474 Password Not Found

Transcript of 474 Password Not Found

Page 1: 474 Password Not Found

Giuseppe Galli [email protected]
Saverio Caminiti [email protected]

ROME 18-19 MARCH 2016

Page 2: Giuseppe Galli

Mr. Giuseppe Galli, Master in Electronic Engineering [email protected]

• Partner and CTO at K-Tech s.r.l.
• Experienced in JEE architecture
• Expert in Web, mobile and SOA solutions
• Several years spent working as an APM specialist
• Class instructor

Page 3: Saverio Caminiti

Saverio Caminiti, Ph.D. [email protected]

• Analyst and Senior Developer at K-Tech s.r.l.
• Formerly:
  • Researcher at Sapienza University of Rome, Italian National Research Council, University of Central Florida, Eötvös Loránd University
  • Co-founder of a company for Augmented Reality mobile apps

Page 4: K-Tech s.r.l.

• Consultancy firm based in Rome
• Founded in 1996 by enthusiast developers
• Java Italian Portal (JIP) maintainer
• Web, mobile and SOA application development

Page 5: What this talk is about

• Advocate that passwords are obsolete

• Technologies are ready to let us move forward

• Show that humans can live (even better) without passwords

Page 6: What this talk is NOT about

• Teach you how to design/code your application

• Advertise/sell a software product we made

• Blame those who still implement authentication systems based on passwords

Page 7: Purpose of this talk

• Open a discussion about a future without passwords

• Raise awareness of this topic among developers

• Receive feedback and opinions from this community

Page 8: Background

Pages 9-10: Password: old concept, new use

• In the past only a few people were using passwords (and in a very limited way)

• Nowadays everybody is required to deal with tens of passwords

(Picture caption: "STOP! Pass phrase, please")

Pages 11-13: Humans vs passwords

• Humans don't play well with passwords
  • they use easy passwords
  • they reuse the same password everywhere

…and no, a birthdate is not a password at all!

Data from: xato.net

Page 14: Human-Computer Interaction point of view

• HCI basically tells us that:
  • computers must adapt to humans
  • humans should be able to do things in a way that is as natural as possible

Pages 15-16: Human-Computer Interaction point of view

• The overall proliferation of username/password based systems is an anti-pattern

Pages 17-18: User side

• "Computer Aided Password Management"
  • Users may mitigate the problem with software (password managers) that helps them deal with this computer-induced need
  • Although helpful, this software does not solve the underlying problem

So we need computer help to do something that computers force us to do!?

Sounds weird!

Page 19: System side

• OAuth 2.0 (and OpenID Connect, the identity layer built on top of it)
  • Login with Google, Facebook, Twitter, etc.

• Biometrics
  • Fingerprint, face, voice, iris, movement recognition, etc.

• 2FA (two-factor authentication)
  • SMS, physical token, etc.

Page 20: Move away from passwords

Page 21: Reasons to abandon passwords

• Usability
  • Humans don't need to deal with passwords
  • and they don't want to

• Security
  • Humans tend to choose poor passwords
  • Passwords may be stolen without any physical interaction with the victim or the device
  • Data collected today (e.g. by phishing) can be used later

Page 22: Guidelines proposal

• Avoid username/password

• Use your own smartphone as a physical access key

• Generate a T-OTP on request

• Authenticate a browser/app session

• Secure app-to-server communication


Page 23: See the K-Tech implementation in action

DEMO

Page 24: K-Tech solution details

Page 25: Main features

1. Easy to use (no typing of any user data) 😀🔐
2. Out of band: T-OTP exchange 🔐
3. Requires a device pre-registered by: 🔐
   A. direct request (workflow to approve) 💰
   B. invitation
4. No password storage (in the whole system) 🔐
5. The user secret is used to build the T-OTP only 🔐
6. Multi-user / multi-account / multi-device 😀
7. Activity history and logout for active sessions 😀
8. Can use a "friend device" 😀

Page 26: Technicalities

• T-OTP: Time-based One-Time Password, RFC 6238
  • Mobile and Auth Server clocks are synchronised via NTP (synchronisation is never exact, so the server still has to accept a small window of adjacent time steps)
• I18n: Internationalisation
• htotp(s): an extension of the HTTP/TLS protocols
• Response status codes:
  • Utilises the range of codes 470-474, left unassigned by the RFC
  • 404 Not Found
  • 474 Password Not Found

Caveat: HTTP (RFC 2616 §6.1.1, now RFC 7231 §6) requires a client that does not recognise a status code to treat it as the x00 code of its class, so a generic client sees 470-474 as a plain 400 Bad Request; only the K-Tech app and browser code give them their specific meaning.

Page 27: htotp(s) Protocol

The slide shows an excerpt of the server-side authorize endpoint (Django, as the JsonResponse/request style suggests; `backends`, `exceptions`, `apps`, `logger`, `_error_page` and `format_utc_datetime` are K-Tech's own modules and are not shown):

    from django.http import JsonResponse

    def authorize(request):
        """
        :param request: the HTTP request
        :return: a response with status codes:
            400: request in a session with an invalid session key
            404: request in a session without session key (or expired)
            470: otp check failed (doesn't match)
            471: missing otp related parameters
            472: session already authorized
            474: device id not found (or expired or wrong username)
            500: the user cannot be authorized locally (unable to log in)
        """
        # The excerpt omits the code that resolves `domain`, `site`,
        # `session_id` and `session_key` from the request and that produces
        # the 400 / 404 / 472 responses listed above.
        if not backends.check_user_access(domain=domain, site=site):
            logger.debug("authorize - unable to grant site '%s' on the domain '%s'" % (site, domain))
            return _error_page(request, message="authorize request with wrong 'domain': %s" % domain)
        try:
            # check_otp validates the out-of-band T-OTP against the pre-registered device
            user, server_ts, sso_session_id = backends.check_otp(domain=domain, site=site, request=request)
            if not user:
                logger.debug("authorize - otp doesn't match (response status 470)")
                response = JsonResponse({"message": "otp is not valid"}, status=470)
                # echo the server clock so the app can detect clock skew
                response['otp-server-ts'] = format_utc_datetime(apps.utc_now())
                return response
            logger.debug("authorize - got a valid otp: authorize the session '%s' (wg_key: '%d', sso: '%s') for '%s'"
                         % (session_id, session_key.pk, sso_session_id, user))
            session_key.authorize(user, sso_session_id=sso_session_id)
            message = 'ok'
            status = 200
        except exceptions.UnknowRequestException as e:
            logger.debug('authorize - request with unknown parameters: redirecting to error page: %s' % e)
            return _error_page(request, message='authorize request with unknown parameters: redirecting to error page')
        except exceptions.BadRequestException as e:
            logger.debug('authorize - request without valid otp related data (response status 471)')
            return JsonResponse({"message": "request without valid otp related data", "error": "%s" % e}, status=471)
        except exceptions.DeviceNotFoundException as e:
            logger.debug('authorize - device id not found or expired or wrong user data (response status 474)')
            return JsonResponse({"message": "device id not found", "error": "%s" % e}, status=474)
        # success path (the slide's excerpt ends before the response is built)
        return JsonResponse({"message": message}, status=status)
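The guidelines slide (phone as physical key, T-OTP generated on request, browser session authorized out of band), the RFC 6238 / NTP notes on the Technicalities slide and the authorize() contract above fit into one runnable picture. The following is an added example, not K-Tech's code or the htotp(s) implementation: it implements RFC 4226/6238 in the Python standard library and models the authorize step with the slide's status codes in memory. `AuthServer`, `register_device`, `open_session`, the device/session dictionaries and the walk-through in `demo()` are assumptions made for this example; the secret is the RFC test-vector secret, used so the generated codes can be checked against RFC 6238.

```python
# Added example: RFC 6238 TOTP generation/verification plus a minimal
# in-memory model of the htotp(s) "authorize" step and the status codes the
# slides list. Not K-Tech's code: AuthServer, register_device, open_session
# and the device/session dictionaries are assumptions made for this example.
import hashlib
import hmac
import struct

# Status codes as listed on the Technicalities / htotp(s) Protocol slides.
OK = 200
NO_SESSION = 404          # session key missing or expired
OTP_MISMATCH = 470        # otp check failed
MISSING_OTP_PARAMS = 471  # missing otp related parameters
ALREADY_AUTHORIZED = 472  # session already authorized
DEVICE_NOT_FOUND = 474    # device id not found / expired / wrong username


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor((unix_time - T0) / step), T0 = 0."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_step, digits=6, step=30, window=1):
    """Server-side check: accept the current step or +/- `window` neighbours
    (NTP sync is never exact), refuse any step not newer than `last_step`
    (replay of an already used code), compare in constant time.
    Returns the accepted step, or None."""
    now_step = unix_time // step
    for delta in range(-window, window + 1):
        candidate = now_step + delta
        if last_step is not None and candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), str(code)):
            return candidate
    return None


class AuthServer:
    """Pre-registered devices hold the user's TOTP secret (no password
    anywhere); a browser session starts unauthorized and is bound to a user
    only by a valid out-of-band OTP."""

    def __init__(self):
        self.devices = {}   # device_id -> {user, secret, digits, last_step}
        self.sessions = {}  # session_id -> user (None until authorized)

    def register_device(self, device_id, user, secret, digits=6):
        # The approval / invitation enrolment workflow is out of scope here.
        self.devices[device_id] = {"user": user, "secret": secret,
                                   "digits": digits, "last_step": None}

    def open_session(self):
        session_id = "s%d" % (len(self.sessions) + 1)
        self.sessions[session_id] = None
        return session_id

    def authorize(self, session_id, params, unix_time):
        """Same contract as the slide's authorize(): returns (status, body)."""
        if session_id not in self.sessions:
            return NO_SESSION, {"message": "session key missing or expired"}
        if self.sessions[session_id] is not None:
            return ALREADY_AUTHORIZED, {"message": "session already authorized"}
        if "device_id" not in params or "otp" not in params:
            return MISSING_OTP_PARAMS, {"message": "request without valid otp related data"}
        device = self.devices.get(params["device_id"])
        if device is None:
            return DEVICE_NOT_FOUND, {"message": "device id not found"}
        step = verify_totp(device["secret"], params["otp"], unix_time,
                           device["last_step"], device["digits"])
        if step is None:  # echo the server time so the app can detect clock skew
            return OTP_MISMATCH, {"message": "otp is not valid", "otp-server-ts": unix_time}
        device["last_step"] = step  # burn the step: the same code cannot be replayed
        self.sessions[session_id] = device["user"]
        return OK, {"message": "ok", "user": device["user"]}


def demo():
    """Constructed walk-through with the RFC 4226/6238 test-vector secret;
    returns the status codes in order so the whole flow can be checked."""
    secret = b"12345678901234567890"
    server = AuthServer()
    server.register_device("phone-1", "alice", secret, digits=8)
    sid, now = server.open_session(), 59     # RFC 6238 vector: TOTP(59) = 94287082
    code = totp(secret, now, digits=8)       # what the phone app would display
    dev = {"device_id": "phone-1"}
    return [
        server.authorize("no-such-session", dict(dev, otp=code), now)[0],
        server.authorize(sid, dev, now)[0],                             # no otp
        server.authorize(sid, {"device_id": "phone-9", "otp": code}, now)[0],
        server.authorize(sid, dict(dev, otp="00000000"), now)[0],
        server.authorize(sid, dict(dev, otp=code), now)[0],             # login
        server.authorize(sid, dict(dev, otp=code), now)[0],             # again
        # the same code replayed into a fresh session one second later
        server.authorize(server.open_session(), dict(dev, otp=code), now + 1)[0],
    ]


if __name__ == "__main__":
    print(demo())  # [404, 471, 474, 470, 200, 472, 470]
```

Two design points worth noting: the verifier records the last accepted time step per device and refuses anything not strictly newer, so a code sniffed from one login cannot be replayed within its 30-second window; and the comparison goes through `hmac.compare_digest`, because a plain string compare of OTP digits leaks timing. With `window=1` the server tolerates about 30 seconds of residual clock drift after NTP; widen it only deliberately, since every extra step roughly adds another 1/10^digits to an attacker's guessing odds per attempt.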

Page 28: Envisioning the future

Page 29: Skepticism

• Major changes in widespread behaviours may be difficult to envision

• Let's start this shift, the sooner the better

Page 30: Status quo

• Technologies are broadly available and mature
• Users access Internet services increasingly from mobile devices
• User awareness is still too low
• Little or no innovation in software systems development

Page 31: Future developments

• Progressive adoption of password-less solutions
  • Authentication (login, strong auth)
  • Authorization (roles, dispositive actions such as approving a transaction)
  • Digital signature
  • Anonymization (privacy)

• Standardization
  • User experience
  • Protocols
  • APIs for libraries and services

Page 32: Questions and Feedback

Page 33: References

• T-OTP: RFC 6238, https://tools.ietf.org/html/rfc6238

• HTTP status codes: RFC 2616 §10, https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

• Password data from: https://xato.net

Page 34: Thanks!

ROME 18-19 MARCH 2016

Giuseppe Galli [email protected]
Saverio Caminiti [email protected]

All pictures belong to their respective authors