Two-factor authentication

Transcript

1. MontrealRb 2013-03 Two-factor authentication ...or getting away with a shitty

   password

2. cjoudrey   @

3. None

4. Two-factor? Something you have Something you know +

5. Two-factor? + Something you have   Something you know

6. None

7. It’s easy! Just generate random numbers!

8. It’s easy! Just generate random numbers! Sort of...

9. None

10. Time-based One-time Password

11. Shared secret Time + = 123456 Time-based One-time Password

12. ROTP gem Time-based One-time Password

13. totp = ROTP::TOTP.new('secret') totp.now # => 281918

14. New password every 30 seconds Time-based One-time Password

15. totp.now # => 281918 totp.verify(281918) # => true sleep 30

    totp.verify(281918) # => false

16. Getting the secret on the device Time-based One-time Password

17. None

18. totp.provisioning_uri('my app') # => "otpauth://totp/my%20app? secret=secret"

19. totp.provisioning_uri('Sample App ...')

20. What about SMS? Time-based One-time Password

21. totp.now # => 281918 sleep 30 totp.verify(281918) # => false

    totp.verify_with_drift(281918, 30) # => true

22. In practice

23. Demo

24. Generate user secret

25. class User < ActiveRecord::Base # ... before_create :set_auth_secret private def

    set_auth_secret self.auth_secret = ROTP::Base32.random_base32 end end
26. None

27. Validating the client

28. class AdminController < ApplicationController # ... before_filter :authenticate_user! before_filter :validate_client

    private def validate_client # ... client_id = cookies.signed[:client_id] || SecureRandom.uuid # ... end end

29. create_table 'devices' do |t| t.string 'client_id' t.integer 'user_id' t.datetime 'authenticated_at'

    # ... end

30. HTTP Cookies

31. HTTP Cookies httponly

32. HTTP Cookies secure

33. HTTP Cookies signed

34. Pitfalls

35. Pitfalls Dead phone

36. Pitfalls New phone

37. Pitfalls Time not properly set on phone

38. None

39. Thanks! Questions?