Sitting in on Brian Retterer’s auth talk at php[world]. Solid talk, but there are a few extra things worth noting/expanding on:

  1. If you’re using PHP < 7, you can still use random_bytes()! Well, once you install paragonie/random_compat via Composer; it polyfills random_bytes() and random_int() on 5.x.
  2. If you’re using any mcrypt function other than mcrypt_create_iv() for working with passwords, stop. That sounds like you’re encrypting passwords rather than hashing them. Don’t do that. (mcrypt_create_iv() only gets a pass there because it’s being used as a source of random salt bytes, and password_hash() generates its own salt anyway.)
  3. mcrypt isn’t exactly 1:1 with OpenSSL for encrypt/decrypt (the padding differs: mcrypt zero-pads to the block size, openssl_encrypt() uses PKCS#7 by default), but you can get it to do the same thing (same inputs, same outputs). I’ll do a post later on how to do this…I’ve done exactly that before and have unit tests to prove it 🙂
  4. You can still pass a manual salt to password_hash() in PHP 7.0. It’s deprecated, and for good reason: the function generates a proper random salt itself, so don’t supply your own. But if you need backward compatibility with something or other, it’s there…for now.
  5. The next password hashing algorithm coming to password_hash() is Argon2i. There’s an RFC for adding the algorithm to the language, but nothing quite yet for making it PASSWORD_DEFAULT…probably only a matter of time though. Maybe PHP 8.
  6. Re: MFA, TOTP has no replay prevention built into the algorithm: a code stays valid for its whole time step, so the verifier has to remember the last step it accepted for that user and refuse the same code a second time. The step is 30 seconds if you’re using Google Authenticator (the spec lets you use other periods, but 30 seconds is the only one GAuth supports). HOTP is the other OATH-standardized one-time password, and that one is strictly event based (a counter instead of the clock). Look up spomky-labs/otphp for building those codes, as well as bacon/bacon-qr-code to spit the provisioning URI out as a QR code that Google Authenticator can consume. Built an internal 2FA server using those libs…eventually it’ll get open-sourced…
  7. For JWTs, League’s OAuth2 server uses lcobucci/jwt rather than Firebase’s library…lcobucci’s a bit more full-featured.
  8. Read up on JWTs’ algorithm field (the alg header) and why you shouldn’t trust it: a verifier that lets the token choose its own algorithm will accept alg: none, or an HMAC forged with the public key. Then use a library that doesn’t have that vulnerability (both of the above are patched).
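
To make item 6 concrete, here is an added example (mine, not from the talk, the post, or spomky-labs/otphp) of HOTP and TOTP written out in plain PHP 7.0+ with no dependencies: the HMAC-SHA1 plus dynamic truncation from RFC 4226, the clock-derived counter from RFC 6238, a verifier that rejects replays by remembering the highest time step already accepted for a user, and the otpauth:// URI you would hand to a QR-code library. The `$lastStep` by-reference parameter stands in for a per-user database column, and the self-check values are the published RFC test vectors.

```php
<?php
// Added example, not from the talk or the post and not spomky-labs/otphp:
// HOTP (RFC 4226) and TOTP (RFC 6238) with a replay guard, plus the
// otpauth:// URI that Google Authenticator reads from a QR code.
// Plain PHP 7.0+, no dependencies.

function base32Encode(string $bytes): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split($bytes) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= $alphabet[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out; // unpadded; Google Authenticator accepts that
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP is HOTP with the counter derived from the clock: floor(time / period).
function totpStep(int $unixTime, int $period = 30): int
{
    return intdiv($unixTime, $period);
}

function totp(string $secret, int $unixTime, int $period = 30): string
{
    return hotp($secret, totpStep($unixTime, $period));
}

// The replay guard lives in the verifier, not the algorithm: remember the
// highest time step already accepted for this user ($lastStep stands in for a
// database column) and refuse any code for that step or an earlier one.
// $window allows one step of clock skew either way.
function verifyTotp(string $secret, string $code, int $unixTime, int &$lastStep, int $window = 1): bool
{
    $now = totpStep($unixTime);
    for ($step = $now - $window; $step <= $now + $window; $step++) {
        if ($step <= $lastStep) {
            continue; // this step was already used (or is older): treat as replay
        }
        if (hash_equals(hotp($secret, $step), $code)) {
            $lastStep = $step;
            return true;
        }
    }
    return false;
}

// Provisioning URI to feed to a QR-code library. Google Authenticator ignores
// algorithm/digits/period and always assumes SHA1, 6 digits, 30 seconds.
function provisioningUri(string $issuer, string $account, string $secret): string
{
    return 'otpauth://totp/' . rawurlencode($issuer) . ':' . rawurlencode($account)
        . '?secret=' . base32Encode($secret) . '&issuer=' . rawurlencode($issuer)
        . '&algorithm=SHA1&digits=6&period=30';
}

// Self-check against the RFC 4226 / RFC 6238 test vectors (secret is ASCII).
$secret = '12345678901234567890';
assert(hotp($secret, 0) === '755224');
assert(hotp($secret, 1) === '287082');
assert(totp($secret, 59) === '287082');         // T=59 is time step 1
assert(totp($secret, 1111111109) === '081804');

$lastStep = -1;
assert(verifyTotp($secret, '287082', 59, $lastStep) === true);  // first use
assert(verifyTotp($secret, '287082', 59, $lastStep) === false); // replay
assert(verifyTotp($secret, '287082', 75, $lastStep) === false); // step 1 is in the skew window but already spent

echo provisioningUri('Example', 'alice@example.com', random_bytes(20)), PHP_EOL;
```

The high-water mark is what actually stops a replay: with a skew window, the same code is otherwise acceptable for up to three consecutive steps, so a verifier that only checks "is this code valid right now" will take it twice. Store the step (not the code) atomically per user, and for HOTP keep the same idea with the event counter.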

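For item 8, the following is an added example (mine, not from the post and not lcobucci/jwt or firebase/php-jwt) that shows the alg-confusion bug in miniature: a verifier that dispatches on the token's own alg header accepts an attacker-supplied alg: none token with an empty signature, while a verifier that pins the expected algorithm up front rejects it. It uses HS256 only and plain PHP 7.0+; the RS256-to-HS256 key-confusion variant is the same mistake with a different algorithm pair and is not reproduced here. Claim checks such as exp are left out to keep the point visible.

```php
<?php
// Added example, not from the post and not lcobucci/jwt or firebase/php-jwt:
// the JWT "alg" confusion in miniature. HS256 only, plain PHP 7.0+, no deps.

function b64url(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64urlDecode(string $s)
{
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true); // false if malformed
}

function signHs256(array $claims, string $key): string
{
    $h = b64url(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $p = b64url(json_encode($claims));
    return "$h.$p." . b64url(hash_hmac('sha256', "$h.$p", $key, true));
}

// What an attacker sends: same structure, alg switched to "none", no signature.
function forgeNone(array $claims): string
{
    $h = b64url(json_encode(['typ' => 'JWT', 'alg' => 'none']));
    return "$h." . b64url(json_encode($claims)) . '.';
}

// Returns [header array, signing input, encoded payload, raw signature] or null.
function splitJwt(string $jwt)
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $header = json_decode(b64urlDecode($parts[0]), true);
    $sig = b64urlDecode($parts[2]);
    if (!is_array($header) || $sig === false) {
        return null;
    }
    return [$header, $parts[0] . '.' . $parts[1], $parts[1], $sig];
}

// VULNERABLE: the token's own header picks the algorithm, so "none" means
// "accept without checking". This is the bug the post warns about.
function verifyTrustingHeader(string $jwt, string $key)
{
    $t = splitJwt($jwt);
    if ($t === null) {
        return null;
    }
    list($header, $signingInput, $payload, $sig) = $t;
    switch ($header['alg'] ?? '') {
        case 'none':
            return json_decode(b64urlDecode($payload), true);
        case 'HS256':
            $expected = hash_hmac('sha256', $signingInput, $key, true);
            return hash_equals($expected, $sig) ? json_decode(b64urlDecode($payload), true) : null;
        default:
            return null;
    }
}

// FIXED: the verifier decides the algorithm up front; the header may only agree.
function verifyPinnedHs256(string $jwt, string $key)
{
    $t = splitJwt($jwt);
    if ($t === null || ($t[0]['alg'] ?? null) !== 'HS256') {
        return null;
    }
    list(, $signingInput, $payload, $sig) = $t;
    $expected = hash_hmac('sha256', $signingInput, $key, true);
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return json_decode(b64urlDecode($payload), true);
}

$key = random_bytes(32);
$good = signHs256(['sub' => 'alice', 'admin' => false], $key);
$forged = forgeNone(['sub' => 'alice', 'admin' => true]);

assert(verifyTrustingHeader($good, $key)['admin'] === false);
assert(verifyTrustingHeader($forged, $key)['admin'] === true); // forged token accepted
assert(verifyPinnedHs256($good, $key)['admin'] === false);
assert(verifyPinnedHs256($forged, $key) === null);             // forged token rejected
```

The fix is a rule, not a patch for one string: the algorithm (and the key that goes with it) is configuration on the verifying side, and a token whose header disagrees is simply invalid. That is what the patched versions of both libraries mentioned above enforce, and it also closes the public-key-as-HMAC-secret variant, since an RS256 verifier never hands its key to an HMAC at all.
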