Доклад для RailsClub 2015. Тема: Next Generation Authentication - bugs in Rails, design flaws, ways to fix.

1. Next Generation
Authentication
Bugs in Rails, design flaws, ways to fix

2. Bugs!
MongoDB Hash Injection
Rails query parameters are not strongly typed
User.where(email: params[:email])
?email[$regex]=.*@google.com.
Bypass any token or cause DoS

3. Bugs!
ActiveRecord injection in MySQL
User.find_by_token(params[:token])
curl app -H 'content-type:application/json' --data '{"token":0}'
curl app?token[] //fixed

4. Bugs!
Omniauth is full of bugs:
/auth/facebook?state=123
/auth/facebook/callback?state=123&code=mycode
Do not ever use Facebook Login for login
http://sakurity.com/reconnect

5. Authenticate/authorize
"Who you are" vs "what you can do"
Sign Up = create a record
Sign In = use that record

6. Biometrics
Real world authentication vs remote authentication
Every part of human body is static and observable
"Fingerprint is username"
Except passwords in our mind

7. >>P4$$word$<<
Not going away.
All we have is "knowledge" (=possession), and password is best
kind of possession. Every other private key / secret data still
depends on your password.
Security keys are useless, impossible to backup and expensive

8. >>P4$$word$<<
Now

9. >>P4$$word$<<
Password managers are a monkey patch(1% penetration
rate). Authentication must be built-in and easy to use

10. Truefactor.io
Password reuse, bruteforce < Password managers
---
CSRF < Time based TOTP
---
XSS, MitM, client side bugs, external JS < Truefactor Web
---
UXSS, MitB, malicious extensions < Truefactor Desktop
---
Device compromise < Paired Truefactors
---
Both devices are compromised < Nobody

11. Truefactor.io
Out of band transaction verification
+

12. Truefactor.io

13. Truefactor.io
Integration:
user = User.find_by_email(params[:user][:email])
if user
if user.encrypted_password.starts_with? "truefactor:"
str = "truefactor:#{params[:otp0]}:#{params[:otp1]}"
if user.valid_signatures?("login", str)
sign_in User, user
return redirect_to root_path
.....
Protect critical actions and responses:

14. Truefactor.io
Zero-knowledge backup. The server knows *nothing*
about you and your passwords.