Everyone has at least one password, but that's not enough anymore. When is that not enough? Passwords get out of your hands all the time. You know your password, but what about using something you have in addition to what you know. Let's look at how you can leverage your mobile device for added security, and implement it in your projects. This talk will cover how two factor auth works, how to use it and the ins and outs of rolling your own solution using Time-based One-time Password (TOTP) (and the Google Authenticator app) or a third party service and the pitfalls of both. AWS, Mailchimp, Dropbox and Facebook integrate two factor authentication and you can too! There's no reason not to use it!

1. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 1
TWO-FACTOR AUTHENTICATION
AND YOU
https://joind.in/10645

2. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 2
WHO AM I?
•President and Co-Founder of E-Moxie - www.emoxie.com
•Baltimore, MD
•PHP Developer, System Administrator,Tinkerer
•Meetup Organizer - Baltimore PHP/Mobile/API
•Trainer
•Maximize efficiencies and make life easier (mainly mine)
•I’ve seen things, and learned a bit on the way
!
chris@emoxie.com
Twitter: @cmstone

3. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 3
BACKGROUND OFTHISTALK

4. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 4
WHAT ISTWO FACTOR AUTH?
•Not a new concept
•Two pieces of information needed (in addition to a username)
•Something you know and something you have
•First factor is typically a password (The know)
•Second factor is typically a uniquely generated code (The have)

5. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 5
WHAT’S THE MOST COMMON EXAMPLE
OF TWO-FACTOR AUTHENTICATION?

6. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 6
ATM
•Requires something you have (ATM Card)
•Requires something you know (Pin Code)

7. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 7
How do you get that second factor?
DELIVERY MECHANISMS
•E-Mail
•SMS/Voice
•App

8. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 8
E-MAIL -THE GOOD :)
•Wide adoption
•Everyone has an email address (or a few)
•If you don’t, it’s pretty easy to get one

9. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 9
E-MAIL -THE BAD :(
•Prone to failure
•Delivery problems
•Message blocking
•SPAM
•Send/Receive Problems
•Requires Internet/Network Access
•More mail?? Who really wants to get more?

10. SMS

11. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 11
SMS - GOODTHINGS!
•Mobile device required (or a service like GoogleVoice)
•SMS Penetration is high
•Easy to implement
•Global support

12. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 12
SMS - BADTHINGS :(
•Can’t receive SMS
•Could cost money
•Network
•Delivery delays
•Lost messages
•Power?
•Threat could have access to a web front end!
•Susceptible to architecture issues

13. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 13
TWILIO
•REST API
•Get your own number
•Send a text message just like you would with any other app

14. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 14
NEXMO
•php[tek] Sponsor - yay!
•Shared short code
•REST API
!
•API Key & Secret
•Destination & Pin
curl "https://rest.nexmo.com/sc/us/2fa/json?api_key={api_key}
&api_secret={api_secret}&to=14435281326&pin=1234"

15. MOBILE APP

16. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 16
MOBILE APP
•RollYour Own
•Push Notices
•Login Approvals
•Authy
•Duosecurity
•Google Authenticator

17. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 17
MOBILE APP

18. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 18
•Easy to use
•DOES NOT rely on an Internet connection
•DOES NOT rely on cellular connection
•Google just provides the app
•Implements time-based on-time passwords (TOTP)
•Open source (kind of)
•All of those password thefts? Could be kind of a non-issue
•Not just for websites
GOOGLE AUTHENTICATOR

19. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 19
•No power!
•Lost phone/device
•Broken phone/device
•Susceptible to architecture and workflow issues
GOOGLE AUTHENTICATOR - PITFALLS

20. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 20
TOTP
•Time-based One-time Password Algorithm
•Computed from a shared secret key and the current time.
•Combines secret with timestamp using a cryptographic hash func
•Typically increases in 30-second intervals
•Allows for a time drift
•RFC 6238

21. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 21
APPLICATION
•base32 encoding and decoding
•random secret key
•timestamp
•~30 lines of code

22. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 22
https://github.com/cmstone/phptek2014-two-factor

23. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-­‐two-­‐factor/
23
WORKFLOW OVERVIEW
$username
=
'chris@baltimorephp.org';
$userkey
=
TwoFactor::generateKey();
$timestamp
=
TwoFactor::getTimestamp();
!
$secretKey
=
Base32::decode($userkey);
$currentPassword
=
TwoFactor::getSecret($secretKey,
$timestamp);

24. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-­‐two-­‐factor/
24
Step 1 - Generate a random secret key
TwoFactor::generateKey();
———————
public
static
function
generateKey($length
=
16)
{
$key
=
"";
!
for
($i
=
0;
$i
<
$length;
$i++)
{
$key
.=
Base32::getRandom();
}
!
return
$key;
}
!
//
Gives
you
something
like:
CHBEYSUCFDAECIHM
WORKFLOW

25. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-­‐two-­‐factor/
25
Step 1 - Generate a random secret key
//
Gives
you
something
like:
CHBEYSUCFDAECIHM
WORKFLOW

26. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-­‐two-­‐factor/
26
Step 2 - Get the current timestamp
TwoFactor::getTimestamp();
———————
public
static
function
getTimestamp()
{
return
floor(microtime(true)
/
self::keyRegeneration);
}
!
//
Gives
you
something
like:
46692614
WORKFLOW

27. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-­‐two-­‐factor/
27
WORKFLOW
Step 3 - Decode
$userkey
=
TwoFactor::generateKey();
$timestamp
=
TwoFactor::getTimestamp();
!
$secretKey
=
Base32::decode($userkey);
!
//
$secretKey
=
?LJ?(?A
?

28. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645
https://github.com/cmstone/phptek2014-­‐two-­‐factor/
28
WORKFLOW
$currentPassword
=
TwoFactor::getSecret($secretKey,
$timestamp);
———————
public
static
function
getSecret($key,
$counter)
{
if
(strlen($key)
<
8)
{
throw
new
Exception('Secret
key
is
too
short.
Must
be
at
least
16
base
32
characters');
}
!
$bin_counter
=
pack('N*',
0)
.
pack('N*',
$counter);
//
Counter
must
be
64-­‐bit
int
$hash
=
hash_hmac('sha1',
$bin_counter,
$key,
true);
!
return
str_pad(self::oathTruncate($hash),
self::otpLength,
'0',
STR_PAD_LEFT);
}
!
//
$currentPassword
=
373604
Step 4 - Decode

29. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 29
ADDITIONAL RESOURCES
Bypassing two-factor authentication
http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-
yahoo-linkedin-and-many-others/
!
Google Authenticator Code:
https://code.google.com/p/google-authenticator/

30. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 30
QUESTIONS?

31. Chris Stone | E-Moxie | @cmstone | php[tek] 2014 | Two Factor Authentication and You | https://joind.in/10645 31
THANKS!
Please reach out to me @cmstone or chris@emoxie.com
Please rate and give feedback!!
https://joind.in/10645