Two-factor authentication system

I am trying to create a two-factor authentication system (in PHP) using SMS as the second auth method. This is for a test project, can someone help me in developing this service?

This will be a web system, and below is what I have done so far.

  • As soon as the client enters the username and password, the website will send a secure HTTP request to our server using MSISDN, UID (for session identification), their UserID and PassWord.

  • Our server will add a query to the MySQL database and respond to the site with a code, UID, and some other information.

  • Our server will send an SMS with a one-time password to the client.

  • As soon as the client enters the OTP on the website, the website will send another HTTPS request with the encrypted OTP to our server, and we will reply with a response code indicating success or failure.

This is the thread I was thinking about. Does anyone have a better thread, or suggestions?

Thanks.

+6
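One way to implement the server side of the OTP steps in the question, as an added PHP example that is not the asker's code: the MySQL table is replaced by an in-memory array and `$sendSms` stands in for the SMS gateway (both assumptions, as is the `$pepper` server secret). The OTP is stored only as a keyed hash, bound to the UID and user, expires, is single-use and rate-limited, and the HTTP response carries the UID but never the OTP itself.

```php
<?php
// Added example (not the asker's code). Hypothetical names; the MySQL table
// is an in-memory array and $sendSms stands in for the SMS gateway.
declare(strict_types=1);

final class SmsOtpServer
{
    private const TTL_SECONDS  = 300;   // OTP valid for 5 minutes
    private const MAX_ATTEMPTS = 5;     // then the challenge is burned
    private array $challenges = [];     // uid => [hash, userId, expires, attempts]

    public function __construct(private string $pepper, private $sendSms) {}

    /** First request: returns the UID for the HTTP response, never the OTP. */
    public function issue(string $userId, string $msisdn): string
    {
        $otp = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT); // CSPRNG
        $uid = bin2hex(random_bytes(16));
        $this->challenges[$uid] = [
            'hash'     => hash_hmac('sha256', $uid . ':' . $otp, $this->pepper),
            'userId'   => $userId,
            'expires'  => time() + self::TTL_SECONDS,
            'attempts' => 0,
        ];
        ($this->sendSms)($msisdn, "Your login code is $otp"); // out-of-band only
        return $uid;
    }

    /** Second request: returns 'ok', 'expired', 'locked' or 'invalid'. */
    public function verify(string $uid, string $userId, string $otp): string
    {
        $c = $this->challenges[$uid] ?? null;
        if ($c === null || $c['userId'] !== $userId) {
            return 'invalid';                 // unknown UID or wrong user: no detail leaked
        }
        if (time() > $c['expires']) {
            unset($this->challenges[$uid]);
            return 'expired';
        }
        if (++$this->challenges[$uid]['attempts'] > self::MAX_ATTEMPTS) {
            unset($this->challenges[$uid]);   // stop online guessing of a 6-digit code
            return 'locked';
        }
        $expected = hash_hmac('sha256', $uid . ':' . $otp, $this->pepper);
        if (!hash_equals($c['hash'], $expected)) {
            return 'invalid';                 // constant-time comparison
        }
        unset($this->challenges[$uid]);       // single use
        return 'ok';
    }
}
```

The website keeps the UID in the user's server-side session and passes it back with the user's ID on the second request, so an OTP can only be redeemed by the login that requested it.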
6 answers

Sounds like a valid mechanism. But what if the SMS device is not in the service area? Or a dead battery?

+4

This may work fine, however this is not two-factor authentication.

In addition to the password, a second factor may be:

  • Something you have (e.g. SecurID, smartcard, etc.).
  • Something you are (i.e. various forms of biometrics).

Since I assume that you are not biometric-oriented ;), let me explain why I say that this is not the second factor (something you have).

To qualify as a 2nd factor, you need to ensure that the owner of the device (i.e. a pre-registered cell phone) is the only one who could receive the SMS.
In today's cellular networks, this is simply not the case. There are routes for copying, for example, SIM cards; mobile operators may intercept; smartphones may have applications that intercept and resend; etc.
In addition, when the user enters the code back into the site, he exposes this additional password to all the standard web attacks: sniffing, interception, MITM, session hijacking, etc.

Now, to be clear, this still definitely has value - out-of-band communication can help ensure that the obvious user is not the victim of a simple web attack, XSS, etc.
I have worked with a large number of telecommunications companies that love this solution (it can also be part of their business model, but whatever ;))

However, depending on your situation, in some places (for example, in banks, gov't) a real 2nd factor is required - that is, cryptographic proof (usually). And this is not so.

+6

I would add that sending an OTP via SMS is still considered two-factor authentication. The comment by Avid is simply:

The second factor, you will need to ensure that the owner of the device (i.e. a pre-registered cell phone) is the only one who could receive an SMS.

But the same applies, say, to hardware-token-based 2FA. How can we guarantee that a hardware token is used by only one person? Stealing a token (or peeking at the OTP on its screen) is even easier than intercepting SMS.

@megazoid, have you considered using 2FA-as-a-service providers? For example Authy.com, Token2.com, or DuoSecurity?

+1

Everyone still loves SMS, but in my opinion it sucks, no matter how much SMS Passcode tries to improve the workflow.

An attacker can request an SMS message and intercept SMS without notifying the user. To do this, he does not even need to steal the phone. And, in my opinion, this is the worst attack since the victim does not realize that he was at risk.

When a token is stolen, the user knows that it has been compromised, and appropriate countermeasures can be taken.

Theft of token seeds from a vendor is a much better attack vector, which has also been shown in the past ;-)

This is why you should think about using hardware tokens that you can seed yourself. That way you can be sure that the seed belongs to you only. Seedable tokens are the anniversary, eToken Pass and eToken NG OTP.

In any case, for a "low security" environment even using SMS may be okay. But you must be aware of the consequences. By the way, all of these tokens are supported by the privacyIDEA open source project.

+1

I invite you to look for ideas at the clients that we have open-sourced for Duo with our two-factor authentication system:

https://github.com/duosecurity/duo_web

Another place to search is with existing third-party authentication protocols such as OAuth and OpenID.

Two things you didn't mention:

  • The signed response must contain a user ID to compare with the local user (possibly stored in a secure session) to avoid duplicates.
  • A signed response must include the expiration or return of a request not specified in the signed request.

0

Ricky from Twilio here.

We just released a non-trivial, production-ready example of two-factor authentication that you can check out if you are looking for some inspiration on how to build such a system.

0

Source: https://habr.com/ru/post/886678/
