Two-factor authentication
Ian Durkacz Development Meeting, 3rd December 2014
Slide 2: Review
- We want two-factor authentication, and propose to do so using Yubikeys.
- Reminder: what is a Yubikey, and how does it work?
- We have a working implementation of two-factor authentication for ssh using Yubikeys.
- The idea now is to get similar authentication working for Cosign-protected websites.
Slide 3: Cosign
- Cosign documentation is scattered ...
- Local Cosign mods are also not very well documented ...
- It turns out that, since v2, Cosign has had (some) support for multi-factor authentication.
Slide 4: Cosign 'factors' (1)
- Cosign "factor" = "authentication type".
- "Factor" is an overloaded term which means either:
  - an arbitrary string which is returned by an external authenticator on success, or
  - the external authenticator itself.
- There are also "legacy factors": e.g. if Kerberos is used to authenticate the account, the factor is set to the Kerberos realm used.
- Enforced per client by the Apache filter directive CosignRequireFactor, which can express 'and' and 'or' combinations of factors.
- In our case this is typically null, but sometimes we declare CosignRequireFactor INF.ED.AC.UK in order to exclude iFriend users.
- Note: a null CosignRequireFactor means that authentication against any available factor is deemed sufficient. So if a newly added factor (e.g. an OTP) can be satisfied on its own, it alone would admit a user to every site that leaves the directive unset. We need to be careful ...
- Relevant doc: "Cosign Multi-Factor Specification, 20 March 2006, Draft 6"
Slide 5: Cosign 'factors' (2)
- External authenticator(s) are declared in /etc/cosign.conf:
    factor <pathname> [-2] <form-field1> <form-field2> ...
- The program will be invoked if (and only if) all listed form fields contain posted data.
- If authentication is successful it writes the factor name on stdout and exits with 0.
- Otherwise it writes an error message on stdout and exits with 1.
Slide 6: Yubikey Cosign factor
- Could write this from scratch according to the protocol above ...
- ... however, we already have a Yubikey PAM module, and it turns out that a Universal Cosign PAM factor adaptor is available. So we can use that to get started.
- Finally takes the form:
    factor /usr/local/cosign/otp login passcode
  where otp is symlinked to the Universal adaptor, and a new 'otp' PAM service using the Yubikey PAM has been declared.
Slide 7: Demo
- Uses: Cosign-supplied HTML templates
- Yubikey in standard configuration, authenticating against the Yubico 'cloud' service
- Target service configured as:
    CosignRequireFactor INF.ED.AC.UK otp
Slide 8: General Cosign observations
- Our current Cosign HTML is a little ugly. We need to change it to allow the use of one-time passwords; perhaps it ought to be completely reviewed? (IS's EASE layout seems cleaner, for example. Do we want to include Javascript at all? Etc.)
- Are we sure that we're handling iFriends correctly? Are we permitting them access to only what we want? How do we check and/or audit?
- The various 'Require's in the Apache config seem a little confusing ...
Slide 9: Specific two-factor questions (1)
- The design of Cosign means that the OTP input field will be visible to all users (modulo some Javascript magic). That's a bit messy: are we happy with it?
- Whether or not the OTP field is relevant for any particular target website depends entirely on the configuration of that target. So: what site can we / should we use for a COs 'test' site?
Slide 10: Specific two-factor questions (2)
- Cosign does not (currently) allow configurable authentication/authorization options per user. So how do we handle an 'opt-in' two-factor auth system?
- How do we handle the specific use case(s) we have? What are they? (Comment: Yubikeys probably wouldn't be affordable for a site-wide roll-out.)
- One suggestion: we could 'wrap' our OTP factor with a test which returns 'success' if a user has not opted in. A hack, but it should work ...
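The opt-in wrapper suggested on this slide, written out against the external-factor protocol from slide 5. This is an added example, not the presenter's code. It assumes (the slides do not say) that Cosign feeds the posted form-field values to the factor program on stdin, one per line, in the order listed; the paths REAL_FACTOR and OPTIN_FILE are hypothetical, and the sample inputs in the docstring are constructed.

```python
#!/usr/bin/env python3
"""Opt-in wrapper for a Cosign external factor (added example).

Protocol, as described on the slides:
  - cosign.conf declares:  factor /usr/local/cosign/otp login passcode
  - the program is run only when every listed form field was posted
  - success: factor name on stdout, exit 0;  failure: message on stdout, exit 1
Assumed here (not stated on the slides): Cosign feeds the posted values to
the program on stdin, one per line, in the order the fields are listed,
e.g. "alice\nccccccbcgujhxxxx\n" (constructed sample).
"""
import subprocess
import sys

FACTOR_NAME = "otp"
# Hypothetical paths: the real PAM-backed factor (the Universal adaptor the
# slides symlink to) and an opt-in list with one username per line.
REAL_FACTOR = "/usr/local/cosign/otp.real"
OPTIN_FILE = "/etc/cosign/otp-optin"


def parse_fields(text, expected=2):
    """Split the stdin text into the posted field values, one per line.
    Returns a tuple of `expected` values, or None if any is missing or empty:
    Cosign says it only runs us when all fields have data, but check anyway."""
    lines = [line.rstrip("\r") for line in text.split("\n")]
    values = tuple(lines[:expected])
    if len(values) < expected or any(v == "" for v in values):
        return None
    return values


def load_optin(path):
    """Return the set of opted-in usernames, or None if the list cannot be
    read. Callers must treat None as 'unknown', never as 'nobody opted in'."""
    try:
        with open(path, encoding="utf-8") as fh:
            return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}
    except OSError:
        return None


def decide(login, passcode, optin, verify):
    """Core policy of the wrapper.

    optin  -- set of usernames that must present an OTP, or None if unknown
    verify -- callable(login, passcode) -> bool, the real OTP check
    Returns (exit_status, stdout_message, otp_checked).
    """
    if optin is None:
        # Fail closed: if we cannot tell who opted in, do not assert the factor.
        return 1, "otp: opt-in list unavailable", False
    if login not in optin:
        # The slide's hack: a user who has not opted in gets the factor for free.
        return 0, FACTOR_NAME, False
    if verify(login, passcode):
        return 0, FACTOR_NAME, True
    return 1, "otp: invalid one-time password", False


def run_real_factor(login, passcode):
    """Delegate to the real factor program, speaking the same protocol to it."""
    proc = subprocess.run([REAL_FACTOR], input=f"{login}\n{passcode}\n",
                          capture_output=True, text=True, check=False)
    return proc.returncode == 0 and proc.stdout.strip() == FACTOR_NAME


def main():
    fields = parse_fields(sys.stdin.read())
    if fields is None:
        print("otp: missing login or passcode")
        return 1
    login, passcode = fields
    status, message, checked = decide(login, passcode, load_optin(OPTIN_FILE),
                                      run_real_factor)
    # Audit trail on stderr: records whether an OTP was actually verified.
    print(f"otp wrapper: user={login} status={status} otp_checked={checked}",
          file=sys.stderr)
    print(message)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Installed in place of the otp symlink, with REAL_FACTOR pointing at the Universal adaptor, the cosign.conf line from slide 6 stays unchanged. Two caveats follow from the design: for a user who has not opted in, the "otp" factor is now asserted without any OTP having been checked, so CosignRequireFactor INF.ED.AC.UK otp no longer guarantees a second factor for that user, and the stderr line is what lets an audit tell the two cases apart; and an unreadable opt-in list fails closed, which withholds the factor rather than silently granting it to everyone.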