Spring Security OTP Plugin for Grails

by Rafael Luque
on 20 November 2014

Transcript of Spring Security OTP Plugin for Grails

Spring Security OTP Plugin
On Strengthening Authentication for Grails Applications
Rafael Luque

Our Motivations

Passwords are easier to crack than ever.

Secure access to backends. In complex webapps we usually provide web-based tools for administrators (CMS, CRM, feature switching, reporting, KPIs, etc.). These are very powerful tools, and clients are not always security-conscious:
- Weak passwords
- Shared passwords
- Access from shared computers
- Access from non-secure environments

A single factor is easy to compromise. Let's use 2 factors!

How Secure Is Your Password?

Modern hardware (GPUs): an AMD Radeon HD7970 GPU can try on average 8.2 billion passwords each second. Project Erebus, with 8 GPUs, needs 12 hours to brute-force the whole keyspace of any 8-character password.

The growing list of leaked passwords allows programmers to write rules that make cracking algorithms faster. "The average web user maintains 25 separate accounts but uses just 6.5 passwords." (Landmark study, 2007: https://research.microsoft.com/pubs/74164/www2007.pdf)

Brute force vs. applying rules learnt from leaked passwords, e.g. Jesus1975:
- Brute force: 62^9 passwords to try, 19 days on an AMD Radeon HD7970.
- Rules: only 90 seconds running ocl-hashcat.
http://hashcat.net/oclhashcat-plus/
http://ob-security.info/?p=546

The winners of the "Crack Me If You Can" contest at DEFCON 2011 cracked 88,546 passwords in 48 hours.
http://contest-2011.korelogic.com/stats_CCDE2FAB9599C0A6.html

Just six days after the leak of 6.5 million LinkedIn password hashes, more than 90% of them were cracked.
http://arstechnica.com/security/2012/08/passwords-under-assault/

Check your passwords now at: http://howsecureismypassword.net/

What Is 2FA?

"An approach to authentication which requires the presentation of two or more of the three authentication factors." (Wikipedia)

- Knowledge factor, "something the user knows": password, passphrase, PIN.
- Possession factor, "something the user has": keys, PKI certificate, credit card, smartcard, phone.
- Inherent factor, "something the user is": fingerprints, iris, facial look, retina vessels.

Any two of the factors combined give 2FA; all three give 3FA.

One-Time Passwords

"A one-time password (OTP) is a password that is valid for only one login session or transaction." (Wikipedia)

OTP Pros/Cons

Pros: avoids the classic attacks.
- Keyloggers
- Shoulder surfing
- Social engineering
- Brute force (the code expires long before its small numeric space can be enumerated, provided login attempts are rate-limited)
- MITB & MITM (only when the OTP is delivered over an out-of-band channel; a code typed into a phishing page can be relayed like any other password)

Cons:
- Difficult to memorize.
- You need a paper list or an electronic generator.
- Easily lost.

Where Can You Use OTP Today?
- Google/Gmail
- AWS
- LastPass
- Facebook
- Dropbox
- ...and in your Grails apps

Spring Security OTP Plugin

Adds One-Time Password authentication to Grails applications using Spring Security. Implements OATH Time-based OTP (TOTP, RFC 6238).

Installation, Configuration, Sample App

Installation: using the install-plugin command or adding the plugin dependency to BuildConfig.groovy. Available at OSOCO's GitHub:
https://github.com/osoco/grails-spring-security-otp
Planning to publish in the Grails central repo in the following days.

Sample application spring-security-otp-sample:
At GitHub: https://github.com/osoco/spring-security-otp-sample
Deployed on CloudFoundry: http://spring-security-otp-sample.cloudfoundry.com

Built during OSOCO Hacker Fridays.
http://mindfood.osoco.es/index.php/hacker-fridays-o-catalizadores-de-la-innovacin/

@rafael_luque
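The talk says the plugin implements OATH time-based OTP (RFC 6238) and quotes the definition of an OTP as a password valid for only one login. The following is an added example, written for this page and not taken from the plugin or the sample application: a standard-library Python implementation of HOTP/TOTP checked against the RFC 6238 Appendix B test vectors (the 20-byte ASCII seed "12345678901234567890" with HMAC-SHA1), an otpauth:// provisioning URI of the kind authenticator apps read from a QR code, and a server-side verifier that tolerates one step of clock drift, compares in constant time and refuses to accept a code for a time step that has already been consumed. The account names and the login sequence in demo_login_sequence are constructed for illustration.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example, not the Grails plugin's code. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# The 20-byte ASCII seed from RFC 6238 Appendix B (HMAC-SHA1 test vectors).
RFC6238_SHA1_SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds per counter value, the RFC default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = TIME_STEP, t0: int = 0) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock."""
    return hotp(secret, (unix_time - t0) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = TIME_STEP) -> str:
    """otpauth:// URI for enrolling an authenticator app.
    The raw secret is base32-encoded without padding."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1",
         "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check with the properties a login endpoint needs:
    tolerate `window` steps of clock drift each way, compare in constant
    time, and never accept a code for a time step at or before the last
    step already consumed by that account (one login per code)."""

    def __init__(self, secret: bytes, digits: int = 6,
                 step: int = TIME_STEP, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self._last_step = {}  # account -> last accepted counter value

    def verify(self, account: str, code: str, unix_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_step.get(account, -1):
                continue  # replayed, or older than a code already used
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_step[account] = counter
                return True
        return False


def demo_login_sequence() -> list:
    """Constructed sequence for one account: a fresh code at t=59, the same
    code replayed at t=59, a one-step-old code at t=95 (inside the drift
    window), a code from the very first step at t=95 (outside it)."""
    v = TotpVerifier(RFC6238_SHA1_SEED)
    return [v.verify("alice", totp(RFC6238_SHA1_SEED, 59), 59),
            v.verify("alice", totp(RFC6238_SHA1_SEED, 59), 59),
            v.verify("alice", totp(RFC6238_SHA1_SEED, 60), 95),
            v.verify("alice", totp(RFC6238_SHA1_SEED, 0), 95)]


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC seed:", totp(RFC6238_SHA1_SEED, now))
    print(provisioning_uri(RFC6238_SHA1_SEED, "alice@example.com", "MyGrailsApp"))
    print(demo_login_sequence())
```

Two things the RFC leaves to the deployer and that the verifier above makes explicit: the drift window is what lets a phone whose clock is 30 seconds off still log in, and the per-account "last accepted step" is what turns a time-based code into a genuinely one-time one, since within the window the same code would otherwise validate twice.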
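The "How Secure Is Your Password?" section contrasts a 62^9 brute-force keyspace for Jesus1975 (19 days on one HD7970) with a 90-second rule-based run in ocl-hashcat. The following added example, not from the talk, puts numbers on that contrast with the talk's own 8.2 billion guesses/second figure and then recovers the same password from a tiny constructed "leaked" wordlist using a handful of hashcat-style mangling rules. Unsalted SHA-1 is used only because that is what the LinkedIn dump used; the wordlist, the rule set and the target hash are all constructed here.

```python
"""Brute force vs. rule-based cracking, in numbers and in practice.

Added example for the password-cracking section; not from the talk.
"""
import hashlib
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
HD7970_GUESSES_PER_SECOND = 8.2e9                      # figure quoted in the talk

# Constructed stand-in for a leaked wordlist.
LEAKED_WORDS = ["password", "jesus", "linkedin", "football", "princess"]


def sha1_hex(candidate: str) -> str:
    """Unsalted SHA-1, as in the LinkedIn dump; a fast hash is what makes
    billions of guesses per second possible in the first place."""
    return hashlib.sha1(candidate.encode()).hexdigest()


def brute_force_keyspace(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Number of candidates for an exhaustive search of the given length."""
    return alphabet_size ** length


def brute_force_days(length: int, rate: float = HD7970_GUESSES_PER_SECOND) -> float:
    """Days to exhaust that keyspace at the given guess rate."""
    return brute_force_keyspace(length) / rate / 86400


def mangle(word: str):
    """A few hashcat-style rules learnt from leaked passwords: case changes,
    appended years and common suffixes, a basic leet substitution."""
    forms = [word, word.capitalize(), word.upper()]
    for base in forms:
        yield base
    for base in forms:
        for year in range(1950, 2015):
            yield base + str(year)
        for suffix in ("1", "12", "123", "!", "1!"):
            yield base + suffix
    leet = word.translate(str.maketrans("aeios", "43105"))
    if leet != word:
        yield leet
        yield leet.capitalize()


def crack(target_hex: str, wordlist):
    """Return (password, candidates_tried), or (None, candidates_tried)."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if sha1_hex(candidate) == target_hex:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    target = sha1_hex("Jesus1975")   # constructed target, not a real leaked hash
    found, tried = crack(target, LEAKED_WORDS)
    print(f"brute force: {brute_force_keyspace(9):,} candidates, "
          f"{brute_force_days(9):.1f} days at {HD7970_GUESSES_PER_SECOND:.1e}/s")
    print(f"rules: recovered {found!r} after {tried} candidates")
```

The point the numbers make is that a password's strength is not its length or character classes but its distance from what rules can derive from already-leaked material; a word plus a birth year is a few hundred candidates, not 62^9.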