1. MULTI-FACTOR AUTHENTICATION
AND STRONG AUTHENTICATION

2. ABOUT ME
PHILIPPE GAMACHE
HI I’M PHILIPPE
I’m a Developer Evangelist for kuzzle.io.
Long-time internet developer, author,
screen caster, podcaster and speaker. I’m
specializes in PHP, Symfony, Kuzzle,
security, code quality, performance, real
time and geolocation.
• Sécurité PHP 5 et MySQL 5
• OWASP Montreal
• PHP Quebec
• Table Top Game Developer
• Pen & Paper RPG Writer

4. I'M MISLEADING YOU
THIS IS NOT THE EIFFEL TOWER

5. WHERE IN LAS VEGAS
EIFFEL TOWER RESTAURANT

6. AGENDA
• Authentication vs Authorization
• Authentication's Problems
• The solutions
• Strong Authentication
• Solutions for all budgets

7. AUTHENTICATION VS AUTHORIZATION
• Authentication
• Procedure that verifies the identity of an entity (person, computer ...)
to allow access to resources (systems, networks, applications ...)
• Authorization
• Procedure that allows access to resources only to those authorized to
use.
AUTHORIZATION

8. AUTHENTICATION'S PROBLEMS
• Accurately identify the entity
• Accurately identify the entity type
• Accessibility
• Broken Password
A SIMPLE LIST

9. • People use easy to find password
• Easily give their passwords to
strangers
• without reason
• 45 % of woman1
• 10 % of man1
• For a chocolate bar
• 64 % of people1
• 21% have 10+ years old
password2
• 47% have 5+ years old password2
• 73% use duplicated password2
• 54% have 5 or fewer passwords
across the entire life2
• On average, only 6 unique
passwords are used to guard 24
online account2
BROKEN PASSWORD
THE HUMAN FACTOR
1 Infosec Europe Conference 2008
2 TeleSign Customer Account Security Report 2015

10. – Chris Nickerson - Exotic Liability #37
“In the middle of talking to him, he gives me, is online banking
username and password.”

11. – Chris Nickerson - Exotic Liability #37
“In the middle of talking to him, he gives me, is online banking
username and password.”

12. THE SOLUTION
USE SECURITY QUESTIONS?

13. THE SOLUTION
USE SECURITY QUESTIONS?

14. THE SOLUTIONS
SIGN THE FORM
<?php
$code = hash_hmac(
'sha256',
json_encode([
$verifierNonce,
$userID,
$expiration->format('Y-m-dTH:i:s')
]),
$tokenSigningKey
]);

15. THE SOLUTIONS
HTTP://WWW.CAPTCHA.NET/

16. CAPTCHA
IMAGES

17. CAPTCHA
HOT OR NOT

18. GOOGLE RECAPTCHA
HTTPS://WWW.GOOGLE.COM/RECAPTCHA/

19. GOOGLE RECAPTCHA
HTTPS://WWW.GOOGLE.COM/RECAPTCHA/

20. FAITHFULLY IDENTIFY THE ENTITY
AND SHOVE THE SECURITY PROBLEM AWAY

21. STRONG AUTHENTICATION
• Method of computer access control;
• User is granted access;
• After successfully presenting several separate pieces of evidence
MULTI-FACTOR AUTHENTICATION

22. MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor

23. MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor

24. MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor

25. MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor

26. MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor

27. MULTI-FACTOR AUTHENTICATION
MEMORIAL FACTOR
Memorial factor

28. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

29. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

30. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

31. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

32. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

33. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

34. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

35. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

36. MULTI-FACTOR AUTHENTICATION
PHYSICAL FACTOR
Memorial factor
Physical Factor

37. MULTI-FACTOR AUTHENTICATION
REACTIONAL FACTOR
Memorial factor
Reactional factor
Physical Factor

38. MULTI-FACTOR AUTHENTICATION
REACTIONAL FACTOR
Memorial factor
Reactional factor
Physical Factor

39. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

40. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

41. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

42. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

43. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

44. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

45. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

46. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

47. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

48. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

49. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

50. MULTI-FACTOR AUTHENTICATION
MATERIAL FACTOR
Memorial factor
Reactional factor
Physical FactorMaterial factor

51. MULTI-FACTOR AUTHENTICATION
TWO-FACTOR AUTHENTICATION
Memorial factor
Reactional factor
Physical FactorMaterial factor

52. TWO-FACTOR AUTHENTICATION
EXAMPLES?
Memorial factor
Reactional factor
Physical FactorMaterial factor

53. SOLUTIONS FOR ALL BUDGETS
PERFECT PAPER PASSWORDS

54. PERFECT PAPER PASSWORDS
HTTPS://WWW.GRC.COM/PPP.HTM

55. PERFECT PAPER PASSWORDS
HTTPS://WWW.GRC.COM/PPP.HTM

56. PERFECT PAPER PASSWORDS
HTTPS://WWW.GRC.COM/PPP.HTM

57. SOLUTIONS FOR ALL BUDGETS
YUBIKEY

58. YUBIKEY
HTTP://WWW.YUBICO.COM/PRODUCTS/YUBIKEY/

59. tgbvgflvvndijcfhftgnnldhgviktivhdvnekehejceh
tgbvgflvvndiknblilkrtbdvflbdhvdvutlblkfuueel
cccccccclildcuhrrhneenjbrrbbnikcvhvbgbcbnvhn
cccccccclildibndgdgihuvdcggthnjrbcujdkujnblv
YUBIKEY
HTTP://WWW.YUBICO.COM/PRODUCTS/YUBIKEY/

60. SOLUTIONS FOR ALL BUDGETS
OATH OPEN AUTHENTICATION

61. SOLUTIONS FOR ALL BUDGETS
OATH OPEN AUTHENTICATION

62. SOLUTIONS FOR ALL BUDGETS
OATH OPEN AUTHENTICATION
https://openauthentication.org

63. STRONG AUTHENTICATION
• Man-in-the-middle attacks
• Session or cookies thefts
• Data theft if site not protected
• Advance Phishing
DOESN'T PROTECT YOU...

64. ANY QUESTIONS?
THANK YOU!
If you want to talk more,
feel free to contact me.
http://kuzzle.io
This presentation was created using Keynote. The text
is set in Oswald and Ubuntu. The source code is set in
Ubuntu Mono. The iconography is provided by Keynote,
kuzzle.io and Font Awesome.
Unless otherwise noted, all photographs are used by
permission under a Creative Commons license. Please
refer to the Photo Credits slide for more information.
Copyright ©
This work is licensed under Creative Commons
Attribution-ShareAlike 4.0 International. For uses not
covered under this license, please contact the author.
hello@kuzzle.io
@kuzzleio
Kuzzle
kuzzleio
http://kuzzle.io
Presentation
©
Format_Informations
hello@kuzzle.io
@kuzzleio
philippegamache
joind.in/talk/b21f7
Please visit us at:

65. PHOTO CREDITS
• Page 3 to 5: By Simeon87 (Own work) [CC BY-SA 3.0 (http://
creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons
• Page 11: http://failblog.cheezburger.com/