2. Bugs!
MongoDB Hash Injection
Rails query parameters are not strongly typed: ?email=x is a String, ?email[$regex]=x is a Hash, ?email[]=x is an Array
User.where(email: params[:email])
?email[$regex]=.*@google.com.
The Hash is passed straight to Mongo as an operator: {email: {"$regex" => ".*@google.com."}}
Bypass any token check (a regex that matches the real value) or cause DoS (a regex that backtracks)
3. Bugs!
ActiveRecord injection in MySQL
User.find_by_token(params[:token])
curl app -H 'content-type:application/json' --data '{"token":0}'
JSON gives params[:token] = 0 (Integer); MySQL casts the string column to a number to compare, non-numeric tokens become 0, so token = 0 matches every row
curl app?token[]   // fixed: params[:token] became [nil], which ActiveRecord turned into "token IS NULL"
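Both slides above are the same bug: the finder trusts params[:x] to be a String when the request can make it a Hash, an Array or an Integer. The block below is an added example, not code from the slides or from Rails. It uses a small stand-in for Rack's nested-query parsing (parse_nested_query, written here; Rails apps get this from Rack itself) so the two payloads can be parsed offline, and a made-up guard (strict_string, UntypedParam) that refuses anything but a non-empty String before it reaches Mongoid or ActiveRecord.

```ruby
require 'cgi'
require 'json'

# Minimal stand-in for Rack's nested-query parsing (constructed for this
# example): handles key=v, key[]=v and key[sub]=v, which is all the two
# payloads on the slides need. A key with no "=" yields nil, as Rack does.
def parse_nested_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key)
    value = raw_value.nil? ? nil : CGI.unescape(raw_value)
    if key =~ /\A([^\[]+)\[\]\z/            # token[]       -> Array
      (params[$1] ||= []) << value
    elsif key =~ /\A([^\[]+)\[([^\]]+)\]\z/ # email[$regex] -> Hash
      (params[$1] ||= {})[$2] = value
    else
      params[key] = value
    end
  end
  params
end

class UntypedParam < ArgumentError; end

# What a finder should receive: a non-empty String and nothing else.
#   Hash    -> Mongo operator injection ({"$regex" => ...})
#   Array   -> [nil] became "IS NULL" in old ActiveRecord
#   Integer -> MySQL casts non-numeric strings to 0, so token = 0 matches all
def strict_string(value)
  raise UntypedParam, "expected String, got #{value.class}" unless value.is_a?(String)
  raise UntypedParam, 'blank value' if value.strip.empty?
  value
end

# The conditions Hash that User.where / find_by would be handed after the
# guard, e.g. user_lookup_conditions(params, 'email') => { email: "..." }.
def user_lookup_conditions(params, field)
  { field.to_sym => strict_string(params[field]) }
end

# Classify a hostile value instead of querying with it (used by the checks).
def classify(value)
  strict_string(value)
  :safe
rescue UntypedParam => e
  e.message
end
```

In a controller the same guard is one line, params[:email].to_s is not enough (a Hash stringifies to its inspect form and silently fails the lookup instead of being rejected), and strong parameters alone do not help because permit(:email) accepts a scalar but the JSON 0 is still a scalar.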
4. Bugs!
Omniauth is full of bugs:
/auth/facebook?state=123   (state is attacker-supplied, not generated by the server)
/auth/facebook/callback?state=123&code=mycode   (never compared with anything in the session, so a forged callback is accepted)
Do not ever use Facebook Login for login
http://sakurity.com/reconnect
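What the flow on slide 4 is missing is a server-chosen state bound to the session and checked on the callback. The block below is an added example written for this page, not OmniAuth's code; start_oauth, oauth_callback and the session Hash are made-up names standing in for the real strategy and Rack session. It covers the forged-callback CSRF only; the linked reconnect post describes a Facebook-side problem that this check alone does not address.

```ruby
require 'securerandom'
require 'cgi'

# Constant-time comparison so the state value cannot be guessed byte by byte
# from timing. Written out here to avoid depending on a particular OpenSSL
# version; OpenSSL.secure_compare does the same job where available.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1, the /auth/facebook redirect: the server picks the state and binds
# it to the session. A ?state=123 supplied by the client is simply ignored.
def start_oauth(session, client_id: 'APP_ID',
                redirect_uri: 'https://app.example/auth/facebook/callback')
  session[:oauth_state] = SecureRandom.hex(16)
  'https://www.facebook.com/dialog/oauth' \
    "?client_id=#{client_id}&redirect_uri=#{CGI.escape(redirect_uri)}" \
    "&state=#{session[:oauth_state]}"
end

# Step 2, the callback: the state must equal the session value, is consumed
# on first use (no replay), and only then is the code accepted for the
# server-to-server exchange. Returns [:ok, code] or [:reject, reason].
def oauth_callback(session, params)
  expected = session.delete(:oauth_state)
  unless expected && secure_equal?(expected, params['state'].to_s)
    return [:reject, 'state missing or mismatched']
  end
  return [:reject, 'code missing'] if params['code'].to_s.empty?
  [:ok, params['code']]
end
```

Two further rules keep the check meaningful: the account being linked must come from the existing session (the logged-in user), never from anything in the callback, and the state must be deleted whether the callback succeeds or fails, as above.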
6. Biometrics
Real world authentication vs remote authentication
Every part of the human body is static and observable
"Fingerprint is username"
Except the passwords in our minds
7. >>P4$$word$<<
Not going away.
All we have is "knowledge" (a form of possession), and a password is the best
kind of possession. Every other private key or secret still
depends on your password.
Security keys are useless, impossible to back up and expensive
13. Truefactor.io
Integration:
user = User.find_by_email(params[:user][:email])
if user
  # Truefactor accounts carry a "truefactor:" marker in encrypted_password
  if user.encrypted_password.starts_with? "truefactor:"
    # the two one-time codes from the form, in the same form the signature covers
    str = "truefactor:#{params[:otp0]}:#{params[:otp1]}"
    if user.valid_signatures?("login", str)
      sign_in User, user
      return redirect_to root_path
.....
Protect critical actions and responses: