Next Generation Authentication

Bugs in Rails, design flaws, ways to fix

Bugs!MongoDB Hash Injection

Rails query parameters are not strongly typed

User.where(email: params[:email])?email[$regex]=.*@google.com.

Bypass any token or cause DoS

Bugs!ActiveRecord injection in MySQL

User.find_by_token(params[:token])

curl app -H 'content-type:application/json' --data '{"token":0}'

curl app?token[] //fixed

Bugs!Omniauth is full of bugs:/auth/facebook?state=123/auth/facebook/callback?state=123&code=mycode

Do not ever use Facebook Login for loginhttp://sakurity.com/reconnect

Authenticate/authorize

"Who you are" vs "what you can do"

Sign Up = create a recordSign In = use that record

BiometricsReal world authentication vs remote authentication

Every part of human body is static and observable"Fingerprint is username"Except passwords in our mind

>>P4$$word$<<Not going away. All we have is "knowledge" (=possession), and password is best kind of possession. Every other private key / secret data still depends on your password.

Security keys are useless, impossible to backup and expensive

>>P4$$word$<<Now

>>P4$$word$<<Password managers are a monkey patch(1% penetration rate). Authentication must be built-in and easy to use

Truefactor.ioPassword reuse, bruteforce < Password managers---CSRF < Time based TOTP---XSS, MitM, client side bugs, external JS < Truefactor Web---UXSS, MitB, malicious extensions < Truefactor Desktop---Device compromise < Paired Truefactors---Both devices are compromised < Nobody

Truefactor.ioOut of band transaction verification

+

Truefactor.io

Truefactor.ioIntegration:

user = User.find_by_email(params[:user][:email]) if user if user.encrypted_password.starts_with? "truefactor:" str = "truefactor:#{params[:otp0]}:#{params[:otp1]}" if user.valid_signatures?("login", str) sign_in User, user return redirect_to root_path.....

Protect critical actions and responses:

Truefactor.ioZero-knowledge backup. The server knows *nothing* about you and your passwords.