SlideShare a Scribd company logo

SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Artur Barseghyan
Artur Barseghyan

Modern authentication techniques in Python web applications. PyGrunn talk by Artur Barseghyan. Year 2014.

Technology
1 of 38
Download to read offline
Modern authentication techniques in Python web applications Artur Barseghyan Goldmund, Wyldebeast & Wunderliebe http://www.goldmund-wyldebeast-wunderliebe.nl/ artur.barseghyan@gmail.com https://github.com/barseghyanartur
Part 1 Single Sign-on using Central Authentication Service
A single framework/application User base Framework/application Authentication system Other importants parts not related to this talk
Typical framework/application authentication flow User requests content requiring authentication User gets the content requested Is user authenticated? Authenticate user User provides credentials (login page) Are credentials correct? Yes No Yes No
Multiple web frameworks/applications User base 1 Framework/application 1 Authentication system 1 Other importants parts not related to this talk User base 2 Framework/application 2 Authentication system 2 Other importants parts not related to this talk User base N Framework/application N Authentication system N Other importants parts not related to this talk ... Web portal (ex. DMS, intranet, wiki, etc.)
Without Single Sign-on... ● Use a single framework/application and write lots of apps OR ● Use multiple frameworks/applications and: ○ Hack their authentication systems OR ○ Expect users to login into each of them OR ○ Make them communicate via customly built API ● More (bad) ideas?
With Single Sign-on... ● User logs in once and gains access to all systems without being prompted to log in again.
(JaSig) CAS Enterprise Single Sign-on solution ● Open source ● Well documented ● Scalable ● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, LDAP, SPINEGO, RADIUS, etc.) ● Lots of ready-to-use clients and plugins
(JaSig) CAS CAS involves at least three parties: ● A client web browser ● Web application requesting authentication ● The CAS server It also optionally may involve: ● Back-end service, such as a database server
CAS authentication flow
CAS authentication schema User requests content which requires authentication User is asked to provide credentials (login page) Create SSO token and redirect User gets the content requested No Yes No Yes Is user authenticated into app? No Yes Authenticate user (CAS) CAS server Authenticate user (locally) Are credentials correct? Is user authenticated into CAS? CAS client (web application)
Pros of CAS Pros ● Centralised authentication for all frameworks/applications. ● Actively maintained and developed. Large community. ● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, Active Directory, LDAP, SPINEGO, RADIUS, etc.). ● Lots of ready-to-use packages for many frameworks/applications. ● Less passwords to retype, remember and recover. ● More of your own code is reusable. ● Happier end-users. ● REST API.
Cons of CAS Cons ● SSO availability becomes critical. ● SSO security becomes critical.
Our use case Dashboard app ● Django Server A CAS server Server C User base ● Active Directory Server D VPN ● Apache ● Tomcat ● Debian ● Java ● CAS ● OpenVPN ● AJP ● Python ● Django ● Plone More to come Server X DMS ● Plone Server B
Conclusion
CAS alternatives 1 / n JOSSO http://www.josso.org OpenAM (formerly known as OpenSSO) http://openam.forgerock.org Pubcookie http://www.pubcookie.org CoSign http://weblogin.org
Linkodrome 1 / n Software packages JaSig CAS http://www.jasig.org/cas Django CAS client https://github.com/Goldmund-Wyldebeast-Wunderliebe/django-cas-consumer Plone CAS client https://github.com/collective/anz.casclient Detailed installation instructions http://bit.ly/1uuk2BS
Part 2 Two-step verification (Two-factor authentication)
Standard authentication flow User requests content requiring authentication User gets the content requested Is user authenticated? Authenticate user User provides credentials (login page) Are credentials correct? Yes Yes No No
● Knowledge factor ("something only the user knows"): a password or a PIN. ● Possession factor ("something only the user has"): ATM card, smart card, mobile phone. ● Inherence factor ("something only the user is"): Fingerprint or voiceprint. Standard authentication factors
Common advises on remembering many passwords ● Use complex passwords and have them saved in password managers. ● Use complex passwords, write them on paper and carry them in your wallet. Passwords aren’t enough!
Two-factor authentication ● Knowledge factor ("something only the user knows"): a password or a PIN. ● Possession factor ("something only the user has"): ATM card, smart card, mobile phone. ● Inherence factor ("something only the user is"): Fingerprint or voiceprint.
Standard authentication flow User requests content requiring authentication User provides credentials No Yes Is user authenticated ? Authenticate user Yes No Are credentials correct? User gets the content requested
Two-factor authentication flow User requests content requiring authentication User provides credentials No Yes User provides second factor token Is token correct ? Yes No Second factor Is user authenticated ? Authenticate user Yes No Are credentials correct? User gets the content requested
(Common) solutions ● SMS authentication ● Google Authenticator (mobile app) ● Hardware token generators
Google Authenticator
Hardware token generators
Our use cases ● collective.googleauthenticator (uses Google Authenticator app) ● collective.smsauthenticator (login codes sent by SMS)
collective.googleauthenticator
Setup two-step verification
Authenticate
Verify
Conclusion
Alternatives ● Risk-based authentication (based on behavioral biometrics, keystroke dynamics, etc.) ● Strong authentication ● Reliance authentication
Linkodrome Plone ● collective.googleauthenticator (two-factor authentication using Google Authenticator app) https://pypi.python.org/pypi/collective.googleauthenticator ● collective.smsauthenticator (two-factor authentication using login codes sent by SMS) https://pypi.python.org/pypi/collective.smsauthenticator Django ● django-two-factor-auth (two-factor authentication using Google Authenticator or login codes sent by SMS) https://pypi.python.org/pypi/django-two-factor-auth ● django-otp (pluggable framework for adding two-factor authentication using OTP.) https://pypi.python.org/pypi/django-otp
Questions?
Thank you! Artur Barseghyan Goldmund, Wyldebeast & Wunderliebe artur.barseghyan@gmail.com https://github.com/barseghyanartur
SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Recommended

A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocolAjit Dadresa
 
Introducing CAS 3.0 Protocol: Security and Performance
Introducing CAS 3.0 Protocol: Security and PerformanceIntroducing CAS 3.0 Protocol: Security and Performance
Introducing CAS 3.0 Protocol: Security and PerformanceAmin Saqi
 
Java Virtual Machine, Call stack, Java Byte Code
Java Virtual Machine, Call stack, Java Byte CodeJava Virtual Machine, Call stack, Java Byte Code
Java Virtual Machine, Call stack, Java Byte CodeJavajigi Jaesung
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 

Recommended

A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Kerberos protocol
Kerberos protocolKerberos protocol
Kerberos protocolAjit Dadresa
 
Introducing CAS 3.0 Protocol: Security and Performance
Introducing CAS 3.0 Protocol: Security and PerformanceIntroducing CAS 3.0 Protocol: Security and Performance
Introducing CAS 3.0 Protocol: Security and PerformanceAmin Saqi
 
Java Virtual Machine, Call stack, Java Byte Code
Java Virtual Machine, Call stack, Java Byte CodeJava Virtual Machine, Call stack, Java Byte Code
Java Virtual Machine, Call stack, Java Byte CodeJavajigi Jaesung
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goPasswords are passé. WebAuthn is simpler, stronger and ready to go
Passwords are passé. WebAuthn is simpler, stronger and ready to goMichael Furman
 
JSON WEB TOKEN
JSON WEB TOKENJSON WEB TOKEN
JSON WEB TOKENKnoldus Inc.
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
OAuth
OAuthOAuth
OAuthIván Fernández Perea
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
What is a malware attack?
What is a malware attack?What is a malware attack?
What is a malware attack?AariyaRathi
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the WildVictor Rentea
 
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughAzure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughVinu Gunasekaran
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
Same origin policy
Same origin policySame origin policy
Same origin policyVivek Madurai
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slidesSpring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slidesHitesh-Java
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
Click jacking
Click jackingClick jacking
Click jackingRonan Dunne, CEH, SSCP
 
Consuming Web Services in Android
Consuming Web Services in AndroidConsuming Web Services in Android
Consuming Web Services in AndroidDavid Truxall
 
Google authentication
Google authenticationGoogle authentication
Google authenticationNexThoughts Technologies
 
Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesAndrew Petro
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 

More Related Content

What's hot

Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Dom based xss
Dom based xssDom based xss
Dom based xssLê Giáp
 
What is a malware attack?
What is a malware attack?What is a malware attack?
What is a malware attack?AariyaRathi
 
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughAzure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughVinu Gunasekaran
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetShivanand Arur
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slidesSpring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slidesHitesh-Java
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testingImaginea
 
Consuming Web Services in Android
Consuming Web Services in AndroidConsuming Web Services in Android
Consuming Web Services in AndroidDavid Truxall
 

What's hot (20)

JSON WEB TOKEN
JSON WEB TOKENJSON WEB TOKEN
JSON WEB TOKEN
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
OAuth
OAuthOAuth
OAuth
 
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
Dom based xss
Dom based xssDom based xss
Dom based xss
 
What is a malware attack?
What is a malware attack?What is a malware attack?
What is a malware attack?
 
OAuth in the Wild
OAuth in the WildOAuth in the Wild
OAuth in the Wild
 
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy WalkthroughAzure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
Azure AD B2C Webinar Series: Custom Policies Part 2 Policy Walkthrough
 
Authentication and Authorization in Asp.Net
Authentication and Authorization in Asp.NetAuthentication and Authorization in Asp.Net
Authentication and Authorization in Asp.Net
 
Same origin policy
Same origin policySame origin policy
Same origin policy
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slidesSpring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
Spring - Part 2 - Autowiring, Annotations, Java based Configuration - slides
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Click jacking
Click jackingClick jacking
Click jacking
 
Consuming Web Services in Android
Consuming Web Services in AndroidConsuming Web Services in Android
Consuming Web Services in Android
 
Google authentication
Google authenticationGoogle authentication
Google authentication
 

Viewers also liked

Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesAndrew Petro
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcitmmubashirkhan
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsApigee | Google Cloud
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend frameworkGeorge Mihailov
 
Central Authentication Service (CAS) SSO for EMC Documentum Rest Services
Central Authentication Service (CAS) SSO for EMC Documentum Rest ServicesCentral Authentication Service (CAS) SSO for EMC Documentum Rest Services
Central Authentication Service (CAS) SSO for EMC Documentum Rest ServicesEMC
 
Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Sylvain Maret
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor AuthenticationFortytwo
 
Google Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and preventionGoogle Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and preventionBoštjan Cigan
 
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre..."2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...Yandex
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabiRafik HARABI
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideNick Owen
 
Two Factor Authentication and You
Two Factor Authentication and YouTwo Factor Authentication and You
Two Factor Authentication and YouChris Stone
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor AuthenticationDilip Kr. Jangir
 
Simple Two Factor Authentication
Simple Two Factor AuthenticationSimple Two Factor Authentication
Simple Two Factor AuthenticationJohn Congdon
 
Securing Your Salesforce Deployment with Two Factor Authentication
Securing Your Salesforce Deployment with Two Factor AuthenticationSecuring Your Salesforce Deployment with Two Factor Authentication
Securing Your Salesforce Deployment with Two Factor AuthenticationSalesforce Developers
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]Hai Nguyen
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesIBM Security
 

Viewers also liked (20)

Jasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten MinutesJasig Central Authentication Service in Ten Minutes
Jasig Central Authentication Service in Ten Minutes
 
Two factor authentication presentation mcit
Two factor authentication presentation mcitTwo factor authentication presentation mcit
Two factor authentication presentation mcit
 
Data-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive ThreatsData-driven Security: Protect APIs from Adaptive Threats
Data-driven Security: Protect APIs from Adaptive Threats
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
 
Web Sign-On with CAS
Web Sign-On with CASWeb Sign-On with CAS
Web Sign-On with CAS
 
Authentication with zend framework
Authentication with zend frameworkAuthentication with zend framework
Authentication with zend framework
 
Central Authentication Service (CAS) SSO for EMC Documentum Rest Services
Central Authentication Service (CAS) SSO for EMC Documentum Rest ServicesCentral Authentication Service (CAS) SSO for EMC Documentum Rest Services
Central Authentication Service (CAS) SSO for EMC Documentum Rest Services
 
Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011Strong Authentication in Web Applications: State of the Art 2011
Strong Authentication in Web Applications: State of the Art 2011
 
3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication3 reasons your business can't ignore Two-Factor Authentication
3 reasons your business can't ignore Two-Factor Authentication
 
Google Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and preventionGoogle Authenticator, possible attacks and prevention
Google Authenticator, possible attacks and prevention
 
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre..."2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi
 
Two factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guideTwo factor authentication-in_your_network_e_guide
Two factor authentication-in_your_network_e_guide
 
Two Factor Authentication and You
Two Factor Authentication and YouTwo Factor Authentication and You
Two Factor Authentication and You
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 
Simple Two Factor Authentication
Simple Two Factor AuthenticationSimple Two Factor Authentication
Simple Two Factor Authentication
 
Securing Your Salesforce Deployment with Two Factor Authentication
Securing Your Salesforce Deployment with Two Factor AuthenticationSecuring Your Salesforce Deployment with Two Factor Authentication
Securing Your Salesforce Deployment with Two Factor Authentication
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]2 factor authentication 3 [compatibility mode]
2 factor authentication 3 [compatibility mode]
 
Combat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion TechniquesCombat the Latest Two-Factor Authentication Evasion Techniques
Combat the Latest Two-Factor Authentication Evasion Techniques
 

Similar to SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Authentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaAuthentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaSoluto
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementManish Harsh
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxChanna Ly
 
W01 Levent Gurses X
W01 Levent Gurses XW01 Levent Gurses X
W01 Levent Gurses XMovel
 
Usability vs. Security: Find the Right Balance in Mobile Apps
Usability vs. Security: Find the Right Balance in Mobile AppsUsability vs. Security: Find the Right Balance in Mobile Apps
Usability vs. Security: Find the Right Balance in Mobile AppsJosiah Renaudin
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...izzatisholehah
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...Sagara Gunathunga
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Donald Malloy
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...WSO2
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...PROIDEA
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...WSO2
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfNordic APIs
 
What is Full Stack with Django and how to start learning It.docx
What is Full Stack with Django and how to start learning It.docxWhat is Full Stack with Django and how to start learning It.docx
What is Full Stack with Django and how to start learning It.docxTechnogeeks
 
Making User Authentication More Usable
Making User Authentication More UsableMaking User Authentication More Usable
Making User Authentication More UsableJim Fenton
 

Similar to SSO using CAS + two-factor authentication (PyGrunn 2014 talk) (20)

Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Authentication without Authentication - AppSec California
Authentication without Authentication - AppSec CaliforniaAuthentication without Authentication - AppSec California
Authentication without Authentication - AppSec California
 
SSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy ManagementSSO IN/With Drupal and Identitiy Management
SSO IN/With Drupal and Identitiy Management
 
How to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptxHow to build Simple yet powerful API.pptx
How to build Simple yet powerful API.pptx
 
W01 Levent Gurses X
W01 Levent Gurses XW01 Levent Gurses X
W01 Levent Gurses X
 
Usability vs. Security: Find the Right Balance in Mobile Apps
Usability vs. Security: Find the Right Balance in Mobile AppsUsability vs. Security: Find the Right Balance in Mobile Apps
Usability vs. Security: Find the Right Balance in Mobile Apps
 
validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...validation of user credentials in social network by using Django backend aut...
validation of user credentials in social network by using Django backend aut...
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application Platform
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
ISS SA le presenta IdentityGuard de Entrust
ISS SA le presenta IdentityGuard de EntrustISS SA le presenta IdentityGuard de Entrust
ISS SA le presenta IdentityGuard de Entrust
 
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ...
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 
What is Full Stack with Django and how to start learning It.docx
What is Full Stack with Django and how to start learning It.docxWhat is Full Stack with Django and how to start learning It.docx
What is Full Stack with Django and how to start learning It.docx
 
Making User Authentication More Usable
Making User Authentication More UsableMaking User Authentication More Usable
Making User Authentication More Usable
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 

SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

  • 1. Modern authentication techniques in Python web applications Artur Barseghyan Goldmund, Wyldebeast & Wunderliebe http://www.goldmund-wyldebeast-wunderliebe.nl/ artur.barseghyan@gmail.com https://github.com/barseghyanartur
  • 2. Part 1 Single Sign-on using Central Authentication Service
  • 3. A single framework/application User base Framework/application Authentication system Other importants parts not related to this talk
  • 4. Typical framework/application authentication flow User requests content requiring authentication User gets the content requested Is user authenticated? Authenticate user User provides credentials (login page) Are credentials correct? Yes No Yes No
  • 5. Multiple web frameworks/applications User base 1 Framework/application 1 Authentication system 1 Other importants parts not related to this talk User base 2 Framework/application 2 Authentication system 2 Other importants parts not related to this talk User base N Framework/application N Authentication system N Other importants parts not related to this talk ... Web portal (ex. DMS, intranet, wiki, etc.)
  • 6. Without Single Sign-on... ● Use a single framework/application and write lots of apps OR ● Use multiple frameworks/applications and: ○ Hack their authentication systems OR ○ Expect users to login into each of them OR ○ Make them communicate via customly built API ● More (bad) ideas?
  • 7. With Single Sign-on... ● User logs in once and gains access to all systems without being prompted to log in again.
  • 8. (JaSig) CAS Enterprise Single Sign-on solution ● Open source ● Well documented ● Scalable ● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, LDAP, SPINEGO, RADIUS, etc.) ● Lots of ready-to-use clients and plugins
  • 9. (JaSig) CAS CAS involves at least three parties: ● A client web browser ● Web application requesting authentication ● The CAS server It also optionally may involve: ● Back-end service, such as a database server
  • 11. CAS authentication schema User requests content which requires authentication User is asked to provide credentials (login page) Create SSO token and redirect User gets the content requested No Yes No Yes Is user authenticated into app? No Yes Authenticate user (CAS) CAS server Authenticate user (locally) Are credentials correct? Is user authenticated into CAS? CAS client (web application)
  • 12. Pros of CAS Pros ● Centralised authentication for all frameworks/applications. ● Actively maintained and developed. Large community. ● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, Active Directory, LDAP, SPINEGO, RADIUS, etc.). ● Lots of ready-to-use packages for many frameworks/applications. ● Less passwords to retype, remember and recover. ● More of your own code is reusable. ● Happier end-users. ● REST API.
  • 13. Cons of CAS Cons ● SSO availability becomes critical. ● SSO security becomes critical.
  • 14. Our use case Dashboard app ● Django Server A CAS server Server C User base ● Active Directory Server D VPN ● Apache ● Tomcat ● Debian ● Java ● CAS ● OpenVPN ● AJP ● Python ● Django ● Plone More to come Server X DMS ● Plone Server B
  • 16. CAS alternatives 1 / n JOSSO http://www.josso.org OpenAM (formerly known as OpenSSO) http://openam.forgerock.org Pubcookie http://www.pubcookie.org CoSign http://weblogin.org
  • 17. Linkodrome 1 / n Software packages JaSig CAS http://www.jasig.org/cas Django CAS client https://github.com/Goldmund-Wyldebeast-Wunderliebe/django-cas-consumer Plone CAS client https://github.com/collective/anz.casclient Detailed installation instructions http://bit.ly/1uuk2BS
  • 19. Standard authentication flow User requests content requiring authentication User gets the content requested Is user authenticated? Authenticate user User provides credentials (login page) Are credentials correct? Yes Yes No No
  • 20. ● Knowledge factor ("something only the user knows"): a password or a PIN. ● Possession factor ("something only the user has"): ATM card, smart card, mobile phone. ● Inherence factor ("something only the user is"): Fingerprint or voiceprint. Standard authentication factors
  • 21. Common advises on remembering many passwords ● Use complex passwords and have them saved in password managers. ● Use complex passwords, write them on paper and carry them in your wallet. Passwords aren’t enough!
  • 22. Two-factor authentication ● Knowledge factor ("something only the user knows"): a password or a PIN. ● Possession factor ("something only the user has"): ATM card, smart card, mobile phone. ● Inherence factor ("something only the user is"): Fingerprint or voiceprint.
  • 23. Standard authentication flow User requests content requiring authentication User provides credentials No Yes Is user authenticated ? Authenticate user Yes No Are credentials correct? User gets the content requested
  • 24. Two-factor authentication flow User requests content requiring authentication User provides credentials No Yes User provides second factor token Is token correct ? Yes No Second factor Is user authenticated ? Authenticate user Yes No Are credentials correct? User gets the content requested
  • 25. (Common) solutions ● SMS authentication ● Google Authenticator (mobile app) ● Hardware token generators
  • 28. Our use cases ● collective.googleauthenticator (uses Google Authenticator app) ● collective.smsauthenticator (login codes sent by SMS)
  • 34. Alternatives ● Risk-based authentication (based on behavioral biometrics, keystroke dynamics, etc.) ● Strong authentication ● Reliance authentication
  • 35. Linkodrome Plone ● collective.googleauthenticator (two-factor authentication using Google Authenticator app) https://pypi.python.org/pypi/collective.googleauthenticator ● collective.smsauthenticator (two-factor authentication using login codes sent by SMS) https://pypi.python.org/pypi/collective.smsauthenticator Django ● django-two-factor-auth (two-factor authentication using Google Authenticator or login codes sent by SMS) https://pypi.python.org/pypi/django-two-factor-auth ● django-otp (pluggable framework for adding two-factor authentication using OTP.) https://pypi.python.org/pypi/django-otp
  • 37. Thank you! Artur Barseghyan Goldmund, Wyldebeast & Wunderliebe artur.barseghyan@gmail.com https://github.com/barseghyanartur