
    DebAuthn: a Relying Party Implementation as a WebAuthn Authenticator Debugging Tool

    [Abstract] Passwords as an authentication method have become vulnerable to numerous attacks. During the last few years, the FIDO Alliance and the W3C have been working on a new authentication method based on public key cryptography and hardware authenticators, which avoids attacks like phishing or password stealing. This degree thesis focuses on the development of a web application as a flexible testing and debugging environment for developers and researchers of the protocol, which is still under development. Moreover, the developed tool is used for testing the most relevant hardware authenticators, showcasing their main characteristics. [Summary, translated from Galician] Passwords as an authentication method have become vulnerable to numerous attacks. During the last few years, the FIDO Alliance and the W3C have been working on a new authentication system based on public key cryptography and hardware authenticators, which avoids attacks such as phishing or password theft. This bachelor's thesis focuses on the development of a web application as a flexible testing and debugging environment for developers and researchers of the protocol, which is still under development. Moreover, the developed tool is used to test the most relevant hardware authenticators, showing their main characteristics

    An Analysis of the Current Implementations Based on the WebAuthn and FIDO Authentication Standards

    Presented at the 4th XoveTIC Conference, A Coruña, Spain, 7–8 October 2021. [Abstract] During the last few years, some of the most relevant IT companies have started to develop new authentication solutions which are not vulnerable to attacks like phishing. The WebAuthn and FIDO authentication standards were designed to replace or complement the de facto and ubiquitous authentication method: username and password. This paper analyses the current implementations of these standards, testing and comparing these solutions at a high level, and draws the context of the adoption of these new standards and their integration with existing systems, from web applications and services to different use cases on desktop and server operating systems. CITIC, as a Research Center accredited by the Galician University System, is funded by “Consellería de Cultura, Educación e Universidade from Xunta de Galicia”, supported at 80% through ERDF, ERDF Operational Programme Galicia 2014–2020, and the remaining 20% by “Secretaría Xeral de Universidades” (Grant ED431G 2019/01). This project was also supported by the “Consellería de Cultura, Educación e Ordenación Universitaria” via the Consolidation and Structuring of Competitive Research Units—Competitive Reference Groups (ED431C 2018/49). Xunta de Galicia; ED431G 2019/01. Xunta de Galicia; ED431C 2018/4

    Secure Payment Authentication That Provides Strong Customer Authentication

    Multi-factor verification steps currently used for authenticating online purchases, e.g., one-time codes sent to a phone, can prove to be a hurdle for some customers. This disclosure describes a strong customer authentication technique, referred to as secure payment authentication (SPA), that enables users to authenticate online transactions using device-bound tokens. Authentication is driven by payment service providers, and a simple device unlock can confirm a transaction. Strong customer authentication is made possible with just a single (or even zero) click. Cross-device authentication can be enabled, such that a customer can authenticate themselves in a payment app on a mobile device while performing transactions on a second device such as a laptop, etc

    MFAProxy: A reverse proxy for multi-factor authentication

    Multi-factor authentication has been shown to be an effective method to reduce the risk of remote attacks, because it prevents many attackers from easily gaining an initial foothold in an organization. Many sites only support single-factor authentication based on passwords, which have well-known weaknesses. This paper describes MFAProxy, a reverse proxy that adds multi-factor authentication to sites that currently do not support it. The proxy can be deployed in a variety of configurations within a network to meet specific security goals. It supports flexible combinations of several factors, including passwords, one-time passwords, and tokens based on public-key cryptography. Each of these factors offers a unique balance of security and usability that must be considered when an organization deploys multi-factor authentication

    Let the right one in: attestation as a usable CAPTCHA alternative

    CAPTCHAs are necessary to protect websites from bots and malicious crawlers, yet are increasingly solvable by automated systems. This has led to more challenging tests that require greater human effort and cultural knowledge; they may prevent bots effectively but sacrifice usability and discourage the human users they are meant to admit. We propose a new class of challenge: a Cryptographic Attestation of Personhood (CAP) as the foundation of a usable, pro-privacy alternative. Our challenge is constructed using the open Web Authentication API (WebAuthn), which is supported in most browsers. We evaluated the CAP challenge through a public demo, with an accompanying user survey. Our evaluation indicates that CAP has a strong likelihood of adoption by users who possess the necessary hardware, showing good results for effectiveness and efficiency as well as a strongly expressed preference for using CAP over traditional CAPTCHA solutions. In addition to demonstrating a mechanism for more usable challenge tests, we identify some areas for improvement in the WebAuthn user experience, and reflect on the difficult usable-privacy problems in this domain and how they might be mitigated

    Captive Portal Network Authentication Based on WebAuthn Security Keys

    [Abstract]: Network authentication is performed via different technologies, which have evolved together with authentication systems in other environments. In all these environments, the authentication paradigm during the last decades has been the well-known password. However, passwords have some important security problems, like phishing or keylogging. In 2019, the WebAuthn standard from the W3C started a new authentication paradigm based on hardware devices known as security keys. Although they are already being used in many web authentication services, they have not yet been integrated with network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can be authenticated using security keys within a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with major operating systems like Windows 10 and Ubuntu 20.04, browsers like Firefox and Google Chrome, and security keys like the Solokey and the Yubikey. [Summary, translated from Galician]: Network authentication is carried out through different technologies, which have evolved together with authentication systems in other settings. In all these settings, the authentication paradigm during the last decades has been the well-known password. However, passwords have some important security problems, such as phishing or keylogging. In 2019, the W3C's WebAuthn standard started a new authentication paradigm based on physical devices known as security keys. Although these are already being used in many web authentication services, they have not yet been integrated into network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can authenticate using security keys in a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with relevant operating systems such as Windows 10 or Ubuntu 20.04, browsers such as Firefox and Google Chrome, and security keys such as the Solokey and the Yubikey. Master's thesis (UDC.FIC). Cybersecurity. Academic year 2021/202

    TWO-PARTY WEBAUTHN TOKEN ACTIVATION

    In order to prevent attacks such as phishing, an enterprise needs its users to log in using a World Wide Web Consortium (W3C) Web Authentication (WebAuthn)-based authenticator. Current WebAuthn authenticator devices present a number of problems for an enterprise. For example, outsourcing authentication device distribution logistics to a device vendor brings great operational benefits to an enterprise; however, this traditionally requires that a large amount of trust be placed in the vendor. Techniques are presented herein that split an authenticator's secret between the two parties (i.e., an enterprise and a vendor), requiring active collaboration by the parties to issue an authenticator. This prevents both the device vendor alone, and read-only compromises of the enterprise, from issuing unauthorized or duplicated keys, while maintaining the ability to delegate logistics management to the vendor

    Implementing a Web Application for W3C WebAuthn Protocol Testing

    [Abstract] During the last few years, the FIDO Alliance and the W3C have been working on a new standard called WebAuthn that aims to replace the obsolete password as an authentication method by using physical security keys instead. Due to its recent design, the standard is still changing, and so are the needs for protocol testing. This research has driven the development of a web application that supports the standard and gives extensive information to the user. This tool can be used by WebAuthn developers and researchers, helping them to debug concrete use cases with no need for an ad hoc implementation. Xunta de Galicia; ED431C 2018/4

    UVOS WEB REGISTRATION EXTENSION MANUAL

    A client-server system for grid user and VO managemen