Yep. Awesome. Well, good evening, everyone. We're going to run through two-factor authentication in Drupal 9. I've also left some time for questions at the end, so if you have anything you'd like to ask, make sure you do.

Just getting into proving user identity. There are a few ways, or factors, of proving a user's identity. The first and most common method is using something the user knows, like a password. Another way of proving identity is verifying something a user has, such as a smartphone or hardware token that provides a unique PIN. The final way of proving identity is verifying something the user is, such as through biometric authentication. While you can use any one of these methods to authenticate a user, a combination of these provides the best security.

As I mentioned previously, a password is the most common method of verifying a user's identity. This is something the user knows. Passwords can, but shouldn't, be reused across services. And passwords can also be stolen by phishing, by social engineering, by implanting a keylogger on a user's machine, or by compromising the password manager. Therefore, we need to rely on a second factor to securely prove identity.

So what can we use as a second factor? Biometrics is one possibility. It verifies something a user is. A common example of biometric authentication is Face ID or Touch ID in phones. However, biometric authentication is not widely implemented in web services due to privacy and other concerns. Therefore, most web services rely on one-time codes, something a user has, to provide a second authentication factor. There are a few ways of doing this. One example is SMS. Upon login, a one-time code is sent via SMS to the user's registered phone number. However, SMS is not a secure protocol and is vulnerable to man-in-the-middle or SIM porting attacks. A more secure alternative is HOTP, HMAC-based one-time password. It's more secure than SMS, as these are generated locally by a user's device.
But these are quite long-lived, providing a large window of opportunity for a stolen code to be used. The best option for a one-time PIN is a time-based one-time password (TOTP). This is similar to HOTP, but codes are rotated every 30 to 60 seconds, which provides only a small time window for an attacker to use a stolen code.

Let's discuss some prerequisites for setting up two-factor authentication in Drupal 9. We need four contrib modules: the TFA module, the Encrypt module, the Key module, and the Real AES module. And we need the GA Login module as well. Let's see: the TFA module provides a framework for implementing two-factor authentication, while Encrypt and Real AES provide a way to securely encrypt shared secrets. The GA Login module implements support for OTP codes using the TFA framework. Finally, we'll need a way to handle secrets. The Encrypt module relies on a user-generated AES private key to encrypt data. This key can be injected in a few different ways. For example, it can be injected as a secret in Docker or Kubernetes, as a PHP environment variable, or as a file on disk. But if you're using a file on disk, you need to make sure your permissions are very tightly scoped.

This is the general workflow of how Drupal authenticates an OTP code. So the user logs in, and it prompts the user for their one-time password. After the user types it in and sends it, the code is sent to the TFA module, which then combines server time with a shared secret that's encrypted with the Real AES module to verify that the user's PIN matches. If the PIN matches, their login session is approved. And if it's not, well, they're not allowed to log into Drupal.

Sorry to interrupt, but can everybody see the diagram, or do you want Ming to zoom in a bit on the diagram?

That's visible. Was it too small? Cool. Awesome. Right. So this is why I went through the diagram earlier. And now I'll be showing you a demo of how one could set up two-factor authentication in Drupal 9.
So this is one of my hobby projects that I set up earlier. It's configured with all the required modules for two-factor authentication, and we can actually go through the process of setting it up now. So, as explained earlier, we'll need a private key, which can be generated using an OpenSSL command. This generates a 256-bit private key. Obviously, in a production deployment, you wouldn't just put the key in your web root. That's bad practice, but it's running on my local machine. So once we've generated our private key, we can see it here.

Sorry, this will need to be zoomed in on, Ming. Oh, sure. That's it. Yeah, much better, thanks. Awesome.

So yeah, you can just use an OpenSSL command to create the key. That's what the key looks like. Then we can jump back into Drupal. And the first thing we'll need to do is go into the Key module. I think my session got logged out just now. We'll have to go into the Key module, and we'll need to define a key for our private key, or choose a file on disk, so we can just grab the path to the key here. Maybe we'll use options. Now that we've got our private key installed into Drupal, we can define an encryption profile. We can name it anything. And we'll use Real AES to perform encryption, and we can save our profile. We can also test our profile just to make sure it's working properly. So I can say I want to encrypt the string "Drupal". It'll give me an encrypted string. I can take that, and I can decrypt that string. And this is all running through our new encryption profile, so it's using our private key to encrypt and decrypt the string. As you can see, the encrypted string was decrypted successfully. We've got our original text back, so our encryption profile is working.

Finally, we can jump into the TFA module settings. Just enable TFA. We've got some stuff pre-configured. It's set to TOTP. We can leave most of these as default. Save that. Oops. Let's try again.
I got logged out just now, so I think it invalidated all these forms. And now that TFA is set up, we can go in and set up TFA for my account. This is just in the Security tab. Set up application, enter my password. So this is a QR code, and you can use any two-factor authentication app. I use Authy. Let's go ahead and scan the code. It can take a while. There we go. It's detected. This is a Drupal installation, and it's giving me the chance to save the code. And that's my two-factor code. I can just go in and verify: 785500. And now two-factor authentication is set up on my account. So if I go ahead and log out and log back in, it's prompting me for my two-factor authentication code. And if I put in a bogus code, it doesn't work. I have a code from my authentication application, 575458. And now I'm logged into my Drupal website.

That's it for the demo. It actually went quite well, surprisingly enough, as far as live demos go. Does anybody have any questions? Just bring up the slide.

I wanted to ask, what happens if I need to rotate the private key?

Because your shared secret is encrypted, well, all the users' shared secrets are encrypted with the private key, you have to reset two-factor authentication for all accounts if you need to rotate the private key. So it's quite important to keep it private. But generally, if someone manages it, it's new or private. Sorry?

It will be an outage when you renew or regenerate the secret key, isn't it?

Possibly. It's probably best to get everybody to log out and reset their TFA settings. But as you saw before, you can actually turn off TFA, and it'll just disable it globally for all users. But yeah, updating your private key does involve a reset. Generally, private keys are long-lived, and if someone has managed to steal a private key, that's a really bad situation. It indicates that your setup in general has been quite badly compromised, and then we need to engage the appropriate incident response for that.
Yeah, because we have some policy that requires rotating the key periodically. Okay, I understand now. Thank you.

It may be possible to use an intermediate key, but that's not implemented in the two-factor authentication module right now. It just uses the one key to encrypt and decrypt everything.

Sure. Okay, thanks. Any other questions? Sorry, my doorbell has gone off, but thank you very much for the demo. Sorry for having me. Sorry, I will be right back. Let's stop recording.
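The verification step the talk's diagram describes (server time combined with the user's shared secret, codes rotating every 30 seconds) and the HOTP counter scheme it contrasts with, carried through in working Python as an added example. This is editor-written code, not code from the talk or from the Drupal TFA, GA Login, Encrypt or Real AES modules, and it uses only the standard library. The secret and timestamps are the published RFC 4226 / RFC 6238 test vectors, not anything from the demo; the drift tolerance (`skew`) and HOTP look-ahead are assumed values chosen for illustration, not the TFA module's settings. The at-rest encryption that Real AES performs in Drupal is out of scope here: the shared secret is held in plaintext in memory, as it would be after decryption.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed input: the shared secret is the ASCII string "12345678901234567890"
# from the RFC 4226 / RFC 6238 test vectors, base32-encoded the way an
# authenticator app would receive it from the enrolment QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret_b32: str) -> bytes:
    """Decode a base32 secret, re-adding the '=' padding that QR payloads usually omit."""
    clean = secret_b32.strip().upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = _decode_b32(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Check a submitted code against the current time step and +/- `skew` neighbours.

    `skew` (an assumed value here) tolerates clock drift between phone and server;
    anything older than that is rejected, which is the small window the talk
    attributes to TOTP. hmac.compare_digest keeps each comparison constant-time,
    and every candidate is evaluated so timing does not reveal which step matched.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    base = unix_time // step
    matched = False
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret_b32, base + delta, digits), submitted):
            matched = True
    return matched


def verify_hotp(secret_b32: str, submitted: str, counter: int,
                digits: int = 6, look_ahead: int = 10) -> Tuple[bool, int]:
    """Counter-based check: accept a code within `look_ahead` counters of the stored one.

    Returns (ok, new_counter). Nothing here expires a stolen code until the user
    authenticates again, which is the long-lived window the talk warns about for HOTP;
    advancing the stored counter past the used value is what stops replay.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, counter
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return True, c + 1
    return False, counter


if __name__ == "__main__":
    # Unix time 59 is counter 1 under a 30-second step, so TOTP(59) equals HOTP(1).
    code = totp(RFC_SECRET_B32, 59)
    print("code at t=59:", code, "| HOTP(counter=1):", hotp(RFC_SECRET_B32, 1))
    for t in (59, 89, 119, 149):
        print(f"t={t:<4} still accepts the t=59 code:", verify_totp(RFC_SECRET_B32, code, t))
    ok, nxt = verify_hotp(RFC_SECRET_B32, hotp(RFC_SECRET_B32, 3), counter=1)
    print("HOTP code for counter 3 accepted from stored counter 1:", ok, "| next counter:", nxt)
```

Run as-is, the script shows the t=59 code accepted at t=59 and t=89 (one step of drift) and rejected from t=119 onwards, whereas the HOTP code for counter 3 is accepted from any stored counter at or below 3, illustrating why the talk prefers TOTP. In Drupal the same comparison happens inside the TFA/GA Login modules after Real AES has decrypted the stored secret; rotating that encryption key without re-encrypting the secrets is what forces the per-user reset discussed in the Q&A.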