tiffany conroy - remote device sign-in – authenticating without a keyboard - codemotion milan 2017

Post on 21-Jan-2018


TRANSCRIPT

Remote sign-in

A method for signing in to a device that doesn’t have a keyboard

Hi, I’m Tiffany @theophani

SoundCloud on Xbox

Signing in with a game controller is not fun

Secure and simple and fast

The solution, in brief

How it works

Voilà! Having an access token = signed in

Inspiration: YouTube on TVs and Google Sign-in for TVs and Devices

Using an authenticated session on Device B

i.e. take advantage of the person already being signed in on their phone or laptop

Sign in without signing in

(because you were already signed in)

https://soundcloud.com/activate_oauth2_callback?display=mobile-web-view#access_token=ACCESS_TOKEN

Choosing codes that are easy to read and type

Things to consider when choosing codes:

Sparse usage

[Slide graphic: a grid of all possible codes, almost every cell unused (.) and only a handful issued (X): codes are used sparsely]

1 number = 10 codes

0 1 2 3 4 5 6 7 8 9

2 letters = 26 * 26 = 676 codes

AA AB AC AD AE AF AG AH AI AJ . . . BA BB BC BD BE BF BG BH BI BJ . . . CA CB CC CD . . . ZZ

6 numbers = 1 000 000 codes

4 letters = 26 * 26 * 26 * 26 = 456 976 codes

Numbers and letters?

Avoid: letter O, number 0, letter I, number 1

6 numbers or letters = 32 * 32 * 32 * 32 * 32 * 32 = 1 073 741 824 codes

Things to consider when choosing codes:

Don’t use special characters !?&%$

Things to consider when choosing codes:

Use UPPERCASE for readability

(but verify with case insensitivity)
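The slides above give the rules for picking codes (a 32-symbol alphabet without O/0/I/1, uppercase display, case-insensitive verification) and the sizes of the resulting code spaces. The following Python is an added example written for this page, not code from the talk or from SoundCloud; the function names and the 6-symbol default length are assumptions. It generates codes with a CSPRNG, normalizes what a person types, and computes both the code-space sizes quoted on the slides and the chance that a random guess (or a mistyped code) lands on a live code, which is the number sparse usage keeps small.

```python
import secrets

# Alphabet the slides argue for: uppercase letters plus digits, minus the four
# symbols that are easily confused when read off a screen (O/0 and I/1).
# 26 + 10 - 4 = 32 symbols.
CONFUSABLE = "O0I1"
CODE_ALPHABET = "".join(
    c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" if c not in CONFUSABLE
)


def code_space(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def generate_code(length: int = 6, alphabet: str = CODE_ALPHABET) -> str:
    """Draw a code uniformly at random with a CSPRNG (not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def normalize(typed: str) -> str:
    """Server-side cleanup of a typed code before lookup: the code is shown in
    UPPERCASE, but verification is case-insensitive, and separators people
    naturally add ("ab3 k7x", "AB3-K7X") are ignored."""
    return "".join(ch for ch in typed.upper() if ch not in " -")


def is_well_formed(typed: str, length: int = 6, alphabet: str = CODE_ALPHABET) -> bool:
    """Cheap syntactic check before touching storage: right length, alphabet symbols only.
    A typed O, 0, I or 1 can never be valid because those symbols are never issued."""
    code = normalize(typed)
    return len(code) == length and all(ch in alphabet for ch in code)


def guess_hit_probability(active_codes: int, space: int) -> float:
    """Chance that one random guess, or one mistyped code, lands on a code that is
    currently live. Sparse usage means keeping this ratio tiny."""
    return active_codes / space


if __name__ == "__main__":
    for label, base, n in [("1 number", 10, 1), ("2 letters", 26, 2),
                           ("4 letters", 26, 4), ("6 numbers", 10, 6),
                           ("6 symbols from the 32-symbol alphabet", 32, 6)]:
        print(f"{label}: {code_space(base, n):,} codes")
    code = generate_code()
    print("issued:", code, "| typed:", code.lower(), "| normalized:", normalize(code.lower()))
    # Constructed figure: 10 000 live codes out of 32^6 possible ones.
    print("hit probability with 10 000 live codes:",
          guess_hit_probability(10_000, code_space(32, 6)))
```

The arithmetic reproduces the slide figures (10, 676, 456 976, 1 000 000 and 1 073 741 824 codes); the normalization step is what lets the server verify case-insensitively while the device only ever displays uppercase.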

Security considerations

Risk:

Accidentally granting Device A access to the

wrong user

Someone is signed in … but who?

Mitigating the risk of:

Accidentally granting Device A access to the

wrong user

a) Show which user is authenticated, and allow to switch

b) Display a selection of users, and allow them to choose

Risk:

Accidentally granting access to someone

else’s device

Device A_N shows Nina: X X N

Device A_M shows Michael: X X M

Nina accidentally types X X M

Michael’s Device A_M will get authenticated as Nina

Mitigating the risk of:

Accidentally granting access to someone

else’s device

Sparse usage of codes!

[Slide graphic: the same mostly-empty code grid, with only a few issued codes (X) scattered far apart, so a mistyped code is unlikely to hit someone else’s live code]

Collect device name to show during activation

Risk:

An attacker using up all possible codes so no one

can sign in

[Slide graphic: every cell of the code grid is taken (X): all codes used up!]

Mitigating the risk of:

An attacker using up all possible codes so no one

can sign in

Rate limit ability to request codes

Expire codes

Expire codes … but don’t reuse too soon

Risk:

An attacker guessing codes and using them to

get access tokens

Brute force attack

Aside: why do attackers want to access random accounts?

Mitigating the risk of:

An attacker guessing codes and using them to

get access tokens

Very, VERY, sparse code usage?

Rate limit for polling?

Polling tokens

e.g. AHDNFDJR-937JJ5N7HN-SNVKDHKSM2-FJSNMNDFF-93HF7H46AGMS

Issue the polling token to Device A when issuing the easy-to-read code

Require the polling token when: a) checking the status of the code

b) exchanging the code for an access token
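The mitigations on the preceding slides (showing the device name during activation, rate limiting code requests, expiring codes without reusing them too soon, keeping usage sparse, and requiring a polling token both for status checks and for the code-to-token exchange) fit together into one small server. The Python below is an added example written for this page, not SoundCloud's implementation or code from the talk; the class and method names, the constants (5-minute code lifetime, 1-hour reuse quarantine, 5 requests per minute per device, at most 0.1% of the code space live) and the injectable clock are all assumptions chosen so the example runs offline.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no O/0/I/1
CODE_LENGTH = 6
CODE_TTL = 300               # seconds a code stays valid (short expiration)
REUSE_QUARANTINE = 3600      # seconds a dead code waits before it may be reissued
MAX_ACTIVE_FRACTION = 0.001  # keep usage sparse: at most 0.1% of the code space live
REQUESTS_PER_WINDOW = 5      # per-device rate limit on requesting codes
WINDOW = 60                  # seconds


def normalize(typed: str) -> str:
    """Case-insensitive lookup of a code that was displayed in UPPERCASE."""
    return "".join(ch for ch in typed.upper() if ch not in " -")


@dataclass
class Pending:
    polling_token: str             # secret only Device A holds; nobody types it
    device_name: str               # shown to the user on Device B before approval
    issued_at: float
    user_id: Optional[str] = None  # set once the signed-in user on Device B approves


class DeviceCodeService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}     # code -> Pending
        self.quarantine = {}  # dead code -> earliest time it may be reissued
        self.requests = {}    # device_id -> recent request timestamps
        self.space = len(ALPHABET) ** CODE_LENGTH

    def _sweep(self):
        """Expire old codes and release codes whose quarantine has ended."""
        now = self.clock()
        for code, p in list(self.pending.items()):
            if now - p.issued_at > CODE_TTL:
                self._retire(code)
        for code, until in list(self.quarantine.items()):
            if now >= until:
                del self.quarantine[code]

    def _retire(self, code):
        del self.pending[code]
        self.quarantine[code] = self.clock() + REUSE_QUARANTINE

    def request_code(self, device_id, device_name):
        """Device A asks for a code; returns (easy-to-read code, polling token)."""
        self._sweep()
        now = self.clock()
        recent = [t for t in self.requests.get(device_id, []) if now - t < WINDOW]
        if len(recent) >= REQUESTS_PER_WINDOW:
            raise PermissionError("rate limited: too many code requests")
        self.requests[device_id] = recent + [now]
        if len(self.pending) >= MAX_ACTIVE_FRACTION * self.space:
            raise RuntimeError("code space too full; refuse rather than go dense")
        while True:  # the space is sparse, so this loop almost never repeats
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            if code not in self.pending and code not in self.quarantine:
                break
        token = secrets.token_urlsafe(32)
        self.pending[code] = Pending(token, device_name, now)
        return code, token

    def activation_preview(self, typed_code):
        """Device B (already signed in) typed a code: tell the user which device it is."""
        self._sweep()
        p = self.pending.get(normalize(typed_code))
        return None if p is None else p.device_name

    def approve(self, typed_code, user_id):
        """Signed-in user on Device B confirms the named device. True if the code was bound."""
        self._sweep()
        p = self.pending.get(normalize(typed_code))
        if p is None or p.user_id is not None:
            return False
        p.user_id = user_id
        return True

    def _lookup(self, code, polling_token):
        p = self.pending.get(code)
        if p is None or not secrets.compare_digest(p.polling_token, polling_token):
            return None  # unknown or expired code, or caller lacks the polling token
        return p

    def poll(self, code, polling_token):
        """Device A checks status; a guessed code without its polling token learns nothing."""
        self._sweep()
        p = self._lookup(code, polling_token)
        if p is None:
            return "invalid"
        return "approved" if p.user_id else "pending"

    def exchange(self, code, polling_token):
        """Device A trades an approved code plus polling token for an access token, once."""
        self._sweep()
        p = self._lookup(code, polling_token)
        if p is None or p.user_id is None:
            return None
        self._retire(code)  # single use, and not reissued until the quarantine ends
        return {"access_token": "at_" + secrets.token_urlsafe(24), "user_id": p.user_id}
```

The two responses that matter most for the brute-force risk are in `poll` and `exchange`: a caller who has merely guessed a six-symbol code gets "invalid" or `None`, indistinguishable from a code that never existed, because the random polling token issued alongside the code is required as well. `activation_preview` is the "collect device name to show during activation" mitigation for the wrong-device risk, and `_retire` plus the quarantine map implement "expire codes, but don't reuse too soon".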

Risk:

An attacker tricking people into giving away access to their account

Social engineering attack

Mitigating the risk of:

An attacker tricking people into giving away access to their account

Use text and design elements that make it clear

Have short expirations

Closing thoughts

Using a game controller to enter a password is not fun

Designing and implementing a new kind of authentication flow is fun

Involve your security experts early

Painful → Magical

Thanks :)

Questions? Tiffany Conroy ~ @theophani

developers.soundcloud.com/blog/remote-device-sign-in
