The Internet belongs to everyone. Let’s keep it that way.

Protect Net Neutrality
Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Spring Security OTP Plugin for Grails

No description

Rafael Luque

on 20 November 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Spring Security OTP Plugin for Grails

Our Motivations What is 2FA? "An approach to authentication which requires the presentation of two or more of the three authentication factors." One-Time Passwords "A one-time password (OTP) is a password that is valid for only one login session or transaction." Spring Security OTP Plugin Adds One-Time Password authentication to Grails applications using Spring Security.
Implements Oath Time-based OTP (RFC 6238). Spring Security OTP Plugin Rafael Luque On Strengthening Authentication for Grails Applications Passwords are easier
to crack than ever Secure Access
to Backends A single factor is easy to

Let's use 2 factors ! In complex webapps we usually provide web-based tools for administrators Clients not always are security-conscious Very powerful tools: Weak passwords
Shared passwords
Access from shared computers
Access from non-secure environments How secure is your password? Modern Hardware (GPUs) Growing list of leaked passwords allows programmers to write rules to make cracking algorithms faster "The average web user maintains 25 separate accounts but uses just 6.5 passwords." Landmark Study (2007) AMD Radeon HD7970 GPU can try on average 8.2 billion of passwords each second. Project Erebus 8 GPUs: 12 hours to brute force all keyspace for any 8-char password. Brute Force Applying rules learnt by leaked passwords E.g. Jesus1975 62^9 passwords to try.
19 days in AMD Radeon HD7970. Only 90 seconds running ocl-hashcat "Crack Me If You Can" contest at DEFCON 2011 winners cracked 88,546 passwords in 48 hours. Just six days after the leak of 6,5 million LinkedIn password hashes more than 90% of them were cracked. --- Wikipedia Posession Factor Inherent Factor Knowledge Factor "Something the user knows" "Something the user has" "Something the user is" password
PIN keys
PKI certificate
credit card
phone fingerprints
facial look
retina vessels 2FA 2FA 2FA 3FA --- Wikipedia OTP Pros/Cons Avoid classic attacks Cons Keyloggers
Shoulder surfing
Social engineering
Brute force
MITB & MITM (only out-of-band channel). Difficult to memorize.
You need a paper list or an electronic generator.
Easyly lost. Where Can You Use OTP Today? Google/Gmail
...and in your Grails apps Installation Configuration Sample App Using install-plugin command or adding the following to BuildConfig.groovy: Available at OSOCO's GitHub: Planning to publish in Grails central repo in the following days. Sample application spring-security-otp-sample:

At GitHub:

Deployed on CloudFoundry: Check your passwords now at: @rafael_luque CMS
Feature switching
etc. Built during OSOCO Hacker Fridays.
Full transcript