This was an enjoyable and useful talk thanks to the efforts of Rob Allen.
Starting with why 2FA is an important development, Rob's talk takes a mid-level walk through the steps and technical foundations, stripping out the 'magic'. The well-chosen library suggestions are enough to allow experimentation afterwards from my notes... bonus points!
This was a well-paced talk, and with more time it could develop nicely to explore companion technologies as pointed out by James, or maybe more on choice of algorithms and implementation structures.
Highly recommended for any app developer / web designer that might otherwise be put off by some of the OTT 2FA material out there or looking for a quick update to their general knowledge.
Thanks to PHP Hants too for making it possible...
Nice talk this - good recommendations for libraries to use, summary of how 2FA actually works, why you'd want to
Being a very technical sort myself, I'd like to hear a bit more about the HMAC bit at the start (confused me a little).
Also a bit more about the specific security care to be taken (e.g. using a secure/constant-time string comparison thing, are there any other precautions you should take to implement things properly, etc.)
Perhaps a little exploration on other forms of authentication might be cool too (e.g. browser fingerprint, biometric, password-only etc.)
Also, here's a reminder to add a slide about sequence-based codes & "the window".
Overall great talk though, thanks for visiting PHP Hampshire! :)
I enjoyed this talk. I find Rob is very good at making subjects which seem complicated more accessible. I think that I may have missed some of the technical parts which explained how time-based tokens work, but I think that's a result of not paying attention enough ;)
Personally, I thought that a bit too much time was spent on how to install and set up plugins for WordPress, Drupal, etc., as they all seemed to have the same process. But I can see that this might be useful to some people.
Thanks for coming to PHPHants Rob!