
Replacing passwords with multiple factors: email, OTP, and hardware keys

Speech transcript
Thank you for the introduction. My name is Justin Mayer. I'm from San Marcos, California, and I work on a server security monitoring tool called Monitorial.com. In my limited spare time I am the primary maintainer of a static site generator called Pelican, and I've had the honor of presenting talks here in Italy at PyCon Italia, at PyCon Japan and at various other Python conferences. This is my very first EuroPython, so I'm super, super excited to be here, and I'm excited to talk to you today about multi-factor authentication.

I have found myself for the last couple of years on an unexpected journey, and it has now become a personal mission to reduce the frequency and severity of data breaches caused by security vulnerabilities. My goal is that by the end of this talk you will have the information you need to understand what the problems are with our current authentication methods, what the various ways are in which they can be improved, namely two-factor authentication and its various types, and some specific projects that you can use to implement some of the solutions. But more than anything else I want you to walk away feeling inspired, and really motivated to do something about this: to improve authentication security in any of the systems that you work on, any of the sites or applications that you use on a daily basis, and any of the sites and applications that your friends and family use on a daily basis.

So let's begin by talking a little bit about the problem. There are an increasing number of breaches occurring, and the severity of those breaches is becoming more severe. To mention an example that's a little close to home for me: Anthem is a private health insurance company; that's my health insurance company. Where I come from we don't have universal health care like some of you, and I'm very, very jealous of that, but in any case this private health insurance company was breached. They announced this breach in February of 2015. The average time to detect an attack is about 6 months, so that's 6 months that someone had access to my information and could then use that information to do other things, potentially to access some of my other accounts. Obviously that's just an average; it could be much longer. So what kind of information is at risk, what kind of information was potentially stolen, or actually was stolen? It's what we call personally identifiable information, and it can involve birth dates, Social Security numbers, street addresses, e-mail addresses, employment information, income data; there's a lot of information that's very sensitive. Anthem, this company, claims that no medical data was stolen, but I don't know that anyone actually believes that. There were 80 million people affected in this one breach, and when I thought about this I realized it's not just my data. This is data that affects my friends and my mother; she's 75 years old, she has some memory issues now, and this is her information that's also been stolen. I decided at this point that this is now personal to me, because you can mess with me, but you cannot mess with my family. So I decided this is something I was determined to do something about.

And this is just one attack. Last year, 2016, there were 1 billion records stolen worldwide. That's a very significant problem. If you're wondering whether your data has been stolen at some point, there's a useful resource that you can go to called Have I Been Pwned, however you pronounce that, haveibeenpwned.com, and you can find out whether or not information of yours, your username or e-mail address, has appeared in some dump of stolen information. The answer to the question of whether your information has been stolen and is in one of these publicly available dumps is most likely yes. I checked; there was not one but something like 7 different dumps or breaches, everything from Dropbox to Adobe to LinkedIn to Tumblr.

The problem with these breaches is that there are costs. When you have a system compromised you have the potential loss of system availability; if your system goes down this can mean lost customers, angry customers. Data can be stolen, as we've covered. You can also lose data if someone accesses the system and wipes the entire database, and maybe you have backups but for some reason they don't work properly; that can be a very significant impact in terms of financial loss. In 2019 it's estimated, if you feel like counting the zeros, that 2 trillion euro will be lost as a result of these kinds of attacks. Two years later, in 2021, that number is expected to triple to 6 trillion euro.

So why does this seem to be happening with increasing frequency and increasing severity? Passwords are not the only reason breaches occur, but I'm going to make the argument that they're not helping. The thing with passwords is that they are ubiquitous; we use them everywhere and they seem to be the de facto standard authentication method. Unfortunately passwords are terrible, so we use them everywhere and at the same time they are awful, and I'm going to make the case as to why they're so terrible. Usually authentication methods are evaluated using two important criteria: security and usability. Traditionally this has involved some degree of trade-off, so that improving one sacrifices the other, and hopefully someday we'll be able to fix that, but at the moment, and in the past, it has been a zero-sum game. So I'm going to make the case that passwords have bad security and bad usability, so it's the worst of both worlds, and we consider this our global standard for authentication. It's kind of amazing to think that we've chosen this thing that has bad security and bad usability.

Let's start by looking at the security side of it. The reasons for the poor security of passwords are many, but one of the most important is that people choose really bad passwords. You've probably seen something like this before, and maybe you've even dealt with friends or family members that couldn't get into their account, and when you finally got out of them what their password was, you were just dumbfounded and couldn't believe it could be something so insecure. The most common password, 123456, accounts for 17 per cent, nearly a fifth, of all passwords used by human beings; that's how many accounts are protected by this password. So why is this bad? There are a few reasons. One is that it's trivial to brute force; any machine, your phone, could brute force a 123456 password. But why would you even bother brute-forcing any of these when they're so easy to guess
and you can just look them up in a password list? Another issue is unprotected passwords. Even if you've chosen a secure one, people will write them on paper and have it taped to the desk. They'll send them to a friend to share an account, via e-mail or via text message. I've seen people send their passwords to themselves via e-mail so that when they're on vacation they can use the phone to get into the site, and this happens very frequently. People will reuse passwords instead of using a different password for all of the things they do, and if a reused password is compromised in one place the attacker can use that to compromise the other accounts. This is a really severe aspect, particularly when combined with weak passwords.

Another issue is phishing. For those not familiar with what phishing is, it's one of authentication's hardest problems today. An attacker can create a form that looks like the site you're used to logging in to; they put in the logo, choose the fonts correctly, and it can look exactly like Amazon or eBay or PayPal or whatever it is that you are logging into, and when you put your information in there they just steal it and gain access to your account. This problem is only getting worse. Eric Lawrence wrote a really interesting article regarding browsers and what proportion of the browser can be trusted. He refers to it as the line of death, where everything below this line is untrusted but everything above that line is browser chrome and cannot be manipulated by the site operator or whoever it is who's trying to phish your details. Unfortunately, as browsers are changing, they're modifying the way the browser chrome appears and changing the things that can be modified, so now we're going from the line of death to zones of death, and less and less of what we're looking at in a browser can be trusted. It's getting even worse now with the HTML5 full-screen API, because now you can manipulate everything on the screen. We've gone from zones of death to a wall of death; literally nothing at this point can actually be trusted. It's death all the way down.

So we've established that, in my opinion, password security is terrible. What about usability? If you choose a very secure password, usability suffers because you're probably never going to remember it, and if you choose a memorable password, chances are it won't be very secure. So regardless of whether you have a secure password or not, people will forget them, and forget them constantly, and as a result we have poor security, poor usability: the worst of both worlds. So why is this? Part of it is that authentication is hard, and if we had a better solution to replace passwords directly we would have replaced passwords a long, long time ago. But inertia also plays a role. I mean, passwords have been around for centuries in sort of an offline form, and we've adapted that concept for computers, and we're so used to them that we don't really think of too many other ways; it has kind of become how we handle things. So as a result, instead of replacing passwords, what we've tried to do is fix the problem, and I'll talk a little bit about the mitigations, the ways we try to fix it, and how they sometimes don't work.

So, password managers. I don't need to explain what a password manager is; I assume everyone is probably aware. They address some of the security problems with passwords, perhaps a lot of them, but the usability of password managers kills adoption. I feel like many of us use a password manager and are probably quite comfortable with them, but the usability of having to remember a single secure password and type it every time just to get into something, copy and paste the password, even if there's browser integration, people don't understand how to use the browser integration, and usability really hurts the adoption of password managers. I've set up password managers for friends and family and come back months later, and they've never used it.

Limiting failed login attempts: sometimes you might get 5 attempts, and if you fail 5 times you get locked out. It seems a good idea, except when you realize that now you can lock other people out just by trying that. Now you've locked them out, they need to go through some process to get back in, and it becomes a denial-of-service vector. It's a bad idea and basically no one does it anymore.

Routinely changing your password: you do hear this advice offered every once in a while, even in 2017, which is kind of amazing, and this is bad advice. It sort of follows the principle of unforeseen consequences: people then use the same password everywhere, so that when it's time to change it they change it across the board, so that they can remember the single insecure password they're using across all the things.

Security questions again probably seemed like a good idea when someone came up with them, but they are terrible because they're built-in passwords. Most of the time it's mother's maiden name, your first pet, the street you grew up on; these are built-in passwords that you can't revoke, and if those are the only options you're given as security questions, obviously you can just put in gibberish. That's what I do, I put random stuff in there, but that's not what most normal people do. Security questions are made even more terrible because some password reset processes, instead of sending a link in the e-mail, will ask you for your security questions, and so a clever attacker, and you really do have to admire the sinister deviousness of the person who came up with this, the password-reset
man-in-the-middle attack, is they create a registration form for something that you want. Let's say you're trying to download a book that you don't want to pay for, and you go to some site so you can download it, and they ask you to register, and in the registration form they ask you for security questions. They will then simultaneously take this information and type it into other common sites in hopes of gaining access to your account. Again, very clever, but also very bad for anyone who uses passwords.

So the industry has rallied behind this idea that, because of all these problems, we have to somehow encourage users to come up with stronger passwords. This solves one of the problems with passwords, but it doesn't even solve that problem very well, because people just don't understand the complexity rules and strength meters; they find them confusing and as a result they complain. I have friends at a large organization who estimated that over 50 per cent of all their support requests relate to passwords in some way or another. That's a huge percentage of support requests having to deal with this one broken authentication method, and my own experience bears that out. The thing is, users will leave; at some point they just get frustrated, they look at these rules and the strength meter and they leave. One of the reasons is that it's user-hostile. You often have complexity requirements that seem totally arbitrary to inexperienced users, and oftentimes even to experienced and technically inclined folks these are really arbitrary rules. It drives me insane when I see someone tell me that a 10-character password, where they require mixed uppercase, lowercase, a number and a symbol, is OK, that meets their requirements, but my 35-character password with whatever characters I want to put in it is rejected. One of those is a lot more secure than the other, and I think you probably know which one. Users find the strength meters really confusing; they will settle for anything just to make it turn green, and so we eventually get these medium-strength passwords instead of really good secure passwords.

So assuming you overcome all these obstacles and you actually get a secure password, you still have all the other problems that go along with passwords that I mentioned, and most importantly, because password resets go to e-mail, your system can only ever be as secure as the security of the e-mail account that the password reset link goes to. Of course that account is protected by the user's password, which, as we've established, is generally not very good. So it's kind of terrible all the way down.

Thankfully there are some new approaches. Many people have tried to replace the password; nearly all of them have failed, and I'm going to talk about some that I think are promising. Some of the alternatives are gaining traction. One of them is e-mail. When we created Monitorial we decided to use e-mail as the sole authentication method. Collectively, none of us like passwords; we thought, why are we going to foist passwords on our users when we hate them? So we decided that we're not going to have them at all. Users never have to choose a password and never have to type one in. The way that registration works is the same as the way that login works: you put your e-mail address into the field, you hit submit, a link goes to your e-mail account, you tap on it and you're registered. When you come back to log in some other time, it's the same process: tap, link arrives, tap, logged in. You can decide, as I'll talk about, whether or not you want to leave that session open; just like any authentication method, you get to decide how long you want that to be left open. The links time out, so a login link, when it arrives, is not good forever. I think ours is 15 minutes, maybe 20 minutes, and you wouldn't normally leave a login link lying around for days or weeks or months. E-mail-based authentication can be used either as a single factor or in a two-factor context. We've always used it as the primary and sole single factor; in fact it's really the only authentication method, in my opinion, that provides decent security and usability as a single factor. As I mentioned before, usernames and passwords I don't think meet that goal, and the other authentication methods, as we'll see, are really only useful in a multi-factor context. So whether used as the single, sole factor or as a second factor, you get good security and good usability with e-mail-based authentication. Even without adding multi-factor authentication, e-mail-based authentication is already an improvement over the usual username and password combination.

The adoption of e-mail-based authentication is growing, but really, really slowly. Aside from Monitorial, I think Medium, the publishing tool, is probably the only one off the top of my head that I can mention that uses this. I'll talk about some of the downsides; I don't know if that's why there's slow adoption or not. One is, in theory, mail delivery: you need to be sure that these links arrive via e-mail and that they're not somehow routed to spam. We've never had this problem, our links arrive, as we take very good care to set the right SPF and DKIM and all the different records, so we don't have a problem with that, but it's at least in theory an issue. People are accustomed to passwords. As we talked about, I think inertia plays a big role in this; it's weird, they don't get it, they don't understand it, and they don't like it because it's different. Some experienced users, in theory, and I've never actually heard this, but some experienced users might not like the latency, because you tap the link and you wait for it to arrive. It's usually really fast when I do it, but if someone is used to hitting a shortcut key and having their browser integration fill in the password, that's mostly instantaneous, and this delay of however many seconds, 20 seconds, 30 seconds, or maybe switching to the e-mail client, maybe someone doesn't like that, but like I said I've never heard that. The main problem, which also affects username and password because of password resets, is that the account can only be as secure as the e-mail account, so that part is shared with username and password.

When most people think about
two-factor authentication, they think about getting a code via text message; sometimes you can opt to have that arrive via phone call. This is a very common method. Unfortunately it's not a good method. SMS messages are often displayed on lock screens, and this is a small concern, but it is at least a concern: if you're in a crowded place and it appears on the screen, someone could see it. A much more severe problem is that this authentication method is tied to your phone number, which you get from your phone company, which means this method is not in your control. Attackers will use social engineering, calling phone companies to have your account reset via e-mail, and if they've got access to your e-mail, now they've bypassed the second factor altogether. They also use social engineering in some cases to have a new SIM card mailed to them: "I lost my SIM card." "No problem, we'll send you a new one." Now they have access to everything, phone calls and SMS. It even gets worse, because earlier, some 15 months ago, it became more widely known that there's a flaw in Signaling System No. 7, or SS7, which is a signaling protocol that over 800 telecommunications companies use to interoperate. This scales much better than social engineering, where you have to call someone and tell them to reset the account or send a SIM card; it can be done in a more automated fashion, hitting many more accounts and stealing a lot more money. So this type of authentication, in my mind and in many others' minds, is deprecated, and it's just a bad idea. If someone asks for your phone number in order to set up multi-factor authentication, you already know something is wrong.

So TOTP, or time-based one-time password; I will just refer to this as one-time password or OTP from now on, to save myself one syllable. This is based on an Internet Engineering Task Force RFC, and it combines a shared secret key with the current timestamp and uses a cryptographic hash function to generate a one-time password. This is rotated over a certain time period; some pick 60 seconds, usually it's 30 seconds. It usually also comes with static backup tokens, so if you don't have your phone, if you lose your phone and you really need to get access immediately, you can use these static tokens. They're one-time use: use it once and you can't use it again, and you can regain access to your account. This is really starting to gain momentum, so we've seen folks like GitHub, LinkedIn, Google, Microsoft, Amazon, Dropbox, WordPress, Facebook, Rackspace; it goes on and on. A lot of people are starting to use this, in part because everyone has a phone and it does provide good security. The way that this works on a phone is you'll use something like Google Authenticator, or, I use a password manager called 1Password, and their iPhone app version of the password manager has support, and actually the Mac version, probably all the desktop versions, also have support for one-time passwords. For folks more of the Linux free software crowd, KeePassXC just released version 2.2 containing support for one-time passwords, which is nice.

In terms of how it's used, this is an example of how it's done with GitHub: you sign in with your username and password, and as a second step you are prompted to put in the 6-digit number in order to complete authentication and proceed. I think with GitHub, as I recall, this is persistent; I feel like I'm never prompted to do it again unless I'm using a new device, but maybe it's just really long and I don't remember. LinkedIn is another example, and they offer a trusted agent setting that's explicit: you can check the box or not check the box. If you're using a public computer you don't want any persistence, and you don't want to trust this particular browser instance. The default here is 30 days.

So, good security. There are some problems with it: it is subject and vulnerable to phishing and man-in-the-middle attacks. Just like someone who creates a form to try to capture your username and password, they can do the same thing to capture your one-time password. Obviously they need to be quick about it, because the code is only usable for a certain period of time, but in today's day and age it's not too hard to automate, and in theory this could be used to get access just like if you didn't have one-time passwords. Usability is also a big problem with one-time passwords; it's just too complicated for most people: scanning QR codes and then opening up your phone and looking at the entry and finding the code and copying the code and pasting the code. If people can't use password managers, they're probably not going to use this.

Hardware keys: there are various different kinds, some of which support one-time passwords as well. I'm not going to cover most of those, including the one-time password ones, because in theory they're subject to the same phishing attack as software-based one-time passwords. So instead I'm going to focus on Universal Second
Factor, or U2F. U2F is a USB-based, very tiny, portable device; it's very hard for someone to get at the data that's contained within, and it is supported by GitHub, Google, Dropbox and a few others. It's slowly gaining steam, much more slowly than one-time passwords, but it seems to be catching on a little bit. The way it works is there's a challenge-response authentication flow based on public key cryptography. The U2F device generates a new key pair and key handle for each registration, for each of the different sites and applications that you're using, and these application-specific keys prevent tracking a user across different user accounts, so there's also a privacy benefit as well. This provides really good security; it's virtually impervious to phishing and man-in-the-middle attacks, and the cryptographic handshake happens automatically behind the scenes without having to copy and paste anything, so there's a really nice usability component to it as well. Google did a study over 2 years across 50 thousand employees, and they concluded this worked really well for them, that it was better than any of the other available options, and they use it, as far as I know, across the company. So good security, good usability.

There are some downsides, though, and one of the biggest today is browser support. Only 27 per cent of the current global population uses a browser that supports U2F, and all of that is essentially Google Chrome, because there are only 2 browsers, Chrome and Opera, that support U2F. Like I said, 47%, that's all basically Chrome. There is a Firefox add-on that is barely maintained, and when I tested it, it wouldn't work for registering a U2F key, but if I used Chrome to register it and then tried to log in via the Firefox extension, then it would work. So that's not a viable solution. As for Safari on macOS, there is a report about that and not much more, so I'm hoping that by the end of the year we'll see it. What about Microsoft? Microsoft browser support is listed as not currently planned, so to the extent that Microsoft's browser share doesn't continue to decline into nothing, this could severely hamper adoption there.

So we've established that U2F works well in a controlled environment. Of course it works well for Google; they dictate policy for employees' computers, browsers, applications, everything they do. How does it work outside a controlled environment? How many people are going to go out and buy this little thing that costs anywhere from 10 to 15 euro, that works with one browser and only works with 1 or 2 of the dozens or hundreds of sites that they log into every day? It just doesn't seem like a winning proposition right now, today. What's more, almost no one has a U2F key, and you can see why there's so much more support for one-time passwords than U2F.
Some of the other issues are that desktop machines are not really set up for this arrangement. I have an iMac on my desk, and the USB ports on an iMac are on the back. Part of the way that U2F keys work is there needs to be a minimum of user input: you have to put your finger on the device or it's not going to work, you have to push a physical button, but the device is on the back where I can't even see it. So I was lucky I had a USB extension cord lying around and I strung it between my very weird keyboards so I can get at it easily, but how many other people have that extension cord lying around? What about mobile devices? That doesn't work; where am I going to plug this USB device into my phone? What if you're traveling and you forgot the key? It's not good as a single factor, and obviously the reason is that if it is the single factor, someone could just walk by while I'm away from the desk, take the key and walk off with access to your stuff, if that's the only factor. So the physical nature of hardware keys is both a strength and a weakness. That said, for people who are in controlled environments, or for people who have the knowledge and the motivation, U2F keys have the potential to provide really strong security and really great usability.

I'm going to touch on biometric authentication briefly. Really good usability, right? You touch a thumbprint, you look at a camera to get iris or face recognition. Great usability, terrible security, and the reason why the security is bad is that it's non-revocable: you cannot revoke your fingerprints, you cannot issue new ones, you cannot revoke your face. It's even worse when it's used as a single factor. I have an iPhone; it uses it as a single factor. If I put my thumbprint on it I get access to the phone, and yes, they periodically require me to enter my password, but generally speaking this is not something we should be emulating.

All these different things can be used in conjunction with a trusted agent capability, where you grant some trust to the browser instance or application for a certain period of time. These different things are meant to be combined, not used independently, and that's why we have the term multi-factor authentication. I prefer that over two-factor, because maybe someday I decide that this thing is super important and I want not only e-mail-based authentication but I want a hardware key and one-time passwords; I want that to be an option someday, so multi-factor authentication. There's no magic combination, and by no means have we figured it out; we are still experimenting, trying to figure out what works best. So far I'm leaning towards a recipe that begins with e-mail-based authentication by default, and only that, again because it provides better security by itself as a single factor than usernames and passwords, and then optionally, non-mandatory, allowing the user to add Universal Second Factor keys or one-time passwords as a second factor. I might consider adding the ability for someone to switch to username and password if they really don't like this method: "I have strong passwords, I manage them well." I might consider it, but if I were to do that I would only do it if they also enable multi-factor authentication; they'd have to use it in conjunction with U2F or one-time passwords.

So why now? Why should we be having this conversation, why should we be considering doing something about this now? The cost of not taking action, as I made clear, is only getting more severe. These technologies are getting more mature, and they're starting to be vetted by large companies and used en masse, so these things are starting to become more stable and trustable. Many organizations, however, still lag behind. Again, this is personal to me, so I started looking at my own banks, and I was, as you can imagine, not pleased with the results. Some of them offered a whole list of like 5 different multi-factor authentication methods, and all of them were terrible. Face recognition was one, and some one-time password that was proprietary and not based on the RFC, so I couldn't use my tools. There were all kinds of problems. One of them actually supported U2F and then required the SMS fallback, rendering the U2F support completely useless. This situation, when I look at my own bank, starts to get me aggravated and makes me want to do something about it.

So what can we do? The first thing to do is to apply pressure to both sides: the sites you use every day and the browser vendors. An example is a domain name registrar I use, Namecheap. I have a lot of domains, and those domains have value to me; if someone were to gain access to those, that can cause very significant problems for me, for my income, for a lot of things. These are high-value targets, and yet most have really terrible security. Namecheap added SMS second-factor authentication 4 years ago; people have been clamoring for them to add something stronger and more reliable, and in 4 years there's been nothing. But someone complained really loudly and very publicly a few months ago, 2 months ago exactly, and the CEO responded and said very publicly they were committed to a proper one-time-password-based authentication scheme in exactly 2 months, and that 2 months is today, July 10. So I'm very excited, by the end of the day, to see that they will probably not have actually implemented it. On the other side of the equation, call out Mozilla, Apple, Microsoft as the laggards that they currently are. They are lagging behind and they need to be told that: be vocal, be insistent, and demand that they add support for U2F to their browsers. That's something that we can actually get them to do; this type of pressure does work, but it will take time and it's not in our control. Ultimately we can be insisting that they have to actually do something, but there is something that you can control, and that's the things that you build, the things that you work on. A good first step to that is requiring two-factor authentication for any administrative console access. So whether it's Django or whatever it is you're using to do administrative-level access, require two-factor authentication for all of those things. I understand that you can't always insist that all of your users use it, but you can usually, without too much fallout, insist that your administrators use it, and then offer that same strong multi-factor authentication to users as an option, so that if they are aware of it and they want to improve their security, they can.

Once you have some combination of e-mail-based authentication, U2F or one-time passwords, so I'm going to talk a little bit about specific implementations. I'm going to focus on web applications, and specifically on Django, and I hope that there are similar solutions available for Pyramid, Flask, Twisted and other frameworks, but Django is the one I know. When we built Monitorial we used django-nopassword, and this is a very good project. They have good docs and it's fairly simple to implement for new projects; obviously a little more challenging if you're trying to retrofit it onto an existing project, but it's still doable. I would think all of the different multi-factor solutions that we'll talk about, by the way, will assume username and password authentication as the first factor, and that's relevant to this discussion because when you're using e-mail-based authentication you're already deviating from what the other packages that offer one-time passwords or U2F multi-factor authentication expect, so you have to do a little bit more work; you can't use some of the built-in forms. There's another project called django-rest-framework-passwordless that has appeared in the last few months. I don't have direct experience with it. It is designed for API applications, so if you're more concerned with authenticating an API using Django REST framework, this is a good project for you. Portier, briefly, is a project by Dan Callahan of Mozilla and it's a spiritual successor to Mozilla Persona, if you remember that. It's an e-mail-based passwordless authentication service that you can host yourself, and if none of the other solutions seem like a good fit for your organization, maybe you should check this out. When I was starting to really dig into the multi-factor authentication options at
the implementation level I 1st started with Django TP and has good documentation it's updated regularly and and and the 1 of the issues at hand into interestingly enough is that and every sigh i've gone to that has a T support assumes that you only use a single device In this project has a little more foresight in assumes that you're going to be using it that you might have users who want have multiple devices you might have a unique key with OTP support you might have a no to be from and this is good and that if you decide for whatever reason that you are I want to do when get having Lin noted others are doing and it's also 1 like we assessing you're only using 1 then you're gonna have to do more work because the forms they provide assume you're going to prove that present them with multiple and the OTP devices this project has a plugin for you key hardware 0 to the support so that's nice if if that's we're into an and includes built-in forms for both the Django admin and and for non have used and again as I mentioned before these forms and fortunately assume the username and password so if if that's what you want is a 1st factor then fine if you wanna use you know based application or something else you're going to have to do some more work and more significantly these forms assuming that multi-factor authentication is required your mandating it for all the users and you can do that great need you can do that people complaining fantastic but you want to be optional opt-in teacher for users you're going to have to delve down into some level API eyes and thankfully in my experience is again I don't have access to those forms the center and apply this to you know based authentication and the lovely guys are well documented have really any trouble and implementing it and uh with as as optional multi-factor authentication with you know based amplification so after I experimented with a 1 time password I really wanted to and uh look at you to that and you because of my 
limited because of the limited browser support and some of the shortcomings I was skeptical and but the code repository includes a demo project I was really excited by by almost never see that and I get excited my thoughts can be up and running precision so try that project worked really well I thought the number set aside a use the Django admin project command to generate a completely fresh skeleton project intimacy what going he did you turn that into something more I can use multifactor authentication and and see how that it's so you nozzle I don't mean no we can do I demos and so the 1st that is to install generally to have and if dependencies easy enough and you to have requires securities connections even for local posts so 1 of the steps to getting up and running is by generating a self-signed certificate and and that kind of part of a process the they provide a script you run you can it does that work for you to announce so on the current go through the different changes I made just you can see we have and how little work I did into everything that all screenshot you'll see after that's about like the actual usage by literally did nothing else other than these diffs you're about to say and so and is a few things to install apps and a couple things at the bottom of the settings file In new world stop and made a couple changes to import and Django you to have the relative to their own namespace created in this is really a copy
paste from from what the project provided by and copy pasted a at based on each channel and template uh in their in their roots templates the citation now and really the only purpose here is to display messages is that there's an error so you can actually see them at that
point you run a run several plus never use 1 server plus presumably this is needed for the certificate support and you run this command and and we're off to the races
so again this assumes that you know the standard username + password combinations of 1st factor that's why we see username password field unlike Django TPD here multi-factor authentication is optional by the fall is not mandatory so you can tap manager to have these and we have added the
keys and the keys are listed so we tap on the and key link at that point and we
follow the prompts and we take the is looking stick it into the USB slot and at that point the will visual indicator on key it actually starts eliminating and and flashing this is your signal to tap the server-side topic he just make contact with the skin and then immediately we see he added shown and in the browser so from the main menu let's choose the manage backup codes option and backup codes as I mentioned before are emergency because you use them once you lose your device in you media access and so you Taffy creates a backup codes it generates list of backup codes you copy the piece them into your password manager or other secure evolved and in you have that should give them now let's 11 and
OTP device so as before we haven't set up a new be devices synonymous well if you talk to link to add 1 then you see if you work as well as a text version of the shared secret key I think your code the silly and I've never seen a good use case but if there is 1 thing might be this is this is this makes them a lot easier to get this shared the into your father and and so the way that looks from AP
interface is this is 1 is what I used the inferred from what the Kriol
login username password to secure a friend the other camp if you then edit after
you saved it this option option towards the bottom it says add new 1 time password a tap on that and then you see this little at
your code icon meet on that in your cameras activated and as you can see here I pointed at the screen the recognition happens really fast and leave out sometime it actually get a screenshot on the 1st try I don't know how and when I did so here it is and you'll see could scan thing on the top uh you once it's recognized and so now when you look at the log entry you'll see this countdown because then every 30 seconds so now that we have the token with switch back to a web application so we have a
token and we put in the form submitted it says device added if we tap on managed the OTP device length will see that we
have the device added and you can remove it will get if for somehow it gets compromised so logging out we see that with the login process now looks like it's different than before it's still going to use him a password but now when you get here you can use uh you're you to have you can use a one-time password you can use a static given of 3 options I love having all these options it reduces this like anxiety that that someone might feel so I'm really impressed with this projects simplicity in the first one experience if you're considering if you're creating a new Django project considered using this to add multi-factor authentication because you get so many things kind of built 10 were tried and a one-time password they're not interested in new draftees or raise some hell demand that your sites in your browser's support multi-factor authentication we can do better but only if the each of us individually take some action and do what we can to improve the security of our authentication not just for ourselves before the people that we care about what I'm working on a more detailed guide for implementing 2nd factor authentication so I'm reach of any of the above methods and and on the fly you once that guides available and with that we don't have the time that you then but I would love to me you I would love to talk to you so please come of evidence they low that URI much for coming to the few
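The talk walks through the 30-second one-time password flow (shared secret carried by the QR code, a countdown that changes every 30 seconds, single-use backup codes). As an added example, not code from the talk or from the django-otp/django-u2f projects, here is a minimal server-side TOTP verifier and backup-code store in Python. It shows the RFC 6238 computation, the replay check a server should make so the same code cannot be used twice, and backup codes stored only as salted hashes; the class and method names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30    # TOTP time step in seconds: the 30-second countdown the authenticator shows
DIGITS = 6   # code length


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step)


class OtpDevice:
    """Server-side record of one user's TOTP device (a constructed stand-in, not a django-otp model)."""

    def __init__(self, secret_b32: Optional[str] = None, window: int = 1) -> None:
        # 160-bit random shared secret, base32 so it can be typed in or encoded in a QR code
        self.secret = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.window = window          # accept +/- this many steps of clock drift
        self.last_counter = -1        # highest time step already used, to refuse replays

    def provisioning_uri(self, account: str, issuer: str) -> str:
        """The otpauth:// URI the enrolment QR code encodes (assumed authenticator-app key URI format)."""
        return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
                f"?secret={self.secret}&issuer={quote(issuer)}&period={STEP}&digits={DIGITS}")

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        """Constant-time compare against every step in the window; each step is accepted once."""
        at = int(time.time()) if at is None else at
        counter = at // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # replaying the same code within its window now fails
                return True
        return False


class BackupCodes:
    """Emergency single-use codes: the user keeps the plaintext, the server keeps only salted hashes."""

    def __init__(self, count: int = 10) -> None:
        self.codes = [secrets.token_hex(5) for _ in range(count)]   # shown to the user once
        self.salt = secrets.token_bytes(16)
        self._hashes = {self._digest(c) for c in self.codes}

    def _digest(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        """True exactly once per code; a redeemed or unknown code is rejected."""
        digest = self._digest(code)
        if digest in self._hashes:
            self._hashes.remove(digest)
            return True
        return False
```

The `hotp`/`totp` functions reproduce the RFC 4226/6238 SHA-1 test vectors (secret "12345678901234567890"), so a code from any standard authenticator app enrolled with the same secret will verify.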

Metadata

Formal metadata

Title Replacing passwords with multiple factors: email, OTP, and hardware keys
Series title EuroPython 2017
Author Mayer, Justin
License CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including modified versions, only under the terms of this license.
DOI 10.5446/33731
Publisher EuroPython
Year of publication 2017
Language English

Content metadata

Subject area Computer science
Abstract Replacing passwords with multiple factors: email, OTP, and hardware keys [EuroPython 2017 - Talk - 2017-07-10 - Anfiteatro 1] [Rimini, Italy]
Passwords have formed the cornerstone of I.T. system authentication for decades, but recent high-profile breaches have underscored the risks of password-based authentication systems. The good news is that we can replace passwords with other factors:
  email-based authentication
  one-time passwords (OTP)
  hardware keys (Yubikeys/U2F, etc.)
These factors can be used independently or in conjunction with one another to provide vastly greater security than the traditional username-plus-password combination. Attendees of this talk will walk away with a detailed understanding of:
  why the traditional username-plus-password combination is failing us
  why email-based authentication provides no less security
  overview of one-time passwords and TOTP
  how to store/retrieve OTP codes, including password manager support
  state of hardware keys in general, and FIDO U2F standard in particular
Attendees will learn how to implement these multi-factor authentication methods in their own Python-based web applications, with primary focus on methods for integrating email-based authentication, one-time passwords, and U2F hardware keys into Django-based projects.
