Yubikey One-Time Password Authentication
Listing 3. Typo: Account-Specific Yubikey Configuration Options HTML
filename: app/views/admin/users/_form.html.erb:
...
      <li>
        <label class="float" for="user_notify_on_new_articles"><%=
          _("Send notification messages when new articles are posted") %>?
        </label>
        <%= check_box 'user', 'notify_on_new_articles' %>
      </li>
      <!-- new options for Yubikey authentication - start -->
      <li>
        <label class="float" for="user_yubikey_required"><%=
          _("Yubikey Required") %>?
        </label>
        <%= check_box 'user', 'yubikey_required' %>
      </li>
      <li>
        <label class="float" for="user_yubikey_id"><%=
          _("Yubikey ID") %>:
        </label>
        <%= text_field 'user', 'yubikey_id' %>
      </li>
      <!-- new options for Yubikey authentication - end -->
    </ul>
  </fieldset>
<!--[eoform:user]-->
Listing 4. Typo: Yubikey Settings Database Migration
filename: db/migrate/071_add_yubikey_columns_to_user.rb:
class AddYubikeyColumnsToUser < ActiveRecord::Migration
  def self.up
    # public ID of the user's key (the first 12 characters of every OTP it emits)
    add_column :users, :yubikey_id, :string,
               :null => false, :default => ''
    # whether this particular account must present a Yubikey OTP at login
    add_column :users, :yubikey_required,
               :boolean, :null => false, :default => false
  end

  def self.down
    remove_column :users, :yubikey_id
    remove_column :users, :yubikey_required
  end
end

Figure 7. Typo: Account-Specific Yubikey Configuration Options UI
Now that we have the setup all taken care of, we can focus on the actual authentication during login. First, let's add a Yubikey OTP input field to the login screen provided that Yubikey authentication is enabled for the whole blog. I have done this by modifying the partial template that renders the login form in Listing 5. Notice that we always have to show the Yubikey OTP field during login, because until users supply their user names, we don't know whether Yubikey authentication is required for a particular user. Figure 8 shows the modified login screen.
When the login form is submitted, Rails routes it to the login method of the AccountsController class (Listing 6). This is where we add the logic to check whether we need to handle Yubikey authentication. After the existing code has verified the regular login and password, we now have an instantiated user object that can tell us whether Yubikey authentication is required for this user. If so, we invoke the static method authenticate_yubikey of the user object. Looking at Listing 7, we check that neither the Yubikey OTP from the login form nor the user's public Yubikey ID are blank. Moreover, by definition, the first 12 characters of the OTP have to match the public ID associated with the account. If everything is in order, we instantiate a Yubico object, which will handle the Web service authentication request for us. The method simply returns a boolean. True means the user was authenticated successfully. Conversely, false implies an invalid OTP or an attempt by an unauthorized user—possibly an attempt to hack into the account.
Listing 5. Typo: Modified Login Form HTML
filename: app/views/shared/_loginform.html.erb:
<% form_tag :action => "login" do %>
  <ul>
    <li>
      <label for="user_login"><%= _('Username') %>:</label>
      <input type="text" name="user_login" id="user_login" value="" />
    </li>
    <li>
      <label for="user_password"><%= _('Password') %>:</label>
      <input type="password" name="user_password" id="user_password" />
    </li>
    <!-- Yubikey authentication - start -->
    <% if this_blog.yubikey_required %>
      <li>
        <label for="yubikey_otp"><%= _('Yubikey OTP') %>:</label>
        <input type="text" name="yubikey_otp" id="yubikey_otp" />
      </li>
    <% end %>
    <!-- Yubikey authentication - end -->
    <li class="r"><input type="submit" name="login"
                         value="<%= _('Login') %> »"
                         class="primary" id="submit" />
    </li>
  </ul>
  <p><%= link_to "« " + _('Back to ') + this_blog.blog_name,
                 this_blog.base_url %></p>
<% end %>
Listing 6. Typo: Yubikey Authentication Part 1
filename: app/controllers/accounts_controller.rb:
...
  def login
    case request.method
    when :post
      self.current_user =
        User.authenticate(params[:user_login], params[:user_password])
      # Log the user in only if the password check passed AND one of:
      #   - Yubikey authentication is switched off for the whole blog,
      #   - this account does not require a Yubikey, or
      #   - the submitted OTP validates against the account's Yubikey ID.
      if logged_in? &&
         (!this_blog.yubikey_required ||
          !self.current_user.yubikey_required ||
          self.current_user.authenticate_yubikey(
            this_blog,
            self.current_user.yubikey_id,
            params[:yubikey_otp]))
        session[:user_id] = self.current_user.id
        flash[:notice] = _("Login successful")
        redirect_back_or_default :controller => "admin/dashboard",
                                 :action => "index"
      else
        flash.now[:notice] = _("Login unsuccessful")
        @login = params[:user_login]
      end
    end
  end
...
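The local checks described above for authenticate_yubikey (neither value blank, the first 12 characters of the OTP equal to the account's public ID) plus the overall decision that Listing 6 makes, as an added example that is not Typo's or the article's code; the function and constant names are assumptions, and the call to the Yubico validation service is replaced by an injected callable so the example runs offline.

```ruby
# Added example, not Typo's or the article's code: the local checks the
# article describes for authenticate_yubikey, run before the OTP is sent to
# the Yubico validation service. All names here are assumptions.
MODHEX_CHARS  = /\A[cbdefghijklnrtuv]+\z/
PUBLIC_ID_LEN = 12   # the key's public ID, fixed prefix of every OTP
OTP_LEN       = 44   # 12-character public ID + 32-character encrypted part

# Returns a symbol naming the first failed check, or nil when the OTP
# passes every local check and may be forwarded to the validation server.
def yubikey_otp_local_check(yubikey_id, otp)
  id  = yubikey_id.to_s.strip
  otp = otp.to_s.strip
  return :blank_id    if id.empty?        # account has no Yubikey ID set
  return :blank_otp   if otp.empty?       # field left empty on the form
  return :bad_length  unless otp.length == OTP_LEN
  return :bad_charset unless otp =~ MODHEX_CHARS
  # The first 12 characters identify the key; a mismatch means a different
  # key (or a guess) was presented, so there is no point asking the server.
  return :wrong_key   unless otp[0, PUBLIC_ID_LEN] == id
  nil
end

# The decision Listing 6 makes: skip the OTP when Yubikey authentication is
# off for the blog or for the account, otherwise require both the local
# checks and the remote validation to pass. +validator+ is any callable
# returning true/false (a wrapper around the Yubico web service in practice);
# a stub is injected here so the example runs offline.
def yubikey_login_ok?(blog_requires, user_requires, yubikey_id, otp, validator)
  return true unless blog_requires && user_requires
  return false if yubikey_otp_local_check(yubikey_id, otp)
  validator.call(otp) == true
end

if __FILE__ == $0
  id  = "ccccccbcgujh"                                # constructed public ID
  otp = id + "cbrdjgdlgcdtjcvgdgfenkfbrhtkikct"       # constructed OTP
  accept = ->(_otp) { true }                          # stand-in validator
  p yubikey_login_ok?(true, true, id, otp, accept)                    # true
  p yubikey_login_ok?(true, true, id, "vvvvvv" + otp[6, 38], accept)  # false
  p yubikey_otp_local_check(id, "vvvvvv" + otp[6, 38])                # :wrong_key
end
```

The prefix check only filters out OTPs from the wrong key; replay and forgery are caught by the validation server, so a passing local check must never be treated as authentication on its own.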
Comments
Bad link
FYI, the link to supported apps is broken.
http://yubico.com/applications/software/ is the correct one.
Swekey
Hi Dirk,
If you are interested in authentication, you should also have a look at the Swekey.
It is a totally different approach than the Yubikey.
If you want a free sample for evaluation, I'll be happy to send you one...
Regards,
Luc
2-step authentication
What is to prevent the attacker from simulating the response to the first step? More than a simple challenge to the user will be too much of a burden to the user, while a simple challenge will likely be easy to work around.
I would suggest using the Yubikey device with HTTP Digest Authentication. Of course, the Yubikey OTP will have to be entered in the User Name field, not the password.
It is 10 dreams come true!
Secure, elegant, and innovative!
http://mashedlife.com//dream2.php
Keep the good work!