474 Password Not Found
TRANSCRIPT
Giuseppe Galli [email protected]
Saverio Caminiti [email protected]
ROME 18-19 MARCH 2016
Giuseppe Galli
Mr. Giuseppe Galli, Master in Electronic Engineering [email protected]
• Partner and CTO at K-Tech s.r.l.
• Experienced in JEE architecture
• Expert in web, mobile and SOA solutions
• Several years spent working as an APM specialist
• Class instructor
Saverio Caminiti
Saverio Caminiti, Ph.D. [email protected]
• Analyst and Senior Dev at K-Tech s.r.l.
• Formerly:
  • Researcher at: Sapienza University of Rome, Italian National Research Council, University of Central Florida, Eötvös Loránd University
  • Cofounder of a company for Augmented Reality mobile apps
K-Tech s.r.l.
• Consultancy firm based in Rome
• Founded in 1996 by enthusiast developers
• Java Italian Portal (JIP) maintainer
• Web, mobile, SOA applications development
What this talk is about
• Advocate that passwords are obsolete
• Technologies are ready to let us move forward
• Show that humans can live (even better) without passwords
What this talk is NOT about
• Teach you how to design/code your application
• Advertise/sell a software we made
• Blame those who still implement password-based authentication systems
Purpose of this Talk
• Open a discussion about a future without passwords
• Raise awareness on this topic among developers
• Receive feedback and opinions from this community
Background
Password: old concept new use
• In the past only a few people were using passwords (and in a very limited way)
• Nowadays everybody is required to deal with tens of passwords
STOP! Pass phrase, please
Humans vs passwords
• Humans don’t play well with passwords
  • they use easy passwords
  • they reuse the same password everywhere
…and no, a birthdate is not a password at all!
Data from: xato.net
Human-Computer Interaction point of view
• HCI basically tells us that:
  • computers must adapt to humans
  • humans should be able to do things in a way that is as natural as possible
• The overall proliferation of username/password-based systems is an anti-pattern
User side
• “Computer Aided Password Management”
  • Users may mitigate the problem with software that helps them deal with this computer-induced need
  • Although helpful, this software does not solve the underlying problem
…
So we need computer help to do something that computers force us to do!?
Sounds weird!
System side
• OAuth 2.0
  • Login with Google, Facebook, Twitter, etc.
• Biometrics
  • Fingerprint, face, voice, iris, movement recognition, etc.
• 2FA (two-factor authentication)
  • SMS, physical token, etc.
Move away from passwords
Reasons to abandon passwords
• Usability
  • Humans don’t need to deal with passwords
  • and they don't want to
• Security
  • Humans tend to choose poor passwords
  • Passwords may be stolen without physical interaction
  • Data collected and used later (phishing)
Guidelines proposal
• Avoid username/password
• Use your own smartphone as a physical access key
• Generate a T-OTP on request
• Authenticate a browser/app session
• Secure app-to-server communication
12345678
See the K-Tech implementation in action
DEMO
K-Tech solution details
Main features
1. Easy to use (no typing of any user data) 😀🔐
2. Out of band: T-OTP exchange 🔐
3. Requires a device pre-registered by: 🔐
   A. direct request (workflow to approve) 💰
   B. invitation
4. No password storage (in the whole system) 🔐
5. User secret is used to build the T-OTP only 🔐
6. Multi-user/multi-account/multi-device 😀
7. Activity history and logout for active sessions 😀
8. Can use a “friend device” 😀
Technicalities
• T-OTP: Time-based One-Time Password, RFC 6238
  • Mobile and Auth Server clocks are synchronised via NTP
• I18n: Internationalisation
• HTOTP(s): extension of the HTTP/TLS protocols
  • Response status codes: utilises the range of codes 470-474, left unassigned by the RFC
  • 404 Not Found
  • 474 Password Not Found
htotp(s) Protocol
def authorize(request):
    """
    :param request: the HTTP request
    :return: a response with status codes:
        400: request in a session with an invalid session key
        404: request in a session without session key (or expired)
        470: otp check failed (doesn't match)
        471: missing otp related parameters
        472: session already authorized
        474: device id not found (or expired or wrong username)
        500: the user cannot be authorized locally (unable to log in)
    """
    # domain, site, session_id and session_key are derived from the request
    # earlier in the function; that part was not shown on the slide.
    if not backends.check_user_access(domain=domain, site=site):
        logger.debug("authorize - unable to grant site '%s' on the domain '%s'" % (site, domain))
        return _error_page(request, message="authorize request with wrong 'domain': %s" % domain)
    try:
        user, server_ts, sso_session_id = backends.check_otp(domain=domain, site=site, request=request)
        if not user:
            # OTP did not match: answer with the custom 470 code and the server timestamp
            logger.debug("authorize - otp doesn't match (response status 470)")
            response = JsonResponse({"message": "otp is not valid"}, status=470)
            response['otp-server-ts'] = format_utc_datetime(apps.utc_now())
            return response
        logger.debug("authorize - got a valid otp: authorize the session '%s' (wg_key: '%d', sso: '%s') for '%s'" % (session_id, session_key.pk, sso_session_id, user))
        session_key.authorize(user, sso_session_id=sso_session_id)
        message = 'ok'
        status = 200
    except exceptions.UnknowRequestException as e:
        logger.debug('authorize - request with unknown parameters: redirecting to error page: %s' % e)
        return _error_page(request, message='authorize request with unknown parameters: redirecting to error page')
    except exceptions.BadRequestException as e:
        logger.debug('authorize - request without valid otp related data (response status 471)')
        return JsonResponse({"message": "request without valid otp related data", "error": "%s" % e}, status=471)
    except exceptions.DeviceNotFoundException as e:
        logger.debug('authorize - device id not found or expired or wrong user data (response status 474)')
        return JsonResponse({"message": "device id not found", "error": "%s" % e}, status=474)
    # the success response built from message/status follows in the original (not shown on the slide)
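A minimal added illustration (not K-Tech's code) of the server-side check the snippet above performs: an RFC 6238 T-OTP verification mapped onto the talk's 470-474 status codes, with the device registry, session table and the `open_session`/`authorize` names and sample data assumed for this example.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # T-OTP time step in seconds (RFC 6238 default)

# Constructed sample data (hypothetical): pre-registered device id -> (username, shared secret).
# The secret is the RFC 6238 Appendix B test key, so codes can be checked against the RFC.
DEVICES = {"dev-123": ("alice", b"12345678901234567890")}
SESSIONS = {}  # session id -> username once authorized, None while still pending


def totp(secret, ts, digits=6):
    """RFC 6238 T-OTP (HMAC-SHA1 truncation per RFC 4226) for Unix time ts."""
    counter = struct.pack(">Q", int(ts) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def open_session(session_id):
    """Register a pending browser/app session that the phone will later authorize."""
    SESSIONS[session_id] = None


def authorize(session_id, params, now=None, skew_steps=1):
    """Server-side authorize step; returns (status, message) using the talk's codes."""
    now = time.time() if now is None else now
    if session_id not in SESSIONS:
        return 404, "session not found or expired"
    if SESSIONS[session_id] is not None:
        return 472, "session already authorized"
    device_id, otp = params.get("device_id"), params.get("otp")
    if not device_id or not otp:
        return 471, "missing otp related parameters"
    if device_id not in DEVICES:
        return 474, "device id not found"
    user, secret = DEVICES[device_id]
    # Accept neighbouring time steps to tolerate small drift between the NTP-synced clocks.
    candidates = [totp(secret, now + d * STEP) for d in range(-skew_steps, skew_steps + 1)]
    if not any(hmac.compare_digest(otp, c) for c in candidates):
        return 470, "otp is not valid"
    SESSIONS[session_id] = user  # the shared secret never leaves the server; no password stored
    return 200, "ok"
```

A production server would additionally refuse a code that was already accepted in the same time step (RFC 6238 section 5.2) and bound the number of failed attempts per session.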
Envisioning the future
• Main changes in widespread behaviours may be difficult to envision
• Let’s start this shift, the sooner the better
Skepticism
Status quo
• Technologies are broadly available and mature
• Users access Internet services increasingly from mobile devices
• User awareness is still too low
• Little or no innovation in software systems development
Future developments
• Progressive adoption of password-less solutions
  • Authentication (login, strong auth)
  • Authorization (roles, dispositive action)
  • Digital signature
  • Anonymization (privacy)
• Standardization
  • User experience
  • Protocols
  • API for libraries and services
Questions and Feedback
References
• T-OTP: https://tools.ietf.org/html/rfc6238
• HTTP Status Code: https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
• Password data from: https://xato.net
Thanks!
Giuseppe Galli [email protected] Saverio Caminiti [email protected]
All pictures belong to their respective authors