Melbourne Drupal Meetup — June
This month’s Melbourne Drupal Meetup included a presentation by Ming Quah on two-factor authentication.
Two-factor authentication: summary of Ming's presentation
Ming Quah from Salsa Digital provides a comprehensive exploration of the significance and implementation of two-factor authentication (2FA) in the context of Drupal 9. The talk highlights the need to strengthen user identity verification and looks at different ways to achieve this, emphasising extending security beyond conventional password-based systems.
The essence of proving user identity
To start, Ming introduces the pivotal concept of verifying user identity through distinct factors, namely knowledge, possession and inherent traits. While acknowledging that passwords are the most common form of user identity verification, he stresses their vulnerabilities and advocates for a second factor to enhance security.
Exploring second-factor alternatives
Ming proceeds to delve into various second-factor authentication alternatives. He introduces biometrics as one method, such as face and touch recognition technologies. However, he notes the limited implementation of biometrics due to privacy concerns. In contrast, he highlights the popularity of one-time codes for second-factor verification, with delivery by Short Message Service (SMS) a common but insecure approach. The HMAC-based One-Time Password (HOTP) method offers increased security. Ultimately, the presentation endorses the time-based one-time password (TOTP) approach for its narrow window of vulnerability: each code is only valid for a short time step rather than until it is used.
Setting up two-factor authentication in Drupal 9
Transitioning to the practical aspect of the presentation, Ming outlines the prerequisites for instituting 2FA in Drupal 9. He introduces key modules essential for the process:
- The Two-Factor Authentication (TFA) module
- The Encryption and Real AES modules
- The Key module
- The Google Authenticator (GA) Login module
Ming underscores the significance of the TFA module as a framework for implementing 2FA, and the encryption and Real AES modules for secure secret encryption. Additionally, the GA login module is introduced as the bridge for integrating OTP codes within the TFA framework.
Safeguarding secrets
To elaborate on secret management, Ming discusses the encryption module's dependence on an AES key (a symmetric key, referred to in the talk as the private key) that users generate themselves for data encryption. Various methods of injecting the AES key into the site are discussed, including Docker, Kubernetes, PHP environment variables, and on-disk files. The presenter accentuates the importance of choosing an injection method that aligns with stringent security practices, since anyone who can read the key can decrypt every stored 2FA secret.
The two-factor authentication (TFA) workflow
The presentation uses a workflow diagram to show the process of 2FA authentication in the Drupal ecosystem. Users initiate the process by entering a one-time code, which is then transmitted to the TFA module. Here, the module decrypts the stored secret, combines it with the current server time to compute the expected code, and compares the result with the user's code (PIN), granting access on successful authentication.
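As an added illustration of the check described above (example code written for this summary, not code from the talk or from the Drupal TFA or GA Login modules): HOTP derives a code from a shared secret and a counter; TOTP simply sets the counter from server time in 30-second steps, and the verifier accepts only codes within a small number of steps around "now". The secret below is the RFC 6238 test vector, so the results are reproducible.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded
# the way authenticator apps store it after scanning a QR code.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps on the server clock."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server-side check: the code must match one of the steps in [now - skew, now + skew].

    skew=1 tolerates a little clock drift between phone and server while keeping the
    window of validity to about 90 seconds; compare_digest avoids a timing side channel.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta).encode(), submitted.encode())
        for delta in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    # Counter-based codes: the same counter always yields the same code until it is advanced.
    print("HOTP counter 0:", hotp(TEST_SECRET_B32, 0))       # 755224
    # Time-based codes: at T=59 s the counter is 1, so the code equals HOTP(counter=1).
    print("TOTP at T=59 :", totp(TEST_SECRET_B32, 59))       # 287082
    print("valid at T=59 :", verify_totp(TEST_SECRET_B32, "287082", 59))    # True
    print("valid at T=119:", verify_totp(TEST_SECRET_B32, "287082", 119))   # False, window passed
```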
Live demonstration
Lastly, Ming Quah gives a live demonstration showing the practical steps of setting up 2FA in Drupal 9. He walks through the process of generating a private key using OpenSSL and integrating it into Drupal via the key module. The creation of an encryption profile is explained, employing Real AES for secure encryption and decryption. The audience gains insights into configuring the TFA module settings, where the presenter selects TOTP as the preferred method. The steps of configuring 2FA for an account are meticulously explained, accompanied by the scanning of a QR code using an authentication app.
Q&A
In response to audience queries, Ming addresses the implications of private key rotation. He discusses the necessity of resetting 2FA for all accounts if the private key is rotated, because each account's TOTP secret is stored encrypted under that key and can no longer be decrypted once the key changes. He stresses the critical importance of safeguarding the private key to uphold robust security measures.
Conclusion
In this presentation, Ming navigates through the realms of enhanced security via two-factor authentication in Drupal 9. By shedding light on multifaceted methods of user identity verification and offering practical insights into the implementation of 2FA using Drupal modules, the audience gains a comprehensive understanding of bolstering security in digital spaces. The live demonstration breathes life into theoretical concepts, while the Q&A segment engages attendees and clarifies essential aspects of the discourse.