Two-factor authentication via SMS with the ladies and preference

This is a story about how the elementary field "enter the code from SMS" was the bike built with a large number of wheels of irregular shape. I invite you to criticize universal module for two-factor authentication.

image


Problem


One day the chief asked to tie one to a web service two-factor authentication. Users have long been included by login and password, and you needed to add login validation by SMS. A suitable ready-made solutions in the network is not found, then you need to do yourself. What is there to do in the evening everything will be! In General, three days later, the login form is requested the cell phone number and demanded to enter the code from SMS. The SMS went through the API of one of the many SMS providers for little money.

Soon the decision was with a file transferred to another web admin panel on PHP. In a few weeks began to fall a lot of complaints that text messages arrive with a huge delay, or not come at all. Decided to change the gateway to send messages. Of course, at both services. Helped not for a long time, it has become clear that we need backup channel send. Spend a day or two. Next few months one of the services the malefactor had clical all the money that was on account of the SMS provider. I had a little more to complicate the system, and duplicate the solution. The following failure occurred when the mobile operators switched to new rules for sending SMS regarding the content of the sender field. At the same time accidentally it was discovered that the two colleagues in the office doesn't come free for the entrance of the Bank-customers of two different very large banks. Then it became clear – enough is enough, the world needs a universal solution for two-factor authentication via SMS!

problem Statement


It was decided to make a super versatile and reliable module two-factor authentication via SMS, which is easy to embed on any website, and sell it by subscription! Long live startup!

For portability and security resolved all that is possible to make the server send the SMS in JavaScript, to on the site server as much as possible code. After thoughtful reflection happened here-this architecture.

image

It is understood that the site server to connect two-factor authentication only checks the username and password. After you connect, check username, password and approval from the authorization server by SMS. The authorization server via SMS will store user IDs and telephone numbers, and usernames and passwords will remain to him is not known.

Request from the website to the authorization server goes through the user's browser. The site server is completely abstracted from the concept of SMS and only gets approval from the authorization server. The site server sets cookie with the request for confirmation by SMS. JavaScript detects the cookie and initiates interaction with the server sending SMS via AJAX. A success message check SMS sent to the server of the website also use cookies. The website produces an authorization when it is passed the correct username, password and the cookie confirmation from the authorization server by SMS.

Security


Requests between site servers and authorization are passed through the user's browser. So he couldn't replace them, will each request to sign a key that you know both servers, but does not know the browser. We will also set the expiration date of a data packet, transmitted between servers. After these restrictions, the maximum that can be done after the full compromise of the browser to intercept your login, password and approval from the authorization server. This will allow you to log into the attacked website from another computer. It is assumed that the attacker in this case will go easier, and just want the session!

If compromised, the authorization server, the attacker learns the user phone and will be able to forge responses from the authorization server. However, to access accounts on the website this is not enough, you need to know logins and passwords, which the authorization server.
The browser and the authorization server communicate via AJAX over https, intercepting their data is problematic. If the authorization form on the website also works for HTTPS, here to attack hard, otherwise the two-factor authentication will not benefit from more than simple theft of session.

In sum, this approach to two-factor authentication although it looks confusing, but the impression is very safe.

done


Actually look and you can download it on magiclogin.ru.

image

At the moment the module is two-factor authentication via SMS brought to a healthy state and is running on several sites.

the
    the
  • Written a PHP class for installation on the site server, there are detailed installation instructions.
  • the
  • Interface "Enter the code from SMS" is implemented as a modal window, which is generated from JavaScript.
  • the
  • Support IE 7+, modern Chrome, Firefox, Opera, Safari, Android.
  • the
  • the User can change the phone number.
  • the
  • you Can allow users to opt out of two-factor authentication.
  • the
  • Have admin panel to view statistics and payment.

future plans


the
    the
  • to Make plugins for the main engines in PHP.
  • the
  • like to make the class for the site server in C#, Java, Python.
  • the
  • to Make a designer color scheme modal window.

If You have suggestions for functionality, please leave feedback in the comments.
Article based on information from habrahabr.ru

Комментарии

Популярные сообщения из этого блога

ODBC Firebird, Postgresql, executing queries in Powershell

garage48 for the first time in Kiev!

The Ministry of communications wants to ban phones without GLONASS