I updated the authentication features of CodeWatch over the weekend to support two-factor authentication (2FA). This is an update I’ve wanted to make for a while but never seemed to have the time due to other commitments or projects. I waited a few days so that I could test before posting. If you have an account, you can now go into the “Account” tab and click the “Two Factor” option to configure this setting.
What this means is that you can add a second factor of authentication to your account. For more information on 2FA, see this Wikipedia entry. The system currently supports two different 2FA options; SMS based phone 2FA and email based 2FA. All you have to do is enable 2FA for your account, configure email or phone based 2FA, and then enter a PIN. The PIN can really be any value and might be a little overkill (think second password, but without the same complexity and length requirements).
I am using the Time-based One Time Password Algorithm (TOTP) to create the 2FA token. You can read more about this here. I leveraged information from the PHP site here as well as this Github project here for implementation in my app.
Additional security properties include:
- The token length is 8 digits.
- I am using the openssl_random_pseudo_bytes function with a 32 byte length value to generate a random key to seed each TOTP token.
- The token is only valid for 180 seconds. I felt this was a reasonable time to receive and enter the token.
- The token is stored in memory and is single use only; it is removed after the first successful usage or after the 180 seconds has expired.
- The PIN used in combination with the token is stored as a hash using bcrypt, an IV unique to each account, and a work factor.
I decided to use Twilio for SMS based integration. I had never used Twilio before but was happy to find that for my simple purposes it was crazy easy. It took maybe a few minutes to figure out, implement, and test.
- Apache Security
- OWASP 2010 A1
- OWASP 2010 A10
- OWASP 2010 A2
- OWASP 2010 A3
- OWASP 2010 A4
- OWASP 2010 A5
- OWASP 2010 A6
- OWASP 2010 A7
- OWASP 2010 A9
- OWASP 2013 A9
- Penetration Testing
- PHP Security
- Social Engineering
Top TagsASVS 3.1 ASVS 3.2 ASVS 3.3 ASVS 3.4 ASVS 3.5 ASVS 3.6 ASVS 3.7 ASVS 3.8 ASVS 3.9 ASVS 3.10 ASVS 3.11 ASVS 3.12 ASVS 3.13 ASVS 11.4 bcrypt Burp Suite Pro CodeWatch CryptoPP Hashcat Hyperion Java Linux Metasploit Meterpreter mimikatz msfencode msfpayload Ophcrack OWASP 2010 A1 - Injection OWASP 2010 A2 - Cross-Site Scripting (XSS) OWASP 2010 A3 - Broken Authentication and Session Management Penetration Testing Phishing PHP Powershell Python SET Shellcodeexec Social Engineering Unix Veil VirusTotal WAF Web App Pentesting Windows