Passwordless website authentication scheme


Edit: This scheme has since been standardised as WebAuthn – go use that instead!

I have a userbase which really isn’t all that inclined to create a secure password for a website. They’re also almost entirely on mobile devices, so I would like to try something a little different rather than them type ‘password1’ and just wait for it to get guessed. So, firstly, some assumptions:

  • Web browsers almost always remember the password for you anyway.
  • Mobile devices are increasingly gaining features which identify a particular user more securely (touch ID, for example).
  • This uses HTTPS; Malicious clients (intercepting) are largely a non-issue.

The resulting implication:

  • The website authenticates the device and the device authenticates the user. Therefore, we might as well use something better than a poorly chosen password for website <-> device.

Given this, the intention is to use a client generated key pair. The most similar thing asked before is Using RSA for Web Application Authentication, however this approach appears to be a little different.

So, the protocol itself. Firstly, the join process:

  • The client generates an RSA key pair.
  • The public key is sent to the server (over HTTPS). This only ever happens once per device.
  • The server stores the public key as a device.
  • The server creates an account and relates the device to the account. [A]
  • The first session token along with the new device ID is encrypted using the public key, and the result is sent back to the client. The device ID is both a number and a randomly generated string.
  • The client decrypts it, stores the device ID and the private key, and sets the IP locked session token as its cookie.
  • All further requests are authenticated using the session token.

Login (typically due to changed IP)

  • The client tells the server which device it is by sending the device ID.
  • The server asks the client to prove it by encrypting the new session token with its stored public key of that device, and sending it.
  • The client decrypts the data and sets the session as it’s cookie.
  • Provided it really is who it said it was, the session is now valid.

Adding a device to an account (e.g. a new phone to replace the one you just washed):

  • The device gets a device ID for itself by doing a join similar to above but does not create an account; [A] does not occur. The device is currently able to authenticate but is not associated with any account. (And this association is purely at the server end).
  • Enter your email address (or some other account related information such as a username) on the new device.
  • The server identifies the requested account and sends it an email or SMS containing a link.
  • The user loads the link (on any device). This causes the server to relate the new device to the original account, provided it’s within e.g. 24 hours.

Known vulnerabilities:

The following vulnerabilities all also relate to your typical password system.

  • It’s as strong as the email account/ SMS receiver etc.
  • SSLStrip and XSS being used to grab the stored private key, in the same way they could grab document.cookie or the autofilled user/password fields. Although the whole site is HTTPS only, there may be some unknown exploit with the surrounding infrastructure.
  • Someone else could grab the physical device and use the site.

Benefits over a password system:

  • The ‘password’ is private, even from the server, helping against data leaks and MITM.
  • The ‘password’ text is considerably stronger as it’s essentially equivalent to one in the region of 300-500 characters long.
  • The server only contains a list of public keys. Someone gaining this list via a data leak would still have to break RSA.
  • It’s unphishable as the user never directly enters a password.
  • If an intruder breaks HTTPS, i.e. by going around it with something like SSLStrip, they’d still have to break the password as it’s not then on the wire as clear text.
  • Actually simpler to use; the user simply enters, at a minimum, an email address.

    Given this, my assumption is that such a system may provide more security and simplicity than a password one can. However, why is this not being done, and, should it be done; am I missing something? Or should I stick to the mainstream password setup and just live with it – any responses would be greatly appreciated!

Side notes

  • I’m aware of client certificates which this has parallels to, but they seem to use complicated terminology and UX for a user to understand, thus they doesn’t get used all that much. On a similar thread then, it may make a user feel odd not using a password; it may be perceived to be less secure. (?)

  • Provided the technique is sound and the ‘perception issue’ isn’t a concern, I intend to opensource the implemented solution for both greater security/ simplicity on the web with a corresponding full audit of the implementation.

Security risks on returning encrypted JSON web token without prior authentication

I am architecting a passwordless REST API where public/private keys are the primary form of authentication. In order to create a new session you must prove that you hold the private key to the public key tied to the user.

As REST/HTTP is touch and go I cannot hold an authentication session similar to the way that SSH does it. For this reason I am considering the client simply sending their user ID (without any prior authentication) and the server replies with a JSON web token encrypted with the user’s public key (from server database). Anyone can request an encrypted JSON web token tied to any user, but in theory only the user who holds the private key can decrypt and use it.

What are the potential risks and implications of using this method?

Sharepoint API authentication without OAuth

I’m trying to make an integration work between JIRA and Sharepoint, but the JIRA Addon I’m using does not support OAuth. It does support basic authentication and adding headers and cookies.

I managed to get it to work by passing the cookies fedauth and rtfa (I got those by inspecting the web requests on my browser), but I imagine those will expire soon. Plus, my account will be removed as soon as I finish this assignment.

Is there any header that I can use to authenticate, with tokens that will never expire? Or is there any way to enable basic authentication for only a specific user?

SSH Tunneling as Encryption and Authentication for Local Service

Background:

On my server there is a service running that listens on a domain socket at /srv/socket for incoming connections and then interacts with the user that connected. Please note that this service is one that I wrote (in C++) so I can modify the service’s behavior quite easily. Right now, no authentication or permission checking is done by this service (as you will see in a second this will have to change). A few developers (think five to ten) I am working with need access to this service (and this service only) from computers somewhere else in the internet. Because this service gives them quite a few privileges, I want the authentication to be as strong as possible, and the connection to be encrypted. The underlying question I have (to avoid any XY problem) is: How do I set this up?

Idea and Questions About It:

My original idea was to provide my own authentication and then use TLS for encryption (exposing the service on an external port of course). However, writing my own authentication is likely to lead to security flaws, and setting the connection up to work over TLS will be a pain.

My second idea was then to just use SSH. SSH already has very strong authentication and encryption, and basically does what I need it to. Unfortunately, I am not quite sure how to set this up. First, I of course do not want to give the devs full shell access, and so I will change their default shell to /bin/false (as per a few other answers on this and related sites). But then I still need them to be able to connect to the relevant socket. I looked into ssh tunneling but that does not seem to be what I need, and other searches for things similar to “ssh as a proxy” all reveal related but not identical issues. What is the right thing to do here? Of course, I could write a custom executable that will act as a “shell” and simply connect those users to my service, but again, this code will be security sensitive and where possible I’d like to avoid writing my own.

Best Case Scenario:

Ideally, I’d like the following to happen:

  1. The user runs some command on their client.
  2. An encrypted connection to a proxy service on my server is created, and the user authenticates themselves to this service (ideally this is a well established service that is known to be reasonably secure).
  3. The proxy service opens a connection to my service, forwards the username (or some user identifier), and the connects the client.

What is the best way to go about doing this?

Authentication Mechanism for Third Part Apps

I have an WebAPI application which is consumed in our native apps. The implemented auth grant type is ‘password’. It is working fine.

Currently we are creating a native library instead of native apps so that third party users can integrate this library into their native apps.

All API communications will be done thorough our library only. Our server have users in addition to client. Third party app have their own users.

Here my aim is we need to integrate library into their apps so that

  1. We need to validate the app
  2. Need to take user level resource based on app user.

Please suggest best authentication approach for this.

Simply telling i need to authenticate client credentials + end user id. Client is authenticated so that don’t want to authenticate against end user with password.

ADFS authentication with an app between SP and IDP

I have to set up an ADFS server for SSO in an existing architecture. I’ve already done it for some apps but I have to plan it for another.

The application that requires SSO doesn’t communicate directly with the Identity Provider. There is another application between them to avoid direct access to the Active Directory from the developpers.

I guess I have to set the application that requires SSO as the Relying Party. But, I don’t see what I am supposed to do (in the final and the between app) so that the SSO works well keeping this way : the final application needing SSO, the app between that communicates with the AD, and the AD.

I hope you could understand my problem and help me a bit.