LASCON 2013 talk: User Auth for Winners, How to Get It Right the First Time!
DESCRIPTION
In this talk, I will outline the best practices for building secure user management and authentication platforms for your products. At the end of this talk, you'll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!
TRANSCRIPT
User Authentication for Winners!
Speaker: Karthik Gaekwad
Password: Remember this stuff when you code
LASCON 2013
@iteration1 #UserAuth101
Friday, October 25, 13

User Authentication for Winners!
Speaker: Karthik Gaekwad
Password: ************
Remember this stuff when you code
Well played security guru; well played!
Howdy!
• I’m Karthik Gaekwad
• Senior Web Engineer, Mentor Graphics Embedded
• From Austin, TX
• Spent the last 3 years writing/refining cloud-based user auth systems

Audience Survey
My agenda
• Developers and DevOps: build better auth systems
• Security Pros: give you developer insight, new ideas to attack auth systems
• Management: give this ppt to your dev teams.
Authentication Mechanisms
• Write your own
• OpenID
• OAuth

Common Perception
“Building a User Authentication system is easy. It’s just a username and password, stored somewhere”
Reality
API (PaaS) + Workflows + User Interface(s)
Designing Auth Systems
API: How your system is used
• Login/Logout
• Session Management (Remember Me etc.)
• User Creation
• Password Reset

Designing Auth Systems
Workflows: Rules for how the system works
• Account Creation
• Password Reset
• Account Recovery

Designing Auth Systems
User Interface: What the end user will actually see
• Where users can create an account
• Login screens
• My Profile page
• End applications using the APIs
High Level Design (diagram components)
• Data store(s)
• Email Web Services
• API Web Services (Login/Logout)
• App 1, App 2, User Portal, App 3...
Quick look @data
• username
• first name
• last name
• password
• {id}

Quick look @data: Keep your auth data separate
• You don’t want to clutter your auth data with ecommerce/address/whatever other data
• Not rocket science.
• It’s called normalization
Breaking it down: API Web Services (Login/Logout)

Login Web Services
The Goal: Keep user credentials as safe as possible in transit
Login Web Services
App 1 → API Web Services (Login/Logout)
Request: POST /login with encoded username:password
Response: HTTP 200/201 with session token, session id expiration, first name, last name

Login Web Services
App 1 → API Web Services (Login/Logout)
Request: GET /login/(session token)
Response: HTTP 200/201 (success) with session token, session id expiration, first name, last name; HTTP 401 (failures)
Login Web Services
• Minimize sending usernames and passwords over the wire.
• Harder to sniff if it’s rarely there
• Don’t put this in the URL (server logs)
• Session tokens: set an expiration time.
• Client can re-login if necessary

Login Web Services
HTTP?
“That’s great, but I can brute force the endpoint”
--JoeHacker
Rate Limiting
• “Only x number of calls per minute to the endpoint”
• Recommended for all login and session token endpoints.
• Can be complicated to implement, but worth it and reusable.
• http://www.client9.com/2012/05/01/rate-limiting-at-scale/ Thanks @NGalbreath!
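One way to put the “x calls per minute” rule in front of a login endpoint, as an added Python example that is not code from the talk: a per-key sliding window applied to both the source address and the targeted account. The `handle_login` wrapper, its status codes and the `check_credentials` callback are assumptions for illustration.

```python
import time
from collections import deque


class RateLimiter:
    """Per-key sliding-window limiter: at most `limit` calls per `window` seconds.

    Keyed by whatever the caller chooses (client IP, username, or both), so a
    login endpoint can be throttled per source and per targeted account.
    """

    def __init__(self, limit, window=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so tests can control time
        self._hits = {}             # key -> deque of call timestamps

    def allow(self, key):
        """Record a call for `key`; return True if it is within the limit."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False            # over budget: caller should answer 429
        hits.append(now)
        return True


def handle_login(limiter, client_ip, username, check_credentials):
    """Constructed stand-in for a POST /login handler.

    Both the source and the account are limited before the password check runs,
    so many attempts on one account from many addresses are throttled as well
    as many attempts from one address. Returns an HTTP-style status code.
    """
    if not limiter.allow("ip:" + client_ip) or not limiter.allow("user:" + username):
        return 429
    return 200 if check_credentials(username) else 401
```

In a multi-node deployment the `_hits` dictionary would live in a shared store such as Redis rather than process memory; the window logic is unchanged.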
Note on Session Tokens
Use something cryptographically secure
Keep them 128-bit or greater
How I really feel about rand() and guid() functions: Yuck
Login Hack #1
• Often, the end (web) application will store the username and session token in a cookie.
• Hack: Create 2 accounts, log in with both and store the cookies. Trade the session token of one account with the other, and see if you can see other account data...
• Developers have good intentions but....
Login Hack #2
• Verify that session tokens actually expire!
• Try using the same session token even after you’ve hit “log out” in the application.
• cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
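The login, token-check and logout endpoints from the Login Web Services slides, together with the token and expiry points from the session-token note and Hack #2, as an added Python example that is not code from the talk. The in-memory store, `SESSION_TTL`, the status tuples and the `verify_password` callback are assumptions; the token comes from `secrets` (128 bits), not `rand()`/`guid()`.

```python
import secrets
import time

TOKEN_BYTES = 16              # 128 bits from the CSPRNG, as the slides recommend
SESSION_TTL = 15 * 60         # seconds; a leaked token goes stale quickly


class SessionService:
    """Server-side session store behind POST /login, GET /login/<token> and /logout.

    Each session records the account it was issued to, so a token presented by
    any client resolves only to that account (the check Hack #1 probes for).
    """

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self._sessions = {}         # token -> {"username": ..., "expires": ...}

    def login(self, username, password, verify_password):
        """POST /login: verify credentials once, return (status, body) with a
        fresh token and its expiry so the password need not travel again."""
        if not verify_password(username, password):
            return 401, None
        token = secrets.token_hex(TOKEN_BYTES)
        expires = self.clock() + SESSION_TTL
        self._sessions[token] = {"username": username, "expires": expires}
        return 200, {"session_token": token, "expires": expires}

    def validate(self, token):
        """GET /login/<token>: 200 with the owning account while the token is
        live, 401 once it has expired or been logged out."""
        session = self._sessions.get(token)
        if session is None:
            return 401, None
        if self.clock() >= session["expires"]:
            del self._sessions[token]       # lazy expiry: drop it on first sight
            return 401, None
        return 200, {"username": session["username"], "expires": session["expires"]}

    def logout(self, token):
        """/logout: invalidate server-side, so a copied token is useless
        afterwards whatever the client did with its own cookie."""
        return 200 if self._sessions.pop(token, None) is not None else 401
```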
Let’s move on..
Account Creation, Password Reset

“We try to solve very complicated problems without letting people know how complicated the problem was. That’s the appropriate thing.”
--Usability Jack and Jill

“Remembering passwords is a pain. Let’s make our system have minimum 4-letter passwords because it’s more usable.”
--Usability Jack and Jill
Security + Usability
• The days of the 4-character password are over.
• UX team interactions:
• 8+ characters is accepted now
• Show by example
• Use “sentences” versus “words” for passwords
Reference: Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor
Account Creation
• Typically: accept user data, provision account...

Account Creation
• Sanitize inputs for XSS.
• If you are asking for a user email, validate that the email actually belongs to the user.
• May have multiple data stores in play here.

Account Creation
• Case Sensitivity...
• Hack: Register with [email protected] and [email protected]. You may be able to register as both if the case sensitivity check isn’t turned on.
• Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
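The uniqueness check that closes the case-sensitivity gap on the slide above, as an added Python example that is not code from the talk: the address the user typed is kept, but uniqueness is enforced on a canonical form that is case-folded and NFKC-normalised so differently cased or non-ASCII lookalike spellings collapse to one key. The `Registry` class and its in-memory store are assumptions.

```python
import unicodedata


def canonical_email(raw):
    """Canonical key for the uniqueness check at account creation.

    Whitespace is trimmed, Unicode compatibility forms are normalised (NFKC,
    e.g. fullwidth letters become ASCII) and case is folded, so spellings that
    differ only in case or in confusable code points map to the same key.
    """
    return unicodedata.normalize("NFKC", raw.strip()).casefold()


class Registry:
    """Minimal account registry (constructed example): stores the address as
    typed but refuses a second account whose canonical form already exists."""

    def __init__(self):
        self._by_key = {}           # canonical key -> address as entered

    def register(self, email):
        key = canonical_email(email)
        if key in self._by_key:
            return False            # already taken under another spelling
        self._by_key[key] = email
        return True

    def lookup(self, email):
        """Find the stored address for any spelling of the same identifier."""
        return self._by_key.get(canonical_email(email))
```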
Passwords

Storing Passwords
“I'm gonna pop some tags
Only got clear text passwords in my db
I - I - I'm hunting, looking for a reason to get f*** fired.”
-The Macklemore stance

Storing Passwords
Please don’t go “thrift shop” your password storage
Storing Passwords
• Store only hashed passwords
• Use a unique, per-user salt.
• Use bcrypt/scrypt to generate your hash

“That’s great, but I’ll just figure out your Cloud DB credentials”
--JoeHacker
Storing Passwords
• A technique that I like..
• Break up your data into different stores:
• Store the password hash in data store #1
• Store the salt used to compute the hash in data store #2
• Store the # of hash iterations in data store #3 (application config?)
• Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key.
• http://www.stormpath.com/blog/strong-password-hashing-part-2 Thanks @Stormpath
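The split-store technique from the slide above, together with the hashed-and-salted rule from the previous one, as an added Python example that is not code from the talk or from Stormpath. The three stores are plain dictionaries, the MAC key is a constructed placeholder, and PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt/scrypt the slides recommend; all of those are assumptions.

```python
import hashlib
import hmac
import secrets

# Data store #3: hashing parameters live in application config, apart from the hashes.
CONFIG = {"iterations": 100_000, "dklen": 32}
# Application-private MAC key (constructed placeholder; load from a secrets manager).
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

STORE_MACS = {}     # data store #1: username -> MAC over the password hash (never the hash)
STORE_SALTS = {}    # data store #2: username -> per-user random salt


def _hash_password(password, salt):
    # Stand-in for bcrypt/scrypt: PBKDF2-HMAC-SHA256 with the iteration count from store #3.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               CONFIG["iterations"], dklen=CONFIG["dklen"])


def _mac(password_hash):
    # Keyed hash with the application-private key: without MAC_KEY a stolen
    # store #1 cannot be used as an offline cracking target.
    return hmac.new(MAC_KEY, password_hash, hashlib.sha256).digest()


def set_password(username, password):
    """Write the salt to store #2 and the MAC of the salted hash to store #1."""
    salt = secrets.token_bytes(16)                  # unique per user
    STORE_SALTS[username] = salt
    STORE_MACS[username] = _mac(_hash_password(password, salt))


def verify_password(username, password):
    """Recompute hash -> MAC from both stores plus config and compare in constant time."""
    salt = STORE_SALTS.get(username)
    stored = STORE_MACS.get(username)
    if salt is None or stored is None:
        # Same amount of work for unknown users, so timing does not reveal
        # whether the account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_mac(_hash_password(password, salt)), stored)
```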
Storing Passwords
• http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
• http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database
• http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication
Reset or Restore?
• I prefer Password Reset.
• “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter.
• Make sure Password Reset tokens are one-use only and expire “super fast”
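One-use, fast-expiring reset tokens as the slide above asks for, as an added Python example that is not code from the talk: only a digest of each token is stored, redeeming pops the entry so a second use fails, and the TTL is checked on redemption. `RESET_TTL`, the in-memory table and the email delivery step left to the caller are assumptions.

```python
import hashlib
import secrets
import time

RESET_TTL = 10 * 60     # "super fast": ten minutes, then the link is dead


class PasswordResetService:
    """One-use, short-lived password reset tokens (constructed example).

    Only a SHA-256 digest of each token is kept, so a dump of this table does
    not yield usable reset links; the token itself exists only in the email.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}   # sha256(token) -> (username, expires_at)

    def issue(self, username):
        """Create a token for the account and return it for delivery by email."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self.clock() + RESET_TTL)
        return token

    def redeem(self, token):
        """Consume the token exactly once; return the username it was issued
        for, or None if it is unknown, already used, or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)    # pop: a second redeem fails
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            return None                            # expired: also gone now
        return username
```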
Account Creation Workflow (diagram)
Get User Credentials → Validate Email → Create Password
OR
Get User Credentials and Password → Validate Email → Allow Login

Account Creation Workflow
Get User Credentials and Password → Validate Email → Allow Login
• Winner!
• Data to support that more users convert to creating accounts this way.
• http://www.stormpath.com/blog/how-we-increased-new-user-registration-27 Thanks @chunsaker
Final Thoughts
• AKA I have to present in a few hours, but I have no time to worry about flow.. #FreeStyling

Final Thoughts
• If you have many apps with login screens/create account screens, keep these consistent.
• Users lose trust if login screens are different across apps by the same company

Final Thoughts
• If you’re a Java shop, check out the Apache Shiro framework; it’s made for the authentication use case.
• SaaS version: Stormpath

Final Thoughts
• 2-factor auth
• Definitely strengthens the security.
• Usability verdict is still out.
• Challenging to implement, but a good idea.

Final Thoughts
• Login dashboards in “My Profile” with last login information, geolocation and timestamp are more popular.
• You have all this data anyway, so why not show it?
PSA on OAuth
“Why does this random website need read and write OAuth access to my twitter / facebook account?”

Thank You for your time!
@iteration1
Lunch?