User Auth for Winners, how to get it right the first time!

A presentation at Lascon in October 2013 in Austin, TX, USA by Karthik Gaekwad

Slide 1

User Authentication for Winners!
Speaker: Karthik Gaekwad
Password: LASCON 2013
Remember this stuff when you code
@iteration1 Friday, October 25, 13 #UserAuth101

Slide 2

User Authentication for Winners!
Speaker: Karthik Gaekwad
Password: ************
Well played security guru; well played!
Remember this stuff when you code

Slide 3

Howdy!
• I’m Karthik Gaekwad
• Senior Web Engineer, Mentor Graphics Embedded
• From Austin, TX
• Spent the last 3 years writing/refining cloud based user auth systems

Slide 4

Audience Survey

Slide 5

My agenda
• Developers and DevOps
  • Build better auth systems
• Security Pros
  • Give you developer insight, new ideas to attack auth systems
• Management
  • Give this ppt to your dev teams.

Slide 6

Authentication Mechanisms
• Write your own
• OpenID
• OAuth

Slide 7

(same content as Slide 6)

Slide 8

Common Perception
“Building a User Authentication system is easy. It’s just a username and password, stored somewhere”

Slide 9

Reality
API (PaaS) + Workflows + User Interface(s)

Slide 10

Designing Auth Systems
API: How your system is used
• Login/Logout
• Session Management (Remember Me etc.)
• User Creation
• Password Reset

Slide 11

Designing Auth Systems
Workflows: Rules for how the system works
• Account Creation
• Password Reset
• Account Recovery

Slide 12

Designing Auth Systems
User Interface: What the end user will actually see
• Where users can create an account
• Login screens
• My Profile page
• End applications using the APIs

Slide 13

High Level Design (diagram)
Components: Email Web Services, API Web Services (Login/Logout), User Portal, App 1, App 2, App 3…, Data store(s)

Slide 14

(same diagram as Slide 13)

Slide 15

(same diagram as Slide 13)

Slide 16

Quick look @data
• email
• username
• first name
• last name
• password
• {id}

Slide 17

Quick look @data
Keep your auth data separate
• You don’t want to clutter your auth data with ecommerce/address/whatever other data
• Not rocket science.
• It’s called normalization

Slide 18

Breaking it down
API Web Services (Login/Logout)

Slide 19

Login Web Services
API Web Services (Login/Logout)
The Goal: Keep user credentials as safe as possible in transit

Slide 20

Login Web Services
Request (App 1 to API Web Services): POST /login with encoded username:password
Response: HTTP 200/201 with session token, session ID expiration, first name, last name

Slide 21

Login Web Services
Request (App 1 to API Web Services): GET /login/(session token)
Response: HTTP 200/201 (success) with session token, session ID expiration, first name, last name; HTTP 401 (failures)

Slide 22

Login Web Services
• Minimize sending usernames and passwords over the wire.
  • Harder to sniff if it’s rarely there
  • Don’t put this in the URL (server logs)
• Session tokens: set an expiration time.
  • Client can re-login if necessary

Slide 23

Login Web Services
HTTP?

Slide 24

“That’s great, but I can brute force the endpoint”
—JoeHacker

Slide 25

Rate Limiting
• “Only x number of calls per minute to the endpoint”
• Recommended for all login and session token endpoints.
• Can be complicated to implement, but worth it and reusable.
• http://www.client9.com/2012/05/01/ratelimiting-at-scale/ Thanks @NGalbreath!
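Rate limiting as described on this slide, in working form. This is an added example written for this transcript, not code from the talk or from the linked client9 post; the sliding-window policy, the per-IP plus per-username keys, the limits and the constructed client address are all this example's own choices.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window_seconds` per key.

    The key is whatever the endpoint throttles on (client IP, username, API key);
    the clock is injectable so the behaviour can be exercised without sleeping.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._hits = {}  # key -> deque of call timestamps still inside the window

    def allow(self, key):
        """Record one call for `key`; return False if it is over quota."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:  # age out old calls
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class FakeClock:
    """Manually advanced clock for the demo below."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def login_endpoint(ip_limiter, user_limiter, client_ip, username):
    """Guard for POST /login: throttle per source address and per target account.

    Returns the HTTP status decided before any credential check runs: 429 when
    either quota is exhausted, else 200 meaning the request may proceed to the
    credential check. The per-username bucket stops a guesser from spreading
    attempts on one account across many source addresses.
    """
    if not ip_limiter.allow(client_ip) or not user_limiter.allow(username):
        return 429
    return 200


def demo():
    clock = FakeClock()
    by_ip = RateLimiter(limit=5, window_seconds=60, clock=clock)
    by_user = RateLimiter(limit=10, window_seconds=60, clock=clock)
    # Constructed traffic: six attempts from one address inside a minute,
    # then one more after the window has passed.
    statuses = [login_endpoint(by_ip, by_user, "198.51.100.7", "alice") for _ in range(6)]
    clock.advance(61)
    statuses.append(login_endpoint(by_ip, by_user, "198.51.100.7", "alice"))
    return statuses  # [200, 200, 200, 200, 200, 429, 200]
```

Production deployments keep the counters in a shared store so every API node sees the same totals (that scale-out problem is what the linked post covers); the per-key logic stays the same.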

Slide 26

Note on Session Tokens
How I really feel about rand() and guid() functions: Yuck
Use something cryptographically secure
Keep them 128 bit or greater

Slide 27

Login Hack #1
• Often, the end (web) application will store the username and session token in a cookie.
• Hack: Create 2 accounts, log in with both and store the cookies. Trade the session token of one account with the other, and see if you can see the other account’s data…

Slide 28

Login Hack #1
• Developers have good intentions but….

Slide 29

Login Hack #2
• Verify that session tokens actually expire!
• Try using the same session token even after you’ve hit “log out” in the application.
• cookies.clear() is easier than actually calling the /logout endpoint to invalidate tokens.
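The login and session-token endpoints of Slides 20 to 22, the token advice of Slide 26 and the two login hacks of Slides 27 and 29, brought together as an added example written for this transcript (not the speaker's code): an in-memory session service whose tokens come from the OS CSPRNG, carry a server-side expiry and are invalidated by /logout, with identity derived from the token alone so the cookie swap of Login Hack #1 only ever resolves to the token's real owner. The endpoint names, the 900-second TTL, the Basic-auth header format and the usernames are assumptions.

```python
import base64
import secrets
import time


def parse_basic_credentials(header_value):
    """Decode an HTTP Basic `Authorization` header into (username, password).

    The credentials travel in the POST /login header or body, never in the URL,
    so they stay out of server and proxy access logs. Returns None if malformed.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


class SessionService:
    """In-memory session tokens: 128-bit CSPRNG values with a server-side expiry."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}  # token -> (user_id, expires_at)

    def login(self, user_id):
        """Issue a token for a user whose credentials were already verified."""
        token = secrets.token_hex(16)  # 16 random bytes = 128 bits, not rand()/guid()
        expires_at = self.clock() + self.ttl
        self._sessions[token] = (user_id, expires_at)
        return {"session_token": token, "expires": expires_at}

    def validate(self, token):
        """GET /login/(token): the owning user_id, or None (answer HTTP 401)."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]  # expired tokens are dropped, not honoured
            return None
        return user_id

    def logout(self, token):
        """/logout: invalidate server-side; clearing the client cookie alone changes nothing here."""
        self._sessions.pop(token, None)


def resolve_user(service, cookie):
    """Identity comes from the token only; a username field in the cookie is ignored."""
    return service.validate(cookie.get("session_token"))


def demo():
    now = [1000.0]
    svc = SessionService(ttl_seconds=900, clock=lambda: now[0])
    alice = svc.login("alice")
    bob = svc.login("bob")
    # Login Hack #1: a cookie that claims to be alice but carries bob's token.
    forged = {"username": "alice", "session_token": bob["session_token"]}
    who = resolve_user(svc, forged)                         # "bob"
    # Login Hack #2: after /logout the old token must be dead.
    svc.logout(alice["session_token"])
    after_logout = svc.validate(alice["session_token"])    # None
    # Expiry: bob's token dies once the TTL passes, logout or not.
    now[0] += 901
    after_expiry = svc.validate(bob["session_token"])      # None
    return who, after_logout, after_expiry
```

The app-side rule is the important one: whatever else the cookie carries, every data lookup starts from the user id the token resolves to, so swapping tokens between two accounts gives each account only its own data.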

Slide 30

Let’s move on..
Account Creation
Password Reset

Slide 31

Slide 32

“We try to solve very complicated problems without letting people know how complicated the problem was. That’s the appropriate thing.”

Slide 33

—Usability Jack and Jill

Slide 34

“Remembering passwords is a pain. Let’s make our system have a minimum 4 letter passwords because it’s more usable.”
—Usability Jack and Jill

Slide 35

Security + Usability
• The days of the 4 character password are over.
• UX team interactions:
  • 8+ characters is accepted now
  • Show by example
  • Use “sentences” versus “words” for passwords
Reference: Security and Usability: Designing Secure Systems That People Can Use, Lorrie Faith Cranor

Slide 36

Account Creation
• Typically: accept user data, provision account…

Slide 37

Account Creation
• Sanitize inputs for XSS.
• If you are asking for a user email, validate that the email actually belongs to the user.
• May have multiple data stores in play here.

Slide 38

Account Creation
• Case Sensitivity…
• Hack: Register with user@email.com and UsEr@email.com. You may be able to register as both if the case sensitivity check isn’t turned on.
• Hack: Use foreign characters to sniff whether the datastore is older (LDAP v2)
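A uniqueness check that closes the case-sensitivity hole from this slide, as an added example (not the speaker's code): emails are reduced to one canonical form before they are compared or stored, so user@email.com and UsEr@email.com land on the same account. The NFKC plus casefold rule and the constructed Registry class are assumptions, not anything the slide prescribes.

```python
import unicodedata


def canonical_email(email):
    """One canonical form per mailbox so lookups and uniqueness checks agree.

    NFKC folds compatibility characters (full-width letters, ligatures) to their
    plain forms; casefold() is a stronger lower() that also handles e.g. ß.
    Treating the local part as case-insensitive matches how real mail providers
    behave, although RFC 5321 permits case-sensitive local parts.
    """
    return unicodedata.normalize("NFKC", email.strip()).casefold()


class Registry:
    """Constructed account store keyed by canonical email."""

    def __init__(self):
        self._accounts = {}  # canonical email -> email as the user typed it

    def register(self, email):
        """Return True on success, False if the mailbox is already registered."""
        key = canonical_email(email)
        if key in self._accounts:
            return False
        self._accounts[key] = email
        return True

    def lookup(self, email):
        """Find the stored account for any spelling of the same mailbox."""
        return self._accounts.get(canonical_email(email))


def demo():
    reg = Registry()
    attempts = [                 # constructed registration attempts
        "user@email.com",
        "UsEr@email.com",        # case variant from the slide
        "  user@email.com  ",    # stray whitespace
        "\uff55ser@email.com",   # full-width 'u' (U+FF55); NFKC maps it to 'u'
    ]
    return [reg.register(e) for e in attempts]   # [True, False, False, False]
```

Apply the same canonical form on login and on password reset as well as on registration; a check that normalises in one place and not the others reintroduces the duplicate-account problem through the side door.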

Slide 39

Passwords

Slide 40

Storing Passwords
“I’m gonna pop some tags
Only got clear text passwords in my db
I - I - I’m hunting, looking for a reason to get f*** fired.”
-The Macklemore stance

Slide 41

Storing Passwords
Please don’t go “thrift shop” your password storage

Slide 42

Storing Passwords
• Store only hashed passwords
• Use a unique, per-user salt.
• Use bcrypt/scrypt to generate your hash

Slide 43

“That’s great, but I’ll just figure out your Cloud DB credentials”
—JoeHacker

Slide 44

Storing Passwords
A technique that I like..
• Break up your data into different stores
  • Store the password hash in data store #1
  • Store the salt used to compute the hash in data store #2
  • Store the # of hash iterations in data store #3 (application config?)
• Have the value stored in #1 not be the password hash itself, but a MAC (Message Authentication Code, aka ‘keyed hash’) using an application-private MAC key.
http://www.stormpath.com/blog/strong-password-hashing-part-2 Thanks @Stormpath
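The split-store-plus-MAC scheme of this slide combined with the salted slow hash of Slide 42, as an added example (not the speaker's or Stormpath's code). It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt/scrypt so it runs without third-party packages; the three stores are plain dicts, the iteration count, key size and usernames are assumptions, and the MAC key is generated at import time where a real deployment would load it from a secrets manager.

```python
import hashlib
import hmac
import os

# Three separate stores, modelled as dicts; in production they live in separate
# databases/services with separate credentials (constructed example).
HASH_STORE = {}                         # store #1: MAC(password hash) per username
SALT_STORE = {}                         # store #2: per-user random salt
CONFIG_STORE = {"iterations": 100_000}  # store #3: hashing parameters (app config)
MAC_KEY = os.urandom(32)                # application-private key; normally from a secrets manager


def password_hash(password, salt, iterations):
    """Slow, salted hash. Stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def keyed(digest):
    """MAC the hash so store #1 on its own is useless without the application key."""
    return hmac.new(MAC_KEY, digest, hashlib.sha256).digest()


def create_user(username, password):
    salt = os.urandom(16)  # unique per user, never reused
    digest = password_hash(password, salt, CONFIG_STORE["iterations"])
    SALT_STORE[username] = salt
    HASH_STORE[username] = keyed(digest)


def verify_password(username, password):
    salt = SALT_STORE.get(username)
    stored = HASH_STORE.get(username)
    if salt is None or stored is None:
        # Burn a hash anyway so an unknown username is not faster to reject.
        password_hash(password, b"\x00" * 16, CONFIG_STORE["iterations"])
        return False
    digest = password_hash(password, salt, CONFIG_STORE["iterations"])
    return hmac.compare_digest(keyed(digest), stored)  # constant-time comparison


def offline_guess_without_key(username, guess):
    """What someone holding stores #1 and #2 but not MAC_KEY can confirm: nothing.

    Even the correct password does not reproduce the stored value, because the
    stored value is the MAC of the hash, not the hash.
    """
    digest = password_hash(guess, SALT_STORE[username], CONFIG_STORE["iterations"])
    return hmac.compare_digest(digest, HASH_STORE[username])
```

The MAC key must stay out of all three stores (it belongs with the application's other secrets), and losing it means every user has to reset their password, so treat its backup and rotation as part of the design rather than an afterthought.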

Slide 45

Storing Passwords
• http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html
• http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database
• http://www.stormpath.com/blog/strong-password-hashing-apache-shiro
• https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Authentication

Slide 46

Reset or Restore?
• I prefer Password Reset.
• “Personal challenge questions” aren’t so personal anymore with Facebook and Twitter.
• Make sure Password Reset tokens are one use only and expire “super fast”
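Reset tokens that are one use only and expire fast, as this slide asks for; an added example, not the speaker's code. The 15-minute default TTL, the hash-before-store step and the rule that a newly issued token voids any older one for the same user are this example's own assumptions.

```python
import hashlib
import secrets
import time


class PasswordResetTokens:
    """Reset tokens that are single-use, short-lived and persisted only as hashes."""

    def __init__(self, ttl_seconds=15 * 60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token):
        # Only the hash is stored, so a copied table cannot be turned back into working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Create the token for the emailed link; any earlier token for this user is voided."""
        self._pending = {k: v for k, v in self._pending.items() if v[0] != username}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (username, self.clock() + self.ttl)
        return token

    def consume(self, token):
        """Redeem a token exactly once: the username, or None if unknown or expired."""
        entry = self._pending.pop(self._key(token), None)  # pop: gone after one use, valid or not
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            return None
        return username


def demo():
    now = [0.0]
    resets = PasswordResetTokens(ttl_seconds=600, clock=lambda: now[0])
    t1 = resets.issue("alice")
    first, second = resets.consume(t1), resets.consume(t1)   # "alice", None
    t2 = resets.issue("alice")
    t3 = resets.issue("alice")                                # voids t2
    superseded = resets.consume(t2)                           # None
    now[0] += 601
    expired = resets.consume(t3)                              # None
    return first, second, superseded, expired
```

After a successful reset, also invalidate the user's existing session tokens; otherwise a session established before the reset keeps working on an account whose owner just tried to lock it down.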

Slide 47

Account Creation Workflow
Option A: Get User Credentials -> Validate Email -> Create Password -> Allow Login
OR
Option B: Get User Credentials and Password -> Validate Email -> Allow Login

Slide 48

Account Creation Workflow
Winner: Get User Credentials and Password -> Allow Login -> Validate Email
• Data to support that more users convert to creating accounts this way.
• http://www.stormpath.com/blog/how-we-increased-new-user-registration-27 Thanks @chunsaker

Slide 49

Final Thoughts
• AKA I have to present in a few hours, but I have no time to worry about flow.. #FreeStyling

Slide 50

Final Thoughts
• If you have many apps with login screens/create account screens, keep these consistent.
• Users lose trust if login screens are different across apps by the same company

Slide 51

Final Thoughts
• If you’re a Java shop, check out the Apache Shiro Framework; it’s made for the authentication use case.
• SaaS version: Stormpath

Slide 52

Final Thoughts
• 2 factor auth
  • Definitely strengthens the security.
  • Usability verdict is still out.
  • Challenging to implement, but a good idea.

Slide 53

Final Thoughts
• Login dashboards in “My Profile” with last login information, geo location and timestamp are getting more popular.
• You have all this data anyway, so why not show it?

Slide 54

PSA on OAuth
“Why does this random website need read and write OAuth access to my twitter / facebook account?”

Slide 55

Thank You for your time!
Lunch?