1. 17 Wed '13

    Effortless Two-Factor Authentication in Rails

    #ruby #rubygems #rails #open source

    Today’s web applications face all kinds of security intrusions, commonly derived from password-cracking attacks. The user might even write the password somewhere accessible to untrusted parties, making it easy for identity thieves to access private information or, worse, take over the user’s account.

    One of the most effective ways to address this situation is to require additional secrets that the real account owner can obtain through another channel after signing in with the regular email and password. These additional secrets are known as One-Time Passwords and are the keystone of Two-Factor Authentication.

    Implementing One-Time Passwords should not be a painful task; this is why we are introducing the ActiveModel::Otp gem.

    ActiveModel::Otp works on any Rails application and can be configured in just a few steps. First we’re going to add a field to our User model, so each user can have an OTP secret key.

    We’ll then need to run rake db:migrate to update the users table in the database. The next step is to update the model code: we call has_one_time_password to tell the model that it will use TFA.

    The has_one_time_password declaration provides the model with some useful methods for implementing our TFA system. The otp_secret_key is generated and saved automatically when an object is created, following RFC 4226 (the HOTP RFC). This is compatible with the Google Authenticator apps available for Android and iPhone, and now in use on Gmail.

    • Getting the current code (you can also send it via SMS)
    • Authenticating using a code
    • Authenticating using a slightly old code

    Google Authenticator Compatible

    The library works with the Google Authenticator iPhone and Android app, and also includes the ability to generate provisioning URIs to use with the QR code scanner built into the app.

    The provisioning URI can be rendered as a QR code, which is then scanned and added to the user’s list of OTP credentials.
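    To make the three capabilities listed above (current code, code authentication, tolerating a slightly old code) and the provisioning URI concrete, here is an added stand-alone Ruby example of the HOTP/TOTP arithmetic and otpauth:// URI that such a model method wraps. It is not the gem’s code; the secret is the RFC 4226/6238 test key, and the label, issuer and drift parameter names are this example’s own.

```ruby
require "openssl"

# Added example (not the gem's code): HOTP (RFC 4226), time-based TOTP (RFC 6238),
# drift-tolerant verification, and the otpauth:// URI Google Authenticator scans.
module OtpDemo
  # RFC 4226 / RFC 6238 test key as raw ASCII bytes (constructed input).
  RFC_SECRET = "12345678901234567890".freeze
  BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".freeze

  # HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
  def self.hotp(secret, counter, digits: 6)
    hmac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>")).bytes
    offset = hmac[19] & 0x0f                      # low nibble of the last byte
    code = (hmac[offset] & 0x7f) << 24 | hmac[offset + 1] << 16 |
           hmac[offset + 2] << 8 | hmac[offset + 3]
    format("%0#{digits}d", code % 10**digits)
  end

  # TOTP: HOTP with the counter taken from the clock in 30-second steps.
  def self.totp(secret, time = Time.now.to_i, step: 30, digits: 6)
    hotp(secret, time / step, digits: digits)
  end

  # Constant-time comparison so a partially correct code does not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Accept the current code or one up to +drift+ steps old/new (the "slightly
  # old code" case); drift: 0 accepts only the current 30-second window.
  def self.authenticate(secret, code, time = Time.now.to_i, step: 30, drift: 0, digits: 6)
    counter = time / step
    (-drift..drift).any? { |d| secure_equal?(hotp(secret, counter + d, digits: digits), code.to_s) }
  end

  # Unpadded RFC 4648 Base32, which is how the secret travels inside the URI.
  def self.base32(bytes)
    bytes.unpack("B*").first.scan(/.{1,5}/).map { |c| BASE32[c.ljust(5, "0").to_i(2)] }.join
  end

  # Key URI format understood by Google Authenticator; label is the account name.
  def self.provisioning_uri(secret, label, issuer: nil)
    uri = "otpauth://totp/#{label}?secret=#{base32(secret)}"
    issuer ? "#{uri}&issuer=#{issuer}" : uri
  end
end
```

    The expected values below are the published RFC test vectors, so the arithmetic can be checked without a phone.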

    Working example

    Scan the following barcode with your phone, using Google Authenticator.

    QRCODE

    Now run the following and compare the output:

    You can fork the Google Authenticator application for iPhone & Android and customize it.

    We’ll probably enhance the gem with nice Rails generators and client libraries for iOS and Android. Follow this blog to get updates on this gem and other open-source initiatives of our company.

    Posted by Roberto Miranda | robermiranda