Post on 21-Jan-2018
Authentication Without Authentication
December 2017, @omerlh
#MeetupAtSoluto
Agenda
● Introduction
● OpenID
● Digital Signature
● One Time Password
● Demo
● Edge Cases
Can we Authenticate without Authentication?
- Helping people get the most out of their technology
“...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today...”
Source: Optimizely
Authentication Requests Per Second
Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
[Diagram: User Id → Application Server]
[Diagram: Device Id → Application Server]
● “Simple Identity Layer”
● Token-based authentication
● Widely supported
● Modularity - many authentication flows
[Diagram: Device, Authorization Server, Application Server]
Supported Authentication Methods
Authorization/Implicit/Hybrid
Client credentials
Resource Owner
JWT client assertion
We need a new authentication flow
[Diagram: Device ↔ Authorization Server]
[Diagram: Device, Authorization Server, Application Server]
Requirements
❏ Strong authentication solution
❏ Unique device identification
❏ Simple
❏ Unique per request
❏ Replay Attacks
❏ Fault tolerant
Questions?
Let’s use Digital Signature
[Diagram: Leo signs the message “Dear Bob”; Bob the Builder™ verifies the signature]
Source: Bob the Builder™ Official Site
This sounds familiar...
How can we use it?
[Diagram: registration: the Device sends its Public Key to the Authorization Server, which stores (Public Key, Id) and answers with Id: 5467]
[Diagram: authentication: the Device sends (Digital Signature, Id: 5467); the Authorization Server verifies the signature against the stored (Public Key, Id)]
So far we have:
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
❏ Unique per request
❏ Fault tolerant
Questions?
One Time Password
[Diagram: the Device sends (Digital Signature, Id: 5467) to the Authorization Server, which holds (Public Key, Id)]
Let’s build our own OTP
[Diagram: client state Old 5 / New 2 and server state Old 5 / New 2; the client rotates to Old 2 / New 42 and sends it, the server moves from Old 5 / New 2 to Old 2 / New 42 and returns a Token]
So far we have…
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
✓ Unique per request
✓ Fault tolerant
Questions?
Demo Time
[Diagram: Client → Authorization Server → Application Server (Sensitive API)]
Let’s see it in action...
All the code is available on GitHub
Network requests can fail
● Reasons:
○ Timeout
○ Network failure
○ Temporary server errors
● Unknown server state
○ State did not change
○ State changed
[Diagram: client Old 2 / New 42, server Old 1 / New 2; the request ends in Error, and the server is shown either unchanged at Old 1 / New 2 or already advanced to Old 2 / New 42]
[Diagram: client Old 2 / New 42, server Old 2 / New 42 (also shown as Old 1 / New 2 for the unchanged case); the retry again ends in Error]
[Diagram: client Old 2 / New 42, server Old 2 / New 42; the client advances to Old 42 / New 86, the server follows to Old 42 / New 86 and returns a Token; a request still carrying Old 2 / New 42 gets Bad Request (400)]
Questions?
Detecting Compromised Devices
[Diagram: client Old 2 / New 42, server Old 1 / New 2, Eve Old 2 / New 42 (a copy of the client state); a request carrying Old 2 / New 42 is accepted, the server moves to Old 2 / New 42 and returns a Token]
[Diagram: client Old 2 / New 42, server Old 2 / New 42, Eve Old 42 / New 56; the server stays at Old 2 / New 42 and answers Bad Request (400)]
[Diagram: client Old 42 / New 78, server Old 2 / New 42, Eve Old 42 / New 56; the client's request is accepted, the server moves to Old 42 / New 78 and returns a Token]
[Diagram: client Old 78 / New 4, server Old 7 / New 78, Eve Old 7 / New 56; the server is also shown at Old 7 / New 93; answer 400 Bad Request]
Questions?
Conclusion
Responsible Disclosure
Requirements
✓ Strong authentication solution
✓ Unique device identification
✓ Simple
✓ Unique per request
✓ Fault tolerant
[Diagram: Device ↔ Authorization Server]
[Diagram: Device, Authorization Server, Application Server]
How can you use it?
@omerlh
#MeetupAtSoluto