Home

Yubikey One-Time Password Authentication

Issue 177

From Issue #177
January 2009

Jan 01, 2009  By Dirk Merkel
 in
How to add one-time passwords to your own system for added security without investing in an expensive authentication infrastructure.
Adding Yubikey Authentication to Typo

Now that we have a solid understanding of the underlying technology, let's add Yubikey authentication to an existing application. I use Typo to blog. Typo is developed using Ruby on Rails, and you can check out its latest codebase via the project's public Subversion repository. Whether or not you like the structure RoR imposes on the developer, it works to our advantage in this case, because it makes it easy to locate the files we need to modify. Take a look at Figure 5 for a basic outline of the validation routine we will be implementing.

Figure 5. Yubikey OTP Validation Flow

To start, let's drop the Ruby Web services client library, yubico.rb, into the project's lib directory. After adding the corresponding require command to the config/environments.rb file, we can be assured that the library will be available throughout the application.

Two groups of settings are necessary to configure Yubikey authentication. First, there are the site-wide settings, namely the API key and corresponding ID necessary to submit authentication requests to the Web service. There also is a switch for enabling or disabling Yubikey authentication on a blog-wide level. Typo stores these blog-specific settings by serializing them and persisting them to the blogs.settings column. Lucky for us, that means we don't have to make any changes to the database. However, we do need to amend the UI and data model used to store these settings within the application. Listing 1 shows how to add these three Yubikey configuration options to the respective HTML template in the admin user interface. Similarly, Listing 2 shows how to add those same settings to the model. That's all it takes for Rails to render a form to input those settings and store them in the database for each blog. Figure 6 shows the final result.

Listing 1. Typo: Blog-Wide Yubikey Settings HTML


filename: app/views/admin/settings/index.html.erb

...
<!-- Yubikey authentication - start -->
<fieldset id="authentication" class="set" style="margin-top:10px;">
  <legend><%= _("Authentication")%></legend>
  <ul>
    <li>
      <label class="float"><%= _("Require Yubikey OTP")%>:</label>
      <input name="setting[yubikey_required]"
          id="yubikey_required" type="checkbox" value="1"
          <%= 'checked="checked"' if this_blog.yubikey_required%> />
      <input name="setting[yubikey_required]" type="hidden"
          value="0" />
    </li>
    <li>
      <label for="yubikey_api_id"
          class="float"><%= _("Yubico API ID")%>:</label>
      <input name="setting[yubikey_api_id]" id="yubikey_api_id"
          type="text" value="<%=h this_blog.yubikey_api_id %>"
          size="6" />
    </li>
    <li>
      <label for="yubikey_api_key"
          class="float"><%= _("Yubico API Key")%>:</label>
      <input name="setting[yubikey_api_key]"
          id="yubikey_api_key" type="text"
          value="<%=h this_blog.yubikey_api_key %>" size="50" />
    </li>
  </ul>
</fieldset>
<!-- Yubikey authentication - end -->
...

Listing 2. Typo: Adding Blog-Wide Yubikey Settings to Model

filename: app/model/blog.rb

...
  # Authentication
  setting :yubikey_required,       :boolean, false
  setting :yubikey_api_id,         :string, ''
  setting :yubikey_api_key,        :string, ''
...

Figure 6. Typo: Blog-Wide Yubikey Settings UI

Second, there are two user-specific settings: Yubikey ID and Yubikey Required. The former is necessary to associate a Typo account with a user's unique public Yubikey ID; whereas the latter allows users to enable Yubikey authentication selectively for their accounts only. Now, let's make both options available from the user's preference settings within the application's admin interface. To make the new options appear in the UI, I added a new section to the partial HTML template that renders the form for editing user options (Listing 3). Thanks to RoR's ActiveRecord support, we don't need to write any code to save these new options to the database; however, we do need to make sure that we add the correspondingly named fields to the user table to which all values on this screen are being persisted. In Rails, this is done by adding a database migration, which is nothing more than an abstract way of describing an incremental modification to the database. In our case, we are adding the fields yubikey_id and yubikey_required to the user table by creating the migration shown in Listing 4. Now, all you need to do is run the rake utility from the command line and tell it to upgrade the database: rake db:migrate. The nice thing about Rails' migrations is that they are database-provider independent. The migration we created in Listing 4 can be used with any of the underlying databases that Typo supports. At the time of this writing, this includes MySQL, PostgreSQL and SQLite. Finally, you can admire the new settings in the account-specific options in Figure 7.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

bad link

Christian Peper's picture
Submitted by Christian Peper (not verified) on Mon, 04/27/2009 - 04:26.

FYI

the link to supported apps is broken.
http://yubico.com/applications/software/ is the correct one

Swekey

Swekey's picture
Submitted by Swekey (not verified) on Mon, 03/30/2009 - 08:23.

Hi Dirk,

If you are interested in authentication you should also have a look on the swekey.

It is a totally different approach than the Yubikey.

If you want a free sample for evaluation I'll be happy to send you one...

Regards,

Luc

2 step authentication

Anonymous's picture
Submitted by Anonymous (not verified) on Sat, 03/14/2009 - 17:16.

What is to prevent the attacker from simulating the response to the first step? More than a simple challenge to the user will be too much of a burden to the user, while a simple challenge will likely be easy to work-around.

I would suggest using the Yubikey device with HTTP Digest Authentication. Of course, the Yubikey OTP will have to be entered in the User Name field, not the password.

It is 10 dreams come true!

Jane's picture
Submitted by Jane (not verified) on Wed, 12/17/2008 - 17:51.

Secure, elegant, and innovative!

http://mashedlife.com//dream2.php

Keep the good work!

Webcast
More Resources
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions