BeamAuth - Two-Factor Web Authentication with a Bookmark

BeamAuthTwo-Factor Web Auth

with a BookmarkBen Adida

Harvard University

CCS 2007 – Alexandria, VA30 October 2007

Can we improveweb security without

upgrading the browser?

Sad State of Web Auth

SSO makes things worse

Update the Browser

- Dynamic Security Skins [DT2005]secure password-based key exchangenew browser chrome to auth web site.

- PwdHash [RJMBM2005]domain-specific password pre-processing.

- MS CardSpacechange the entire auth infrastructurebuilt into the operating system.

Can We Do Something Now?


HTTP


HTML & JavaScript

HTTP

Application Code


HTML & JavaScript

HTTP

Application Code


- The web is a (limited) platform

HTML & JavaScript

HTTP

Application Code



- Can we build better securityin the application layer?HTML & JavaScript

HTTP

Application Code



- Can we build better securityin the application layer?

- Maybe by hijacking certain features for security purposes?(Active Cookies, Subspace, ...)

HTML & JavaScript

HTTP

Application Code



- Can we build better securityin the application layer?

- Maybe by hijacking certain features for security purposes?(Active Cookies, Subspace, ...)

HTML & JavaScript

HTTP

Goal: preventing easy phishing

The General Idea

SetupPhase

LoginPhase

The General Idea

SetupPhase

LoginPhase

Alice

OpenIDServer

The General Ideaproof of identitySetup

Phase

LoginPhase

Alice

OpenIDServer


Phase

LoginPhase

tokenAlice

OpenIDServer

Click Your

BeamAuth

Login Button


Phase

LoginPhase

tokenAlice

OpenIDServer

Click Your

BeamAuth

Login Button

benadida

Username

Password

log in


Phase

LoginPhase

tokenAlice

OpenIDServer

Click Your

BeamAuth

Login Button

benadida

Username

Password

log in


Phase

LoginPhase

token

benadida

Username

**********

Password

log in

Alice

OpenIDServer

Click Your

BeamAuth

Login Button

benadida

Username

Password

log in


Phase

LoginPhase

token

Welcome,

Ben Adida.

benadida

Username

**********

Password

log in

Alice

OpenIDServer

Let’s Build this Button!


- Browser add-onnot an easy solution for most userscomplexity of add-on across browserssignificant trust delegated to the login site


- Browser add-onnot an easy solution for most userscomplexity of add-on across browserssignificant trust delegated to the login site

- BookmarkDelicious, etc. use bookmarks as buttonscan we do the same for security?

BookMark Auth = BM Auth = BeamAuth

JavaScript Bookmarks

JavaScript Bookmarksjavascript:document.location=‘http://del.icio.us/add?u=’ + encodeURIComponent(document.location);

http://del.ico.us/add?





javascript:beamauth_token(‘x737csd23’);

javascript:document.location=‘http://del.icio.us/add?u=’ + encodeURIComponent(document.location);



javascript:if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’);}




javascript:if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’);}

Cannot trust the JavaScript Computing Base


The URL Fragment Identifier

http://site.com/page#paragraph

http://site.com/rest/of/url#



- used to designate a portion of a pagebrowser scrolls to the appropriate location.






- never sent over the network but accessible from JavaScript






- never sent over the network but accessible from JavaScript

- navigation between fragments does not cause a page reload.




Fragment in a Bookmark

http://login.com/login#[benadida|8x34202]

Fragment in a Bookmark

http://login.com/login#[benadida|8x34202]

var hash = document.location.hash;

if (hash != ‘’) {// parse the hash, get username and tokenprocess_beamauth_hash(hash);

// clear the hash from the URLdocument.location.replace(‘/login’);

}

The BeamAuth Ritual

Attacks- Trick User into Not Clicking Bookmark

password compromised, token safe.

- Lock User into Sitepassword compromised, token safe.

- Maliciously Replace Bookmarkpassword compromised, token safe.

- Pharmingall compromised.

- “Drag-and-Drop” Attackall compromised on Firefox.

Comparison toLong-Lasting Cookies

- Second-channel setup – though long-lasting cookies could do the same thing there.

- Synchronization across browsersusing existing bookmark-sync tools.

- Better behavior for non-SSL sites

BeamAuth: Summary

- Bookmark as second authentication factor

- Token delivered via a separate channel (email)

- Use the fragment identifier to store token

- Tweaked Login Ritual: whisk users to safety

Can we do more?

- The fragment identifier might be used for more tricks.

- JavaScript bookmarksmay be useful for security.

- Security in the app layer : help evolve the browser platform without anticipating all security requirements.

generalize concept of site-specific extension?

[email protected]

http://ben.adida.net/projects/beamauth/

mailto:[email protected]

mailto:[email protected]



BeamAuth - Two-Factor Web Authentication with a Bookmark

Technology

Transcript of BeamAuth - Two-Factor Web Authentication with a Bookmark