Multi Factor Authetification - ZendCon 2017

1. MULTI-FACTOR AUTHENTICATION AND STRONG AUTHENTICATION

2. ABOUT ME PHILIPPE GAMACHE HI I’M PHILIPPE I’m a Developer Evangelist for kuzzle.io. Long-time internet developer, author, screen caster, podcaster and speaker. I’m specializes in PHP, Symfony, Kuzzle, security, code quality, performance, real time and geolocation. • Sécurité PHP 5 et MySQL 5 • OWASP Montreal • PHP Quebec • Table Top Game Developer • Pen & Paper RPG Writer

4. I'M MISLEADING YOU THIS IS NOT THE EIFFEL TOWER

5. WHERE IN LAS VEGAS EIFFEL TOWER RESTAURANT

6. AGENDA • Authentication vs Authorization • Authentication's Problems • The solutions • Strong Authentication • Solutions for all budgets

7. AUTHENTICATION VS AUTHORIZATION • Authentication • Procedure that veriﬁes the identity of an entity (person, computer ...) to allow access to resources (systems, networks, applications ...) • Authorization • Procedure that allows access to resources only to those authorized to use. AUTHORIZATION

8. AUTHENTICATION'S PROBLEMS • Accurately identify the entity • Accurately identify the entity type • Accessibility • Broken Password A SIMPLE LIST

9. • People use easy to ﬁnd password • Easily give their passwords to strangers • without reason • 45 % of woman1 • 10 % of man1 • For a chocolate bar • 64 % of people1 • 21% have 10+ years old password2 • 47% have 5+ years old password2 • 73% use duplicated password2 • 54% have 5 or fewer passwords across the entire life2 • On average, only 6 unique passwords are used to guard 24 online account2 BROKEN PASSWORD THE HUMAN FACTOR 1 Infosec Europe Conference 2008 2 TeleSign Customer Account Security Report 2015

10. – Chris Nickerson - Exotic Liability #37 “In the middle of talking to him, he gives me, is online banking username and password.”

11. – Chris Nickerson - Exotic Liability #37 “In the middle of talking to him, he gives me, is online banking username and password.”

12. THE SOLUTION USE SECURITY QUESTIONS?

13. THE SOLUTION USE SECURITY QUESTIONS?

14. THE SOLUTIONS SIGN THE FORM <?php $code = hash_hmac( 'sha256', json_encode([ $verifierNonce, $userID, $expiration->format('Y-m-dTH:i:s') ]), $tokenSigningKey ]);

15. THE SOLUTIONS HTTP://WWW.CAPTCHA.NET/

16. CAPTCHA IMAGES

17. CAPTCHA HOT OR NOT

18. GOOGLE RECAPTCHA HTTPS://WWW.GOOGLE.COM/RECAPTCHA/

19. GOOGLE RECAPTCHA HTTPS://WWW.GOOGLE.COM/RECAPTCHA/

20. FAITHFULLY IDENTIFY THE ENTITY AND SHOVE THE SECURITY PROBLEM AWAY

21. STRONG AUTHENTICATION • Method of computer access control; • User is granted access; • After successfully presenting several separate pieces of evidence MULTI-FACTOR AUTHENTICATION

22. MULTI-FACTOR AUTHENTICATION MEMORIAL FACTOR Memorial factor

28. MULTI-FACTOR AUTHENTICATION PHYSICAL FACTOR Memorial factor Physical Factor

37. MULTI-FACTOR AUTHENTICATION REACTIONAL FACTOR Memorial factor Reactional factor Physical Factor

38. MULTI-FACTOR AUTHENTICATION REACTIONAL FACTOR Memorial factor Reactional factor Physical Factor

39. MULTI-FACTOR AUTHENTICATION MATERIAL FACTOR Memorial factor Reactional factor Physical FactorMaterial factor

51. MULTI-FACTOR AUTHENTICATION TWO-FACTOR AUTHENTICATION Memorial factor Reactional factor Physical FactorMaterial factor

52. TWO-FACTOR AUTHENTICATION EXAMPLES? Memorial factor Reactional factor Physical FactorMaterial factor

53. SOLUTIONS FOR ALL BUDGETS PERFECT PAPER PASSWORDS

54. PERFECT PAPER PASSWORDS HTTPS://WWW.GRC.COM/PPP.HTM

57. SOLUTIONS FOR ALL BUDGETS YUBIKEY

58. YUBIKEY HTTP://WWW.YUBICO.COM/PRODUCTS/YUBIKEY/

59. tgbvgflvvndijcfhftgnnldhgviktivhdvnekehejceh tgbvgflvvndiknblilkrtbdvflbdhvdvutlblkfuueel cccccccclildcuhrrhneenjbrrbbnikcvhvbgbcbnvhn cccccccclildibndgdgihuvdcggthnjrbcujdkujnblv YUBIKEY HTTP://WWW.YUBICO.COM/PRODUCTS/YUBIKEY/

60. SOLUTIONS FOR ALL BUDGETS OATH OPEN AUTHENTICATION

61. SOLUTIONS FOR ALL BUDGETS OATH OPEN AUTHENTICATION

62. SOLUTIONS FOR ALL BUDGETS OATH OPEN AUTHENTICATION https://openauthentication.org

63. STRONG AUTHENTICATION • Man-in-the-middle attacks • Session or cookies thefts • Data theft if site not protected • Advance Phishing DOESN'T PROTECT YOU...

64. ANY QUESTIONS? THANK YOU! If you want to talk more, feel free to contact me. http://kuzzle.io This presentation was created using Keynote. The text is set in Oswald and Ubuntu. The source code is set in Ubuntu Mono. The iconography is provided by Keynote, kuzzle.io and Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information. Copyright © This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author. [email protected] @kuzzleio Kuzzle kuzzleio http://kuzzle.io Presentation © Format_Informations [email protected] @kuzzleio philippegamache joind.in/talk/b21f7 Please visit us at:

65. PHOTO CREDITS • Page 3 to 5: By Simeon87 (Own work) [CC BY-SA 3.0 (http:// creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons • Page 11: http://failblog.cheezburger.com/

Multi Factor Authetification - ZendCon 2017

More Related Content

Similar to Multi Factor Authetification - ZendCon 2017 (20)

More from Philippe Gamache (19)

Recently uploaded (20)

Multi Factor Authetification - ZendCon 2017