Simple Two Factor Authentication

•Descargar como PPT, PDF•

2 recomendaciones•4,241 vistas

My presentation at SDPHP went well. I definitely could improve on this presentation. I missed the mark on the general workflow. How the customers and developers are impacted. I made assumptions that I shouldn't have, such as everyone already knew what Two Factor Authentication (2fa) was.

Tecnología

Simple Two Factor
Authentication
Secure Your Life

About Me
John Congdon
IRC: johncongdon
Twitter: @johncongdon
john@sdphp.org
Ultimate Frisbee Player

Passwords
“Something the user knows”
Susceptible to
Brute force attacks
Phishing
Social engineering
Data breaches

Recent Web Data Exploits
Thousands of vBulletin websites hacked
http://krebsonsecurity.com/2013/10/thousands-of-sites-hacked-via-vbulletin-hole/

Evernote (50,000,000 accounts)
Washington state Administrative Office of the Courts
160,000 Names, Social Security numbers, and driver’s license numbers were accessed
http://jrcon.me/1phbN9U

Living Social (50,000,000 accounts)
Adobe (38,000,000 accounts)
So many more…
http://jrcon.me/1phdJ24

Two Factor Authentication
“Something the user has”
Tokens
Hardware (Hard tokens, USB, Cards)
Software
Mobile phone

Concerns
Key Logging
Man-in-the-middle Attacks
Man-in-the-browser Attacks
Recovery of lost token (broken phone)

Two+ Factor
Authentication
Why stop at just two?
“Something the user is”
Biometrics
Finger print
Voice print
Retina scan
DNA?

Simple 2FA

TOTP - Time based One Time Password
Combines a secret with the current time
New code is generated every 30 seconds

Software Token
Google Authenticator
Simple and free
Secure
No backup
Authy
Multi Device
Easy backup

What’s Needed?
A “Secret” is used to create the TOTP
Base 32 Encoder/Decoder
Accurate clock
QR Code

$Create The Secret public function createSecret($secretLength = 16) { $validChars = $this->_getBase32LookupTable(); unset($validChars[32]); $secret = ''; for ($i = 0; $i < $secretLength; $i++) { $secret .= $validChars[array_rand($validChars)]; } return $secret; }$

Generate QR Code
function getQRCodeGoogleUrl($name, $secret) {
$urlencoded = urlencode('otpauth://totp/'.$name.'?
secret='.$secret.'');
return 'https://chart.googleapis.com/chart?
chs=200x200&chld=M|0&cht=qr&chl='.
$urlencoded.'';
}
$image = getQRCodeGoogleUrl(‘SDPHP’, $secret);
echo “<img src=‘$image’/>”;

$Authentication Steps <?php if ($user->auth($username, $password)) { if ($user->two_factor_secret) { showTwoFactorForm(); } return true; } return false;$

$Verify The Code <?php //after password authentication $secret = $user->two_factor_secret; $auth_code = $_POST[‘auth_code’]; if ($secret && $auth_code) { if ($auth->verifyCode($secret, $auth_code)) { return true; } } return false;$

Verify With Discrepancy
Range
<?php
function verifyCode($secret, $code, $discrepancy = 1) {
$currentTimeSlice = floor(time() / 30);
for ($i = -$discrepancy; $i <= $discrepancy; $i++) {
// -1, 0, 1 by default
$calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
if ($calculatedCode == $code) {
return true;
}
}
return false;
}

Considerations
Don’t Annoy Your Users
#1 Reason People Hate 2FA
Make it optional and easy
Add a remember me for X days option

Más contenido relacionado

Destacado

Two factor authentication

Hai Nguyen

Better Security With Two Factor Authentication (PHP Unconference 2013)

Norman Soetbeer

Two factor authentication-in_your_network_e_guide

Nick Owen

otp-sms-two-factor-authentication

Nikos Ioannou 123RF.com

Seminar-Two Factor Authentication

Dilip Kr. Jangir

Impact of digital certificate in network security

rhassan84

Login security breaches have become commonplace in recent years. We hear about phishing attacks, stolen passwords and malware that collects all of our keystrokes. Once these data breaches would have instigated a call to use stronger and more complex passwords, however research has shown that two-thirds of all breaches are specifically the result of weak or stolen passwords. The one-time reliable password has become the weakest link. This is where two-factor authentication (2FA) steps in. Two-factor authentication is a simple yet an extremely powerful way of increasing security via the user logon sequence by simply adding a second factor of authentication to the standard username and password.

3 reasons your business can't ignore Two-Factor Authentication

Fortytwo

An in-depth look at Facebook's easy-to-use internal multi-factor authentication deployment. We will discuss our motivations, how our solution works, technical and security trade-offs, deployment problems, and outstanding issues. Bio Chad Greene: A security manager at Facebook, Chad Greene focuses on security engineering, intrusion detection and incident response at scale. Protecting user data for over 1 billion active users of the social network, his teams are responsible for building creative security solutions that balance rapid growth and innovation with a strong security posture. Prior to Facebook, for more than seven years Chad worked at eBay, where he worked on solving product security and security operations challenges. Chad holds a Bachelor's degree in Management Information Systems from The University of Notre Dame.

"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...

Yandex

Jasig Central Authentication Service in Ten Minutes

Andrew Petro

Google Authenticator, possible attacks and prevention

Boštjan Cigan

Today, with expand of the web portal, many customers are seeking for more secure solutions to access to their web portal outside of their own networks. For Liferay portal customers, this request has been increased due to the number of portal deployed on Cloud and the increase of deployment of Liferay portal for internet sites (B2C …). One of the proposed solutions is the use of Multi-factor authentication mechanism. Google Authenticator is one of the lead open source dual factor authentication systems. In this presentation, we will explain the integration technical solution of Liferay and Google Authenticator in order to deliver a two-factor authentication system. The presentation will be followed by a live demo.

2013.devcon3 liferay and google authenticator integration rafik_harabi

Rafik HARABI

Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know. Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two factor auth works, how to use it and the ins and outs of rolling your own solution using Time-based One-time Password (TOTP) (and the Google Authenticator app) or a third party service and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two factor authentication and you can too! There's no reason not to use it!

Two Factor Authentication and You

Chris Stone

SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Artur Barseghyan

Hackers are seemingly everywhere and we can't escape news droning on about breached companies and lost data. Two Factor Authentication is a critical security process to ensure that only your users gain access to the appropriate information. Join us as we not only walk through why deploying stronger authentication is important, but also demonstrate some of the new technologies and features in the Salesforce Platform that you can deploy today. Finally, get a glimpse of the future as we demonstrate the latest Salesforce Authenticator.

Securing Your Salesforce Deployment with Two Factor Authentication

Salesforce Developers

2 factor authentication 3 [compatibility mode]

Hai Nguyen

In the wake of 2005 FFIEC regulation calling for stronger security methods, financial institutions have adopted two-factor authentication (2FA) as a means to mitigate online fraud. Historically 2FA measures such as security questions, one time passwords, physical tokens, SMS authentications and USB tokens have been able to effectively stop fraud attacks. However, in the fast paced arms race that is the war against financial crime, cybercriminals are starting to take the upper hand by developing increasingly sophisticated techniques that bypass 2FA. In this presentation, Ori Bach, Senior Security Strategist at IBM Trusteer demonstrates several of the 2FA beating techniques and explains how cybercriminals: - Highjack authenticated banking sessions by directly taking over victims computers - Make use fake overlay messages to trick victims to surrender their tokens - Beat one time passwords sent to mobile devices - Purchase fraud tool-kits to bypass 2FA View the on-demand recording: https://attendee.gotowebinar.com/recording/6080887905844019714

Combat the Latest Two-Factor Authentication Evasion Techniques

IBM Security

Elixir Elevated: The Ups and Downs of OTP at ElixirConf2014

Greg Vaughn

Two Factor Authentication: Easy Setup, Major Impact

Salesforce Admins

Plex Systems EECS 441 Company Presentation

johntyu

Secured qr code [Pankaj Jeswani and Team]

Pank Jes

Destacado (20)

Two factor authentication

Better Security With Two Factor Authentication (PHP Unconference 2013)

Two factor authentication-in_your_network_e_guide

otp-sms-two-factor-authentication

Seminar-Two Factor Authentication

Impact of digital certificate in network security

3 reasons your business can't ignore Two-Factor Authentication

"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...

Jasig Central Authentication Service in Ten Minutes

Google Authenticator, possible attacks and prevention

2013.devcon3 liferay and google authenticator integration rafik_harabi

Two Factor Authentication and You

SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Securing Your Salesforce Deployment with Two Factor Authentication

2 factor authentication 3 [compatibility mode]

Combat the Latest Two-Factor Authentication Evasion Techniques

Elixir Elevated: The Ups and Downs of OTP at ElixirConf2014

Two Factor Authentication: Easy Setup, Major Impact

Plex Systems EECS 441 Company Presentation

Secured qr code [Pankaj Jeswani and Team]

Similar a Simple Two Factor Authentication

News Bytes by Jaskaran Narula - Null Meet Bhopal

Jaskaran Narula

Operations security (OPSEC)

Botnets

Ethical Hacking

Network security

How Hackers Can Use Your Data Against You + Tips to Protect Yourself

Antoine Moyroud

Mitigating Malware Presentation Jkd 11 10 08 Aitp

Joann Davis

cyber crime technology

Binu p jayan

Internet Banking Attacks (Karel Miko)

DCIT, a.s.

Lecture about network and host security to NII students

Akiumi Hasegawa

Cyber Crime and Security

Md Nishad

Introduction: Welcome to the enlightening presentation on "Safety and Online Awareness of Operation and Security of Digital Devices." This informative session was held at Chhayanaut Shangskriti-Bhavan, where we discussed crucial aspects related to the safe usage of digital devices and increasing awareness about online security. In this presentation, we will explore the potential risks associated with digital technologies and how to safeguard ourselves while navigating the vast online landscape. Let's delve into the essential concepts that promote a secure and responsible digital presence. Section 1: Understanding the Digital Landscape In this section, we take a closer look at the dynamic and evolving digital landscape. We discuss the significant growth of internet users worldwide and the increasing reliance on digital devices, such as computers, smartphones, tablets, and IoT devices. The benefits of technology are undeniable, but it's equally crucial to comprehend the potential threats lurking in the online world, including cyber-attacks, data breaches, and identity theft. Section 2: Recognizing Online Threats Here, we identify common online threats and their impact on individuals and organizations. Participants are educated on different types of cyber threats, such as malware, phishing, social engineering, and ransomware. We emphasize the importance of being vigilant and staying informed about the latest threats to protect ourselves effectively. Section 3: Strengthening Device Security This segment delves into best practices for securing digital devices. We discuss the significance of strong passwords, enabling two-factor authentication, keeping software up-to-date, and the use of reputable antivirus and security software. Practical tips are shared on securing smartphones and other mobile devices against theft or unauthorized access. Section 4: Safe Internet Practices In this part, we focus on safe internet practices to maintain privacy and security. We discuss the risks associated with oversharing personal information on social media and how to configure privacy settings effectively. Additionally, participants learn about safe browsing habits, avoiding suspicious websites, and using secure Wi-Fi connections. Section 5: Social Engineering and Phishing Awareness Social engineering is a deceptive technique used by cybercriminals to manipulate individuals into divulging sensitive information. We highlight common social engineering tactics and educate participants on how to recognize and avoid falling victim to these scams. We also emphasize the importance of being cautious while responding to emails, texts, or calls from unknown sources. Section 6: Responsible Use of Public Wi-Fi Public Wi-Fi networks can be convenient but are often unsecured, making users vulnerable to potential attacks.

ONLINE SEFTY AND AWARNESS OF OPERATION AND SECURITY OF DIGITAL DEVICES

Mehedi Hasan

Cyber crime and cyber security

Keshab Nath

Risk base approach for security management fujitsu-fms event 15 aug 2011

IbuSrikandi

E security and payment 2013-1

Abdelfatah hegazy

ccs12-18022310494mghmgmyy3 (1).pdf

KALPITKALPIT1

Information security awareness

CAS

Botnet

prisonbreak4950

Operations Security - SF Bitcoin Hackday March 2015

Mikko Ohtamaa

Building on Social Application Platforms

Jonathan LeBlanc

Similar a Simple Two Factor Authentication (20)

News Bytes by Jaskaran Narula - Null Meet Bhopal

Operations security (OPSEC)

Botnets

Ethical Hacking

Network security

How Hackers Can Use Your Data Against You + Tips to Protect Yourself

Mitigating Malware Presentation Jkd 11 10 08 Aitp

cyber crime technology

Internet Banking Attacks (Karel Miko)

Lecture about network and host security to NII students

Cyber Crime and Security

ONLINE SEFTY AND AWARNESS OF OPERATION AND SECURITY OF DIGITAL DEVICES

Cyber crime and cyber security

Risk base approach for security management fujitsu-fms event 15 aug 2011

E security and payment 2013-1

ccs12-18022310494mghmgmyy3 (1).pdf

Information security awareness

Botnet

Operations Security - SF Bitcoin Hackday March 2015

Building on Social Application Platforms

Último

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

ICT role in 21st century education and its challenges

rafiqahmad00786416

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Jago de Vreede

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

DBX First Quarter 2024 Investor Presentation

Dropbox

Axa Assurance Maroc - Insurer Innovation Award 2024

The Digital Insurer

Simple Two Factor Authentication

1. Simple Two Factor Authentication Secure Your Life

2. About Me John Congdon IRC: johncongdon Twitter: @johncongdon john@sdphp.org Ultimate Frisbee Player

3. Authentication

4. Passwords “Something the user knows” Susceptible to Brute force attacks Phishing Social engineering Data breaches

5. Recent Web Data Exploits Thousands of vBulletin websites hacked http://krebsonsecurity.com/2013/10/thousands-of-sites-hacked-via-vbulletin-hole/ Evernote (50,000,000 accounts) Washington state Administrative Office of the Courts 160,000 Names, Social Security numbers, and driver’s license numbers were accessed http://jrcon.me/1phbN9U Living Social (50,000,000 accounts) Adobe (38,000,000 accounts) So many more… http://jrcon.me/1phdJ24

7. Two Factor Authentication “Something the user has” Tokens Hardware (Hard tokens, USB, Cards) Software Mobile phone

8. Concerns Key Logging Man-in-the-middle Attacks Man-in-the-browser Attacks Recovery of lost token (broken phone)

9. Two+ Factor Authentication Why stop at just two? “Something the user is” Biometrics Finger print Voice print Retina scan DNA?

10. Simple 2FA TOTP - Time based One Time Password Combines a secret with the current time New code is generated every 30 seconds

11. Software Token Google Authenticator Simple and free Secure No backup Authy Multi Device Easy backup

12. What’s Needed? A “Secret” is used to create the TOTP Base 32 Encoder/Decoder Accurate clock QR Code

13. Create The Secret public function createSecret($secretLength = 16) { $validChars = $this->_getBase32LookupTable(); unset($validChars[32]); $secret = ''; for ($i = 0; $i < $secretLength; $i++) { $secret .= $validChars[array_rand($validChars)]; } return $secret; }

14. Generate QR Code function getQRCodeGoogleUrl($name, $secret) { $urlencoded = urlencode('otpauth://totp/'.$name.'? secret='.$secret.''); return 'https://chart.googleapis.com/chart? chs=200x200&chld=M|0&cht=qr&chl='. $urlencoded.''; } $image = getQRCodeGoogleUrl(‘SDPHP’, $secret); echo “<img src=‘$image’/>”;

15. Authentication Steps <?php if ($user->auth($username, $password)) { if ($user->two_factor_secret) { showTwoFactorForm(); } return true; } return false;

16. Verify The Code <?php //after password authentication $secret = $user->two_factor_secret; $auth_code = $_POST[‘auth_code’]; if ($secret && $auth_code) { if ($auth->verifyCode($secret, $auth_code)) { return true; } } return false;

17. Verify With Discrepancy Range <?php function verifyCode($secret, $code, $discrepancy = 1) { $currentTimeSlice = floor(time() / 30); for ($i = -$discrepancy; $i <= $discrepancy; $i++) { // -1, 0, 1 by default $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i); if ($calculatedCode == $code) { return true; } } return false; }

18. Considerations Don’t Annoy Your Users #1 Reason People Hate 2FA Make it optional and easy Add a remember me for X days option

19. Questions?

20. Thank You!

Simple Two Factor Authentication

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (20)

Similar a Simple Two Factor Authentication

Similar a Simple Two Factor Authentication (20)

Último

Último (20)

Simple Two Factor Authentication