Next Generation Authentication
Bugs in Rails, design flaws, ways to fix
Bugs! MongoDB Hash Injection
Rails query parameters are not strongly typed
User.where(email: params[:email])
?email[$regex]=.*@google.com
Bypass any token or cause DoS
Bugs! ActiveRecord injection in MySQL
User.find_by_token(params[:token])
curl app -H 'content-type:application/json' --data '{"token":0}'
curl app?token[]   // fixed
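Both slides have the same root cause: the parameter reaches the query layer with whatever type Rack or the JSON parser produced. The following added example (not code from the talk) reproduces the three requests above, shows the types they turn into, simulates the MySQL cast that makes `token = 0` match, and applies the strict string check that closes both holes. The parser is a hypothetical stand-in for Rack::Utils.parse_nested_query and the inputs are constructed.

```ruby
require 'json'
require 'cgi'

# Constructed inputs that reproduce the three requests shown on the slides.
MONGO_QUERY_STRING = 'email[$regex]=.*@google.com'   # ?email[$regex]=.*@google.com
JSON_BODY          = '{"token":0}'                   # --data '{"token":0}' with a JSON content type
ARRAY_QUERY_STRING = 'token[]'                       # ?token[]

# Hypothetical stand-in for Rack::Utils.parse_nested_query: handles a=b, a[b]=c and a[]=c,
# which is enough to show the types Rails produces from these query strings.
def parse_nested_query(query_string)
  query_string.split('&').each_with_object({}) do |pair, params|
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    if key.end_with?('[]')
      (params[key[0...-2]] ||= []) << value           # token[]  -> {"token" => [""]}
    elsif (m = key.match(/\A([^\[\]]+)\[([^\[\]]+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value              # email[$regex]=x -> {"email" => {"$regex" => "x"}}
    else
      params[key] = value                              # email=x -> {"email" => "x"}
    end
  end
end

# The unchecked pattern from the slides: whatever type arrived is handed to the query layer.
# A Hash becomes a MongoDB operator document, an Integer becomes an integer comparison in SQL.
def unsafe_criteria(params, name)
  { name => params[name] }
end

# Simulation of MySQL's implicit cast when a VARCHAR column is compared with an integer:
# the string is converted using its leading numeric prefix ('abc' -> 0, '12ab' -> 12),
# so `token = 0` holds for every token that does not start with a digit.
def mysql_loose_equal?(column_value, param)
  case param
  when Integer then column_value.to_f == param
  when String  then column_value == param
  else false
  end
end

# Strongly typed accessor: the query layer only ever sees a non-empty String, so operator
# hashes, integers and arrays are rejected before they reach the ORM.
def strict_string_param(params, name)
  value = params[name]
  unless value.is_a?(String) && !value.empty?
    raise ArgumentError, "#{name} must be a non-empty string, got #{value.class}"
  end
  value
end

# Convenience predicate: does the strict check let this parameter through?
def accepted?(params, name)
  strict_string_param(params, name)
  true
rescue ArgumentError
  false
end

if __FILE__ == $0
  puts unsafe_criteria(parse_nested_query(MONGO_QUERY_STRING), 'email').inspect
  puts unsafe_criteria(JSON.parse(JSON_BODY), 'token').inspect
  puts mysql_loose_equal?('secrettoken', 0)            # true: 'secrettoken' casts to 0
  puts accepted?(JSON.parse(JSON_BODY), 'token')       # false
end
```

The same check belongs on every lookup keyed by a secret (tokens, reset codes, API keys): the rejected value is logged as a type mismatch, which is also a useful detection signal since legitimate clients never send a hash or an integer there.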
Bugs! Omniauth is full of bugs:
/auth/facebook?state=123
/auth/facebook/callback?state=123&code=mycode
Do not ever use Facebook Login for login
http://sakurity.com/reconnect
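The request pair above only works because the state value is accepted without ever being tied to the browser session that started the flow. The following added example (not Omniauth's code) shows the binding that stops it: the state is minted per session before the redirect, compared in constant time on the callback, and consumed on first use. The session key name and the authorize URL are illustrative assumptions.

```ruby
require 'securerandom'

SESSION_KEY = 'omniauth.state'   # hypothetical session key, not a real Omniauth setting

# Constant-time string comparison (stands in for Rack::Utils.secure_compare),
# so the state check does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Request phase: mint a fresh random state, store it in this session, embed it in the redirect.
def begin_oauth(session, authorize_url = 'https://www.facebook.com/dialog/oauth')
  state = SecureRandom.hex(24)
  session[SESSION_KEY] = state
  "#{authorize_url}?state=#{state}"
end

# Callback phase: the state from the query string must equal the one stored for this session,
# and it is single-use (deleted before the check). Returns the code on success, nil otherwise.
def complete_oauth(session, params)
  expected = session.delete(SESSION_KEY)
  return nil unless expected && secure_compare(expected, params['state'].to_s)
  params['code']
end

# The slide's sequence replayed against a session that never started a flow:
# state=123 has no stored counterpart, so the callback is refused.
def replayed_callback_accepted?
  victim_session = {}
  !complete_oauth(victim_session, { 'state' => '123', 'code' => 'mycode' }).nil?
end

# A genuine round trip: the state in the redirect is the one the callback brings back.
def honest_flow_code
  session = {}
  url = begin_oauth(session)
  state = url[/state=(\h+)/, 1]
  complete_oauth(session, { 'state' => state, 'code' => 'mycode' })
end

if __FILE__ == $0
  puts "replayed callback accepted: #{replayed_callback_accepted?}"   # false
  puts "honest flow code: #{honest_flow_code}"                         # mycode
end
```

Deleting the stored state before comparing also means a callback that arrives twice (or out of order) fails closed rather than being accepted on the second attempt.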
Authenticate/authorize
"Who you are" vs "what you can do"
Sign Up = create a record
Sign In = use that record
Biometrics
Real world authentication vs remote authentication
Every part of human body is static and observable
"Fingerprint is username"
Except passwords in our mind
>>P4$$word$<<
Not going away. All we have is "knowledge" (=possession), and password is best kind of possession. Every other private key / secret data still depends on your password.
Security keys are useless, impossible to backup and expensive
>>P4$$word$<<
Now
>>P4$$word$<<
Password managers are a monkey patch (1% penetration rate). Authentication must be built-in and easy to use
Truefactor.io
(attack on the left < defence that stops it; each following row is the attack that gets past the previous defence)
Password reuse, bruteforce < Password managers
CSRF < Time based TOTP
XSS, MitM, client side bugs, external JS < Truefactor Web
UXSS, MitB, malicious extensions < Truefactor Desktop
Device compromise < Paired Truefactors
Both devices are compromised < Nobody
Truefactor.io
Out of band transaction verification
Truefactor.io
Integration:
user = User.find_by_email(params[:user][:email])
if user
  # accounts enrolled with Truefactor are marked in the encrypted_password field instead of carrying a hash
  if user.encrypted_password.starts_with? "truefactor:"
    # the two one-time values sent by the client are bound to the "login" action before verification
    str = "truefactor:#{params[:otp0]}:#{params[:otp1]}"
    if user.valid_signatures?("login", str)
      sign_in User, user
      return redirect_to root_path
    end
  end
end
.....
Protect critical actions and responses:
Truefactor.io
Zero-knowledge backup. The server knows *nothing* about you and your passwords.