• What is Two-factor Authentication ("2-FA")

• Authentication Workflow

• Demo

• Security considerations

• Max Maischein

• CPAN/PAUSE: CORION

• DZ BANK Frankfurt

• Informationsmanagement TxB

• Who gets access?

• Everybody

• Passwords

• SSL-Certificates

• ...

You are identified by something you

• Know (Password)

• Have (Item)

• Are (Fingerprint)

• Keyboard sniffer

• Passwords get shared

• Monthly Password Change

• Weak passwords

• One-time Pads

• More convenient: Automatic Password Change

• Real One Time Pad (Codebook, "iTan")

• Secondary channel (SMS to Mobile, "mTan")

• Generate Pass-Code dynamically (RSA Token, YubiKey, Battle.Net Authenticator (WoW), ...)

• (Mobile) device as Physical Token

• Also available for iDevices

• Initiative for Open Authentication

• TOTP algorithm, RFC 6238

• No network connection used

• "Google Authenticator" app in Google Play Store

• http://www.dynalogin.org - compatible alternative

• UTC is the same around the globe

• Secret + UTC = Code

• UTC is the same around the globe

• Secret + UTC = Code

• UTC is the same around the globe

• Secret + UTC = Code

• UTC is the same around the globe

• Secret + UTC = Code

• Everybody who knows the secret can generate the Code!

• Log on with password

• Set up two-factor authentication ("2-FA")

• ... later ...

• Log on with password and mobile phone

• Setup needs to be easy

• Manual entry of Shared Secret

• Long base32 strings (RFC 3548)

• Example: oyztamdsmjtwymtr

• Setup needs to be easy

• Manual entry of Shared Secret

Easier with QRCode

Easier with QRCode

CPAN has our back.

 1:    # Per-user secret
 2:    my $auth = Auth::GoogleAuthenticator->new(
 3:        secret => 'test@example.com'
 4:    );

 1:    # Per-user secret
 2:    my $auth = Auth::GoogleAuthenticator->new(
 3:        secret => 'test@example.com'
 4:    );
 5:    print "Registration key " . $auth->registration_key() . "\n";

 1:    # Per-user secret
 2:    my $auth = Auth::GoogleAuthenticator->new(
 3:        secret => 'test@example.com'
 4:    );
 5:    print "Registration key " . $auth->registration_key() . "\n";
 6:    print "Expected OTP value " . $auth->totp() . "\n";

 1:    # Per-user secret
 2:    my $auth = Auth::GoogleAuthenticator->new(
 3:        secret => 'test@example.com'
 4:    );
 5:    print "Registration key " . $auth->registration_key() . "\n";
 6:    print "Expected OTP value " . $auth->totp() . "\n";
 7:
 8:    my $verified = $auth->verify( $user_input )
 9:            ? 'verified'
10:            : 'not verified';
11:    print "$verified\n";

 1:  ->registration_url( $label, $type )

Generates the otpauth:// URL

 1:  ->registration_url( "test2 <OTP>" )

Generates the otpauth:// URL

 1:  my $au=Auth::GoogleAuthenticator->new(
 2:    secret=>'test@example.com'
 3:  );
 4:  print $au->registration_url('test2 <OTP>')

 1:  ->registration_url( "test2 <OTP>" )

Generates the otpauth:// URL

 1:  my $au=Auth::GoogleAuthenticator->new(
 2:    secret=>'test@example.com'
 3:  );
 4:  print $au->registration_url('test2 <OTP>')
 5:    
 6:  otpauth://totp/test2 <OTP>?secret=orsxg5camv4gc3lqnrss4y3pnu

 1:  ->registration_url( "test2 <OTP>" )

Generates the otpauth:// URL

 1:  print $au->registration_url('test2 <OTP>')
 2:    
 3:  otpauth://totp/test2 <OTP>?secret=orsxg5camv4gc3lqnrss4y3pnu

• Secret is password-equivalent

• no hashing possible

• RFC 6238 has no handling advice for the secret!

• Secret-change is easy

• Always use a second mechanism!

• time limit for Two-Factor Sessions

 1:               Password    TOTP       2-FA

 1:               Password    TOTP       2-FA
 2:   
 3:  Change

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium     easy

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium     easy       easy

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium     easy       easy
 4:    
 5:  Data leak
 6:   attack

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium     easy       easy
 4:    
 5:  Data leak     hard
 6:   attack      (bcrypt)

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium     easy       easy
 4:    
 5:  Data leak     hard       trivial
 6:   attack      (bcrypt)

 1:               Password    TOTP       2-FA
 2:   
 3:  Change        medium     easy       easy
 4:    
 5:  Data leak     hard       trivial    hard
 6:   attack      (bcrypt)

• Google - "Password-protocols" (IMAP, POP3, ...) circumvent 2-FA

• EverNote - direct links to files circumvent 2-FA

• Authy.com - Synchronizes your tokens with their server

• ...

• Change ALL access (Google!)

• Store shared secret encrypted on disk, decrypt only in memory

• Password reset / lost mobile phone?!

• Idea: 3 master-reset passwords for printing (PUK)

Auth::GoogleAuthenticator uses

Authen::OATH

Imager::QRCode

Dancer

"Google Authenticator" in Google Play Store

http://code.google.com/p/google-authenticator/

Available for iDevices

Sample code and module is online on CPAN in

Auth::GoogleAuthenticator

http://www.dynalogin.org - another Android Soft-Token

"Google Authenticator" in Google Play Store

http://code.google.com/p/google-authenticator/

Available for iDevices

Sample code and module is online on CPAN in

Auth::GoogleAuthenticator

http://www.dynalogin.org - another Android Soft-Token

Questions?

Max Maischein (corion@cpan.org)