Secure All Teh Things - Add 2 factor authentication to your own CFML projects

•

1 j'aime•329 vues

Delivered at CFCamp 2018 in Munich Germany. Security is getting more and more important. A 2-factor authentication will help you securing your logins. In this Session Rob shows you how to implement a 2-factor authentication for your own website. Learn about the different protocols FIDO U2F, Yubico OTP, Challenge-Response, etc. See how you can use your personal YubiKey for your own website.

Technologie

Secure All Teh Things!
Add 2 factor authentication to your own projects

Who is this dude?
• @robdudley

• CTO

• Software Developer

• Co-host of the  
Localhost.fm Podcast

• Keeps the scores in
CodeMasters!

We secure by
Hiding things

Making them hard to
access

Making them dangerous
to access

How do we secure computers?
• We didn’t

• Usernames

• Usernames & passwords 
(secrets)

• More complex
passwords?

2018 Cost of Data Breach Study, Ponemon Institute Research Report
2017 Data Breach Investigations Report 10th Edition, Verizon
“A single corporate security breach costs an
average of $3.86M , and 81% of breaches
are caused by stolen or weak passwords. ”
Still not secure enough!

Something you know

Something you have

Something you are

PIN or Code
Common!

Memorable

Surely just another
password?

Biometrics
Handy (heh)

You can’t change your
ﬁnger print …

Or your DNA!

• Founded in 2007

• Leading contributor to

• FIDO U2F

• FIDO2

• Member of FIDO Alliance,
IDESG, OpenID & W3C

YubiKey
• 5 Versions

• Neo (with NFC)

• USB-A USB-C variants

• FIDO

• Multi function device

ccccccinrbeglgchferbjblkudbjtebkblggbvfdvjfg
ccccccinrbeglteudtkkccjvkjcfghbtjccbnhhkttlg
ccccccinrbegeubvhflrtecrhbkcknkfuibtilcbbifu
ccccccinrbegfdbghkgvkrvdhukdefubeigkrjrttdfh
ccccccinrbegtvgnjlfvhbituujfujutgduvdgcelcuv
Sample OTPs from a YubiKey

What doesn’t this do?
• No ID veriﬁcation

• No MITM protection!

• Doesn’t make tea, or coﬀee
What does this do?
• Types really fast

• Veriﬁes the OTP against the
private key

• Replay protection

• Makes you look cool

Why do we need WebAuthN?
• More than just YubiKeys

• Fingerprint

• Face Unlock

• Others?
• End to end assurance
through key exchange /
signing

• W3C standard(s)

• Common device support

Slightly less tedious switch to demo…
please hold

Implementation
Need to think about:

• Key issuance

• Lost / stolen key revocation

• Replacement key process

• Backup codes

YubiKey 4 also does…
• PGP Key storage for use in signing / encryption

• Challenge Response HMAC for use with PAM

• Static password output for use with … long
passwords

Resources
Yubico Dev Portal
https://developers.yubico.com/
Expanding YubiKey Keyboard Support (for AZERTY / Non QWERTY)
https://www.yubico.com/2013/07/yubikey-keyboard-layouts/
WebAuthN on MDN
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
Updated version of the YubiKey OTP CFC (ColdBox compatible)
https://github.com/akitogo/cbYubikey

Contenu connexe

Similaire à Secure All Teh Things - Add 2 factor authentication to your own CFML projects

Chat bots been have popping up everywhere for silly things, but what if they can help us make the world more safe and secure? The work of designing secure systems often involves iterating over designs with a team but what if you don’t have a team? What if you could iterate over system design and analysis in a chat window and have a design document with safety constraints as the end product? This talk will present an original chat bot that will do just that

Safety Bot Guaranteed -- Shmoocon 2017

Richard Seymour

Passwords, Passwords and more Passwords

clcewing

Blockchain: professionalità, cultura e change management - Riccardo Spinelli ...

Riccardo Spinelli

Smart Locks - too clever by half

lokori

Zigi gseuk - open source conference 2019 presentation v1.0

Henri Kuiper

Securing Underprotected APIs - Deja vu Security

Deja vu Security

It has been estimated that the global earnings of Cyber Criminals will equal or exceed the GDP of the UK sometime in the 2022/23 window. If this was the capability of a country they would be joining the G8! Clearly, we are losing the Cyber War hands down, and the time has long passed when we might ignore the threat scenarios surrounding us. In this lecture we examine global networks from home and office through the ‘last mile,’ and on to national and international networks to identify the key vulnerabilities and points of potential ingress. We identify the cyber risks as escalating as we approach the periphery of all forms of network. For the most part, the core/carrier networks are virtually unassailable physically as they are dominated by terrestrial and undersea optical fibre cables. Throughout the ‘carrier’ network levels the difficulty of physical interception, encryption, routing, and path diversity employed renders them secure in the extreme. Attackers, therefore, tend to focus on the exploitation of people, devices, services, home, and office appliances, and latterly, a poorly engineered IoT. In reality, we are expanding the attack surface of the planet exponentially without due caution or care in the most exposed sectors and locations. And so, we explore potential tech and operational solutions for the future. NOTE: This lecture is one of a series that has examined technology design and deployment, devices and the IoT, people fallibility, deviousness, internal and external threats. In class; RED and BLUE Team Exercises have also been conducted in support of the complete Cyber Security Package to date.

Cyber Security in a Fully Mobile World

University of Hertfordshire

We are in the middle of the decades-long game of having the finalist candidates chosen for the legitimate successors not just to the decades-old character passwords but to the centuries or millennia-old seals and signatures, which will make the basic foundation for the real/cyber-fused society that may well last for more than generations or even centuries for the whole global population. With billions of people suffering the same big headache, the problem to be addressed by our solution is huge, Substantial revenues will be expected for the business of providing the most practicable solution. Please join us and support us for this nice exciting enterprise.

Business Dimension of Expanded Password System

Hitoshi Kokumai

As technology evolved, software security faced huge challenges and as the years passed, the world has seen drastic changes far too quickly. And along with these advancements, even black-hat hackers or malicious hackers have evolved also very well. Today, the internet is the place for everyone where hackers dwell almost all the time. Every day new applications are released to the web and users start using them and even get addicted to them due to outstanding UX. But, wait! Did someone think about the "security" layer of these applications? Well, we often don’t and most of the applications today suffer from "beggarly / bad security". In this talk, Santhosh Tuppad will focus on the pitfalls of bad security and why software security has failed in a pretty way. He will also shed light on how your users may be facing bigger problems than you can imagine due to bad software that lacks security testing. He will also demonstrate some of the lethal problems that exist in the industry and will talk about technical impact, business impacts like reputation damage, revenue loss and a lot more. Not only that, Santhosh won’t end his talk without some hacking demonstrations that will for sure wow you. Finally, he will tell you how you can start security testing from day 1 and start contributing in terms of building secure software. From this talk, you will gain an understanding about the problems that a lack of security testing presents and you find out about tool-assisted security testing; performing security tests through questioning. After the talk, you will be able to start identifying risks and report comm.on vulnerabilities giving you a feeling of “I can do this”

ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...

Santhosh Tuppad

Web3 + scams = It's a match

Zoltan Balazs

Two-factor authentication (2FA) is the most straightforward way for companies to drastically improve the security of their user authentication process. However, not all 2FA implementations are created equal. Thinking of quickly throwing together a workflow using SMS and calling it a day? Think again! Though popular, 2FA via SMS has many security issues and was actually deprecated by NIST in 2017. In this presentation, I dive into the technical details of the most common 2FA implementations and highlight security and usability trade-offs. You will learn how to develop a 2FA implementation strategy that will best serve your users.

Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...

ConorGilsenan1

So long as the biometrics is backed up by a fallback password, irrespective of which are more accurate than the others, its security is lower than that of a password-only authentication. Then, we have to wonder why and how the biometrics has been touted as a security-enhancing tool for so long, with so many security professionals being silent about the fact. It appears that we may have got some clues to this conundrum.

Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...

Hitoshi Kokumai

Basic Security for Digital Companies - #MarketersUnbound (2014)

Justin Bull

Ha(Attackers) Exposed

Eugene Tawiah

Cyber Threats and Data Privacy in a Digital World

qubanewmedia

Security everywhere digital signature and digital fingerprint v1 (personal)

Paul Yang

DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEE

Felipe Prado

Data Privacy for Activists

Greg Stromire

In this presentation from his webinar, IoT Security Expert Rob Black, CISSP, Founder and Managing Principal of Fractional CISO, discusses the common thread of many of today's cyberattacks. Key themes covered include: - Post-mortem analysis of recent cybersecurity attacks and how you could mitigate against similar threats - Evaluation of password breakdowns in protecting your organization - Review of a high level threat model of privileged accounts - How Privilege Access Management can significantly reduce your attack surface and improve your cybersecurity posture

Crush Common Cybersecurity Threats with Privilege Access Management

BeyondTrust

Pre-Quiz Symantec Endpoint Encryption

Matt Dawdy

Similaire à Secure All Teh Things - Add 2 factor authentication to your own CFML projects (20)

Safety Bot Guaranteed -- Shmoocon 2017

Passwords, Passwords and more Passwords

Blockchain: professionalità, cultura e change management - Riccardo Spinelli ...

Smart Locks - too clever by half

Zigi gseuk - open source conference 2019 presentation v1.0

Securing Underprotected APIs - Deja vu Security

Cyber Security in a Fully Mobile World

Business Dimension of Expanded Password System

ExpoQA 2018 - Why software security has gotten worse? And what can we do abou...

Web3 + scams = It's a match

Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...

Clues to Unravelling Conundrums - Biometrics deployed 'in parallel' as again...

Basic Security for Digital Companies - #MarketersUnbound (2014)

Ha(Attackers) Exposed

Cyber Threats and Data Privacy in a Digital World

Security everywhere digital signature and digital fingerprint v1 (personal)

DEFCON 23 - Li Jun Yang Ging - I’M A NEWBIE YET I CAN HACK ZIGBEE

Data Privacy for Activists

Crush Common Cybersecurity Threats with Privilege Access Management

Pre-Quiz Symantec Endpoint Encryption

Dernier

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Dernier (20)

Partners Life - Insurer Innovation Award 2024

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Tech Trends Report 2024 Future Today Institute.pdf

GenCyber Cyber Security Day Presentation

Data Cloud, More than a CDP by Matt Robison

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

A Year of the Servo Reboot: Where Are We Now?

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Exploring the Future Potential of AI-Enabled Smartphone Processors

How to Troubleshoot Apps for the Modern Connected Worker

Automating Google Workspace (GWS) & more with Apps Script

Apidays New York 2024 - The value of a flexible API Management solution for O...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

What Are The Drone Anti-jamming Systems Technology?

Handwritten Text Recognition for manuscripts and early printed texts

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

HTML Injection Attacks: Impact and Mitigation Strategies

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Secure All Teh Things - Add 2 factor authentication to your own CFML projects

1. Secure All Teh Things! Add 2 factor authentication to your own projects

2. Who is this dude? • @robdudley • CTO • Software Developer • Co-host of the   Localhost.fm Podcast • Keeps the scores in CodeMasters!

3. What are we talking about?

4. A quick look at security

5. We secure by Hiding things Making them hard to access Making them dangerous to access

6. How do we secure computers? • We didn’t • Usernames • Usernames & passwords  (secrets) • More complex passwords?

7. 2018 Cost of Data Breach Study, Ponemon Institute Research Report 2017 Data Breach Investigations Report 10th Edition, Verizon “A single corporate security breach costs an average of $3.86M , and 81% of breaches are caused by stolen or weak passwords. ” Still not secure enough!

8. What is secure?

9. Something you know Something you have Something you are

10. Combine these into…

11. Multi-factor Security!

12. Common Types of MFA

13. PIN or Code Common! Memorable Surely just another password?

14. SMS Easy Slow DO NOT USE!

15.

16. TOTP Open Common Still requires phone

17. Physical Tokens Many and varied

18. Biometrics Handy (heh) You can’t change your ﬁnger print … Or your DNA!

19. Enter

20. • Founded in 2007 • Leading contributor to • FIDO U2F • FIDO2 • Member of FIDO Alliance, IDESG, OpenID & W3C

21. YubiKey • 5 Versions • Neo (with NFC) • USB-A USB-C variants • FIDO • Multi function device

22. Demo # 1 Yubikey OTP

23. OTP? WTF?

24. ccccccinrbeglgchferbjblkudbjtebkblggbvfdvjfg ccccccinrbeglteudtkkccjvkjcfghbtjccbnhhkttlg ccccccinrbegeubvhflrtecrhbkcknkfuibtilcbbifu ccccccinrbegfdbghkgvkrvdhukdefubeigkrjrttdfh ccccccinrbegtvgnjlfvhbituujfujutgduvdgcelcuv Sample OTPs from a YubiKey

25. ccccccinrbeglgchferbjblkudbjtebkblggbvfdvjfg ccccccinrbeglteudtkkccjvkjcfghbtjccbnhhkttlg ccccccinrbegeubvhflrtecrhbkcknkfuibtilcbbifu ccccccinrbegfdbghkgvkrvdhukdefubeigkrjrttdfh ccccccinrbegtvgnjlfvhbituujfujutgduvdgcelcuv Key ID and

26.

27. OLD CODE ALERT!!!

28.

29. Tedious switch to code… please hold

30. What doesn’t this do? • No ID verification • No MITM protection! • Doesn’t make tea, or coffee What does this do? • Types really fast • Verifies the OTP against the private key • Replay protection • Makes you look cool

31. https://developers.yubico.com/OTP/

32. Demo # 2 FIDO U2F

33. Demo # 2 FIDO U2F WebAuthN

34.

35. Why do we need WebAuthN? • More than just YubiKeys • Fingerprint • Face Unlock • Others? • End to end assurance through key exchange / signing • W3C standard(s) • Common device support

36. How does it work?

37. Basic FIDO2 registration sequence

38. Basic FIDO2 authentication sequence

39. Slightly less tedious switch to demo… please hold

40.

41. Browser Support

42. Implementation Need to think about: • Key issuance • Lost / stolen key revocation • Replacement key process • Backup codes

43. Wait! There’s more…

44. YubiKey Manager

45. YubiKey Personalization Tool

46. YubiKey 4 also does… • PGP Key storage for use in signing / encryption • Challenge Response HMAC for use with PAM • Static password output for use with … long passwords

47. Resources Yubico Dev Portal https://developers.yubico.com/ Expanding YubiKey Keyboard Support (for AZERTY / Non QWERTY) https://www.yubico.com/2013/07/yubikey-keyboard-layouts/ WebAuthN on MDN https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API Updated version of the YubiKey OTP CFC (ColdBox compatible) https://github.com/akitogo/cbYubikey

Secure All Teh Things - Add 2 factor authentication to your own CFML projects

Recommandé

Recommandé

Contenu connexe

Similaire à Secure All Teh Things - Add 2 factor authentication to your own CFML projects

Similaire à Secure All Teh Things - Add 2 factor authentication to your own CFML projects (20)

Dernier

Dernier (20)

Secure All Teh Things - Add 2 factor authentication to your own CFML projects