Better Security With Two Factor Authentication (PHP Unconference 2013)

ENTER

Better Security WithTwo Factor Authentication

Norman Soetbeer22.09.2013

Norman Soetbeer 222.09.2013

Who am I?

Norman Soetbeer

Computer Science StudentGame Developer @ InnoGames

Twitter: @TheBattleRattleGithub: BattleRattle

Table of Contents

What is TFA?1

TFA for Web Applications2

HOTP3

TOTP4

Example Implementation5

22.09.2013 Norman Soetbeer 3

Table of Contents

What is TFA?1


HOTP3

TOTP4



Norman Soetbeer 5

What is TFA?

22.09.2013

John Doe

********

submit

LOGIN

743503

submit

Enter your CodeAn authenticator isconnected to your account

WelcomeHey, John Doe!You successfully logged in

1 2

Norman Soetbeer 6

What is TFA?

also known as

TFA, 2FATwo-Step Authentication

Two-Step Verification (Google)Two Factor Verification (Dropbox, Twitter)

Login Approvals (Facebook)Code Generator (Facebook)

22.09.2013

7

What is TFA?

three factorsconsider two (or more)

22.09.2013 Norman Soetbeer

8

What is TFA?

knowledge factor„something only the user knows“

PINpasswordpattern

„What was the name of your first pet?“


9

What is TFA?

possession factor„something only the user has“


key

smart card

ATM card

mobile phone

hard tokens

USB tokens

10

What is TFA?

inherence factor„something only the user is“

finger printiris

voiceDNA


11

What is TFA?

Automatic Teller MachineATM card + PIN

=„something only the user has“

+„something only the user knows“


12

What is TFA?

requirements for secure factors

strong entropy on secrets


13

What is TFA?


high resistance of a tokens to be cloned


14

What is TFA?


uniqueness and reliability of biometrics


15

What is TFA?


secure transport (tokens, passwords, etc.)


16

What is TFA?


additional management:disable lost tokens

determine steps for password resetwithdraw credentials, if no longer required


17

What is TFA?


fraud detection:monitor failed attempts, lock account


What is TFA?1


HOTP3

TOTP4



19

TFA in Web Applications

what is possible?


20


knowledge factorPIN?


21


knowledge factorpassword?


22


knowledge factorpattern?

requires javascript / flash, but


23


knowledge factor„What was the name of your first pet“?

does not fulfill„something only the user knows“


24


possession factorkey?

difficult to check


25


possession factorsmart card?

requires additional hardwarenot usable in web browser (maybe with plugin)

costs (card, card reader, transport of card)


26


possession factorUSB token?

not usable in web browser (maybe with plugin)costs (token + transfer)


27


possession factorhard token?

costs (token itself, transport)

?22.09.2013 Norman Soetbeer

28


possession factormobile phone?

SMS?

Costs


29



Give us your phone number?

30



voice message?

same as SMS


31



code generator (smart phone)



What is TFA?1


HOTP3

TOTP4


32

33

HMAC-Based One-Time Password algorithm


secret key

secret counter value

public serial

new code on key press

(counter increases)

34



HMAC-Based One-Time Password

hash = hmac_sha1(key, counter)

offset = last 4 bits of hash

number = 4 bytes from hash, beginning at offset

pad numbers to given length

35



example

hash = hmac_sha1(„12345“, 1)20 d4 c6 b0 32 ea 01 da 02 6ea8 a9 f6 f4 00 41 d0 95 6d 08offset = last 4 bits of hash

8number = 4 bytes from hash, beginning at

offset02 6e a8 a9

pad numbers to given length40806569

36



usage

serial key counter uid

FOO-BAR-BAZ

43A7B66200DD

7 42456

ABCD-EFGH-IJKL

AF3A77E8D638

19 87632

MNOP-QRST-UVWX

74DA39355CB6

2 24572

SERIALABCD-EFGH-IJKL

KEY (secret)AF3A77E8D638COUNTER (secret)

19

authenticator web application

37



generate a new code


FOO-BAR-BAZ

43A7B66200DD

7 42456

ABCD-EFGH-IJKL

AF3A77E8D638

19 87632

MNOP-QRST-UVWX

74DA39355CB6

2 24572



20


830429 830429

38



code was correct


FOO-BAR-BAZ

43A7B66200DD

7 42456

ABCD-EFGH-IJKL

AF3A77E8D638

20 87632

MNOP-QRST-UVWX

74DA39355CB6

2 24572



20


830429 830429

39



code was incorrect (e.g. typo)


FOO-BAR-BAZ

43A7B66200DD

7 42456

ABCD-EFGH-IJKL

AF3A77E8D638

19 87632

MNOP-QRST-UVWX

74DA39355CB6

2 24572



20


830428 830429

40



code was incorrect (e.g. typo)


FOO-BAR-BAZ

43A7B66200DD

7 42456

ABCD-EFGH-IJKL

AF3A77E8D638

19 87632

MNOP-QRST-UVWX

74DA39355CB6

2 24572



20


830428 830429

counters out of sync

41



solutionalso check up to 10 upcoming codes

and update counter


What is TFA?1


HOTP3

TOTP4


42

43

Time-Based One-Time Password algorithm


secret key

internal clock

new code every 30 seconds

44

Time-Based One-Time Password algorithm


Time-Based One-Time Password

time_frame = floor (unix_timestamp / time_step)

hash = hmac_sha1(key, time_frame)

offset = last 4 bits of hash

number = 4 bytes from hash, beginning at offset

pad numbers to given length

45



usage

key uid

43A7B66200DD 42456

AF3A77E8D638 87632

74DA39355CB6 24572

KEY (maybe secret)AF3A77E8D638

UNIX TIMESTAMP1234567890


692113 692113

code must be marked as used,because „one-time password“

46



wrong code

key uid

43A7B66200DD 42456

AF3A77E8D638 87632

74DA39355CB6 24572

KEY (maybe secret)AF3A77E8D638

UNIX TIMESTAMP1234567890


849372 692113

you should lock the accountfor current time frame

47



what about delays?clocks out of sync?

48



simplejust also check one time framebefore and after current one


What is TFA?1


HOTP3

TOTP4


49

50

Example


demo time

51

Example


// Check Credentials (Step 1)$username = $_POST['username'];$password = $_POST['password'];

$user = getUserByCredentials($username, $password);

if (!$user) { redirect('/login/');}

if ($user->hasAuthenticator()) { $session->set('authenticated', false);} else { $session->set('authenticated', true);}

52

Example


// Check for Authenticationif (!$session->get('authenticated')) {

redirect('/tfa-code/');}

53

Example


// Check Code (Step 2)use BattleRattle\Doorman\Authentication\GoogleAuthenticator;

// get the code from user input$code = $_POST['code'];

// get the associated key for the current user$key = 'ONETIMEPASSWORDS';

$authenticator = new GoogleAuthenticator();$result = $authenticator->authenticate($key, $code);

if ($result) { echo 'Welcome, you successfully logged in';} else { echo 'Nope, try again';}

54

Example


installation via composer / packagist

“require”: { “battlerattle/doorman”: “dev-master” }


questions?


thank you

Better Security With Two Factor Authentication (PHP Unconference 2013)

Technology

Transcript of Better Security With Two Factor Authentication (PHP Unconference 2013)