Dylan  Iqbal

Dylan Iqbal

1624505624

What is 2FA?

Maybe you’ve heard the term 2FA (or two-factor authentication) or MFA (multi-factor authentication) but weren’t sure what was involved with it. Or perhaps, you are already familiar with implementing 2FA but want to know more about the best practices. Either way, this video from Kelley Robinson is just for you!

Sign up for a free Twilio API key: https://www.twilio.com/try-twilio?utm_source=morioh.com

Check out the Related Links section of this description for more information on 2FA.

Authentication needs to be usable for it to be successful. Unfortunately, passwords are pretty insecure. Not only do some users choose guessable passwords but they tend to use them all over the internet as well. 2FA adds an extra layer of security by requiring at least two types of authentication. Like all security, authentication is all about finding the right balance between usability and friction. In this video Kelley walks through the why’s and how’s behind 2FA, some data around implementation stats, and the different options for adding 2FA to your applications.

Thanks for watching!

=== TIMESTAMPS ===

  • 0:00 What is 2FA?
  • 0:59 Passwords are insecure!
  • 1:29 Password re-use leads to account takeovers
  • 2:01 Other types of authentication factors
  • 2:34 Examples of 2FA
  • 3:09 Methods for adding 2FA to your applications
  • 3:33 SMS 2FA
  • 4:03 Email 2FA
  • 4:18 Time-based one-time passcodes (TOTP)
  • 4:49 Push authentication
  • 5:30 Users must opt-in for 2FA to be effective
  • 7:04 Tips for implementing 2FA
  • 7:41 Incentivizing users to opt-in

#security #developer

What is GEEK

Buddha Community

What is 2FA?
Web  Dev

Web Dev

1626428204

How 2FA without SMS or Email | TypingDNA Verify

TypingDNA Verify is an interesting way to do 2FA through Typing Biometrics instead of the traditional SMS or Email authentication verification methods.

TypingDNA:
https://www.typingdna.com/verify

  • 00:00 - Introduction
  • 02:35 - What is TypingDNA Verify
  • 03:48 - How the 2FA method works
  • 06:46 - Setting up Verify Client
  • 10:11 - Coding example of Verify Authentication
  • 28:30 - Conclusion

Github NodeJs Demo Code:
https://github.com/adriantwarog/typingdna-verify-nodejs-example

#security #web-development #webdev #2fa

Martin  Soit

Martin Soit

1595466017

How to Build an Interactive 2FA Screen using Flutter

An interactive 2FA screen is table stakes with the SignUp/SignIn flow these days especially if you’re building an app that requires high levels of security.

Note: If you came for the code, skip to the bottom of this post for a link to my GitHub repo.

Image for post

End result of this post

In this post, I will walk you through the process of building a screen that looks like the one above. So let’s get started.

So, let’s go ahead and declare it in our pub_spec.yaml file and do a ‘flutter packages get’

Since, this is clearly a stateful widget, let’s go ahead and declare a stateful widget,

Image for post

We have created a basic stateful widget that has a TextEditingController so that we can use it for a TextField for the user to type the code, a FocusNode that can be attached to the TextField, a ‘code’ string which will hold the value of the code, a ‘loaded’, ‘shake’ and ‘valid’ boolean variables for toggling the state based on whether the backend returned after validating the code, the text fields must shake(animate with a red) for invalid code and if the code is valid or not respectively.

Now, for the onChange() callback of the TextField, let’s define a method that takes the current value of the code and sets the state of the **_code _**variable to that value.

Image for post

For the onClick() callback of the **_Verify _**button, let’s go ahead and define a function where we will make the backend call, **_validate2FaCode(code) _**which is asynchronous.

Image for post

#flutter #2fa #ios #mobile-app-development

How to Implement 2FA Functionality with A Soft Token & Spring Security

1. Overview

In this tutorial, we're going to implement Two Factor Authentication functionality with a Soft Token and Spring Security.

We're going to be adding the new functionality into an existing, simple login flow and use the Google Authenticator app to generate the tokens.

Simply put, two factor authentication is a verification process which follows the well known principle of “something the user knows and something the user has”.

And so, users provide an extra “verification token” during authentication – a one-time password verification code based on Time-based One-time Password TOTP algorithm.

2. Maven Configuration

First, in order to use Google Authenticator in our app we need to:

  • Generate secret key
  • Provide secret key to the user via QR-code
  • Verify token entered by the user using this secret key.

We will use a simple server-side library to generate/verify one-time password by adding the following dependency to our pom.xml:

<dependency>
    <groupId>org.jboss.aerogear</groupId>
    <artifactId>aerogear-otp-java</artifactId>
    <version>1.0.0</version>
</dependency>

3. User Entity

Next, we will modify our user entity to hold extra information – as follows:

@Entity
public class User {
    ...
    private boolean isUsing2FA;
    private String secret;

    public User() {
        super();
        this.secret = Base32.random();
        ...
    }
}

Note that:

  • We save a random secret code for each user to be used later in generating verification code
  • Our 2-step verification is optional

4. Extra Login Parameter

First, we will need to adjust our security configuration to accept extra parameter – verification token. We can accomplish that by using custom AuthenticationDetailsSource:

Here is our CustomWebAuthenticationDetailsSource:

@Component
public class CustomWebAuthenticationDetailsSource implements 
  AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
    
    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
        return new CustomWebAuthenticationDetails(context);
    }
}

and here is CustomWebAuthenticationDetails:

public class CustomWebAuthenticationDetails extends WebAuthenticationDetails {

    private String verificationCode;

    public CustomWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        verificationCode = request.getParameter("code");
    }

    public String getVerificationCode() {
        return verificationCode;
    }
}

And our security configuration:

@Configuration
@EnableWebSecurity
public class LssSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomWebAuthenticationDetailsSource authenticationDetailsSource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
            .authenticationDetailsSource(authenticationDetailsSource)
            ...
    } 
}

And finally add the extra parameter to our login form:

<labelth:text="#{label.form.login2fa}">
    Google Authenticator Verification Code
</label>
<input type='text' name='code'/>

Note: We need to set our custom AuthenticationDetailsSource in our security configuration.

5. Custom Authentication Provider

Next, we'll need a custom AuthenticationProvider to handle extra parameter validation:

public class CustomAuthenticationProvider extends DaoAuthenticationProvider {

    @Autowired
    private UserRepository userRepository;

    @Override
    public Authentication authenticate(Authentication auth)
      throws AuthenticationException {
        String verificationCode 
          = ((CustomWebAuthenticationDetails) auth.getDetails())
            .getVerificationCode();
        User user = userRepository.findByEmail(auth.getName());
        if ((user == null)) {
            throw new BadCredentialsException("Invalid username or password");
        }
        if (user.isUsing2FA()) {
            Totp totp = new Totp(user.getSecret());
            if (!isValidLong(verificationCode) || !totp.verify(verificationCode)) {
                throw new BadCredentialsException("Invalid verfication code");
            }
        }
        
        Authentication result = super.authenticate(auth);
        return new UsernamePasswordAuthenticationToken(
          user, result.getCredentials(), result.getAuthorities());
    }

    private boolean isValidLong(String code) {
        try {
            Long.parseLong(code);
        } catch (NumberFormatException e) {
            return false;
        }
        return true;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

Note that – after we verified the one-time-password verification code, we simply delegated authentication downstream.

Here is our Authentication Provider bean

@Bean
public DaoAuthenticationProvider authProvider() {
    CustomAuthenticationProvider authProvider = new CustomAuthenticationProvider();
    authProvider.setUserDetailsService(userDetailsService);
    authProvider.setPasswordEncoder(encoder());
    return authProvider;
}

6. Registration Process

Now, in order for users to be able to use the application to generate the tokens, they'll need to set things up properly when they register.

And so, we'll need to do few simple modifications to the registration process – to allow users who have chosen to use 2-step verification to scan the QR-code they need to login later.

First, we add this simple input to our registration form:

Use Two step verification <input type="checkbox" name="using2FA" value="true"/>

Then, in our RegistrationController – we redirect users based on their choices after confirming registration:

@GetMapping("/registrationConfirm")
public String confirmRegistration(@RequestParam("token") String token, ...) {
    String result = userService.validateVerificationToken(token);
    if(result.equals("valid")) {
        User user = userService.getUser(token);
        if (user.isUsing2FA()) {
            model.addAttribute("qr", userService.generateQRUrl(user));
            return "redirect:/qrcode.html?lang=" + locale.getLanguage();
        }
        
        model.addAttribute(
          "message", messages.getMessage("message.accountVerified", null, locale));
        return "redirect:/login?lang=" + locale.getLanguage();
    }
    ...
}

And here is our method generateQRUrl():

public static String QR_PREFIX = 
  "https://chart.googleapis.com/chart?chs=200x200&chld=M%%7C0&cht=qr&chl=";

@Override
public String generateQRUrl(User user) {
    return QR_PREFIX + URLEncoder.encode(String.format(
      "otpauth://totp/%s:%s?secret=%s&issuer=%s", 
      APP_NAME, user.getEmail(), user.getSecret(), APP_NAME),
      "UTF-8");
}

And here is our qrcode.html:

<html>
<body>
<div id="qr">
    <p>
        Scan this Barcode using Google Authenticator app on your phone 
        to use it later in login
    </p>
    <img th:src="${param.qr[0]}"/>
</div>
<a href="/login" class="btn btn-primary">Go to login page</a>
</body>
</html>

Note that:

  • generateQRUrl() method is used to generate QR-code URL
  • This QR-code will be scanned by users mobile phones using Google Authenticator app
  • The app will generate a 6-digit code that is valid for only 30 seconds which is desired verification code
  • This verification code will be verified while login using our custom AuthenticationProvider

7. Enable Two Step Verification

Next, we will make sure that users can change their login preferences at any time – as follows:

@PostMapping("/user/update/2fa")
public GenericResponse modifyUser2FA(@RequestParam("use2FA") boolean use2FA) 
  throws UnsupportedEncodingException {
    User user = userService.updateUser2FA(use2FA);
    if (use2FA) {
        return new GenericResponse(userService.generateQRUrl(user));
    }
    return null;
}

And here is updateUser2FA():

@Override
public User updateUser2FA(boolean use2FA) {
    Authentication curAuth = SecurityContextHolder.getContext().getAuthentication();
    User currentUser = (User) curAuth.getPrincipal();
    currentUser.setUsing2FA(use2FA);
    currentUser = repository.save(currentUser);
    
    Authentication auth = new UsernamePasswordAuthenticationToken(
      currentUser, currentUser.getPassword(), curAuth.getAuthorities());
    SecurityContextHolder.getContext().setAuthentication(auth);
    return currentUser;
}

And here is the front-end:

<div th:if="${#authentication.principal.using2FA}">
    You are using Two-step authentication 
    <a href="#" onclick="disable2FA()">Disable 2FA</a> 
</div>
<div th:if="${! #authentication.principal.using2FA}">
    You are not using Two-step authentication 
    <a href="#" onclick="enable2FA()">Enable 2FA</a> 
</div>
<br/>
<div id="qr" style="display:none;">
    <p>Scan this Barcode using Google Authenticator app on your phone </p>
</div>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script type="text/javascript">
function enable2FA(){
    set2FA(true);
}
function disable2FA(){
    set2FA(false);
}
function set2FA(use2FA){
    $.post( "/user/update/2fa", { use2FA: use2FA } , function( data ) {
        if(use2FA){
        	$("#qr").append('<img src="'+data.message+'" />').show();
        }else{
            window.location.reload();
        }
    });
}
</script>

8. Conclusion

In this quick tutorial, we illustrated how to do a two-factor authentication implementation using a Soft Token with Spring Security.

Link: https://www.baeldung.com/spring-security-two-factor-authentication-with-soft-token

#authentication #spring  #spring-boot  #java #2fa 

Joseph  Norton

Joseph Norton

1626661139

TypingDNA Verify Tutorial - Simple, User Friendly 2FA

Welcome back to another video! In this video, I’ll be showing you typing biometrics which can be used as two-factor authentication that can be used when signing into or creating an account. This is possible through TypingDNA, they have both an authentication API and the verify API.

Thanks to TypingDNA for sponsoring this video! Create a FREE account today at: https://www.typingdna.com/

📄 Resources 📄
TypingDNA Authentication API Tutorial: https://www.youtube.com/watch?v=SFgEPbmeJOk
TypingDNA Docs: https://verify.typingdna.com/docs/
SendGrid Website: https://sendgrid.com/
Download ngrok: https://ngrok.com/download
Download Node.js: https://nodejs.org/en/
Code In This Video: https://github.com/techwithtim/TypingDNA-Verify-API-Tutorial

⭐️ Timestamps ⭐️

  • 00:00 | Verify Users With TypingDNA
  • 01:54 | TypingDNA Demo
  • 04:41 | Advantages of Typing Biometrics 2FA
  • 05:55| TypingDNA Setup
  • 07:27 | SendGrid Setup
  • 10:24 | Creating an Integration
  • 14:11 | Installing Node.js
  • 14:45 | Express Server Setup
  • 20:31 | Creating PUG Templates
  • 21:45 | Setting Up HTTP Routes
  • 23:55 | Integrating TypingDNA (Backend)
  • 33:15 | Integrating TypingDNA (Front-End)
  • 40:34 | Validating One-Time-Password
  • 52:30 | Conclusion

#typingdna #2fa #security #developer

Kim Hans  Jin

Kim Hans Jin

1597374154

Python Tutorial - Integrating 2FA/MFA using PyOTP

You must have come across buzzwords such as “MFA”, “2FA” at some point but what do they really mean? Why are they so popular these days? And why is it becoming such a focal point in the security layer?

What is 2FA/MFA?

2FA/MFA stands for 2-Factor/ Multi Factor Authentication. Conventional authentication system require only your username and password. We call such type of Auth Systems as “SFA” (Single Factor Authentication).In MFA, multiple factors combine together to prove that it’s actually you who’s trying to access the system. Currently there are three types:

  • Something that you know (your password, maybe a couple of security questions.)
  • Something that you own/ Something that you have (your mobile phone).
  • Something that you are (Thumb Print/ Face recognition etc.)

2FA is just a subset of MFA. It involves 2 factors while authenticating a user:

  • Username/password.
  • One time password sent to your device.

Standards for generating an OTP

One Time Password (OTP) is generated using a shared secret key and another factor such as counter or time. Two main standards for generating an OTP are HOTP and TOTP. Event-based OTP (also called HOTP) is the original One-Time Password algorithm and relies on two pieces of information: A shared secret and a counter. The first step involves generating an HMAC hash from the shared secret and counter. In the next step we truncate the resultant HMAC hash to our desired length (6 digits preferably) to obtain an OTP. The counter is then incremented on the server side to obtain a new OTP.

HOTP is great but incrementing the counter can become a headache. Also, HOTP pass-codes can be valid for a pretty long time, hence putting our system at risk. To solve these problems, we are going to discuss the second standard known as TOTP.

#python #2fa #django #pyotp #mfa