An open source strong authentication server for less than $100!
André Liechti, CTO
SysCo systèmes de communication sa
(Neuchâtel, Switzerland)
Dev(Talks): Bucharest, Romania 2015-06-11
http://www.multiOTP.net

Schedule
– Why regular passwords are never strong enough?
– What about a different solution for more security?
– multiOTP, an open source library solution
– How to set up an authentication device for less than $100?
– Live-Demo with multiOTP installed on a Raspberry Pi
– Some questions?

WHY REGULAR PASSWORDS ARE NEVER STRONG ENOUGH?
(on the Internet, but elsewhere too…)

Why regular passwords are never strong enough?
Same password for a lot of applications…

Some nice hardware tools…
Key logger…
Camera in car key…

... and some «nicer» hardware tools… ;-)
fake USB keyboard mounted in a memory stick…
wireless key logger…
and so on…

WHAT ABOUT A DIFFERENT SOLUTION FOR MORE SECURITY?

What about a different solution for more security?
• Two-factor authentication
• An everyday use of the combination of knowledge and possession factors: the ATM machine
– We have the physical ATM card and we know our personal PIN

Strong authentication with one-time password
• No software installation is required for the user (compatible with every OS and web browser)
• Secret PIN + scratch passwords list

Passwords list usage
• Login = username + secret PIN + next password on the list
[Diagram labels: Lists on the server; List for User A]

Historical market leader
• Time-based automatic generator with a secret algorithm
– 70% of the market in 2003 (25 million devices had been sold up to 2003)

First open-source one-time password solution
• Mobile-OTP (2003)
– Hash (md5) of a “PIN code + time based algorithm”
– open source, more than 40 different implementations
– Java J2ME for mobile phones
– Unix shell script on server side

Standardized one-time password generator
• HOTP: HMAC-based One-time Password Algorithm (2005)
– code construction is based on an HMAC hash function
– open standard (OATH: Initiative for Open Authentication)
– RFC 4226
[Diagram labels: Counter, Secret seed, HMAC hash, 0379]

HOTP authentication mechanism
[Diagram labels: User, Server, 0382, 754812, 0380-0384, 0379, 0383-0387]

No synchronization problem anymore with TOTP
• TOTP: Time-based One-time Password Algorithm (2008)
– based on HOTP
– The counter is now the time divided into slices of 30 seconds
– RFC 6238
[Diagram labels: Secret seed, HMAC hash, Time counter]

TOTP authentication mechanism
[Diagram labels: User, Server, 754812]
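
Added example (not from the slides or the multiOTP code base): HOTP per RFC 4226, the TOTP counter per RFC 6238, and the server-side checks behind the two mechanism slides, reading the HOTP diagram labels as a server at counter 0379 that accepts 0380-0384 and moves its window to 0383-0387 once the token's 0382 code is used. The class names, window sizes and sample seed are assumptions; the TOTP delta follows the talk's note on time resync after a successful check.

```python
# Added example, not multiOTP code. Seeds and counters are constructed samples.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_counter(unix_time: int, step: int = 30) -> int:
    """RFC 6238: the counter is the number of 30-second slices since the epoch."""
    return unix_time // step


class HotpVerifier:
    """Event-based token: the server stores the last counter it accepted."""

    def __init__(self, secret: bytes, last_counter: int, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = last_counter
        self.look_ahead = look_ahead             # assumed; 5 matches 0380-0384

    def verify(self, code: str) -> bool:
        # Try only counters above the last accepted one: a used or skipped
        # code can never be replayed, and the window bounds guessing.
        first = self.last_counter + 1
        for counter in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter      # resynchronise on the token
                return True
        return False


class TotpVerifier:
    """Time-based token: tolerate clock drift, accept each slice only once."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps           # slices accepted either side
        self.last_step = -1                      # newest slice already used
        self.delta = 0                           # learned token/server offset

    def verify(self, code: str, now: int) -> bool:
        server_step = totp_counter(now)
        centre = server_step + self.delta
        for step in range(centre - self.drift_steps, centre + self.drift_steps + 1):
            if step < 0 or step <= self.last_step:
                continue                         # replay of an accepted slice
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                self.delta = step - server_step  # delta recalculated on success
                return True
        return False


def slide_scenario() -> tuple:
    """Counter values from the HOTP slide: server at 0379, token pressed to 0382."""
    secret = b"constructed-demo-seed"            # sample secret, not a real seed
    server = HotpVerifier(secret, last_counter=379)
    accepted = server.verify(hotp(secret, 382))  # inside window 0380-0384
    replayed = server.verify(hotp(secret, 382))  # same code offered again
    return accepted, server.last_counter, replayed


if __name__ == "__main__":
    print(slide_scenario())                      # window has moved to 0383-0387
```

The look-ahead window trades usability for guessing resistance: each extra counter the server tries is one more valid code at any moment, so a wider window should come with attempt throttling.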

Yubico OTP

Yubico OTP code

YubiCloud

Some HOTP and TOTP tokens

SMS-token
[Diagram labels: Auth. Server; SMS-token; username + password + SMS-token]

multiOTP - A PHP OPEN SOURCE LIBRARY SOLUTION

History of the multiOTP package
• 2009 PHP PoC implementing the Mobile-OTP protocol
• 2010 class creation with basic TOTP/HOTP
• 2011 Workshop during ASFWS 2011 (Application Security Forum)
• 2012 Wider deployment in the community and feedback
• 2013 New functionalities
– SMS tokens
– scratch passwords list
– QRcode/URL provisioning
– Client/server implementation with local cache
– MySQL backend support

History of the multiOTP package /2
• 2014 Certification and more functionalities
– OATH certified
– Yubico OTP support (YubiKey)
– Active Directory and LDAP synchronization
– Support for Active Directory / LDAP passwords (instead of PIN)
– First Raspberry Pi implementation
• 2015 Enhancements
– More options based on user feedback
– Better performance on Raspberry Pi with special proxy
– More AD / LDAP fields support
– Web GUI enhancements

multiOTP
• Why did we develop the multiOTP package?
– no free and easy to use solution for small companies
– a lot of existing commercial products need Windows Server
– existing products need a lot of resources
• Why open source?
– To receive feedback and proposals from the users
– security issues are analyzed by other developers
– users can be sure that there is no Trojan and other NSA-friendly “tools” in our code

multiOTP concept
• open source PHP class (embedded in only one file)
– OS independent
– Works also on any web server, including in shared hosting
• data are stored in flat files or in a MySQL database
• all methods are implemented in a command line tool
– Command line tool is compatible with the centralized open source authentication server FreeRADIUS
– The system administrator can create scripts in order to handle the package and to create users

multiOTP concept (2)
• common standards are supported
– Mobile-OTP, HOTP, TOTP, Yubico OTP
– SMS tokens
– scratch passwords list
• simple web GUI for all common tasks (since 2014)
• HOTP and TOTP software tokens can simply be configured by scanning a QRcode generated by multiOTP
• hardware tokens definition files can be imported
– some proprietary files are supported (Authenex or SafeNet definition files)
– any standard PSKC files (since December 2013)
– Yubico log file in Traditional format (since November 2014)

multiOTP library website integration in 4 lines!
    require_once('multiotp.class.php');                   // the whole library is this one file
    $multiotp = new Multiotp('MyPersonalEncryptionKey');  // encryption key (placeholder value)
    $multiotp->SetUser($user);                            // account to authenticate
    $result = $multiotp->CheckToken($tokens);             // numeric result code of the check

multiOTP package can be installed on Windows
• RADIUS authenticator installed in 3 minutes!
• browse to http://www.multiOTP.net
• download the latest version
• unpack the files in the C:\multiotp folder
• read the readme file ;-)
• install the FreeRADIUS service
– C:\multiotp\radius_install.cmd
• that’s it!

multiOTP: How to create a user
• create the user on the server side
C:\multiotp>multiotp -fastcreate devtalks
11 INFO: User successfully created or updated
• save the QRcode image in a file
C:\multiotp>multiotp -qrcode devtalks C:\multiotp\devtalks.png
16 INFO: QRcode successfully created
• Send the QRcode to the user (using a secure channel!)
• … or simply use the web interface to create a user and print a nice HTML provisioning page ;-) !

multiOTP: simple web GUI

multiOTP: easy QRcode provisioning
Scan it with the Google Authenticator app!

multiOTP: Typical usage

HOW TO SET UP AN AUTHENTICATION DEVICE FOR LESS THAN $100?

Hardware selection
• Raspberry Pi
– very cheap (< $40)
– no OS licence (Debian Linux or others)
– widely distributed
– community support
– microUSB powered
– CPU 700 MHz (ARM)
– RAM 512 MB

How to make your own strong authentication server?
5V power supply ($10)
SD card with Debian Linux for Raspberry Pi ($10)
Raspberry Pi enclosure ($10)
+ multiOTP ($0)
80

LIVE-DEMO WITH multiOTP INSTALLED ON A Raspberry Pi

Thanks for your attention!
André Liechti
SysCo systèmes de communication sa
www.multiOTP.net
slideshare.net/andreliechti
@andreliechti
@multiotp



Editor's Notes

  • #2: French part of Switzerland; MSc in communication systems; BSc in Electronics
  • #3: Questions can also be asked during the talk.
  • #5: … it could be Santa Claus … or not! Everybody knows that hackers have a hood :_)
  • #10: We only need to print some papers. Banks were using this solution widely at the beginning.
  • #13: First iPhone: June 2007. Android, iOS, Windows Mobile, Palm, Maemo, HTML5, Java, etc.
  • #14: Initiative For Open Authentication (OATH)
  • #15: Synchronization problem may occur (button pressed in the pocket, connect to two different services)
  • #17: Time resync after each successful synchronization (delta calculation)
  • #24: Questions can also be asked during the talk.
  • #25: The Initiative for Open Authentication (OATH)
  • #26: The Initiative for Open Authentication (OATH)
  • #27: FreeRADIUS is also available for Windows