►
Description
Stefan talks about his One Factor Authentication (1FA) Proof of Concept (PoC).
Building a new Login System that uses one security factor less than what most of the big tech sites are trying to force on you?
Why would anyone want a new system that is less secure?
To answer these questions we have to look at where we get our security and talk about operational and long-term security and safety.
About Stefan:
Stefan started with Rust in 2015, has multiple Rust services in production, gives talks and workshops, maintains a couple of crates and currently works on his Computer Science Master.
https://estada.ch/
Meetup link:
https://rust-lang.hu/
Chat link:
https://matrix.to/#/#hungary:rustch.at?via=rustch.at
A
A
Last
fest
also,
I
hoping
a
lot
to
have
clients
who
are
looking
for
us
developers
in
the
near
future,
and
I
hope
it's
not
a
dream
in
budapest,
but
now
I
would
like
to
speak
about
stefan
schindler.
Thank
thank
you.
Stefan
to
accept
my
invitation
to
give
a
talk
on
our
meetup.
We
already
met
also
stefan
and
hello,.
A
B
Thank
you
very
happy
to
be
back.
Welcome
everyone,
quick
about
me.
I've
been
doing
rust
for
a
little
over
five
years
already
it's
20
21.
yeah
and
I
started
with
a
chatbot.
Actually
that
was
the
first
project
that
we
wanted
to
migrate
from
a
very
often
failing
python
implementation
to
something
that
would
not
constantly
require
us
to
restart
it,
and
ever
since
I've
been
looking
at
many
things
and
today
this
is
less
of
this
is
all
the
things
we
have
in
rust,
and
this
is
how
it's
done
in
raspberries.
B
B
It
was
with
marco
schadler
and
stefan
kophamer
credits
to
them,
also
for
working
with
me,
and
we
discovered
that
there's
a
multitude
of
one
factor,
authentication
or,
let's
not
say
one
factor
but
like
passwordless
authentication,
because
that
was
my
original
pitch.
So
what
is
the
things
we
do
so
we'll
go
over
this
quick
history
and
then
we'll
look
into
what
do
we
need
and
also
look
into
the
proof
of
concept.
B
So
what
do
we
need?
What
gives
us
security
used
to
be
just
knowing
where
stuff
is
right
in
the
very
early
internet
in
like
the
70s,
so
few
computers
existed
globally
that
we
could
just
say
if
we
know
where
something
is
we
can
have
access
to
it?
The
internet
wasn't
a
thing
for
many
things.
There
was
many
competing
standards
like
ip
and
netlink
and
ibm
stuff
and
apple
stuff,
and
none
of
them
were
compatible.
B
That
was
the
thing
that
didn't
exist
in
the
beginning,
but
over
time
interconnectivity
grew
and
we
added
more
and
more
stuff
until
we
are
here
today
where
everything
is
connected.
Even
your
toaster
can
talk
to
your
fridge,
whether
that's
a
good
thing
or
not,
is
not
a
debate,
but
that's
where
we
are.
So
what
gives
us
security
today
on
its
entropy,
more
or
less?
How
much
guessing
does
someone
we
don't
want
in
our
system
have
to
do
to
get
in,
although
we
don't
want
that.
B
So
what
alternatives
do
we
have
to
passwords
right?
Because
that
was
the
standard
thing
at
some
point,
people
settled
on
this
like
yeah,
username
password
good
enough
right,
five
character.
Passwords
should
be
enough
or
these
what
android
had
with
the
maze
where
you
had
this
graphical
password
or
biometrics.
Magnetics
is
easy
right.
You
don't
have
to
remember
just
have
to
look
the
same
all
the
time
and
why
just
use
like
one
password
for
all
the
services.
B
B
B
B
B
So
another
fun
story
is
the
most
common
passwords
in
2020
or
these
and
to
my
as
a
surprise,
four
zeros
isn't
on
the
list
anymore,
probably
because
a
lot
of
programmers
forbid
this
password.
But
these
aren't
that
hard.
However,
we
can
see
in
the
top
20
there's
always
at
least
six
digits
or
six
characters.
So
there's
some
improvement.
I
think
the
last
survey
I've
seen
was
from
2015,
where
we
had
four
digits
so
yeah,
it's
something
and
we
covered
this
already.
B
B
B
B
B
It
doesn't
work
all
the
time,
so
we
have
to
be
a
little
fuzzy
and
give
little
headroom,
and
this
headroom
is
what
attackers
can
use
to
infiltrate
systems
which
they
should
not
have.
Access
to.
Another
thing
is
with
diametrics.
You
cannot
change
them
or
it's
really
hard
to
change
them.
I
mean
you
can
sometimes
change
your
biometrical
behavior,
for
instance,
if
you
have
a
door
that
identifies
you
by
the
kind
of
walk
you
go
into
right.
What
happens
when
you
break
your
leg?
B
B
And
in
the
end,
what
happens
if
the
data
is
leaked
because
at
some
point
enough
data
about
people
will
be
leaked?
Can
we
change
biometrics?
We
cannot.
We
can
just
switch
to
a
new
thing.
So
when
we
use
our
fingerprints,
we
can
then
maybe
use
iris
scans,
but
at
some
point
someone
will
make
an
iris
database
maybe
build
it
up
from
the
passport
pictures
database,
but
then
well
we
can
use
ears
or
nails
or
lips,
but
do
you
really
want
to
wait
for
and
then
in
20
years
you?
B
The
government
is
like
oh
well
now
for
more
security.
You
have
to
kiss
some
pad
every
time
you
want
to
use
your
passport,
for
instance,
for
boarding
a
train
or
something
so
biometrics
yeah
it
works
for
now,
but
I
wouldn't
trust
it
moving
on.
Let's
see
if
this
works
correctly.
Yes,
so
single
sign-on,
the
most
common
in
the
public
internet
nowadays
is
probably
all
out
second
version.
B
The
application
has
to
handle
revoking
access
during
a
session.
But
apart
from
that,
that's
pretty
good.
There's
a
an
older
standard.
That's
used
at
universities
a
lot,
it's
called
shibolet.
It
basically
does
the
same,
and
I
think
I
have
a
picture
for
that.
No,
we
don't
have
a
picture
for
that,
no
going
back.
B
B
This
has
to
be
a
university
that
the
application
trusts
and,
in
the
end
it
doesn't
really
matter
because
they
all
sign
a
random
token.
They
hand
over
to
the
client.
The
client
goes
to
the
identity
provider
or
chooses
one
from
the
list.
Goes
there
and
says:
okay,
I
want
to
be
authorized
for
this
application.
B
Not
always
I
mean
with
google
your
bit
pretty
much
allowed
to
try
to
log
in
anywhere
which
simulate,
for
instance,
you're
only
allowed
to
use
university
services.
You
cannot
use
it
for
your
bank
or
or
something
like
that
if
the
login
usually
with
username
and
password,
is
successful
at
the
identity
provider,
the
identity
provider
will
then
sign
this
token
as
well
hand.
It
back
to
the
client
and
the
client
can
then
take
the
signed
and
present
it
to
the
application,
which
then
can
verify
the
identity
profile.
B
B
B
Passwords
are
hard
because
they
need
to
be
very
secure.
How
much
security
do
we
need?
We
need
roughly
60
bits
of
security.
Well,
how
much
do
we
need?
How
many
different
choices
do
we
have?
So
this
is
the
example
with
the
english
alphabet,
so
this
is
just
lowercase
letters
and
some
punctuations
and
spaces
gives
us
28
bits
of
entropy
per
character.
B
Four
characters,
so
it
should
be
sufficient
for
breaking
through
this
thing,
but
you
all
know
that
it
doesn't
don't
work.
What's
the
current
recommendation
well,
according
to
ovas,
it's
12
characters
for
a
password,
and
it
should
look
like
this,
like
the
one
on
the
top
left,
troubadour
and
free,
but
many
people
use
common
substitutions
like
leadspeak
many
people
just
use
their
dog's
name,
their
birthday
or
just
the
same
password
for
all
the
things,
even
if
that
password
is
password,
as
we
have
seen
before.
B
So
this
comic
proposes
that
we
use
our
full
words
right.
We
just
spell
them
out,
and
this
gives
us
way
more
entropy.
This
is
pretty
great
right
because
it's
easier
to
remember,
but
what
I
would
change
nowadays
is.
Why
does
this
have
just
to
be
the
know?
The
nouns
we
can
use
all
of
the
sentence
like
full
with
adjectives?
B
You
can
have
this
as
a
password
right,
the
sentence
it's
a
beautiful
day
and
I
like
ice
cream
as
a
sentence
with
spaces
and
the
dot
at
the
end
is
a
great
password
which
you
can
remember
far
more
easy
than
whatever
this
cryptic
thing
is
plus
it's
like
50
characters.
Long.
So
that's
great
there's
some
disadvantages
like
there
is
a
couple
of
systems,
especially
in
banking,
that
still
store
plain
text
passwords.
Nowadays
I
found
that
out
yesterday
when
I
called
one
of
the
banks.
B
That
holds
an
account
for
me
where
they
said
so
now.
We
would
like
to
have
the
third
fourth
and
the
fifth
character
of
your
password
for
authentication
and
you're.
Just
like
great
I'm,
I'm
really
thankful
for
using
a
password
manager,
because
that
password
is
basically
burned.
It's
obviously
stored
in
clear
text
in
their
database.
B
Working
there's
another
slide
missing,
okay,
so
quick
checklist.
What
do
we
need?
We
need
passwords
that
are
stored
safely,
aka,
salted
and
hashed.
There
are
some
people
that
go
further
and
say:
okay,
we
need
passwords
that
are
also
pepper.
Pepper
means
that
the
hash
is
enhanced
with
another
value
that's
stored
in
the
source
code.
The
idea
is:
if
someone
is
able
to
leak
your
password
database
table,
then
they
don't
have
access
to
the
pepper
which
is
stored
in
the
source
code.
Ideally
it's
true
sometimes
in
the
cloud.
B
Sometimes
it's
not
it's
just
another
measure,
but
we
want
at
least
having
salted
hashes
and
then
we
would
prefer
to
actually
store
even
less
right.
If
we
can,
then
we
just
store
an
identifier
that
will
hand
off
to
an
other
service
and
then
we're
back
to
single
sign-on,
but
then
we
need
to
be
very
friendly
to
the
users,
because
people
will
not
like
us.
If
we
just
say
hey
here
is
like
a
128-bit
identifier,
why
don't
you
use
that?
As
your
username?
B
B
B
B
B
Check
means
it
compiles
all
your
dependencies
in
debug
mode
and
then
tries
all
the
steps
but
the
linking
with
your
code,
so
the
dependencies
have
to
build
and
your
project
would
most
likely
build.
It
will
be
syntactically
correct
if
this
stage
passes
you
get
all
the
fancy
error
messages
of
rust
and
it's
really
fast.
So
cargo
build
takes
with
this
project,
roughly
30
seconds,
which
is
very
long
for
immediate
feedback
from
the
compiler
with
check
it's
done
in
less
than
one
second,
which
is
great,
I
mean
after
the
initial
build.
B
B
This
is
great
because
when
I
can
type
the
ras
code
fast,
don't
have
to
spend
time
like
indenting
stuff.
If
it's
synthetic
syntactically
correct,
which
the
check
step
made
sure
of
format
will
format
it
always
the
same.
So
the
source
code
will
always
look
the
same,
and
my
editor
is
smart
enough
to
notice
the
file,
change
and
just
reload
the
file.
B
Then
we
have
test
step.
This
depends
if
you
have
actually
have
tests
in
your
project,
but
for
the
default.
It's
it's.
A
great
idea
just
run
all
the
tests
inside
the
rust
source
code,
and
this
is
run
every
time.
You
change
some
code,
but
every
time
I
press
ctrl
s,
it
will
check
format
and
then
test
the
thing.
And
finally,
if
all
the
tests
pass,
it
will
run
the
project,
since
this
is
using
actix
this
project,
the
actix,
is
smart
enough
to
let
itself
be
killed.
B
B
B
B
B
I
have
three
special
kinds:
certimillis
and
compo
the
compound
duration.
They
allow
me
to
store
the
standard,
duration
and
standard
instant
in
a
json
value
which
the
standard
certainly
does
not
implement.
Then
I
have
mail
gun
because
a
mail
transport
can
be
hard.
It
worked
on.
My
first
tests
didn't
work
with
another
male
provider,
so
I
switched
to
having
a
remote
api.
I'm
not
100
sure
if
I
would
stay
with
mail
gun,
but
it's
one
of
them.
It
works.
B
You
can
use
any
mail
provider
with
ease
that
has
an
http
interface,
you
preferably
a
rest
interface,
so
you
can
have
a
token
that's
stored
in
some
configuration
file
and
then
just
whenever
you
have
a
request,
pass
that
on
to
the
rest
service
and
then,
of
course,
rand
for
random
numbers.
And
then
this
has
been
cut
off,
sadly,
lazy,
static,
enveloper
and
identicon
identicon.
B
I
will
show
you
later,
if
I
don't
forget,
just
little
extra
touch
like
give
the
user
some
some
personality
like
hey,
like
I
don't
have
space
for
your
long
email
address
all
the
time,
but
hey
here
is
a
picture
that
identifies
you
that
you
can
remember,
maybe
by
the
way
almost
forgot
about
this.
Thanks
for
the
slide,
I
had
to
extend
this
crate
and
thanks
to
it
being
open
source.
B
We
have
our
source
code
now
it
works
on
on
my
machine
and
then
I
deploy
it
to
the
server
and
it
doesn't
even
start.
So.
What
is
this
it's
classic
case
so?
Well,
I
have
arch
on
my
local
system.
There's
a
debian
installation
on
the
server
libsy
doesn't
work.
This
is
a
very
common
error.
If
you
deploy
without
containers,
there's
two
ways
around
this
one:
you
can
build
a
container
if
your
server
supports
containers.
You
can
just
point
the
server
to
your
container
registry,
tell
it
to
download
the
container
and
be
done
with
that.
B
B
B
This
is
this
is
the
path
of
the
the
configuration
file
and
then
point
that
into
a
folder
and
that
folder
can
be
overlaid
from
your
kubernetes
or
k3s
environment.
So
you
have
a
shared
volume.
That's
like
read.
Only
to
the
container
read
write
for
you.
All.
Your
configuration
is
separate
from
the
binary.
If
you
update
the
binary
configuration
is
untouched
and
reused.
It's
pretty
great.
B
B
B
B
B
We
still
need
to
touch
it
up.
As
we
see
in
the
next
line,
then
we
map
the
current
project
into
user
source.
My
app
this
is
just
the
convention
that
the
rust
container
uses
and
then
we
tell
it
okay.
Yes,
we
want
you
to
work
inside
this
container
inside
this
folder,
with
this
image
rust
latest
from
the
docker
hub
and
then
run
this
command
cargo
build
release.
B
This
is
the
normal
cargo
build
command
just
running
inside
the
container.
Why
do
we
do
that?
Because
this
container
here
is
built
based
on
the
debian
base
image,
so
all
the
libraries
match
up,
so
the
debian
based
image
on
my
server
that's
used
is
the
same
as
for
this
container,
hence
the
the
binary
build
in
the
end.
Sadly,
this
doesn't
take
all
the
files,
because
the
artifact
at
the
end
and
some
files
are
still
created
as
the
user.
Instead
of
my
local
user,
I
have
to
change
ownership
of
the
release
folder
and
the
binary.
B
B
Sorry,
for
that,
it's
in
it's
in
the
real
make
file
and
then
we'll
rsync
all
of
the
files
we'll
have
our
mail
config,
that's
synchronized!
So
we
have
the
secrets
that
are
for
the
email
configuration
we'll
synchronize
them
over
the
release
binary
the
templates.
This
is
all
the
things
the
terra
needs
and
static.
That's
the
javascript.
The
pictures
and
whatnot
and
they'll
put
them
onto
the
host
with
the
username
in
the
the
home.
Folder
of
that
user
and
then
in
the
end,
we'll
say
make
system
be
restart.
B
B
B
B
See
down
here
version
4.0
also,
I
did
just
do
a
login
sorry
for
spoiling
the
demo.
How
is
it
done?
Build
rs
is
run
every
time.
Cargo
is
run
and
it
will
send
will
start
a
command.
It
will
use
the
git
command
with
describe
and
the
arguments
for
the
described
modules
are
tag
and
dirty
which
will
give
us
either.
B
If
we're
on
the
tag
itself,
it
will
just
give
us
the
name
of
the
git
tag
and,
if
we're
above,
if
we
like,
committed
onto
the
version,
it
will
show
us.
This
is
version,
let's
say:
zero,
four
zero
on
this
git
hash,
and
if
we
have
uncommitted
changes
in
the
tree,
it
will
add
dash
dirty
on
the
end
of
that
we
run
the
command
and
then,
if
it's
successful,
we'll
map
it
to
standard
out,
sometimes
people
clone
the
code
than
they
have
get.
B
B
B
And
then
we
just
did
this
every
time
we
change
something.
So,
for
instance,
if
we
change
the
html
or
a
javascript
file
or
css
file,
this
build
process
is
run
again
and
the
output
is
different.
Therefore
it
has
to
be
linked
again,
which
again
takes
30
seconds.
So
if
I'm
developing
my
ui
components,
I
would
rather
have
a
fast
reload
of
the
server
than
waiting
for
inch
one
character
in
an
html
file.
So
we
add
so
we
add
this
rerun.
B
It's
not
working
perfectly,
so
that's
why
you
have
to
touch
the
build
rs
source
code,
because,
if
build
rs
is
being
has
been
modified
more
recent
than
anything
else,
it
will
be
rerun
again.
It
will
trigger
this
change
and
then
it
will
actually
build
with
the
current
version
has
been
a
learning
for
me.
B
B
A
B
Me
all
right,
so
what
I
did
is
just
enter
my
email
address
up
there
and
press
login
and
then
this
is
not
great,
it's
a
proof
of
concept,
but
it
says
what
happened
suppose
were
we
able
to
send
email?
Because
sometimes
our
third
party
email
provider
is
not
able
to
be
reached
right?
We
cannot
reach
it.
We
cannot
find
it.
Maybe
they
have
tls
errors
this
time
it
worked
and
they
responded
with
success.
B
And
it's
really
slow-
and
I
show
you
this:
do
you
see
that
okay,
there's
apparently
a
little
problem
with
the
stream
yard?
Doesn't
work
no
matter,
so
we
will
just
open
a
new
tab
with
this
email
address,
so
it
sends
us
an
email
that
guesses,
our
name.
It
just
uses
the
part
in
front
of
the
app
and
then
says,
click
this
link
to
access
your
account,
and
this
is
the
link
I
copy
paste
it
in
here
and
then,
when
we
do,
it
says
hooray.
B
A
B
B
A
B
B
B
B
A
A
A
B
B
B
B
B
In
the
state,
that's
currently
in
it's
more
on
the
path
of
a
library,
because
we
don't
have
any
of
the
cryptographic
implementations
that
we
get
from
or
out
or
shivolet.
Why
is
this
still
useful?
It's
very
useful,
because
how
much
security
do
we
actually
gain
from
building
a
system
that
has
an
internal
database
for
passwords
and
and
all
the
logins
and
and
stuff
like
that?
We
still
have
to
manage
the
roles
right
with
this
system.
B
But
all
these
systems
that
use
email
address
are
as
safe
as
the
email
provider
and
if
you
have
a
reset
account
link
somewhere
in
the
application,
it
doesn't
really
matter
where
you
are.
If
someone
guesses,
the
email
password
or
is,
has
access
to
the
email
account
of
a
victim,
they
can
log
in
any
service
because
they
can
reset
the
password.
B
B
If
you
don't
want
this
session
anymore,
but
in
the
end,
the
security
level
is
not
increased
by
having
a
special
password
for
the
service
we
might
as
well
just
use
the
email
address,
one
more
thing
which
isn't
implemented
because
the
project
run
out
of
time
is:
let's
say
we
are
in
a
non-trusted
environment
like
you're
on
holiday
somewhere
in
a
hotel,
and
they
have
this
wonky
computer.
But
you
want
to
access
this
service.
B
B
I
currently
disable
this
mode
because
it
didn't
match
the
requirements
we
had
for
the
project
at
university,
but
in
theory
it's
absolutely
doable
and
the
found
founding
the
the
basic
structure
of
the
code
is
already
there.
But
we
have
websockets
and
we
can
have
the
browser
just
have
the
websocket
connection
and
as
soon
as
the
smartphone
validates
the
email
address,
we
can
then
go
back
and
authorize
the
user
on
the
non-trusted
device.
A
B
That
can
happen
from
the
emails
in
the
token,
in
the
email
in
this
demo
is
valid
for
30
minutes
currently
for
a
production
application.
I
would
make
this
configurable,
but
in
the
end,
that's
a
risk.
We
take
right
as
soon
as
we
have
a
third
party
and
that
third
party
is
unreliable
with
email,
there's
more
than
one
third
party.
Actually
right,
we
have
the
email
gateway
we
have.
A
B
That
is
correct.
There
is
a
there's,
a
talk
from
tom
scott,
where
he
talks
about
the
day
that
google
went
down
and
he
proposes
this
exact
scenario.
Actually,
with
a
little
twist,
he
asks
the
questions.
What
have
happens
if
you
don't
need
a
password
for
any
google
account
anymore,
but
if
some
high
level
employee
on
purpose
makes
everything
accessible
on
google,
it's
the
same
question
yeah
you
depend
in
the
end.
It's
a
it's
a
trade-off
right.
You
depend
on
either
all
the
things
doing
in-house
you
do
all
the
things
in-house.
B
B
B
It's
probably
for
for
some
people,
it's
it
may
be
msn
or
hotmail
like
something
really
old
for
younger
people
is
probably
gmail
because
or
apple
mail,
and
they
got
their
first
smartphone
and
just
use
that
for
everything
so
yeah
you
can
help
avoid
that
a
little
bit
by
using
two
single
sign-on
services
that
you
can
authenticate
crossover
right.
So
you
could
build
yourself
a
path
out
of
this
a
little
bit,
if
you
say
okay,
I
use
single
sign-on
for
google
that
uses
microsoft
and
vice
versa.
B
B
B
B
In
the
end
I
had
systemd,
which
does
all
the
nice
things.
So
in
the
event,
I
have
a
panic
in
the
rust
program.
Systemd
will
restart
the
service
automatically.
I
get
log
capturing
and
lock
rotation
from
systemd
all
of
these
things,
and
it
was
at
that
point
where
I
was
just
like.
I
could
either
build
in
a
container
for
mosul
or
I
could
just
build
in
a
container
for
the
standard,
tbn
environment
and
then
it's
already
there.
A
Okay,
so
before
the
next
question,
I
have
to
say
goodbye,
so
we
passed
the
so.
Thank
you,
stefan
very
much
for
your
presentation.
It
was
really
really
good
and
I
really
hope
that
we
are
going
to
meet
in
this
year
next
time
as
another
meetup
and
thank
you,
everybody
guys
who
saw
us
and-
and
if
you
have
any
further
questions
you
can,
you
can
write
it
down
into
the
chat.
Stefan
will
be
around
and
answer
your
questions.