Do any desktop PC motherboards require hardware token authentication?

Scenario: I am assembling a desktop computer. I buy an ASUS XYZ motherboard because it will not run — or, even better, its running state cannot be altered, short of pulling the plug — without hardware token authentication. The XYZ motherboard comes with two YubiKeys. If I lose those, I can buy additional copies from ASUS, after posting bond and passing a DNA test.

I’m kidding about the DNA test. Or maybe not. The question is, does anything like the ASUS XYZ motherboard exist?

A prior question initially appeared to be seeking the same information, but its focus on laptops seems to explain its apparent satisfaction with a software solution oriented toward data encryption (e.g., Sophos SafeGuard Easy).

Security Risk of Stolen Session ID vs Authentication Token

I was intrigued by the discussion of this SO question as well as the accompanying blog post. I’m trying to better understand the mechanics of the two systems, and one of the questions I came up with is how much worse is it to have a token stolen vs. a session ID?

Here’s what I understand so far, and please do correct me if I’m wrong:

A session ID is an opaque reference to actual session data stored on the server. It is safe insofar as it is random enough to not be guessed easily, and the data is safe because it is not directly accessible by or beholden to the front-end. The session ID is stored in a cookie to simplify authenticated requests.

An authentication token is a plaintext segment of JSON user data with a cryptographic signature that verifies the data’s integrity. It is tamper-proof because of the signature, so no one can simply come up with their own token. The data it grants access to is safe on the server, except of course what is present in the token (which even then can be encrypted if need be). The token is also often stored in a cookie to simplify authenticated requests.

So here is what I do not understand. The way I see it currently, it seems just as likely that a token be stolen as a session ID, e.g. anyone breaking past my SSL and viewing my token would be able to view a session ID as well. Either event gives the attacker complete access to my account and all associated authorization. So in terms of the event likelihood and the resulting damage, is an authentication token really any worse than a session ID, as the article claims?

The one thing I could see potentially being worse for tokens is if the signing secret were somehow found out, in which case the attacker can do anything with anyone’s account, rather than just mine. However I almost want to relegate this to the reasonable unlikelihood of someone first breaking RSA, in which case they can get past SSL, and then what good is a session ID anyway?

Usefulness of token sidejacking prevention mentioned by OWASP JWT Cheat Sheet

I was just reading through the “Token sidejacking” of the JWT Cheat Sheet of OWASP (https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking)

At the moment I don’t understand how the recommended prevention actually solves the issue.

The solution is to add a context and send this context (e.g. a random value) as a Cookie as well as part of the JWT (then hashed).

However if an attacker is able to steal the JWT by performing a XSS attack and access the sessionStorage, the attacker can also send XHR-requests, so the Cookie is automatically send with it. If the attacker is able to sniff the network traffic, the attacker also has the Cookie value. The only case I can think of where this works is, if the attacker has access to some sort of logs, where the JWT is stored, but this would be another vulnerability (or more).

What did I miss? Thanks

Jest with SharePoint Framework. SyntaxError: Unexpected token export

I’m trying to do tests on an SPFx project with Jest and Enzyme. I have configured the environment using Andrew Connel’s preset to test my solution with React and Typescript.

After run ‘npm test’ I’ve encountered this error on a component that uses Dropdown of Office Fabric UI component:

<mylocalpath>\node_modules\office-ui-fabric-react\lib\components\Dropdown\index.js:1     ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,global,jest){export * from './Dropdown';                                                                                              ^^^^^^      SyntaxError: Unexpected token export 

Can you suggest me the right configuration of Jest for these type of imports?

Identity confirmation using PIN to decrypt previously issued token

I am building an app (for web and mobile) that requires a user pass two stages of authentication/authorisation in order to access a server-side API and subsequently use the app. First, they must supply valid credentials (username/password). Second, they must meet a series of variable criteria, for example the current time being within a defined range.

I am planning to implement this through the use of two tokens:

  • A long-term, randomly generated, opaque session token
  • A short-lived JWT authorisation token, with self-contained user and expiry data

On the client side, the presence of the session token would allow the user to skip re-entering their (hopefully long and complex) username/password. On the server side, a valid session token would be required to issue an authorisation token, and a valid authorisation token would be required to access the API.

While the goal of the session token is to simplify access (particularly on mobile devices) by removing the need to enter full username/password, I would prefer the user still re-confirm their identity before a new authorisation token is issued. A shorter numeric PIN (or potentially a fingerprint/face scan on supported devices) could allow this.

However, storing such a PIN along with the user’s other data on the server would require full management facilities, as with their password (“I forgot my PIN”). To avoid this overhead, I am thinking about the following approach.

On initial login (no known session token):

  • Ask for and submit username, password, and PIN.
  • If username/password are valid, generate the session token.
  • Encrypt the session token under a key derived from a server-known secret plus the submitted PIN.
  • Return the encrypted session token to the client.

On subsequent login (known session token):

  • Ask for PIN.
  • Submit PIN and encrypted session token.
  • Decrypt the session token, using the submitted PIN, and compare the result to that stored on the server.
  • If the decrypted session token matches a valid session, the user has confirmed their identity and an authorisation token can be issued.

In my mind, this allows a simple “identity confirmation” step with little overhead. The user can reset their PIN at any time simply by fully logging out and logging back in again, choosing a new PIN. And while the PIN is short and simple, it is combined with a server-known secret in order to derive the encryption key, so an offline brute-force of the encrypted session token should be extremely difficult. And server-side use of a slow key derivation function, rate limiting, and lockouts on failed attempts should mitigate online attacks on the PIN.

So my question is: is my thinking correct? Is this a secure way to achieve my goal?

Reporting trident token or other indications of a user in compatibility mode within Google Analytics

I have noticed that the number of users reporting to be using Internet Explorer 9 is high (2%) within browser & OS in Google Analytics. Reviewing the user agent it’s clear a higher number of these are running Internet Explorer 11 in compatibility Mode. It appears google analytics would represent the following user as IE9. However, the trident value of 7 indicates they are using Internet Explorer 11. What’s my browser example

DeviceType Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+10.0;+Win64;+x64;+Trident/7.0;+Touch) 

I’ve seen older threads stating that it’s not possible to report browser by the trident token or if the the user is in compatibility mode.

Is this still the case? Are there other tools within google analytics that could give an accurate represent of the IE 9 usage?

SharePoint web application not using the good Trusted Identity Token Issuer

We have a SharePoint 2016 farm and 2 web applications. We have configured SSO through ADFS and created one SPTrustedIdentityTokenIssuer for one web app. Now, we want to have a second SPTrustedIdentityTokenIssuer for the second web app. We made the same configuration, changed the realm, added a new certificate, etc …

The issue is : – When we connect to a site on the second web app, it automatically sends the realm of the first identity token issuer, and we face this issue :

enter image description here

Now, if we change the default sign-in page on the web app, like this

enter image description here

We then are able to select between “Windows Authentication” and our second trusted identity token issuer. If we select it, the good realm is sent to ADFS and we can connect to the site.

Any idea about what’s going wrong ?

We could provide any additional information.

Thanks.