Two Factor Authentication

TasLUG 21 Nov 2012

Obligatory intro slide

• Small-to-medium web app development
• ... so systems administration
• Project management
• Lawyerin'
• Fancy tea

What is Two Factor Authentication?

I'll call it 2FA

1. What's authentication?
2. What are these factors?

What is authentication?

the act of confirming the truth of an attribute of a datum or entity

Wikipedia

Who is this schmuck?

What factors?

How do we know this schmuck is who they say they are?

Shared secrets

• Something you know (password)
• Something you have (smartcard)
• Something you are (fingerprint)

We want two of these

Some examples

What good is it?

• Authenticating in software only
• Protects against compromised passwords
• Can protects against replay attacks

How do we do it?

Lots of ways but we will focus on two similar methods

Google Authenticator

• Supports both HOTP and TOTP
• Supports PAM
• Open-source PAM, Android app, iOS app, Blackberry app
• Stored in secure phone memory (Android at least)
• Emergency scratch codes
• QR code key provisioning
• Compatible with any RFC-compliant app

Use case: required for SSH logins

1. Download, compile and install module
2. Create user key (in ~/.google_authenticator)
3. Scan key onto phone
4. Require correct code for login

Demo: Step 1

Download, compile and install module

Demo: Step 2

Create user key

Demo: Step 3

Scan key onto phone

Demo: Step 3

Scan key onto phone

Demo: Step 3

Scan key onto phone

Demo: Step 3

Scan key onto phone

Step 4

Require correct code to login

• In /etc/pam.d/sshd add auth required pam_google_authenticator.so
• In /etc/ssh/sshd_config ensure ChallengeResponseAuthentication yes is set

Questions?

Links

• Slides: mjec.net/talks/2fa
• Google Authenticator: code.google.com/p/google-authenticator
• Me: mjec.net

Slideshow made with deck.js & playitagainsam

Slides are CC-BY-SA 3.0 AU