Authentication Without Authentication

December 2017@omerlh

#MeetupAtSoluto

Agenda

● Introduction

● OpenID

● Digital Signature

● One Time Password

● Demo

● Edge Cases

Can we Authenticate without Authentication?

- Helping people get the most out of their technology

“...a significant amount of drop-off in app usage,

losing up to 56% of users,

but are pretty much essential for the majority of apps out there today...”

Source: Optimizely

Source: pinterest

Authentication Requests Per Second

Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/

Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html

User Id

Application Server

Device Id

Application Server

● “Simple Identity Layer”

● Token-based authentication

● Widely supported

● Modularity - many authentication flows

Authorization Server

Application ServerDevice

Supported Authentication Methods

Authorization/Implicit/Hybrid

Client credentials

Resource Owner

JWT client assertion

We need a new authentication flow

Authorization ServerDevice

Authorization Server

Application ServerDevice

Requirements

❏ Strong authentication solution

❏ Unique device identification

❏ Simple

❏ Unique per request

❏ Replay Attacks

❏ Fault tolerant

Questions?

Let’s use Digital Signature

Dear BobDear BobSign Verify

Leo Bob the BuilderTM

Source: Bob the Buildertm Official Site

This sounds familiar...

How we can use it?

Authorization ServerDevice

Public Key, Id

Public Key, Id

Id: 5467

Authorization ServerDevice

Digital Signature, Id

Public Key, Id

Id: 5467

So far we have:

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

❏ Unique per request

❏ Fault tolerant

Questions?

One Time Password

Authorization ServerDevice

Digital Signature, Id

Public Key, Id

Id: 5467

Let’s build our own OTP

Client State Server State

Old 5

New 2

Old 5

New 2

Old 2

New 42Old 5

New 2

Old 2

New 42

Token

So far we have…

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

✓ Unique per request

✓ Fault tolerant

Questions?

Demo Time

Client

Authorization

Server

Application Server

(Sensitive API)

Let’s see it in action...

All the code is available on GitHub

Network request can fail

● Reasons:

○ Timeout

○ Network failure

○ Temporary server errors

● Unknown server state

○ State did not changed

○ State changed

Client State Server State

Old 2

New 42

Old 1

New 2

Old 2

New 42

Old 2

New 42

Old 1

New 2

Token

Error

Client State Server State

Old 2

New 42

Old 2

New 42

Old 1

New 2

Old 2

New 42Old 2

New 42Old 2

New 42

Error

Client State Server State

Old 2

New 42

Old 2

New 42Old 42

New 86

Old 42

New 86

Old 2

New 42

Bad Request (400)

Token

Questions?

Detecting Compromised Devices

Client State Server State

Old 2

New 42

Old 1

New 2

Eve

Old 2

New 42

Old 1

New 2Old 2

New 42

Old 2

New 42 Token

Client State Server State

Old 2

New 42

Old 2

New 42

Eve

Old 42

New 56

Old 2

New 42Old 2

New 42

Bad

Request

(400)

Client State Server State

Old 42

New 78

Old 2

New 42

Eve

Old 42

New 56

Old 2

New 42Old 42

New 78

Old 42

New 78Token

Client State Server State

Old 78

New 4

Old 7

New 78

Eve

Old 7

New 56

Old 7

New 78Old 7

New 93

400 Bad

Request

Questions?

Conclusion

Responsible Disclosure

Requirements

✓ Strong authentication solution

✓ Unique device identification

✓ Simple

✓ Unique per request

✓ Fault tolerant

Authorization ServerDevice

Authorization Server

Application ServerDevice

How can you use it?@omerlh

#MeetupAtSoluto

@omerlh#MeetupAtSoluto

We’re hiring!

Thank You!