Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645

Two Factor Authentication and You


Page 1: Two Factor Authentication and You


TWO-FACTOR AUTHENTICATION AND YOU

https://joind.in/10645

Page 2: Two Factor Authentication and You

WHO AM I?

•President and Co-Founder of E-Moxie - www.emoxie.com
•Baltimore, MD
•PHP Developer, System Administrator, Tinkerer
•Meetup Organizer - Baltimore PHP/Mobile/API
•Trainer
•Maximize efficiencies and make life easier (mainly mine)
•I’ve seen things, and learned a bit on the way!

[email protected] Twitter : @cmstone

Page 3: Two Factor Authentication and You


BACKGROUND OF THIS TALK

Page 4: Two Factor Authentication and You


WHAT IS TWO FACTOR AUTH?

•Not a new concept
•Two pieces of information needed (in addition to a username)
•Something you know and something you have
•First factor is typically a password (the "know")
•Second factor is typically a uniquely generated code (the "have")

Page 5: Two Factor Authentication and You


WHAT’S THE MOST COMMON EXAMPLE OF TWO-FACTOR AUTHENTICATION?

Page 6: Two Factor Authentication and You


ATM

•Requires something you have (ATM card)
•Requires something you know (PIN code)

Page 7: Two Factor Authentication and You


How do you get that second factor?

DELIVERY MECHANISMS

•E-Mail
•SMS/Voice
•App

Page 8: Two Factor Authentication and You

E-MAIL - THE GOOD :)

•Wide adoption
•Everyone has an email address (or a few)
•If you don’t, it’s pretty easy to get one

Page 9: Two Factor Authentication and You

E-MAIL - THE BAD :(

•Prone to failure
•Delivery problems
•Message blocking
•SPAM
•Send/Receive problems
•Requires Internet/Network access
•More mail?? Who really wants to get more?

Page 10: Two Factor Authentication and You

SMS

Page 11: Two Factor Authentication and You

SMS - GOOD THINGS!

•Mobile device required (or a service like Google Voice)
•SMS penetration is high
•Easy to implement
•Global support

Page 12: Two Factor Authentication and You

SMS - BAD THINGS :(

•Can’t receive SMS
•Could cost money
•Network
•Delivery delays
•Lost messages
•Power?
•Threat could have access to a web front end!
•Susceptible to architecture issues

Page 13: Two Factor Authentication and You

TWILIO

•REST API
•Get your own number
•Send a text message just like you would with any other app

Page 14: Two Factor Authentication and You

NEXMO

•php[tek] Sponsor - yay!
•Shared short code
•REST API

•API Key & Secret
•Destination & PIN

curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key}&api_secret={api_secret}&to=14435281326&pin=1234"
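The curl call above only delivers the PIN; the server still has to mint it, store it and check it. The following is an added example in PHP 7.1+ (not code from the talk or its repository) of that server side: a PIN from a CSPRNG, stored only as a hash, single use, with an expiry and an attempt limit so a guessed PIN cannot be brute-forced through the web front end. The in-memory array standing in for a database row, the class name and the user id are my own assumptions.

```php
<?php
// Added example: server-side lifecycle of a PIN delivered by SMS/e-mail.
// Not the talk's code; the static array is a stand-in for a database row.

final class DeliveredPinExample
{
    const PIN_DIGITS   = 6;
    const TTL_SECONDS  = 300; // PIN is valid for five minutes after issue
    const MAX_ATTEMPTS = 5;   // after this the PIN is burned and must be re-sent

    private static $store = []; // userId => ['hash', 'expires', 'attempts']

    // Mint a fresh PIN and return it for delivery (the pin= parameter above).
    // Only a bcrypt hash is kept, so a leaked table does not leak live PINs.
    public static function issue(string $userId, ?int $now = null): string
    {
        $now = $now ?? time();
        $pin = str_pad((string) random_int(0, 10 ** self::PIN_DIGITS - 1),
                       self::PIN_DIGITS, '0', STR_PAD_LEFT);
        self::$store[$userId] = [
            'hash'     => password_hash($pin, PASSWORD_DEFAULT),
            'expires'  => $now + self::TTL_SECONDS,
            'attempts' => 0,
        ];
        return $pin;
    }

    // Check a submitted PIN: expired or over-tried PINs are discarded,
    // a correct PIN is consumed so it cannot be replayed.
    public static function verify(string $userId, string $submitted, ?int $now = null): bool
    {
        $now = $now ?? time();
        if (!isset(self::$store[$userId])) {
            return false;
        }
        $rec = &self::$store[$userId];
        if ($now > $rec['expires'] || $rec['attempts'] >= self::MAX_ATTEMPTS) {
            unset(self::$store[$userId]);
            return false;
        }
        $rec['attempts']++;
        if (password_verify($submitted, $rec['hash'])) {
            unset(self::$store[$userId]); // single use
            return true;
        }
        return false;
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("self-check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed walk-through with fixed clock values instead of time().
$pin = DeliveredPinExample::issue('user-42', 1000);
expect(!DeliveredPinExample::verify('user-42', $pin, 1000 + 600), 'expired PIN is rejected');

$pin = DeliveredPinExample::issue('user-42', 2000);
expect(!DeliveredPinExample::verify('user-42', '000000', 2005) || $pin === '000000', 'wrong PIN is rejected');
expect(DeliveredPinExample::verify('user-42', $pin, 2010), 'fresh PIN is accepted once');
expect(!DeliveredPinExample::verify('user-42', $pin, 2011), 'reused PIN is rejected');
```

Hashing a six-digit PIN does not make it hard to guess offline; the controls that matter here are the short TTL, the attempt counter and single use. The hash is cheap insurance against a database read exposing PINs that are still live.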

Page 15: Two Factor Authentication and You

MOBILE APP

Page 16: Two Factor Authentication and You

MOBILE APP

•Roll Your Own
•Push Notices
•Login Approvals
•Authy
•Duosecurity
•Google Authenticator

Page 17: Two Factor Authentication and You


MOBILE APP

Page 18: Two Factor Authentication and You

GOOGLE AUTHENTICATOR

•Easy to use
•DOES NOT rely on an Internet connection
•DOES NOT rely on a cellular connection
•Google just provides the app
•Implements time-based one-time passwords (TOTP)
•Open source (kind of)
•All of those password thefts? Could be kind of a non-issue
•Not just for websites

Page 19: Two Factor Authentication and You

GOOGLE AUTHENTICATOR - PITFALLS

•No power!
•Lost phone/device
•Broken phone/device
•Susceptible to architecture and workflow issues

Page 20: Two Factor Authentication and You

TOTP

•Time-based One-time Password Algorithm
•Computed from a shared secret key and the current time
•Combines the secret with the timestamp using a cryptographic hash function (HMAC)
•The time counter typically advances in 30-second intervals
•Allows for time drift between client and server
•RFC 6238

Page 21: Two Factor Authentication and You

APPLICATION

•base32 encoding and decoding
•random secret key
•timestamp
•~30 lines of code

Page 22: Two Factor Authentication and You


https://github.com/cmstone/phptek2014-two-factor

Page 23: Two Factor Authentication and You


WORKFLOW OVERVIEW

$username = '[email protected]';
$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();

$secretKey = Base32::decode($userkey);
$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);

Page 24: Two Factor Authentication and You

WORKFLOW

Step 1 - Generate a random secret key

TwoFactor::generateKey();
———————
public static function generateKey($length = 16)
{
    $key = "";

    for ($i = 0; $i < $length; $i++) {
        $key .= Base32::getRandom();
    }

    return $key;
}

// Gives you something like: CHBEYSUCFDAECIHM

Page 25: Two Factor Authentication and You

WORKFLOW

Step 1 - Generate a random secret key

// Gives you something like: CHBEYSUCFDAECIHM

Page 26: Two Factor Authentication and You

WORKFLOW

Step 2 - Get the current timestamp

TwoFactor::getTimestamp();
———————
public static function getTimestamp()
{
    // keyRegeneration is the time step in seconds (30 for Google Authenticator)
    return floor(microtime(true) / self::keyRegeneration);
}

// Gives you something like: 46692614

Page 27: Two Factor Authentication and You

WORKFLOW

Step 3 - Decode

$userkey = TwoFactor::generateKey();
$timestamp = TwoFactor::getTimestamp();

$secretKey = Base32::decode($userkey);

// $secretKey = ?LJ?(?A ?   (raw binary key bytes; they are not printable)

Page 28: Two Factor Authentication and You

WORKFLOW

Step 4 - Decode

$currentPassword = TwoFactor::getSecret($secretKey, $timestamp);
———————
public static function getSecret($key, $counter)
{
    if (strlen($key) < 8) {
        throw new Exception('Secret key is too short. Must be at least 16 base 32 characters');
    }

    $bin_counter = pack('N*', 0) . pack('N*', $counter);    // Counter must be 64-bit int
    $hash = hash_hmac('sha1', $bin_counter, $key, true);

    // oathTruncate: RFC 4226 dynamic truncation of the HMAC (not shown on the slide);
    // otpLength is the number of digits in the code (6 for Google Authenticator)
    return str_pad(self::oathTruncate($hash), self::otpLength, '0', STR_PAD_LEFT);
}

// $currentPassword = 373604
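The TOTP slide and the four workflow steps above, carried end to end as an added example in PHP 7.1+. This is not the code from the talk's repository: the class, constant and method names are my own, the base32 decoder, dynamic truncation and drift-window verification are written out in full, and the secret is RFC 4226's published test key ("12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) so the 287082 at counter 1 can be checked against the RFC.

```php
<?php
// Added example: a self-contained TOTP generator and verifier per RFC 4226/6238.
// Not the talk's code; names and constants are this example's own.

final class TotpExample
{
    const STEP_SECONDS = 30;  // the slides' keyRegeneration
    const DIGITS       = 6;   // the slides' otpLength
    const DRIFT_STEPS  = 1;   // accept one step either side for clock drift
    const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

    // Step 1: random base32 secret (16 chars = 80 bits) from a CSPRNG.
    public static function generateKey(int $length = 16): string
    {
        $key = '';
        for ($i = 0; $i < $length; $i++) {
            $key .= substr(self::B32_ALPHABET, random_int(0, 31), 1);
        }
        return $key;
    }

    // Step 2: the current 30-second time step (clock injectable for tests).
    public static function getTimestamp(?int $now = null): int
    {
        return intdiv($now ?? time(), self::STEP_SECONDS);
    }

    // Step 3: RFC 4648 base32 decode (padding optional) to raw key bytes.
    public static function base32Decode(string $b32): string
    {
        $b32  = strtoupper(rtrim($b32, '='));
        $bits = '';
        for ($i = 0; $i < strlen($b32); $i++) {
            $val = strpos(self::B32_ALPHABET, $b32[$i]);
            if ($val === false) {
                throw new InvalidArgumentException('Invalid base32 character');
            }
            $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
        }
        $out = '';
        for ($i = 0; $i + 8 <= strlen($bits); $i += 8) {
            $out .= chr(bindec(substr($bits, $i, 8)));
        }
        return $out;
    }

    // Step 4: HOTP(key, counter) with RFC 4226 dynamic truncation.
    public static function getSecret(string $key, int $counter): string
    {
        if (strlen($key) < 8) {
            throw new InvalidArgumentException('Secret key is too short');
        }
        $binCounter = pack('N', 0) . pack('N', $counter); // 64-bit big-endian counter
        $hash   = hash_hmac('sha1', $binCounter, $key, true);
        $offset = ord($hash[19]) & 0x0F;
        $code   = ((ord($hash[$offset]) & 0x7F) << 24)
                | (ord($hash[$offset + 1]) << 16)
                | (ord($hash[$offset + 2]) << 8)
                |  ord($hash[$offset + 3]);
        $code %= 10 ** self::DIGITS;
        return str_pad((string) $code, self::DIGITS, '0', STR_PAD_LEFT);
    }

    // Server-side check: drift window plus constant-time comparison.
    public static function verify(string $userKeyB32, string $submitted, ?int $now = null): bool
    {
        if (!preg_match('/^\d{' . self::DIGITS . '}\z/', $submitted)) {
            return false;
        }
        $key    = self::base32Decode($userKeyB32);
        $center = self::getTimestamp($now);
        for ($d = -self::DRIFT_STEPS; $d <= self::DRIFT_STEPS; $d++) {
            if (hash_equals(self::getSecret($key, $center + $d), $submitted)) {
                return true;
            }
        }
        return false;
    }
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("self-check failed: $what");
    }
    echo "ok: $what\n";
}

// RFC 4226 Appendix D test vector: counter 1 with this key gives 287082.
$rfcSecret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$rawKey    = TotpExample::base32Decode($rfcSecret);
expect($rawKey === '12345678901234567890', 'base32 decode matches RFC key');
expect(TotpExample::getSecret($rawKey, 1) === '287082', 'HOTP counter 1 is 287082');
// Unix time 59 lies in step 1, so the same code verifies as a TOTP there...
expect(TotpExample::verify($rfcSecret, '287082', 59), 'TOTP accepted inside drift window');
// ...and the counter-0 code (755224) is rejected four steps later.
expect(!TotpExample::verify($rfcSecret, '755224', 59 + 4 * 30), 'stale TOTP rejected');
// A freshly generated key decodes to 10 raw bytes, clearing the length check.
expect(strlen(TotpExample::base32Decode(TotpExample::generateKey())) === 10, 'generated key is 80 bits');
```

The drift window is the part the slides' getSecret leaves to the caller: accepting steps center-1 through center+1 tolerates about 30 seconds of clock skew in each direction while still rejecting codes that are minutes old. In production you would also record the last accepted time step per user so one code cannot be accepted twice within the window.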

Page 29: Two Factor Authentication and You

ADDITIONAL RESOURCES

Bypassing two-factor authentication: http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/

Google Authenticator Code: https://code.google.com/p/google-authenticator/

Page 30: Two Factor Authentication and You


QUESTIONS?

Page 31: Two Factor Authentication and You


THANKS!

Please reach out to me @cmstone or [email protected]

Please rate and give feedback!! https://joind.in/10645