Delivered at CFCamp 2018 in Munich Germany.
Security is getting more and more important. Two-factor authentication will help you secure your logins.
In this session Rob shows you how to implement two-factor authentication for your own website. Learn about the different protocols: FIDO U2F, Yubico OTP, Challenge-Response, etc.
See how you can use your personal YubiKey for your own website.
5. We secure by
• Hiding things
• Making them hard to access
• Making them dangerous to access
6. How do we secure computers?
• We didn’t
• Usernames
• Usernames & passwords (secrets)
• More complex passwords?
7. 2018 Cost of Data Breach Study, Ponemon Institute Research Report
2017 Data Breach Investigations Report 10th Edition, Verizon
“A single corporate security breach costs an average of $3.86M, and 81% of breaches are caused by stolen or weak passwords.”
Still not secure enough!
30. What doesn’t this do?
• No ID verification
• No MITM protection!
• Doesn’t make tea, or coffee
What does this do?
• Types really fast
• Verifies the OTP against the private key
• Replay protection
• Makes you look cool
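The two properties on this slide that matter for security, the OTP being checked against the key's secret and the replay protection, live on the validating side. The following is an added example (not code from the talk or from cbYubikey) of what a Yubico OTP validator does with the 44-character string the key types: it ModHex-decodes the 12-character public ID, checks the CRC-16 of the decrypted 16-byte token, and rejects any OTP whose (session, use) counters are not strictly newer than the last accepted one. The AES-128 decryption of the ciphertext half with the key's secret is assumed to have happened already; the public ID, private uid and counter values are constructed test data, not a real device. The comments also make the slide's "no MITM protection" point concrete: an OTP intercepted and not yet submitted stays valid until the key emits a newer one.

```python
"""Yubico OTP on the validating side: ModHex decoding, CRC-16 integrity check of
the decrypted token, and counter-based replay detection. Added example; the AES
decryption step that a real validator performs with the key's secret is assumed
to have run already, so everything below works on the decrypted 16-byte token."""
from __future__ import annotations

import struct

MODHEX = "cbdefghijklnrtuv"   # ModHex alphabet: same physical keys on QWERTY/AZERTY/QWERTZ
CRC_OK_RESIDUE = 0xF0B8       # crc16 over a token whose trailing CRC is intact
PUBLIC_ID_CHARS = 12          # first 12 of the 44 OTP characters identify the key


def modhex_decode(text: str) -> bytes:
    """Decode ModHex (two characters per byte)."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a ModHex string")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


def split_otp(otp: str) -> tuple[bytes, bytes]:
    """Split a 44-character OTP into (6-byte public ID, 16-byte AES ciphertext)."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 ModHex characters")
    return modhex_decode(otp[:PUBLIC_ID_CHARS]), modhex_decode(otp[PUBLIC_ID_CHARS:])


def crc16(data: bytes) -> int:
    """CRC-16, reflected polynomial 0x8408, initial value 0xFFFF (as in the YubiKey firmware)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            low_bit = crc & 1
            crc >>= 1
            if low_bit:
                crc ^= 0x8408
    return crc


def parse_token(plaintext: bytes) -> dict:
    """Check the CRC and unpack the decrypted token.

    Layout: uid[6] | session counter u16 LE | timestamp low u16 LE |
            timestamp high u8 | use counter u8 | random u16 | crc u16 LE
    Decrypting with the wrong AES key, or a corrupted OTP, gives garbage whose CRC fails.
    """
    if len(plaintext) != 16 or crc16(plaintext) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong key or corrupted OTP")
    uid, session, ts_low, ts_high, use, _rnd, _crc = struct.unpack("<6sHHBBHH", plaintext)
    return {"uid": uid, "session": session & 0x7FFF,   # top bit of the session counter is a flag
            "use": use, "timestamp": (ts_high << 16) | ts_low}


def build_token(uid: bytes, session: int, use: int, timestamp: int = 0, rnd: int = 0) -> bytes:
    """Assemble a plaintext token with a valid CRC (constructed test data standing in for the key)."""
    body = struct.pack("<6sHHBBH", uid, session, timestamp & 0xFFFF, (timestamp >> 16) & 0xFF, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


class OtpValidator:
    """Remembers the last accepted (session, use) counters per public ID."""

    def __init__(self, registered: dict[bytes, bytes]):
        self.registered = registered          # public ID -> private uid expected inside the token
        self.last_seen: dict[bytes, tuple[int, int]] = {}

    def validate(self, public_id: bytes, plaintext: bytes) -> str:
        expected_uid = self.registered.get(public_id)
        if expected_uid is None:
            return "UNKNOWN_KEY"
        try:
            fields = parse_token(plaintext)
        except ValueError:
            return "BAD_OTP"
        if fields["uid"] != expected_uid:
            return "BAD_OTP"
        counters = (fields["session"], fields["use"])
        # Counters only move forward on the device, so anything not strictly newer
        # than the last accepted OTP is a replay. An intercepted OTP that was never
        # submitted stays valid until the key emits a newer one: replay protection
        # is not MITM protection.
        if counters <= self.last_seen.get(public_id, (-1, -1)):
            return "REPLAYED_OTP"
        self.last_seen[public_id] = counters
        return "OK"


def demo() -> list[str]:
    """Fresh OTP, the same OTP again, a newer one, one from an older session, a tampered one."""
    public_id = modhex_decode("cccccccccccc")        # hypothetical public ID, not a real device
    uid = bytes.fromhex("0102030405ff")               # constructed private identity
    validator = OtpValidator({public_id: uid})
    first = build_token(uid, session=5, use=2, timestamp=0x123456, rnd=0xBEEF)
    tampered = bytearray(first)
    tampered[0] ^= 0x01                               # one flipped bit breaks the CRC
    return [
        validator.validate(public_id, first),                      # OK
        validator.validate(public_id, first),                      # REPLAYED_OTP
        validator.validate(public_id, build_token(uid, 5, 3)),     # OK: same session, next use
        validator.validate(public_id, build_token(uid, 4, 200)),   # REPLAYED_OTP: older session
        validator.validate(public_id, bytes(tampered)),            # BAD_OTP
    ]


if __name__ == "__main__":
    print(demo())
```

The counter comparison is the whole of the replay defence, so the last accepted counters must be stored persistently and per key; if the store is reset, every OTP the key has ever emitted becomes valid again.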
35. Why do we need WebAuthN?
• More than just YubiKeys
  • Fingerprint
  • Face Unlock
  • Others?
• End to end assurance through key exchange / signing
• W3C standard(s)
• Common device support
46. YubiKey 4 also does…
• PGP Key storage for use in signing / encryption
• Challenge Response HMAC for use with PAM
• Static password output for use with … long passwords
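The challenge-response HMAC item above is the one mode on this slide that a login module can verify locally without any Yubico service. The following is an added example (not code from the talk or from pam_yubico) that simulates both sides in one process: the key's side is HMAC-SHA1 over the challenge with the secret programmed into its slot, and the host's side issues a fresh random challenge per attempt, consumes it on the first answer so a captured response cannot be replayed, and compares in constant time. It assumes, as a simplification, that the host stores the key's HMAC secret; the user name and the 20-byte secret are constructed values.

```python
"""HMAC-SHA1 challenge-response between a login host and a key, both simulated.
Added example; the host-side storage of the key's secret is a simplification."""
import hashlib
import hmac
import secrets


def device_response(secret: bytes, challenge: bytes) -> bytes:
    """What the key computes in its challenge-response slot: HMAC-SHA1(secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


class ChallengeResponseHost:
    """Host side: one outstanding challenge per user, consumed on first use."""

    def __init__(self):
        self.secrets = {}   # user -> HMAC secret programmed into that user's key
        self.pending = {}   # user -> challenge issued and not yet answered

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def issue_challenge(self, user: str) -> bytes:
        if user not in self.secrets:
            raise KeyError("unknown user")
        challenge = secrets.token_bytes(32)   # fresh random nonce per login attempt
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        # Remove the challenge whether or not the answer is right: a second answer
        # to the same challenge (a replayed capture) finds nothing to match.
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        expected = device_response(self.secrets[user], challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> dict:
    """Valid answer, replayed answer, answer from a different key, answer to a stale challenge."""
    key_secret = secrets.token_bytes(20)   # constructed: what would be programmed into the slot
    host = ChallengeResponseHost()
    host.enroll("alice", key_secret)

    chal = host.issue_challenge("alice")
    resp = device_response(key_secret, chal)
    first = host.verify("alice", resp)              # True
    replay = host.verify("alice", resp)             # False: challenge already consumed

    chal2 = host.issue_challenge("alice")
    other_key = secrets.token_bytes(20)             # constructed: a key with a different secret
    wrong_key = host.verify("alice", device_response(other_key, chal2))   # False

    host.issue_challenge("alice")
    stale = host.verify("alice", device_response(key_secret, chal))      # False: old challenge
    return {"first": first, "replay": replay, "wrong_key": wrong_key, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Because the host never sees the secret leave the key once it is programmed, an attacker who copies the host's challenge store alone gains nothing; under the simplification used here (secret stored on the host) that store is as sensitive as a password database and must be protected accordingly.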
47. Resources
Yubico Dev Portal
https://developers.yubico.com/
Expanding YubiKey Keyboard Support (for AZERTY / Non QWERTY)
https://www.yubico.com/2013/07/yubikey-keyboard-layouts/
WebAuthN on MDN
https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
Updated version of the YubiKey OTP CFC (ColdBox compatible)
https://github.com/akitogo/cbYubikey