BeamAuth - Two-Factor Web Authentication with a Bookmark (slide transcript)

Page 1: BeamAuth: Two-Factor Web Auth with a Bookmark
Ben Adida, Harvard University
CCS 2007, Alexandria, VA, 30 October 2007
Page 2: Can we improve web security without upgrading the browser?
Pages 3-6: Sad State of Web Auth
Pages 7-11: SSO makes things worse
Page 12: Update the Browser
- Dynamic Security Skins [DT2005]: secure password-based key exchange; new browser chrome to authenticate the web site.
- PwdHash [RJMBM2005]: domain-specific password pre-processing.
- MS CardSpace: change the entire auth infrastructure; built into the operating system.
Pages 13-21: Can We Do Something Now?
Layer diagram, bottom to top: HTTP; HTML & JavaScript; Application Code.
- The web is a (limited) platform.
- Can we build better security in the application layer?
- Maybe by hijacking certain features for security purposes? (Active Cookies, Subspace, ...)
Goal: preventing easy phishing.
Pages 22-30: The General Idea
Parties: Alice and the OpenID Server.
Setup Phase: Alice sends a proof of identity to the server and receives a token.
Login Phase: "Click Your BeamAuth Login Button"; a login form appears (Username: benadida, Password: **********, "log in"); on success: "Welcome, Ben Adida."
Pages 31-33: Let's Build this Button!
- Browser add-on: not an easy solution for most users; complexity of an add-on across browsers; significant trust delegated to the login site.
- Bookmark: Delicious, etc. use bookmarks as buttons; can we do the same for security?
BookMark Auth = BM Auth = BeamAuth
Pages 34-40: JavaScript Bookmarks
A JavaScript bookmark runs code against the current page, as del.icio.us does for its "add" button:

```javascript
javascript:document.location='http://del.icio.us/add?u=' + encodeURIComponent(document.location);
```

A first attempt at a BeamAuth login bookmark calls a function on the page with the token:

```javascript
javascript:beamauth_token('x737csd23');
```

A second attempt checks the hostname before calling it:

```javascript
javascript:if (document.location.hostname == 'myopenid.com') { beamauth_token('x737csd23'); }
```

Cannot trust the JavaScript Computing Base.
Pages 41-44: The URL Fragment Identifier
http://site.com/page#paragraph
- used to designate a portion of a page; the browser scrolls to the appropriate location.
- never sent over the network, but accessible from JavaScript.
- navigation between fragments does not cause a page reload.
Pages 45-46: Fragment in a Bookmark
http://login.com/login#[benadida|8x34202]

The login page reads the fragment, then clears it from the URL:

```javascript
var hash = document.location.hash;
if (hash != '') {
  // parse the hash, get username and token
  process_beamauth_hash(hash);
  // clear the hash from the URL
  document.location.replace('/login');
}
```
Pages 47-54: The BeamAuth Ritual
Page 55: Attacks
- Trick user into not clicking the bookmark: password compromised, token safe.
- Lock user into site: password compromised, token safe.
- Maliciously replace bookmark: password compromised, token safe.
- Pharming: all compromised.
- "Drag-and-Drop" attack: all compromised on Firefox.
Page 56: Comparison to Long-Lasting Cookies
- Second-channel setup, though long-lasting cookies could do the same thing there.
- Synchronization across browsers using existing bookmark-sync tools.
- Better behavior for non-SSL sites.
Page 57: BeamAuth: Summary
- Bookmark as second authentication factor.
- Token delivered via a separate channel (email).
- Use the fragment identifier to store the token.
- Tweaked login ritual: whisk users to safety.
Page 58: Can we do more?
- The fragment identifier might be used for more tricks.
- JavaScript bookmarks may be useful for security.
- Security in the app layer: help evolve the browser platform without anticipating all security requirements.
- Generalize the concept of a site-specific extension?
Page 59: http://ben.adida.net/projects/beamauth/