Upload File

next generation authentication

14
Next Generation Authentication Bugs in Rails, design flaws, ways to fix

Upload: -

Post on 13-Jan-2017

90 views

Category:

Data & Analytics


0 download

Report

TRANSCRIPT

Page 1: Next Generation Authentication

Next Generation Authentication

Bugs in Rails, design flaws, ways to fix

Page 2: Next Generation Authentication

Bugs!MongoDB Hash Injection

Rails query parameters are not strongly typed

User.where(email: params[:email])?email[$regex]=.*@google.com.

Bypass any token or cause DoS

http://google.com/
Page 3: Next Generation Authentication

Bugs!ActiveRecord injection in MySQL

User.find_by_token(params[:token])

curl app -H 'content-type:application/json' --data '{"token":0}'

curl app?token[] //fixed

Page 4: Next Generation Authentication

Bugs!Omniauth is full of bugs:/auth/facebook?state=123/auth/facebook/callback?state=123&code=mycode

Do not ever use Facebook Login for loginhttp://sakurity.com/reconnect

http://sakurity.com/reconnect
Page 5: Next Generation Authentication

Authenticate/authorize

"Who you are" vs "what you can do"

Sign Up = create a recordSign In = use that record

Page 6: Next Generation Authentication

BiometricsReal world authentication vs remote authentication

Every part of human body is static and observable"Fingerprint is username"Except passwords in our mind

Page 7: Next Generation Authentication

>>P4$$word$<<Not going away. All we have is "knowledge" (=possession), and password is best kind of possession. Every other private key / secret data still depends on your password.

Security keys are useless, impossible to backup and expensive

Page 8: Next Generation Authentication

>>P4$$word$<<Now

Page 9: Next Generation Authentication

>>P4$$word$<<Password managers are a monkey patch(1% penetration rate). Authentication must be built-in and easy to use

Page 10: Next Generation Authentication

Truefactor.ioPassword reuse, bruteforce < Password managers---CSRF < Time based TOTP---XSS, MitM, client side bugs, external JS < Truefactor Web---UXSS, MitB, malicious extensions < Truefactor Desktop---Device compromise < Paired Truefactors---Both devices are compromised < Nobody

Page 11: Next Generation Authentication

Truefactor.ioOut of band transaction verification

+

Page 12: Next Generation Authentication

Truefactor.io

Page 13: Next Generation Authentication

Truefactor.ioIntegration:

user = User.find_by_email(params[:user][:email]) if user if user.encrypted_password.starts_with? "truefactor:" str = "truefactor:#{params[:otp0]}:#{params[:otp1]}" if user.valid_signatures?("login", str) sign_in User, user return redirect_to root_path.....

Protect critical actions and responses:

Page 14: Next Generation Authentication

Truefactor.ioZero-knowledge backup. The server knows *nothing* about you and your passwords.


Next-Generation Reading Next-Generation Advanced Algebra

RC the Next Generation 20111RC - The Next Generation

Next Generation Storage Networking for Next Generation Data Centers

Authentication for the Next Generation - VASCO · PDF fileAuthentication for the Next Generation ... authenticating to your corporate network or your bank or ... voiceprint ID or using

Agenda · Vision: Reinvent call center authentication and fraud prevention ! Technology: Next-generation “passive” voice biometrics enhanced with predictive analytics ! Solutions:

Next Generation Corona Discharge Next Generation Corona

Next-gen API authentication

Goode Intelligence: Next-Generation Authentication for the Mobile-Ready Enterprise

Next Generation Airmen, Next Generation Fighter! 138th

MULTIFACTOR AUTHENTICATION WITH FORTITOKEN & … Info-Byte... · FortiToken 200 series performing a TOTP generation for Multi-Factor Authentication (MFA) ... Next-gen Firewall (NGFW)

Introduce the next generation technology for veterinary ... · Introduce the next generation technology for veterinary drug residues detection and food authentication Dr. John Xue

The Next Generation - The Next Generation School

2013-14 School Year. Unbridled Learning Next Generation Learners (100%) Next Generation Support (23%) Next Generation Professionals (10%) Next Generation

Cognizance Identity and Access Management Identity Management ● Authentication ● Authorization ● Administration The next generation security solution

Next Generation Network For Next Generation Students

Authentication and Transaction Security in E-Business...1 next generation of access control Authentication and Transaction Security in E-Business AXSionics AG, BFH Spin-off Park, Seevorstadt

Next Generation Workflows for Next Generation Libraries

Next Generation Product Authentication · 2019-03-08 · 2016 OECD Statistics by Country Percent of total value of seizures. 4 5 NET GENERATION PRODUCT AUTHENTICATION AUTHENTIC VISION

Next-Generation Food Authentication Analysis Technologyfplreflib.findlay.co.uk/images/pdf/mab-conference/... · Food Scanner research. Food Authenticity & Analysis 3 Determining value

Cryptocard Next Generation Authentication

Next Generation Intel MPI product for next generation

The Next Generation of Next Generation Learning

NEXT GENERATION UNITED generation... · 2019. 5. 21. · NEXT GENERATION UNITED Next Generation United engages the knowledge, skills and creative energy of the next generation to

Next Generation Media. Next Generation Regulation.epra3-production.s3.amazonaws.com/attachments/files/2414/origina… · Next Generation Media. Next Generation Regulation. 39th epra

Next Generation Literacy Tools for Next Generation Literacy Assessments

Fast and Secure Intelligence Re-authentication …serialsjournals.com/serialjournalmanager/pdf/1474438526.pdfRe-authentication Mechanism for Next Generation ... (e.g. Cellular Network)

Next Generation Security Solutions Next Generation Controllers January 2013

The next evolution of authentication

Next Generation Endpoint Protection INFO... · Next-Generation Endpoint Security NEXT-GENERATION ENDPOINT SECURITY Desktop Laptop Mobile Server Virtual Embedded Data Center NEXT-GENERATION

Formula E: Next Generation Motorsport with Next Generation

Authentication and Transaction Security in E-Business€¦ · 1 next generation of access control Authentication and Transaction Security in E-Business AXSionics AG, BFH Spin-off

Next generation genetics for the next generation: Dr David

Hillstone E Series Next-Generation Firewallactive.it/wp-content/uploads/documentazione/brochures/...Hillstone E Series Next-Generation Firewall E-Series • 2-factor authentication:

Next-Generation Sequencing Next-Generation Sequencing Technologies

Authentication On-Boarding. Aadhaar Authentication Enrolment Aadhaar Generation Update Secure Aadhaar Authentication Framework Aadhaar Authentication