SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Modern authentication techniques in Python web applications
Artur Barseghyan
Goldmund, Wyldebeast & Wunderliebe
http://www.goldmund-wyldebeast-wunderliebe.nl/
[email protected]
https://github.com/barseghyanartur

Description

Modern authentication techniques in Python web applications. PyGrunn talk by Artur Barseghyan. Year 2014.

Transcript of SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Page 1: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Modern authentication techniques in Python web applications

Artur Barseghyan

Goldmund, Wyldebeast & Wunderliebe

http://www.goldmund-wyldebeast-wunderliebe.nl/

[email protected]

https://github.com/barseghyanartur

Page 2: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Part 1

Single Sign-on using

Central Authentication Service

Page 3: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

A single framework/application

User base

Framework/application

Authentication system

Other important parts not related to this talk

Page 4: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Typical framework/application authentication flow

1. User requests content requiring authentication.
2. Is user authenticated? Yes: user gets the content requested. No: authenticate user.
3. Authenticate user: user provides credentials (login page).
4. Are credentials correct? Yes: user gets the content requested. No: user provides credentials again.

Page 5: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Multiple web frameworks/applications

User base 1
Framework/application 1
Authentication system 1
Other important parts not related to this talk

User base 2
Framework/application 2
Authentication system 2
Other important parts not related to this talk

User base N
Framework/application N
Authentication system N
Other important parts not related to this talk

...

Web portal (e.g. DMS, intranet, wiki, etc.)

Page 6: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Without Single Sign-on...

● Use a single framework/application and write lots of apps OR
● Use multiple frameworks/applications and:
  ○ Hack their authentication systems OR
  ○ Expect users to log in to each of them OR
  ○ Make them communicate via a custom-built API
● More (bad) ideas?

Page 7: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

With Single Sign-on...

● User logs in once and gains access to all systems without being prompted to log in again.

Page 8: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

(JaSig) CAS

Enterprise Single Sign-on solution

● Open source
● Well documented
● Scalable
● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, LDAP, SPNEGO, RADIUS, etc.)
● Lots of ready-to-use clients and plugins

Page 9: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

(JaSig) CAS

CAS involves at least three parties:

● A client web browser
● Web application requesting authentication
● The CAS server

It also optionally may involve:

● Back-end service, such as a database server

Page 10: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

CAS authentication flow

Page 11: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

CAS authentication schema

CAS client (web application):

1. User requests content which requires authentication.
2. Is user authenticated into app? Yes: user gets the content requested. No: authenticate user (CAS).

CAS server:

3. Is user authenticated into CAS? Yes: create SSO token and redirect. No: authenticate user (locally).
4. User is asked to provide credentials (login page).
5. Are credentials correct? Yes: create SSO token and redirect. No: back to the login page.

CAS client (web application):

6. After the redirect, user gets the content requested.
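In the CAS protocol the "create SSO token and redirect" step is the issuance of a service ticket, and the application must then validate that ticket with the CAS server before trusting it. As an added example (not the talk's code, nor JaSig CAS itself), here is a minimal model of that exchange; the lifetimes, user names and service URLs are constructed assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed model of the CAS 2.0 ticket exchange (an assumption for this
# example, not the talk's code): the CAS server keeps the SSO session as a
# ticket-granting ticket (TGT, a cookie on the CAS domain) and hands each app
# a short-lived, single-use service ticket (ST) the app validates server-side.
TGT_LIFETIME = 8 * 3600     # seconds the "authenticated into CAS" session lasts
ST_LIFETIME = 10            # seconds an unvalidated ST stays usable


class CasServer:
    def __init__(self, users):
        self.users = users      # constructed sample user base: {name: password}
        self.tgts = {}          # tgt -> (user, expiry)
        self.sts = {}           # st  -> (user, service, expiry)

    def login(self, service, tgt=None, username=None, password=None, now=None):
        """/login?service=...: reuse the SSO session if the TGT cookie is valid,
        otherwise check credentials. Returns (redirect_url, tgt), or None when
        the login page must be shown."""
        now = time.time() if now is None else now
        user, entry = None, self.tgts.get(tgt)
        if entry and entry[1] > now:
            user = entry[0]
        elif username in self.users and hmac.compare_digest(
                self.users[username].encode(), (password or "").encode()):
            user, tgt = username, secrets.token_urlsafe(32)
            self.tgts[tgt] = (user, now + TGT_LIFETIME)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (user, service, now + ST_LIFETIME)
        sep = "&" if "?" in service else "?"
        return service + sep + urlencode({"ticket": st}), tgt

    def service_validate(self, ticket, service, now=None):
        """/serviceValidate?ticket=...&service=...: an ST is consumed on first
        use, must match the service it was issued for and must not have
        expired. Returns the authenticated user name or None."""
        now = time.time() if now is None else now
        entry = self.sts.pop(ticket, None)
        if entry is None:
            return None
        user, bound_service, expiry = entry
        if bound_service != service or expiry < now:
            return None
        return user
```

The application never sees the password; it only forwards the browser to CAS and validates the ticket it gets back, which is why the CAS server's own availability and security become critical.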

Page 12: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Pros of CAS

● Centralised authentication for all frameworks/applications.
● Actively maintained and developed. Large community.
● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, Active Directory, LDAP, SPNEGO, RADIUS, etc.).
● Lots of ready-to-use packages for many frameworks/applications.
● Fewer passwords to retype, remember and recover.
● More of your own code is reusable.
● Happier end-users.
● REST API.

Page 13: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Cons of CAS

● SSO availability becomes critical.
● SSO security becomes critical.

Page 14: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Our use case

● Server A: Dashboard app (Django)
● Server B: DMS (Plone)
● Server C: CAS server
● Server D: User base (Active Directory)
● Server X: More to come
● VPN

Stack: Apache, Tomcat, Debian, Java, CAS, OpenVPN, AJP, Python, Django, Plone

Page 15: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Conclusion

Page 16: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

CAS alternatives


JOSSO http://www.josso.org

OpenAM (formerly known as OpenSSO) http://openam.forgerock.org

Pubcookie http://www.pubcookie.org

CoSign http://weblogin.org

Page 17: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Linkodrome


Software packages

JaSig CAS http://www.jasig.org/cas

Django CAS client https://github.com/Goldmund-Wyldebeast-Wunderliebe/django-cas-consumer

Plone CAS client https://github.com/collective/anz.casclient

Detailed installation instructions http://bit.ly/1uuk2BS

Page 18: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Part 2

Two-step verification (Two-factor authentication)

Page 19: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Standard authentication flow

1. User requests content requiring authentication.
2. Is user authenticated? Yes: user gets the content requested. No: authenticate user.
3. Authenticate user: user provides credentials (login page).
4. Are credentials correct? Yes: user gets the content requested. No: user provides credentials again.

Page 20: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Standard authentication factors

● Knowledge factor ("something only the user knows"): a password or a PIN.
● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
● Inherence factor ("something only the user is"): fingerprint or voiceprint.

Page 21: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Common advice on remembering many passwords

● Use complex passwords and have them saved in password managers.

● Use complex passwords, write them on paper and carry them in your wallet.

Passwords aren’t enough!

Page 22: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Two-factor authentication

● Knowledge factor ("something only the user knows"): a password or a PIN.
● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
● Inherence factor ("something only the user is"): fingerprint or voiceprint.

Page 23: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Standard authentication flow

1. User requests content requiring authentication.
2. Is user authenticated? Yes: user gets the content requested. No: authenticate user.
3. User provides credentials.
4. Are credentials correct? Yes: user gets the content requested. No: user provides credentials again.

Page 24: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Two-factor authentication flow

1. User requests content requiring authentication.
2. Is user authenticated? Yes: user gets the content requested. No: authenticate user.
3. User provides credentials.
4. Are credentials correct? No: user provides credentials again. Yes: second factor.
5. User provides second factor token.
6. Is token correct? Yes: user gets the content requested. No: user provides second factor token again.

Page 25: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

(Common) solutions

● SMS authentication
● Google Authenticator (mobile app)
● Hardware token generators

Page 26: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Google Authenticator

Page 27: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Hardware token generators

Page 28: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Our use cases

● collective.googleauthenticator (uses Google Authenticator app)

● collective.smsauthenticator (login codes sent by SMS)

Page 29: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

collective.googleauthenticator

Page 30: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Setup two-step verification

Page 31: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Authenticate

Page 32: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Verify

Page 33: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Conclusion

Page 34: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Alternatives

● Risk-based authentication (based on behavioral biometrics, keystroke dynamics, etc.)

● Strong authentication

● Reliance authentication

Page 35: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Linkodrome

Plone

● collective.googleauthenticator (two-factor authentication using Google Authenticator app) https://pypi.python.org/pypi/collective.googleauthenticator
● collective.smsauthenticator (two-factor authentication using login codes sent by SMS) https://pypi.python.org/pypi/collective.smsauthenticator

Django

● django-two-factor-auth (two-factor authentication using Google Authenticator or login codes sent by SMS) https://pypi.python.org/pypi/django-two-factor-auth
● django-otp (pluggable framework for adding two-factor authentication using OTP) https://pypi.python.org/pypi/django-otp

Page 36: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Questions?

Page 37: SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Thank you!

Artur Barseghyan

Goldmund, Wyldebeast & Wunderliebe

[email protected]

https://github.com/barseghyanartur
