Authentication without Authentication - Peerlyst meetup


  • Date posted: 21-Jan-2018
  • Category: Technology


Transcript of Authentication without Authentication - Peerlyst meetup

  1. Authentication Without Authentication December 2017 @omerlh #MeetupAtSoluto
  2. Agenda Introduction OpenID Digital Signature One Time Password Demo Edge Cases
  3. Can we Authenticate without Authentication?
  4. - Helping people get the most out of their technology
  5. ...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today... Source: Optimizely
  6. Source: pinterest
  7. Authentication Requests Per Second
  8. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  9. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  10. User Id Application Server
  11. Device Id Application Server
  12. Simple Identity Layer Token-based authentication Widely supported Modularity - many authentication flows
  13. Authorization Server Application Server Device
  14. Supported Authentication Methods Authorization/Implicit/Hybrid Client credentials Resource Owner JWT client assertion
  15. We need a new authentication flow
  16. Authorization Server Device
  17. Authorization Server Application Server Device
  18. Requirements Strong authentication solution Unique device identification Simple Unique per request Replay Attacks Fault tolerant
  19. Questions?
  20. Let's use Digital Signature
  21. Dear Bob Dear Bob Sign Verify Leo Bob the Builder™ Source: Bob the Builder™ Official Site
  22. This sounds familiar...
  23. How can we use it?
  24. Authorization Server Device Public Key, Id Public Key, Id Id: 5467
  25. Authorization Server Device Digital Signature, Id Public Key, Id Id: 5467
  26. So far we have: Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  27. Questions?
  28. One Time Password
  29. Authorization Server Device Digital Signature, Id Public Key, Id Id: 5467
  30. Let's build our own OTP
  31. Client State Server State Old 5 New 2 Old 5 New 2 Old 2 New 42 Old 5 New 2 Old 2 New 42 Token
  32. So far we have Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  33. Questions?
  34. Demo Time
  35. Client Authorization Server Application Server (Sensitive API)
  36. Let's see it in action... All the code is available on GitHub
  37. Network request can fail Reasons: Timeout Network failure Temporary server errors Unknown server state State did not change State changed
  38. Client State Server State Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Old 1 New 2 Token Error
  39. Client State Server State Old 2 New 42 Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Old 2 New 42 Error
  40. Client State Server State Old 2 New 42 Old 2 New 42 Old 42 New 86 Old 42 New 86 Old 2 New 42 Bad Request (400) Token
  41. Questions?
  42. Detecting Compromised Devices
  43. Client State Server State Old 2 New 42 Old 1 New 2 Eve Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Token
  44. Client State Server State Old 2 New 42 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 2 New 42 Bad Request (400)
  45. Client State Server State Old 42 New 78 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 42 New 78 Old 42 New 78 Token
  46. Client State Server State Old 78 New 4 Old 7 New 78 Eve Old 7 New 56 Old 7 New 78 Old 7 New 93 400 Bad Request
  47. Questions?
  48. Conclusion
  49. Responsible Disclosure
  50. Requirements Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  51. Authorization Server Device
  52. Authorization Server Application Server Device
  53. How can you use it? @omerlh #MeetupAtSoluto
  54. @omerlh #MeetupAtSoluto We're hiring! Thank You!
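The rolling-state OTP from slides 31 and 38-40, reconstructed as an added example (this is not the talk's GitHub code). Both sides hold an (old, new) pair; the acceptance rule below (same pair = retry, token.old equal to the server's new = step forward, anything else = 400) is an assumption inferred from the slide diagrams, and the values 5, 2, 42, 86 are the slides' own constructed numbers.

```python
import secrets
from typing import Callable, List, NamedTuple, Tuple


class State(NamedTuple):
    old: int
    new: int


Token = Tuple[int, int]  # the (old, new) pair the device sends


class Device:
    def __init__(self, state: State,
                 rng: Callable[[], int] = lambda: secrets.randbelow(1000)) -> None:
        self.state = state
        self.rng = rng  # injectable so the scenario below is deterministic

    def next_token(self) -> Token:
        # Step forward before sending: old := previous new, new := fresh value.
        self.state = State(self.state.new, self.rng())
        return (self.state.old, self.state.new)

    def retry_token(self) -> Token:
        # Resend the same pair when the previous response was lost (slide 39).
        return (self.state.old, self.state.new)


class AuthServer:
    def __init__(self, state: State) -> None:
        self.state = state

    def verify(self, token: Token) -> int:
        old, new = token
        if State(old, new) == self.state:
            return 200  # retry of a request already applied: idempotent accept
        if old == self.state.new:
            self.state = State(old, new)  # normal step, server catches up
            return 200
        return 400  # stale pair: a replay, or a clone whose state diverged


def fault_tolerance_scenario() -> List[int]:
    """Slides 31 and 38-40: one step, a retry after a lost response, a second
    step, then a replay of the first token. Returns the server's status codes."""
    server = AuthServer(State(5, 2))
    device = Device(State(5, 2), rng=iter([42, 86]).__next__)
    first = device.next_token()                          # (2, 42)
    codes = [server.verify(first)]                       # server now (2, 42)
    codes.append(server.verify(device.retry_token()))    # response lost, retry
    codes.append(server.verify(device.next_token()))     # (42, 86)
    codes.append(server.verify(first))                   # replayed (2, 42)
    return codes
```

The same 400 is what slides 43-46 rely on for detecting a cloned device: once the legitimate device and the copy diverge, whichever one presents the stale pair is rejected.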