In this talk, I will outline the best practices for building a secure user management and authentication platform for your products.
At the end of this talk, you’ll have the knowledge to implement (or fix) a stronger user authentication system for your startup or enterprise!
2. User Authentication for Winners!
Speaker: Karthik Gaekwad
Password: ************
Well played security guru; well played!
Remember this stuff when you code
@iteration1
Friday, October 25, 13
#UserAuth101
3. Howdy!
• I’m Karthik Gaekwad
• Senior Web Engineer
• Mentor Graphics Embedded
• From Austin, TX
• Spent the last 3 years writing/refining cloud based user auth systems
LASCON 2013
5. My agenda
• Developers and DevOps
  • Build better auth systems
• Security Pro’s
  • Give you developer insight, new ideas to attack auth systems
• Management
  • Give this ppt to your dev teams.
8. Common Perception
“Building a User Authentication system
is easy.
It’s just a username and password,
stored somewhere”
10. Designing Auth Systems
API: How your system is used
• Login/Logout
• Session Management (Remember Me etc)
• User Creation
• Password Reset
11. Designing Auth Systems
Workflows: Rules for how the system works
• Account Creation
• Password Reset
• Account Recovery
12. Designing Auth Systems
User Interface: What the end user will actually see
• Where users can create an account
• Login screens
• My Profile page
• End applications using the APIs
13. High Level Design
(Diagram: Email Web Services; API Web Services (Login/Logout); User Portal; App 1, App 2, App 3...; Data store(s))
16. Quick look @data
• email
• username
• first name
• last name
• password
• {id}
17. Quick look @data
Keep your auth data separate
• You don’t want to clutter your auth data
with ecommerce/address/whatever other
data
• Not rocket science.
• It’s called normalization
18. Breaking it down: API Web Services (Login/Logout)
19. Login Web Services (API Web Services: Login/Logout)
The Goal: Keep user credentials as safe as possible in transit
20. Login Web Services
Request (from App 1 to API Web Services (Login/Logout)): POST /login with encoded username:password
Response: HTTP 200/201 with session token, session id expiration, first name, last name
21. Login Web Services
Request (from App 1 to API Web Services (Login/Logout)): GET /login/(session token)
Response: HTTP 200/201 (success) with session token, session id expiration, first name, last name; HTTP 401 (failures)
22. Login Web Services
• Minimize sending username, passwords over the wire.
  • Harder to sniff if it’s rarely there
  • Don’t put this in the URL (server logs)
• Session tokens: Set an expiration time.
  • Client can re-login if necessary
24. “That’s great, but I can
brute force the endpoint”
--JoeHacker
25. Rate Limiting
• “Only x number of calls per minute to the
endpoint”
• Recommended for all login and session
token endpoints.
• Can be complicated to implement, but
worth it and reusable.
• http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
26. Note on Session Tokens
How I really feel about rand() and guid() functions... Yuck
Use something cryptographically secure
Keep them 128bit or greater
27. Login Hack #1
• Often, the end (web)application will store
the username and session token in a
cookie.
• Hack: Create 2 accounts, and login with
both and store the cookies. Trade the
session token of one account with the
other, and see if you can see other account
data...
28. Login Hack #1
• Developers have good intentions but....
29. Login Hack #2
• Verify that session tokens actually expire!
• Try using the same session token even after
you’ve hit “log out” in the application.
• cookies.clear() is easier than actually calling
the /logout endpoint to invalidate tokens.
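Added example (not code from the slides): a Python sketch of the login, token-validation and logout endpoints from slides 20-22, with the per-client rate limit from slide 25 and CSPRNG-generated tokens from slide 26, so that tokens expire and /logout really invalidates them as slide 29 asks. The user table, TTL, rate-limit numbers and client identifier are assumed values.

```python
import hmac
import secrets
import time

# Constructed demo credential store: username -> password, kept in clear
# text only to keep this example short (see the password-storage example).
USERS = {"alice": "correct horse battery staple"}

SESSION_TTL = 15 * 60   # assumed session lifetime in seconds
RATE_LIMIT = 5          # assumed max login calls per window per client
RATE_WINDOW = 60        # window length in seconds

_sessions = {}          # token -> {"user": ..., "expires": ...}
_attempts = {}          # client id (e.g. source IP) -> attempt timestamps

def _allowed(client, now):
    """Sliding-window rate limit: at most RATE_LIMIT calls per RATE_WINDOW."""
    recent = [t for t in _attempts.get(client, []) if now - t < RATE_WINDOW]
    _attempts[client] = recent + [now]
    return len(recent) < RATE_LIMIT

def login(client, username, password, now=None):
    """POST /login: credentials travel in the request body, never in the URL.
    Returns (status, body); the body carries the token and its expiry."""
    now = time.time() if now is None else now
    if not _allowed(client, now):
        return 429, {"error": "rate limited"}
    expected = USERS.get(username)
    # compare_digest avoids leaking how close a wrong password was via timing
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, {"error": "bad credentials"}
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not rand()
    expires = now + SESSION_TTL
    _sessions[token] = {"user": username, "expires": expires}
    return 200, {"session_token": token, "expires": expires}

def validate(token, now=None):
    """GET /login/<token>: 200 while the token is live, 401 once it has expired."""
    now = time.time() if now is None else now
    s = _sessions.get(token)
    if s is None or now >= s["expires"]:
        _sessions.pop(token, None)   # drop the stale entry on first sight
        return 401, None
    return 200, s["user"]

def logout(token):
    """POST /logout: invalidate server-side; cookies.clear() alone is not enough."""
    return 200 if _sessions.pop(token, None) else 401
```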
32. "We try to solve very
complicated problems
without letting people
know how complicated
the problem was. That's
the appropriate thing."
33. --Usability Jack and Jill
34. “Remembering passwords is a pain.
Let’s make our system have a
minimum 4 letter passwords because
it’s more usable.”
--Usability Jack and Jill
35. Security + Usability
• The days of the 4 character password are over.
• UX team interactions:
  • 8+ characters is accepted now
  • Show by example
  • Use “sentences” versus “words” for passwords
(Book shown: Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor)
36. Account Creation
• Typically : accept user data, provision
account...
37. Account Creation
• Sanitize inputs for XSS.
• If you are asking for user email, validate
email actually belongs to the user.
• May have multiple data stores in play here.
38. Account Creation
• Case Sensitivity...
• Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on.
• Hack: Use foreign characters to sniff if the datastore is older (LDAP v2)
40. Storing Passwords
“I'm gonna pop some tags
Only got clear text passwords in my db
I - I - I'm hunting, looking for a reason
to get f*** fired.”
-The Macklemore stance
41. Storing Passwords
Please don’t go “thrift shop”
your password storage
42. Storing Passwords
• Store only hashed passwords
• Use a unique, per user salt.
• Use bcrypt/scrypt to generate your hash
43. “That’s great, but I’ll
just figure out your
Cloud DB credentials”
--JoeHacker
44. Storing Passwords
A technique that I like..
• Break up your data into different stores
  • Store the password hash in data store #1
  • Store the salt used to compute the hash in data store #2
  • Store the # of hash iterations in data store #3 (application config?)
• Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka 'keyed hash') using an application-private MAC key.
• http://www.stormpath.com/blog/strong-passwordhashing-part-2 Thanks @Stormpath
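Added example (not the slides' or Stormpath's code): the split-store scheme from slides 42 and 44 in Python, with scrypt over a per-user salt, the work-factor parameters held in application config, and store #1 holding an HMAC of the derived key under an application-private key rather than the hash itself. The three dictionaries stand in for separate data stores and the scrypt parameters are assumed values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the three stores on the slide; in production each
# would live in a different database/config with its own credentials.
STORE_1 = {}   # user id -> MAC over the derived key (never the hash itself)
STORE_2 = {}   # user id -> per-user salt
APP_CONFIG = {"scrypt": {"n": 2 ** 14, "r": 8, "p": 1}}   # store #3: work factor
MAC_KEY = secrets.token_bytes(32)   # application-private key, kept out of the DBs

def _derive(password, salt, params):
    """scrypt with the per-user salt; cost parameters come from app config."""
    return hashlib.scrypt(password.encode(), salt=salt, dklen=32,
                          n=params["n"], r=params["r"], p=params["p"])

def _mac(derived):
    """Keyed hash over the derived key: a copy of STORE_1 is useless without MAC_KEY."""
    return hmac.new(MAC_KEY, derived, hashlib.sha256).digest()

def set_password(user_id, password):
    """Write a fresh salt to store #2 and the MAC of the derived key to store #1."""
    salt = secrets.token_bytes(16)          # unique per user, from the CSPRNG
    STORE_2[user_id] = salt
    STORE_1[user_id] = _mac(_derive(password, salt, APP_CONFIG["scrypt"]))

def check_password(user_id, password):
    """True only if all three stores plus MAC_KEY agree with the candidate."""
    salt = STORE_2.get(user_id)
    stored = STORE_1.get(user_id)
    if salt is None or stored is None:
        return False
    candidate = _mac(_derive(password, salt, APP_CONFIG["scrypt"]))
    return hmac.compare_digest(candidate, stored)   # constant-time comparison
```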
46. Reset or Restore?
• I prefer Password Reset.
• “Personal challenge questions” aren’t so
personal anymore with Facebook and
Twitter.
• Make sure Password Reset tokens are one
use only and expire “super fast”
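Added example (not from the slides): password reset tokens that are single use and expire quickly, as the slide asks, in Python. Only a hash of the token is kept server-side so a leaked table cannot be replayed as live reset links; that hardening and the ten-minute lifetime are assumptions added here.

```python
import hashlib
import secrets
import time

RESET_TTL = 10 * 60   # "super fast": ten minutes, an assumed value

# token fingerprint -> {"user": ..., "expires": ...}; the raw token only ever
# exists in the email that is sent to the user.
_reset_tokens = {}

def _fingerprint(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset(user_id, now=None):
    """Create a reset token for the user; returns the token to put in the email.
    Issuing a new token invalidates any older one for the same user."""
    now = time.time() if now is None else now
    for key, rec in list(_reset_tokens.items()):
        if rec["user"] == user_id:
            del _reset_tokens[key]
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _reset_tokens[_fingerprint(token)] = {"user": user_id, "expires": now + RESET_TTL}
    return token

def redeem_reset(token, now=None):
    """Return the user id if the token is live; the token is consumed either way."""
    now = time.time() if now is None else now
    rec = _reset_tokens.pop(_fingerprint(token), None)   # pop => one use only
    if rec is None or now >= rec["expires"]:
        return None
    return rec["user"]
```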
48. Account Creation Workflow
Get User Credentials and Password → Validate Email → Allow Login. Winner!
• http://www.stormpath.com/blog/how-weincreased-new-user-registration-27 Thanks @chunsaker
• Data to support that more users convert to creating accounts this way.
49. Final Thoughts
• AKA I have to present in a few hours, but I
have no time to worry about flow..
#FreeStyling
50. Final Thoughts
• If you have many apps with login screens/
create account screens- keep these
consistent.
• Users lose trust if login screens are
different across apps by same company
51. Final Thoughts
• If you’re a Java shop, check out the Apache Shiro Framework; it’s made for the authentication use case.
• SaaS version: Stormpath
52. Final Thoughts
• 2 factor auth
• Definitely strengthens the security.
• Usability verdict is still out.
• Challenging to implement, but a good
idea.
53. Final Thoughts
• Login dashboards in “My Profile” with last login information, geo location and timestamp are becoming more popular.
• You have all this data anyways, so why not
show it?
54. PSA on OAuth
“Why does this random
website need read and write
OAuth access to my twitter /
facebook account?”
55. Thank You for
your time!
Lunch?