Garrett Robinson, Yan Zhu; It Me: Under the Hood of Web Authentication; At Some Conference; circa 2017-10; N slides.
- Do not use (linear) string comparison, ever.
a == b
PRF(a) == PRF(b)
where: Pseudo-Random Function PRF with
- Use U2F with Web Authentication
- 2FA is weakened by the Password Reset Flow
- Uses SMTP to deliver secrets or capabilities.
- SMTP is not encrypted.
STARTTLS is opportunistic and fails-open (fails to cleartext)
- Hash-based message authentication code (HMAC), In Jimi Wales’ Wiki.
- jaredhanson/passport-local, on GitHub
- server.js within passport/express-4.x-local-example, on GitHub
- The Adobe Hack
- Adobe Sanitized Passwords with Bad Hints
- Cookie Flags
- Content-Security Policy (CSP)
- Message Authentication Code (MAC)
- Scott A. Crosby, Rudolf Riedi, Dan S. Wallach; Opportunities and Limits of Remote Timing Attacks; Technical Report TR2007-06; Department of Statistics, Rice University; 2007-01; 32 pages.
- vadimdemedes/secure-compare, on GitHub.
- Staff (NCC Group); Double HMAC Verification; In Their Blog; 2011-02.
tl;dr → commentary by Brad Hill; constant-time execution is not a language-level guarantee in interpreted or managed-code languages, so a compare written to be "constant-time" there may not be.
- One-Time Password (OTP)
- HMAC-Based One-Time Password (HOTP)
- Time-Based One-Time Password (TOTP)
- SMS One-Time Password (SOTP)
- Web Authentication: An API for Accessing Public Key Credentials, Level 1; Working Draft; W3C; 2017-08-11.
- Useful Universal Second-Factor (U2F)
- hillbrad/U2FReviews, on GitHub
- github/SoftU2F, on GitHub
- U2F Authentication
- Must use channel and origin binding in the Challenge
- USB dongles; e.g. Yubikey.
- Chrome (now)
- Firefox (forthcoming)
- www.dongleauth.info (http only, rly?)
- Password Management and Mobile Security; a consumer survey; Pew Research; 2017-02-26.
tl;dr → typically these things are N=1000, spread across the population density of the 50 states with demographic diversity stratifications.
- A quote on U2F for Yahoo, attributed to Lovlesh Chhabra, Product Manager, Yahoo.
- Auth0, a vendor, is recommended.
Quote: "Auth0 is a SaaS that helps you with Authentication and Authorization. You can use Social Providers (Like Facebook, Google, Twitter, etc.), Enterprise Providers <snip> are good to go."
- Even with 2FA, all a bad guy must do is use the Reset Password flow.
…aaaaaaand you’re in!
- The Password Reset flow uses SMTP to deliver a link or a password “to you”
- SMTP is still like sending postcards; always was.
STARTTLS is optional and fails-open (fails into cleartext).
- Safer Email, chartistry, at Google.