Page 1
Next Generation Authentication
Bugs in Rails, design flaws, ways to fix
Page 2
Bugs! MongoDB hash injection
Rails query parameters are not strongly typed: Rack turns `email[$regex]=...` into a Hash, and Mongoid hands that Hash to MongoDB as an operator query.
`User.where(email: params[:email])`
`?email[$regex]=.*@google.com`
Bypass any token check (for example `token[$ne]=x` matches every record) or cause a DoS with a pathological regex.
Page 3
Bugs! ActiveRecord injection in MySQL
`User.find_by_token(params[:token])`
`curl app -H 'content-type:application/json' --data '{"token":0}'`
A JSON body makes `params[:token]` the Integer 0, so the query becomes `WHERE token = 0`; MySQL casts a non-numeric string to 0 when comparing it with a number, so every token matches and the first user is returned.
`curl app?token[]` // fixed
The empty-array form gave `params[:token]` the value `[nil]`, which ActiveRecord turned into `WHERE token IS NULL`; that variant has since been fixed in Rails.
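The two bugs on the MongoDB and MySQL slides share one root cause: the query receives whatever shape the request produced. The following is an added example, not code from the talk or from Rails, that models that path end to end. Rack's nested-query parsing, the in-memory Mongo matcher and the MySQL comparison rule are all small models of the real components (assumption), and the `USERS` data is constructed; the final `find_by_token_safe` shows the only fix that covers both cases, insisting on a String before the value reaches any driver.

```ruby
require 'cgi'
require 'json'

# Constructed sample data standing in for a users table/collection.
USERS = [
  { 'email' => 'alice@example.com', 'token' => 'a1b2c3' },
  { 'email' => 'bob@google.com',    'token' => 'd4e5f6' },
  { 'email' => 'carol@example.com', 'token' => nil },      # no token issued yet
].freeze

# One-level model of Rack's nested-query parsing (assumption):
#   "token[$ne]=x" -> {"token" => {"$ne" => "x"}},  "token[]" -> {"token" => [nil]}
def parse_nested_query(qs)
  params = {}
  qs.split('&').each do |pair|
    k, v = pair.split('=', 2).map { |s| CGI.unescape(s) }
    if k =~ /\A([^\[]+)\[\]\z/
      (params[$1] ||= []) << v
    elsif k =~ /\A([^\[]+)\[([^\]]+)\]\z/
      (params[$1] ||= {})[$2] = v
    else
      params[k] = v
    end
  end
  params
end

# Mongo-style matching: a Hash value is an operator query, a scalar is equality.
def mongo_match?(value, cond)
  return value == cond unless cond.is_a?(Hash)
  cond.all? do |op, arg|
    case op
    when '$regex' then value.to_s.match?(Regexp.new(arg))
    when '$ne'    then value != arg
    else raise ArgumentError, "unsupported operator #{op}"
    end
  end
end

def mongo_where(field, cond)
  USERS.select { |u| mongo_match?(u[field], cond) }
end

# MySQL-style comparison (model): a string compared with a number is cast to
# its leading numeric prefix (none -> 0), so 'a1b2c3' = 0 is true; NULL never
# equals anything. An Array models ActiveRecord's IN (...) / IS NULL for [nil].
def mysql_eq?(column, param)
  case param
  when Numeric then !column.nil? && column.to_s[/\A\s*[-+]?(\d+\.?\d*|\.\d+)/].to_f == param
  when Array   then param.any? { |p| p.nil? ? column.nil? : column == p }
  else column == param
  end
end

def mysql_find_by_token(param)
  USERS.find { |u| mysql_eq?(u['token'], param) }
end

# Vulnerable: whatever shape the request produced goes straight into the query.
def find_by_token_vulnerable(params)
  mongo_where('token', params['token'])
end

# Hardened: insist on a non-empty String before it reaches either driver.
def string_param!(params, key)
  v = params[key]
  raise ArgumentError, "#{key} must be a non-empty string" unless v.is_a?(String) && !v.empty?
  v
end

def find_by_token_safe(params)
  mongo_where('token', string_param!(params, 'token'))
end
```

`string_param!` is the whole fix: a Hash (`token[$ne]=x`), an Array (`token[]`) and an Integer (`{"token":0}`) are all rejected at the controller boundary instead of being interpreted by the database.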
Page 4
Bugs! OmniAuth is full of bugs. The `state` parameter is meant to stop CSRF on the OAuth callback, but here it is chosen by whoever starts the flow:
`/auth/facebook?state=123`
`/auth/facebook/callback?state=123&code=mycode`
An attacker who starts the flow in the victim's browser with a known `state` can then send the victim to the callback with the attacker's own `code`, and the check passes.
Do not ever use Facebook Login for login: http://sakurity.com/reconnect
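The following is an added example, not OmniAuth's code or code from the talk. It models the callback CSRF check with a plain Hash standing in for the Rack session (assumption). `begin_login_flawed` reproduces the pattern the two URLs above exploit, honouring a `state` supplied by the initiating request; `begin_login_fixed` lets only the application choose it, and `oauth_callback` consumes it once and compares in constant time.

```ruby
require 'securerandom'

STATE_KEY = 'oauth.state'  # session key name is an assumption

# Flawed: a state from the initiating request is stored and later honoured,
# so an attacker who starts the flow in the victim's browser knows it.
def begin_login_flawed(session, params)
  state = params['state'] || SecureRandom.hex(24)
  session[STATE_KEY] = state
  state
end

# Fixed: the application, never the request, chooses the state.
def begin_login_fixed(session, _params = {})
  state = SecureRandom.hex(24)
  session[STATE_KEY] = state
  state
end

# Constant-time comparison so the check leaks nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Callback handling shared by both variants: the stored state is consumed
# (single use) and must match what the provider echoed back.
def oauth_callback(session, params)
  expected = session.delete(STATE_KEY)
  given = params['state']
  return [:error, 'no state in session'] unless expected.is_a?(String)
  return [:error, 'state missing or malformed'] unless given.is_a?(String)
  return [:error, 'state mismatch'] unless secure_compare(expected, given)
  return [:error, 'code missing'] unless params['code'].is_a?(String)
  [:ok, params['code']]   # only now is it safe to exchange the code for a token
end
```

Note that the callback logic is identical in both cases; the difference is solely who picked the value in the session, which is why a CSRF token that the request itself can set is no token at all.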
Page 5
Authenticate / authorize
"Who you are" vs "what you can do"
Sign Up = create a record. Sign In = use that record.
Page 6
Biometrics: real-world authentication vs remote authentication
Every part of the human body is static and observable: "the fingerprint is a username", not a secret. The only thing that is not observable is the password in our mind.
Page 7
>>P4$$word$<<
Not going away. All we have is "knowledge" (a form of possession), and the password is the best kind of possession. Every other private key or secret still depends on your password.
Security keys are useless: impossible to back up and expensive.
Page 8
>>P4$$word$<<
Now
Page 9
>>P4$$word$<<
Password managers are a monkey patch (1% penetration rate). Authentication must be built in and easy to use.
Page 10
Truefactor.io
Each attack on the left is stopped by the defence on the right ("<" reads "is beaten by"):
- Password reuse, bruteforce < Password managers
- CSRF < Time-based TOTP
- XSS, MitM, client-side bugs, external JS < Truefactor Web
- UXSS, MitB, malicious extensions < Truefactor Desktop
- Device compromise < Paired Truefactors
- Both devices compromised < Nobody
Page 11
Truefactor.io
Out-of-band transaction verification
Page 12
Truefactor.io
Page 13
Truefactor.io
Integration:

```ruby
# Sign-in controller: a user whose stored password field starts with
# "truefactor:" authenticates with two one-time codes (otp0, otp1) that the
# account's paired Truefactors must have signed for the "login" action.
user = User.find_by_email(params[:user][:email])
if user
  if user.encrypted_password.starts_with? "truefactor:"
    str = "truefactor:#{params[:otp0]}:#{params[:otp1]}"
    if user.valid_signatures?("login", str)
      sign_in User, user
      return redirect_to root_path
.....
```

Protect critical actions and responses:
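To make the out-of-band verification slide and the "protect critical actions" slide concrete, here is an added example of the general pattern; it is not Truefactor's protocol and not the talk's code. The signing scheme (RSA over a canonical JSON string), the `Device`/`Server` classes and the sample transaction are all assumptions. The device signs the transaction it displayed, not the one the browser submitted, so a man-in-the-browser that rewrites the recipient is seen and declined by the user; the server stores only public keys and single-use nonces, so a copy of its database yields no authenticator.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

DIGEST = 'SHA256'

# Canonical byte string both sides sign/verify: the nonce binds the signature
# to one server-issued challenge, action and details bind it to one transaction.
def canonical(nonce, action, details)
  JSON.generate([nonce, action, details])
end

# The user's second device (phone or desktop app). The private key never leaves it.
class Device
  attr_reader :public_pem

  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
    @public_pem = @key.public_key.to_pem
  end

  # Show the challenge to the user and sign it only if it is what the user
  # actually asked for. A browser-side (MitB) change to the amount or the
  # recipient therefore reaches the screen and is declined (returns nil).
  def confirm(challenge, user_intent:)
    shown = "#{challenge['action']} #{challenge['details']}"
    return nil unless shown == user_intent
    payload = canonical(challenge['nonce'], challenge['action'], challenge['details'])
    @key.sign(OpenSSL::Digest.new(DIGEST), payload).unpack1('H*')
  end
end

# The web application. Holds public keys and pending single-use challenges only.
class Server
  TTL = 60 # seconds a challenge stays valid (assumed policy)

  def initialize
    @pubkeys = {}
    @pending = {}
  end

  def enroll(user, public_pem)
    @pubkeys[user] = OpenSSL::PKey::RSA.new(public_pem)
  end

  # Called when the browser submits a critical action; the challenge is then
  # pushed to the device out of band (here simply returned to the caller).
  def challenge(user, action, details)
    nonce = SecureRandom.hex(16)
    @pending[nonce] = { 'user' => user, 'nonce' => nonce, 'action' => action,
                        'details' => details, 'expires' => Time.now + TTL }
    @pending[nonce].dup
  end

  # True only for a fresh, unexpired challenge signed by the enrolled key.
  def verify(nonce, signature_hex)
    c = @pending.delete(nonce) # consume first: a replay finds nothing
    return false if c.nil? || Time.now > c['expires']
    key = @pubkeys[c['user']] or return false
    payload = canonical(c['nonce'], c['action'], c['details'])
    key.verify(OpenSSL::Digest.new(DIGEST), [signature_hex.to_s].pack('H*'), payload)
  rescue OpenSSL::PKey::PKeyError
    false
  end
end
```

The same `challenge`/`confirm`/`verify` exchange works for login (action "login", no details) and for any sensitive response, which is what turns a second device into transaction verification rather than just a second password.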
Page 14
Truefactor.io
Zero-knowledge backup. The server knows *nothing* about you and your passwords.