Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

SitePoint PHP Blog:
How to Secure Laravel Apps with 2FA via SMS
Mar 01, 2017 @ 11:52:23

On the SitePoint PHP blog there's a new tutorial posted by author Younes Rafie showing you how to secure your Laravel application with 2FA (two-factor authentication) via SMS messages. In this example they make use of the Twilio SMS handling to send the message to the end user's device.

While everyone is concerned about their application’s security, few take it seriously and take the plunge. The first thing you’ll notice when learning about this is that two factor authentication (2FA) is the go-to solution as a first step.

Although there have been some serious problems with using text messages as a second factor, it’s definitely safer than a plain username and password combination, given that many users tend to use popular and easy to guess passwords for critical services such as payments, chat, emails, etc. In this article, we’re going to build two factor authentication into a Laravel application using Twilio SMS as the second factor.

The tutorial then starts by explaining what the end result will look like - a basic username/password login system that will require a code (from the SMS message) to continue into the account. They walk you through the creation of a new Homestead instance and installation/configuration of the new Laravel project. It then shows the updates you'll need to make to migrations and the models to handle the storage of the SMS tokens. It also shows the Blade templates to create the code entry view and error output in case of a code validation failure.

The tutorial then integrates Twilio's PHP SDK via a provider and provides a screencast of the end result.

tagged: laravel application security sms twofactor authentication

Link: https://www.sitepoint.com/secure-laravel-apps-2fa-via-sms/

SitePoint PHP Blog:
2FA in Laravel with Google Authenticator – Get Secure!
Nov 01, 2016 @ 10:47:02

On the SitePoint PHP blog there's a tutorial posted from Christopher Thomas showing you how to integrate two-factor authentication into your Laravel application with a Google Authenticator-compatible library, helping to secure your site even better than just one level of authentication and authorization.

In this tutorial, we will use Laravel and Google Authenticator to demonstrate how to implement 2FA in a webapp. Google Authenticator is just one implementation of the Time-Based One-Time Password (TOTP) algorithm, RFC 6238. This industry standard is used in a lot of various 2FA solutions.

[...] How the TOTP works is that the server generates a secret key. This secret key is then passed to the user. The secret key is used in combination with the current Unix timestamp to generate a six digit number, using a keyed-hash message authentication code (HMAC) based algorithm. This six digit number is the OTP. It changes every 30 seconds.

They start with a clean slate and build a new Laravel project out and include the libraries needed for the TFA support: pragmarx/google2fa and paragonie/constant_time_encoding. You then add in the provider to Laravel's config, build out the models/tables to hold the two-factor information and add a few routes to handle the validation steps. They also include the details in building out the controllers, updating the AuthController for the new step in the authentication flow and how to handle the code validation. The code for all of this (as well as the views) is included as well as screenshots showing the setup and usage of the two-factor handling in the standard authentication flow.

tagged: tutorial google authenticator security laravel twofactor authentication

Link: https://www.sitepoint.com/2fa-in-laravel-with-google-authenticator-get-secure/

NetTuts.com:
Using Google Two-Factor Authentication With WordPress
Jan 05, 2015 @ 13:38:39

NetTuts.com has a new tutorial for the WordPress users out there wanting to enhance the security of their application. In it they show you how to set up Google's two-factor authentication as a part of your standard login prompt.

Brute force login attacks targeting WordPress sites are quite common, such as in April 2013 when more than 90,000 sites were targeted. There are a handful of good ways to protect yourself against these attacks: choosing a strong administrator password and installing a plugin that guards against brute force logins, such All in One WP Security or BruteProtect Changing the default wp-admin url with a plugin such as HC Custom URL. However, I prefer to use a two-factor authentication method that requires a code from my phone to complete the login process.

Thanks to a handy WordPress plugin, adding in support is relatively easy. They walk you through the installation of the plugin, activation and how to set up your Google Authenticator (or similar) application on your mobile device via a scannable QR code.

tagged: wordpress twofactor plugin login googleauthenticator

Link: http://code.tutsplus.com/tutorials/using-google-two-factor-authentication-with-wordpress--cms-22263

NetTuts.com:
Integrating Two-Factor Authentication with CodeIgniter
Jun 27, 2011 @ 09:31:05

On NetTuts.com today they have a new tutorial showing you how to use two-factor authentication in your CodeIgniter-based application - a login process combining a username/password and access to a device that's authorized for the account.

Two-factor authentication is a way of proving your identity based on your username and password as well as a physical device that you can carry with you. This makes it much harder for crooks to steal your identity, since they will need access to your phone or hardware token - not just your login credentials.

They've chosen the free service offered by Duo Security that lets you approve the device in several ways including a phone call, SMS tokens and push-based authentication. They walk you through the setup of a Duo account, making an "Integration", grabbing the PHP and Javascript files needed to make it work and changing up your user and administration module to send a bcrypted value to the service. They flesh it out with a new version of the view to include the Duo code and generating the signed request.

tagged: twofactor authentication codeigniter tutorial login duosecurity

Link: