SlideShare a Scribd company logo

[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

Worteks
Worteks

Mutli factor authentication (OTP, U2F, ...) and their implementation in LL::NG

Software
1 of 19
Download to read offline
Second factor authentication in LemonLDAP::NG Pass the SALT 2018 Xavier GUIMARD Clément OUDOT
MFA / 2FA / OTP / U2F ?
Multi Factor Authentication Multi-factor authentication (MFA) is a method of confrming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: ● knowledge (something they and only they know) ● possession (something they and only they have) ● inherence (something they and only they are) Definition from Wikipedia
Why you need it ● Passwords are still the main security token used to authenticate ● With GPU and rainbow tables it is more and more easy to crack a password ● A password base can be stolen ● Second factor authentication is hype (see Twitter, Github, LinkedIn...)
One-Time Password ● One-Time Password (OTP) is a password that is valid for only one login session or transaction ● Two standards: – HOTP (RFC 4226): HMAC-Based One-Time Password – TOTP (RFC 6238): Time-Based One-Time Password ● Rely on a secret shared between user and server
TOTP ● Shared secret key K ● T0: start time ● TI: time interval ● Time Counter TC = foor((unixtime(now) − unixtime(T0)) / TI) ● TOTP = Truncate( SHA1(K 0x5c5c… SHA1(K⊕ ∥ 0x3636… TC)) ) & 0x7FFFFFFF⊕ ∥ ● TOTP Value = TOTP mod 10d, where d is the desired number of digits of the one-time password
Using a TOTP ● Registration on client: shared key can be registered manually or using a QR code ● Server associates shared secret to user ● At next authentication, TOTP value is computed by client and server
Universal Second Factor ● Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifes two-factor authentication using specialized USB or NFC devices. ● Managed by FIDO Alliance https://fdoalliance.org/ ● Support in modern browsers: – Chrome/Chromium ≥ 38 – Firefox: ● 38 to 56 with U2F Support Add-on ● 57 to 59, with “security.webauth.u2f” set to “true” in “about:confg” ● probably enabled by default for versions ≥ 60 – Opera ≥ 40
Using U2F ● Registration: Token generates private/public keys and a handle and send public key and handle to server ● The server associates the public key and the handle to user ● At next authentication, server sends the handle and a crypto challenge and the U2F token signs the challenge and sends it back
Implementation in LemonLDAP::NG
LemonLDAP::NG ● WebSSO, Access Control and Identity Provider ● Apache, Nginx, Node.js, Plack support ● Default protection by Handler, identity forwarded trough HTTP headers ● Standard protocols: CAS, SAML and OpenID Connect ● Self services (password change, password lost, account registration) ● GPL License ● https://lemonldap-ng.org
2FA implementation ● New feature for 2.0 major version ● Possibility to add a second authentication step to any current authentication method ● A lot of possibilities to ask a second factor: – U2F tokens – TOTP (to use with FreeOTP, Google-Authenticator,…) – U2F-or-TOTP (enable both U2F and TOTP) – Yubikey tokens provide by Yubico – REST (Remote REST app) – External 2F (to call an external command)
Ask for second factor
User self registration
User self management
2FA sessions explorer
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

Recommended

MQTT security
MQTT securityMQTT security
MQTT security
Anthony Chow
 
The Easy Way to Secure Microservices
The Easy Way to Secure MicroservicesThe Easy Way to Secure Microservices
The Easy Way to Secure Microservices
Michael Hofmann
 
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Last mile authentication problem: Exploiting the missing link in end-to-end s...Last mile authentication problem: Exploiting the missing link in end-to-end s...
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Priyanka Aash
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
wolfSSL
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
Nishant Pahad
 
Bitcoin cryptography
Bitcoin cryptographyBitcoin cryptography
Bitcoin cryptography
Vadym Hrusha
 

Recommended

MQTT security
MQTT securityMQTT security
MQTT security
Anthony Chow
 
The Easy Way to Secure Microservices
The Easy Way to Secure MicroservicesThe Easy Way to Secure Microservices
The Easy Way to Secure Microservices
Michael Hofmann
 
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Last mile authentication problem: Exploiting the missing link in end-to-end s...Last mile authentication problem: Exploiting the missing link in end-to-end s...
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Priyanka Aash
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
wolfSSL and TLS 1.3
wolfSSL and TLS 1.3wolfSSL and TLS 1.3
wolfSSL and TLS 1.3
wolfSSL
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
Nishant Pahad
 
Bitcoin cryptography
Bitcoin cryptographyBitcoin cryptography
Bitcoin cryptography
Vadym Hrusha
 
Google authentication
Google authenticationGoogle authentication
Google authentication
NexThoughts Technologies
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 
Fido U2F PROTOCOL
Fido U2F PROTOCOLFido U2F PROTOCOL
Fido U2F PROTOCOL
Ather Ali
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali
OWASP Delhi
 
DFIR Training: RDP Triage
DFIR Training: RDP TriageDFIR Training: RDP Triage
DFIR Training: RDP Triage
Christopher Gerritz
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Digital authentication
Digital authenticationDigital authentication
Digital authentication
allanh0526
 
WebAuthn & FIDO2
WebAuthn & FIDO2WebAuthn & FIDO2
WebAuthn & FIDO2
Leonard Moustacchis
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
Inductive Automation
 
FIDO U2F 1.0 Specs: Overview and Insights
FIDO U2F 1.0 Specs: Overview and InsightsFIDO U2F 1.0 Specs: Overview and Insights
FIDO U2F 1.0 Specs: Overview and Insights
FIDO Alliance
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com Webinar
Teleport
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
DevOps.com
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
Giuseppe Paterno'
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards
.NET Crowd
 
FIDO2 and Microsoft
FIDO2 and MicrosoftFIDO2 and Microsoft
FIDO2 and Microsoft
FIDO Alliance
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CloudIDSummit
 
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
Worteks
 
[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service
Worteks
 

More Related Content

Similar to [Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
Clément OUDOT
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com Webinar
Teleport
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
DevOps.com
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
Giuseppe Paterno'
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 

Similar to [Pass The SALT 2018] Second factor authentication in LemonLDAP::NG (20)

Google authentication
Google authenticationGoogle authentication
Google authentication
 
The OpenID Connect Protocol
The OpenID Connect ProtocolThe OpenID Connect Protocol
The OpenID Connect Protocol
 
Fido U2F PROTOCOL
Fido U2F PROTOCOLFido U2F PROTOCOL
Fido U2F PROTOCOL
 
Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali Fido U2F Protocol by Ather Ali
Fido U2F Protocol by Ather Ali
 
DFIR Training: RDP Triage
DFIR Training: RDP TriageDFIR Training: RDP Triage
DFIR Training: RDP Triage
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Digital authentication
Digital authenticationDigital authentication
Digital authentication
 
WebAuthn & FIDO2
WebAuthn & FIDO2WebAuthn & FIDO2
WebAuthn & FIDO2
 
Security Best Practices for Your Ignition System
Security Best Practices for Your Ignition SystemSecurity Best Practices for Your Ignition System
Security Best Practices for Your Ignition System
 
FIDO U2F 1.0 Specs: Overview and Insights
FIDO U2F 1.0 Specs: Overview and InsightsFIDO U2F 1.0 Specs: Overview and Insights
FIDO U2F 1.0 Specs: Overview and Insights
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!Securing Your Resources with Short-Lived Certificates!
Securing Your Resources with Short-Lived Certificates!
 
Industry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com WebinarIndustry Best Practices For SSH - DevOps.com Webinar
Industry Best Practices For SSH - DevOps.com Webinar
 
Industry Best Practices for SSH Access
Industry Best Practices for SSH AccessIndustry Best Practices for SSH Access
Industry Best Practices for SSH Access
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
 
Fast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standardsFast IDentity Online New wave of open authentication standards
Fast IDentity Online New wave of open authentication standards
 
FIDO2 and Microsoft
FIDO2 and MicrosoftFIDO2 and Microsoft
FIDO2 and Microsoft
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
 

More from Worteks

More from Worteks (20)

[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
 
[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service
 
[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
 
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
 
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
 
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
 
[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet
 
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
 
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
 
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
 
[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector
 
[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
 
[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes
 
[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative
 
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
 
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
 

Recently uploaded

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 

Recently uploaded (20)

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban%in Durban+277-882-255-28 abortion pills for sale in Durban
%in Durban+277-882-255-28 abortion pills for sale in Durban
 
Exploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdfExploring the Best Video Editing App.pdf
Exploring the Best Video Editing App.pdf
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Vancouver Psychic Readings, Attraction spells,Br...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 

[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

  • 1. Second factor authentication in LemonLDAP::NG Pass the SALT 2018 Xavier GUIMARD Clément OUDOT
  • 2. MFA / 2FA / OTP / U2F ?
  • 3. Multi Factor Authentication Multi-factor authentication (MFA) is a method of confrming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: ● knowledge (something they and only they know) ● possession (something they and only they have) ● inherence (something they and only they are) Definition from Wikipedia
  • 4. Why you need it ● Passwords are still the main security token used to authenticate ● With GPU and rainbow tables it is more and more easy to crack a password ● A password base can be stolen ● Second factor authentication is hype (see Twitter, Github, LinkedIn...)
  • 5. One-Time Password ● One-Time Password (OTP) is a password that is valid for only one login session or transaction ● Two standards: – HOTP (RFC 4226): HMAC-Based One-Time Password – TOTP (RFC 6238): Time-Based One-Time Password ● Rely on a secret shared between user and server
  • 6. TOTP ● Shared secret key K ● T0: start time ● TI: time interval ● Time Counter TC = foor((unixtime(now) − unixtime(T0)) / TI) ● TOTP = Truncate( SHA1(K 0x5c5c… SHA1(K⊕ ∥ 0x3636… TC)) ) & 0x7FFFFFFF⊕ ∥ ● TOTP Value = TOTP mod 10d, where d is the desired number of digits of the one-time password
  • 7. Using a TOTP ● Registration on client: shared key can be registered manually or using a QR code ● Server associates shared secret to user ● At next authentication, TOTP value is computed by client and server
  • 8. Universal Second Factor ● Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifes two-factor authentication using specialized USB or NFC devices. ● Managed by FIDO Alliance https://fdoalliance.org/ ● Support in modern browsers: – Chrome/Chromium ≥ 38 – Firefox: ● 38 to 56 with U2F Support Add-on ● 57 to 59, with “security.webauth.u2f” set to “true” in “about:confg” ● probably enabled by default for versions ≥ 60 – Opera ≥ 40
  • 9. Using U2F ● Registration: Token generates private/public keys and a handle and send public key and handle to server ● The server associates the public key and the handle to user ● At next authentication, server sends the handle and a crypto challenge and the U2F token signs the challenge and sends it back
  • 10.
  • 11.
  • 13. LemonLDAP::NG ● WebSSO, Access Control and Identity Provider ● Apache, Nginx, Node.js, Plack support ● Default protection by Handler, identity forwarded trough HTTP headers ● Standard protocols: CAS, SAML and OpenID Connect ● Self services (password change, password lost, account registration) ● GPL License ● https://lemonldap-ng.org
  • 14. 2FA implementation ● New feature for 2.0 major version ● Possibility to add a second authentication step to any current authentication method ● A lot of possibilities to ask a second factor: – U2F tokens – TOTP (to use with FreeOTP, Google-Authenticator,…) – U2F-or-TOTP (enable both U2F and TOTP) – Yubikey tokens provide by Yubico – REST (Remote REST app) – External 2F (to call an external command)
  • 15. Ask for second factor