SlideShare a Scribd company logo

Cost-Effective Two-Factor Authentication

Waihon Yew
Waihon Yew

Implementing two-factor authentication for a web app using Ruby on Rails web framework, active_model_otp gem, and Google Authenticator app.

Software
1 of 16
Download to read offline
COST-EFFECTIVE TWO-FACTOR AUTHENTICATION
ABOUT ME ● Waihon Yew ● Rapid River Software ● Connect with me: ○ GitHub: waihon ○ Twitter: waihon ○ LinkedIn: waihonyew
WHAT IS TWO-FACTOR AUTHENTICATION? ● Two-factor authentication (2FA) is a way to add additional security to your account. ● The first "factor" is your usual password that is standard for any account. ● A common second "factor" is a verification code retrieved from an app on a mobile device or computer. ● 2FA is conceptually similar to a security token device that certain banks in some countries require for online banking. ● Other names for 2FA systems include OTP (one-time password) and TOTP (Time-based One-time Password algorithm).
● Business ○ Compatible with Google Authenticator which is available for free on both Google Play and App Store ● Technical ○ A gem/library that: ■ Makes adding 2FA to a user model simple ■ Is not tightly coupled with any authentication gems such as Devise REQUIREMENTS/CONSTRAINTS
2FA GEM: ACTIVEMODEL::OTP ● GitHub ○ https://github.com/heapsource/active_model_otp ● Key dependency ○ ROTP 4.0 or higher ■ A Ruby library for generating and validating one time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP). ● Installation ○ gem 'active_model_otp'
● Add otp_secret_key to your user model ○ rails g migration AddOtpSecretKeyToUsers otp_secret_key:string ○ rails db:migrate ● Add has_one_time_password directive to your user model. ○ It provides a few useful methods in order to implement your 2FA SETTING UP YOUR MODEL
● The otp_secret_key is saved automatically when an object is created. ● If you're adding this to an existing user model, you could: ○ Generate otp_secret_key with a migration like: ■ User.find_each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) } ○ Generate otp_secret_key when users enable 2FA OTP SECRET KEY
● user.otp_code #=> 225681 ● sleep 30 # let's wait 30 secs ● user.otp_code #=> 837058 GETTING CURRENT CODE
● user.otp_code(time: Time.now) #=> 417714 ● user.otp_code(time: Time.now + 3600) #=> 766675 OVERRIDE CURRENT TIME
● user.authenticate_otp('186522') # => truthy ● sleep 30 # let's wait 30 secs ● user.authenticate_otp('186522') # => falsey AUTHENTICATING USING A CODE
● user.authenticate_otp('186522') # => truthy ● sleep 30 # let’s wait again ● user.authenticate_otp('186522', drift: 60) # => truthy AUTHENTICATING USING A SLIGHTLY OLD CODE
● Recovery codes ○ Used to access your account in the event you cannot receive two-factor authentication codes. ADDITIONAL 2FA OPTIONS
● Live ○ https://tfademo.herokuapp.com ● Source code ○ https://github.com/waihon/tfa-demo 2FA DEMO
● Aaron Lim ● Adeline Lim ● Hakim Ahmad ● Tamer Shlash ACKNOWLEDGEMENTS
QUESTIONS & ANSWERS
THANK YOU!

Recommended

Entender React Native
Entender React NativeEntender React Native
Entender React NativeSantex Group
 
Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...
Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...
Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...Meet Magento Italy
 
How to keep modules up to date
How to keep modules up to dateHow to keep modules up to date
How to keep modules up to dateThomas Fleck
 
PANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 PresentationPANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 Presentationbiosshadow
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing AppAndreas Schranzhofer
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Icinga
 
PyConUK 2014 - PostMortem Debugging and Web Development Updated
PyConUK 2014 - PostMortem Debugging and Web Development UpdatedPyConUK 2014 - PostMortem Debugging and Web Development Updated
PyConUK 2014 - PostMortem Debugging and Web Development UpdatedAlessandro Molina
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at DecisivTeleport
 

Recommended

Entender React Native
Entender React NativeEntender React Native
Entender React NativeSantex Group
 
Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...
Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...
Riccardo Tempesta - The right tools for the right job (or: surviving Magento ...Meet Magento Italy
 
How to keep modules up to date
How to keep modules up to dateHow to keep modules up to date
How to keep modules up to dateThomas Fleck
 
PANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 PresentationPANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 Presentationbiosshadow
 
App Security and Securing App
App Security and Securing AppApp Security and Securing App
App Security and Securing AppAndreas Schranzhofer
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Icinga
 
PyConUK 2014 - PostMortem Debugging and Web Development Updated
PyConUK 2014 - PostMortem Debugging and Web Development UpdatedPyConUK 2014 - PostMortem Debugging and Web Development Updated
PyConUK 2014 - PostMortem Debugging and Web Development UpdatedAlessandro Molina
 
Secure Developer Access at Decisiv
Secure Developer Access at DecisivSecure Developer Access at Decisiv
Secure Developer Access at DecisivTeleport
 
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...Anant Corporation
 
Devoxx : being productive with JHipster
Devoxx : being productive with JHipsterDevoxx : being productive with JHipster
Devoxx : being productive with JHipsterJulien Dubois
 
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...Tanya Denisyuk
 
Programming for non tech entrepreneurs
Programming for non tech entrepreneursProgramming for non tech entrepreneurs
Programming for non tech entrepreneursRodrigo Gil
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback frameworkThomas Papaspiros
 
EuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingEuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingAlessandro Molina
 
Post-Mortem Debugging and Web Development
Post-Mortem Debugging and Web DevelopmentPost-Mortem Debugging and Web Development
Post-Mortem Debugging and Web DevelopmentAlessandro Molina
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)abend_cve_9999_0001
 
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...eMadrid network
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Integrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseIntegrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseBahman Kalali
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabiRafik HARABI
 
Google authentication
Google authenticationGoogle authentication
Google authenticationNexThoughts Technologies
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
Building Open Source Identity Infrastructures
Building Open Source Identity InfrastructuresBuilding Open Source Identity Infrastructures
Building Open Source Identity InfrastructuresMisagh Moayyed
 
Safe Community Call #13.pdf
Safe Community Call #13.pdfSafe Community Call #13.pdf
Safe Community Call #13.pdfLornyPfeifer
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
MuleSoft Manchester Meetup #2 slides 29th October 2019
MuleSoft Manchester Meetup #2 slides 29th October 2019MuleSoft Manchester Meetup #2 slides 29th October 2019
MuleSoft Manchester Meetup #2 slides 29th October 2019Ieva Navickaite
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 
What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 

More Related Content

Similar to Cost-Effective Two-Factor Authentication

Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...Anant Corporation
 
Devoxx : being productive with JHipster
Devoxx : being productive with JHipsterDevoxx : being productive with JHipster
Devoxx : being productive with JHipsterJulien Dubois
 
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...Tanya Denisyuk
 
Programming for non tech entrepreneurs
Programming for non tech entrepreneursProgramming for non tech entrepreneurs
Programming for non tech entrepreneursRodrigo Gil
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsVlad Fedosov
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback frameworkThomas Papaspiros
 
EuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingEuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingAlessandro Molina
 
Post-Mortem Debugging and Web Development
Post-Mortem Debugging and Web DevelopmentPost-Mortem Debugging and Web Development
Post-Mortem Debugging and Web DevelopmentAlessandro Molina
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)abend_cve_9999_0001
 
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...eMadrid network
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Integrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseIntegrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseBahman Kalali
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabiRafik HARABI
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdfAbhi Jain
 
Building Open Source Identity Infrastructures
Building Open Source Identity InfrastructuresBuilding Open Source Identity Infrastructures
Building Open Source Identity InfrastructuresMisagh Moayyed
 
Safe Community Call #13.pdf
Safe Community Call #13.pdfSafe Community Call #13.pdf
Safe Community Call #13.pdfLornyPfeifer
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonAll Things Open
 
MuleSoft Manchester Meetup #2 slides 29th October 2019
MuleSoft Manchester Meetup #2 slides 29th October 2019MuleSoft Manchester Meetup #2 slides 29th October 2019
MuleSoft Manchester Meetup #2 slides 29th October 2019Ieva Navickaite
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Securitygjdevos
 

Similar to Cost-Effective Two-Factor Authentication (20)

Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
Data Engineer's Lunch #37: Pipedream: Serverless Integration and Compute Plat...
 
Devoxx : being productive with JHipster
Devoxx : being productive with JHipsterDevoxx : being productive with JHipster
Devoxx : being productive with JHipster
 
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
Дмитрий Хоревич "Cloud native security with UAA \ Как защитить микросервисы с...
 
Programming for non tech entrepreneurs
Programming for non tech entrepreneursProgramming for non tech entrepreneurs
Programming for non tech entrepreneurs
 
XP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applicationsXP Days 2019: First secret delivery for modern cloud-native applications
XP Days 2019: First secret delivery for modern cloud-native applications
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback framework
 
EuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears TrainingEuroPython 2013 - Python3 TurboGears Training
EuroPython 2013 - Python3 TurboGears Training
 
Post-Mortem Debugging and Web Development
Post-Mortem Debugging and Web DevelopmentPost-Mortem Debugging and Web Development
Post-Mortem Debugging and Web Development
 
Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)Bypassing Windows Security Functions(en)
Bypassing Windows Security Functions(en)
 
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
Seminario eMadrid 2015 09 10 sobre Serious Games (UCM) Manuel Freire - RAGE:...
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Integrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use caseIntegrating Okta with Anypoint Platform for a mobile security use case
Integrating Okta with Anypoint Platform for a mobile security use case
 
2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi2013.devcon3 liferay and google authenticator integration rafik_harabi
2013.devcon3 liferay and google authenticator integration rafik_harabi
 
Google authentication
Google authenticationGoogle authentication
Google authentication
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
 
Building Open Source Identity Infrastructures
Building Open Source Identity InfrastructuresBuilding Open Source Identity Infrastructures
Building Open Source Identity Infrastructures
 
Safe Community Call #13.pdf
Safe Community Call #13.pdfSafe Community Call #13.pdf
Safe Community Call #13.pdf
 
The New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by PythonThe New York Times: Sustainable Systems, Powered by Python
The New York Times: Sustainable Systems, Powered by Python
 
MuleSoft Manchester Meetup #2 slides 29th October 2019
MuleSoft Manchester Meetup #2 slides 29th October 2019MuleSoft Manchester Meetup #2 slides 29th October 2019
MuleSoft Manchester Meetup #2 slides 29th October 2019
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
 

Recently uploaded

What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 

Recently uploaded (20)

What is Binary Language? Computer Number Systems
What is Binary Language? Computer Number SystemsWhat is Binary Language? Computer Number Systems
What is Binary Language? Computer Number Systems
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 

Cost-Effective Two-Factor Authentication

  • 2. ABOUT ME ● Waihon Yew ● Rapid River Software ● Connect with me: ○ GitHub: waihon ○ Twitter: waihon ○ LinkedIn: waihonyew
  • 3. WHAT IS TWO-FACTOR AUTHENTICATION? ● Two-factor authentication (2FA) is a way to add additional security to your account. ● The first "factor" is your usual password that is standard for any account. ● A common second "factor" is a verification code retrieved from an app on a mobile device or computer. ● 2FA is conceptually similar to a security token device that certain banks in some countries require for online banking. ● Other names for 2FA systems include OTP (one-time password) and TOTP (Time-based One-time Password algorithm).
  • 4. ● Business ○ Compatible with Google Authenticator which is available for free on both Google Play and App Store ● Technical ○ A gem/library that: ■ Makes adding 2FA to a user model simple ■ Is not tightly coupled with any authentication gems such as Devise REQUIREMENTS/CONSTRAINTS
  • 5. 2FA GEM: ACTIVEMODEL::OTP ● GitHub ○ https://github.com/heapsource/active_model_otp ● Key dependency ○ ROTP 4.0 or higher ■ A Ruby library for generating and validating one time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP). ● Installation ○ gem 'active_model_otp'
  • 6. ● Add otp_secret_key to your user model ○ rails g migration AddOtpSecretKeyToUsers otp_secret_key:string ○ rails db:migrate ● Add has_one_time_password directive to your user model. ○ It provides a few useful methods in order to implement your 2FA SETTING UP YOUR MODEL
  • 7. ● The otp_secret_key is saved automatically when an object is created. ● If you're adding this to an existing user model, you could: ○ Generate otp_secret_key with a migration like: ■ User.find_each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) } ○ Generate otp_secret_key when users enable 2FA OTP SECRET KEY
  • 8. ● user.otp_code #=> 225681 ● sleep 30 # let's wait 30 secs ● user.otp_code #=> 837058 GETTING CURRENT CODE
  • 9. ● user.otp_code(time: Time.now) #=> 417714 ● user.otp_code(time: Time.now + 3600) #=> 766675 OVERRIDE CURRENT TIME
  • 10. ● user.authenticate_otp('186522') # => truthy ● sleep 30 # let's wait 30 secs ● user.authenticate_otp('186522') # => falsey AUTHENTICATING USING A CODE
  • 11. ● user.authenticate_otp('186522') # => truthy ● sleep 30 # let’s wait again ● user.authenticate_otp('186522', drift: 60) # => truthy AUTHENTICATING USING A SLIGHTLY OLD CODE
  • 12. ● Recovery codes ○ Used to access your account in the event you cannot receive two-factor authentication codes. ADDITIONAL 2FA OPTIONS
  • 13. ● Live ○ https://tfademo.herokuapp.com ● Source code ○ https://github.com/waihon/tfa-demo 2FA DEMO
  • 14. ● Aaron Lim ● Adeline Lim ● Hakim Ahmad ● Tamer Shlash ACKNOWLEDGEMENTS