Two-factor authentication

Presentation transcript:

Two-factor authentication Ian Durkacz Development Meeting, 3rd December 2014

Review
- Want two-factor authentication – and propose to do so using Yubikeys.
- Reminder: what is a Yubikey, and how does it work?
- We have a working implementation of two-factor authentication for ssh using Yubikey.
- Idea now is to get similar authentication working for Cosign-protected websites.

Cosign
- Cosign documentation is scattered ...
- Local cosign mods are also not very well-documented ...
- It turns out that, since v2, Cosign has had (some) support for multi-factor authentication.

Cosign 'factors' (1)
- Cosign “factor” = “authentication type”.
- “factor” is an overloaded term which means:
  - an arbitrary string which is returned by an external authenticator on success;
  - the external authenticator itself.
- But there are also “Legacy factors”: e.g. if Kerberos is used to authenticate the account, the “factor” is set to the Kerberos realm used.
- Enforced per client by the Apache filter directive CosignRequireFactor. Can have 'and' and 'or' combinations.
- In our case, this is typically null – but sometimes we declare CosignRequireFactor INF.ED.AC.UK in order to exclude iFriend users.
- Note: a null CosignRequireFactor means that authentication against any available factor is deemed sufficient. We need to be careful ...
- Relevant doc: “Cosign Multi-Factor Specification, 20 March 2006, Draft 6”

Cosign 'factors' (2)
- External authenticator(s) declared in /etc/cosign.conf:
  factor <pathname> [-2] <formfield1> <formfield2> …
- Will be invoked if (and only if) all listed form-fields contain posted data.
- If authentication is successful: writes the factor name on stdout; exits with 0.
- Otherwise: writes an error message on stdout; exits with 1.

Yubikey cosign factor
- Could write this from scratch according to the protocol above ...
- … however: we already have a Yubikey PAM module – and it turns out that a Universal Cosign PAM factor adaptor is available. So we can use that to get started.
- Finally takes the form:
  factor /usr/local/cosign/otp login passcode
  where otp is symlinked to the Universal adaptor, and a new 'otp' PAM service using the Yubikey PAM has been declared.

Demo
- Uses: Cosign-supplied HTML templates; Yubikey in standard configuration, authenticating against the Yubico 'cloud' service.
- Target service configured as: CosignRequireFactor INF.ED.AC.UK otp

General Cosign observations
- Our current Cosign HTML is a little ugly. We need to change it to allow the use of one-time passwords; perhaps it ought to be completely reviewed? (IS's EASE layout seems cleaner, for example. Do we want to include JavaScript at all? Etc.)
- Are we sure that we're handling iFriends correctly? Are we permitting them access to only what we want? How do we check and/or audit?
- The various 'Require's in the Apache config seem a little confusing ...

Specific two-factor questions (1)
- The design of Cosign means that the OTP input field will be visible to all users (modulo some JavaScript magic). That's a bit messy: are we happy with it?
- Whether or not the OTP field is relevant for any particular target website depends entirely on the configuration of that target. So: what site can we / should we use for a COs 'test' site?

Specific two-factor questions (2)
- Cosign does not (currently) allow configurable auth/auth options per user. So how do we handle an 'opt-in' two-factor auth system?
- How do we handle the specific use case(s) we have? What are they? (Comment: Yubikeys probably wouldn't be affordable for a site-wide roll-out.)
- One suggestion: we could 'wrap' our OTP factor with a test which returns 'success' if a user has not opted in. A hack – but should work …
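As an added example (not part of the slides, and not the Universal Cosign PAM adaptor's own code), a POSIX sh wrapper that follows the factor protocol from the 'Cosign factors (2)' slide and implements the opt-in 'wrap' suggested here. It assumes Cosign hands the two posted fields (login, passcode) to the factor program as its arguments in the order given on the factor line; the opt-in file path and the real-factor path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: an opt-in wrapper implementing the Cosign
# factor protocol. Assumptions: Cosign passes the posted form fields (login,
# passcode) to the factor program as $1 and $2 in the order they appear on the
# "factor" line; OPTIN_FILE and REAL_FACTOR are hypothetical placeholders.
FACTOR_NAME="otp"
OPTIN_FILE="${OPTIN_FILE:-/etc/cosign/otp-optin}"         # hypothetical: one login per line
REAL_FACTOR="${REAL_FACTOR:-/usr/local/cosign/otp.real}"   # hypothetical: the Universal PAM adaptor

# user_opted_in LOGIN: succeeds if LOGIN appears as a whole line in OPTIN_FILE.
user_opted_in() {
    [ -r "$OPTIN_FILE" ] && grep -qxF -e "$1" "$OPTIN_FILE"
}

# otp_factor LOGIN PASSCODE: factor protocol (success: factor name on stdout,
# exit 0; failure: error message on stdout, exit 1).
otp_factor() {
    login=$1
    passcode=$2
    # Reject logins that are empty or contain anything but usual account characters.
    case $login in
        ''|*[!A-Za-z0-9._-]*) echo "otp: invalid login"; return 1 ;;
    esac
    if ! user_opted_in "$login"; then
        # The 'hack' from the slide: a user who has not opted in is passed
        # without a passcode check, so "CosignRequireFactor ... otp" still succeeds.
        echo "$FACTOR_NAME"
        return 0
    fi
    # Opted in: hand both fields to the real factor and relay its verdict.
    out=$("$REAL_FACTOR" "$login" "$passcode" 2>/dev/null) && { echo "$out"; return 0; }
    echo "${out:-otp: authentication failed}"
    return 1
}

# Behave as a factor program when Cosign runs this file as /usr/local/cosign/otp.
if [ "${0##*/}" = "otp" ]; then
    otp_factor "$@"
    exit $?
fi
```

Because Cosign only invokes a factor when every listed field was posted, users who have not opted in still have to put something in the passcode field. The wrapper also makes 'otp' alone prove nothing for such users, so it only makes sense alongside another required factor, as in the demo's CosignRequireFactor INF.ED.AC.UK otp.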