Authentication without Authentication - Peerlyst meetup

Click here to load reader

  • date post

    21-Jan-2018

  • Category

    Technology

  • view

    54

  • download

    1

Embed Size (px)

Transcript of Authentication without Authentication - Peerlyst meetup

  1. 1. Authentication Without Authentication December 2017 @omerlh #MeetupAtSoluto
  2. 2. Agenda Introduction OpenID Digital Signature One Time Password Demo Edge Cases
  3. 3. Can we Authenticate without Authentication?
  4. 4. - Helping people get the most out of their technology
  5. 5. ...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today... Source: Optimizely
  6. 6. Source: pinterest
  7. 7. Authentication Requests Per Second
  8. 8. Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  9. 9. Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  10. 10. User Id Application Server
  11. 11. Device Id Application Server
  12. 12. Simple Identity Layer Token-based authentication Widely supported Modularity - many authentication flows
  13. 13. Authorization Server Application ServerDevice
  14. 14. Supported Authentication Methods Authorization/Implicit/Hybrid Client credentials Resource Owner JWT client assertion
  15. 15. We need a new authentication flow
  16. 16. Authorization Server Device
  17. 17. Authorization Server Application ServerDevice
  18. 18. Requirements Strong authentication solution Unique device identification Simple Unique per request Replay Attacks Fault tolerant
  19. 19. Questions?
  20. 20. Lets use Digital Signature
  21. 21. Dear Bob Dear BobSign Verify Leo Bob the BuilderTM Source: Bob the Buildertm Official Site
  22. 22. This sounds familiar...
  23. 23. How we can use it?
  24. 24. Authorization Server Device Public Key, Id Public Key, Id Id: 5467
  25. 25. Authorization ServerDevice Digital Signature, Id Public Key, Id Id: 5467
  26. 26. So far we have: Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  27. 27. Questions?
  28. 28. One Time Password
  29. 29. Authorization ServerDevice Digital Signature, Id Public Key, Id Id: 5467
  30. 30. Lets build our own OTP
  31. 31. Client State Server State Old 5 New 2 Old 5 New 2 Old 2 New 42 Old 5 New 2 Old 2 New 42 Token
  32. 32. So far we have Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  33. 33. Questions?
  34. 34. Demo Time
  35. 35. Client Authorization Server Application Server (Sensitive API)
  36. 36. Lets see it in action... All the code is available on GitHub
  37. 37. Network request can fail Reasons: Timeout Network failure Temporary server errors Unknown server state State did not changed State changed
  38. 38. Client State Server State Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Old 1 New 2 Token Error
  39. 39. Client State Server State Old 2 New 42 Old 2 New 42 Old 1 New 2 Old 2 New 42Old 2 New 42Old 2 New 42 Error
  40. 40. Client State Server State Old 2 New 42 Old 2 New 42 Old 42 New 86 Old 42 New 86 Old 2 New 42 Bad Request (400) Token
  41. 41. Questions?
  42. 42. Detecting Compromised Devices
  43. 43. Client State Server State Old 2 New 42 Old 1 New 2 Eve Old 2 New 42 Old 1 New 2 Old 2 New 42 Old 2 New 42 Token
  44. 44. Client State Server State Old 2 New 42 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 2 New 42 Bad Request (400)
  45. 45. Client State Server State Old 42 New 78 Old 2 New 42 Eve Old 42 New 56 Old 2 New 42 Old 42 New 78 Old 42 New 78Token
  46. 46. Client State Server State Old 78 New 4 Old 7 New 78 Eve Old 7 New 56 Old 7 New 78 Old 7 New 93 400 Bad Request
  47. 47. Questions?
  48. 48. Conclusion
  49. 49. Responsible Disclosure
  50. 50. Requirements Strong authentication solution Unique device identification Simple Unique per request Fault tolerant
  51. 51. Authorization Server Device
  52. 52. Authorization Server Application ServerDevice
  53. 53. How can you use it? @omerlh #MeetupAtSoluto
  54. 54. @omerlh #MeetupAtSoluto Were hiring! Thank You!

Active Directory & LDAP Authentication Without Triggers
Active Directory & LDAP Authentication Without Triggers
RSA Authentication Manager to IDENTIKEY Authentication .RSA Authentication Manager to IDENTIKEY Authentication
RSA Authentication Manager to IDENTIKEY Authentication .RSA Authentication Manager to IDENTIKEY Authentication
ï‚–. ï¶ Define authentication ï¶ Authentication credentials ï¶ Authentication models ï¶ Authentication servers ï¶ Extended authentication protocols ï¶
ï‚–. ï¶ Define authentication ï¶ Authentication credentials ï¶ Authentication models ï¶ Authentication servers ï¶ Extended authentication protocols ï¶
SYNOPSIS: INSIGHTS SECURE Q & A intercaste & love marriages without any authentication by brahimical
SYNOPSIS: INSIGHTS SECURE Q & A intercaste & love marriages without any authentication by brahimical
Information Security Lecture 8: User Authentication RSA SecurID without PIN L08 - User Auth. INF3510
Information Security Lecture 8: User Authentication RSA SecurID without PIN L08 - User Auth. INF3510
Strong Authentication for Healthcare - Entrust Datacard ??2016-10-03Strong Authentication for Healthcare ... You should not act or abstain from acting based upon such information without
Strong Authentication for Healthcare - Entrust Datacard ??2016-10-03Strong Authentication for Healthcare ... You should not act or abstain from acting based upon such information without
Steganography and authentication in image sharing without ...h.web.umkc.edu/harnl/papers/2012 j2.pdf¢ 
Steganography and authentication in image sharing without ...h.web.umkc.edu/harnl/papers/2012 j2.pdf¢ 
MAFIA MEETUP KIT - MAFIA MEETUP KIT Mafia Meetup Checklist (Short Version) Mafia Meetup Checklist (Long/Detailed
MAFIA MEETUP KIT - MAFIA MEETUP KIT Mafia Meetup Checklist (Short Version) Mafia Meetup Checklist (Long/Detailed
KB 150186 - VASCO .KB 150186 How to Configure SOAP without SSL in IDENTIKEY Authentication Server
KB 150186 - VASCO .KB 150186 How to Configure SOAP without SSL in IDENTIKEY Authentication Server
Software craftsmanship meetup (Zurich 2015) on solving real problems without reading code
Software craftsmanship meetup (Zurich 2015) on solving real problems without reading code
Security without High Cost Open Source Authentication Anthem, Inc. (02/05/2015) 80M Social Security
Security without High Cost Open Source Authentication Anthem, Inc. (02/05/2015) 80M Social Security
Authentication Without Authentication
Authentication Without Authentication
Microservices without the Servers - Meetup - Microservices without th¢  Microservices without the Servers
Microservices without the Servers - Meetup - Microservices without th¢  Microservices without the Servers
Data in the Cloud: Authentication Without Leaking
Data in the Cloud: Authentication Without Leaking
Best Practices! - Binary Gary Override your parent theme. Update without fear. WPJax Meetup - June 2016
Best Practices! - Binary Gary Override your parent theme. Update without fear. WPJax Meetup - June 2016
Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication
Outline User authentication –Password authentication, salt –Challenge-response authentication protocols –Biometrics –Token-based authentication Authentication
Saigon Wordpress Meetup - Themes Wordpress Meetup
Saigon Wordpress Meetup - Themes Wordpress Meetup
Strong Authentication without Tamper-Resistant Hardware ... Strong Authentication without Tamper-Resistant
Strong Authentication without Tamper-Resistant Hardware ... Strong Authentication without Tamper-Resistant
Authentication without interruptions
Authentication without interruptions
Custom/External Authentication in TIBCO Spotœre .authenticationâ€‌ that will handle most cases without
Custom/External Authentication in TIBCO Spotœre .authenticationâ€‌ that will handle most cases without
View more