DebAuthn: a Relying Party Implementation as a WebAuthn Authenticator Debugging Tool
[Abstract]
Passwords as an authentication method have become vulnerable to numerous attacks. During the last few years, the FIDO Alliance and the W3C have been working on a new authentication method based on public key cryptography and hardware authenticators, which avoids attacks like phishing or password stealing. This degree thesis focuses on the development of a web application as a flexible testing and debugging environment for developers and researchers of the protocol, which is still under development. Moreover, the developed tool is used for testing the most relevant hardware authenticators, showcasing their main characteristics.
[Resumo]
Passwords as an authentication method have become vulnerable to numerous attacks. Over the last few years, the FIDO Alliance and the W3C have been working on a new authentication system based on public key cryptography and hardware authenticators, which avoids attacks such as phishing or password theft. This bachelor's thesis focuses on the development of a web application as a flexible testing and debugging environment for developers and researchers of the protocol, which is still under development. Furthermore, the developed tool is used to test the most relevant hardware authenticators, showing their main characteristics.
An Analysis of the Current Implementations Based on the WebAuthn and FIDO Authentication Standards
Presented at the 4th XoveTIC Conference, A Coruña, Spain, 7–8 October 2021.
[Abstract] During the last few years, some of the most relevant IT companies have started to develop new authentication solutions which are not vulnerable to attacks like phishing. The WebAuthn and FIDO authentication standards were designed to replace or complement the de facto and ubiquitous authentication method: username and password. This paper performs a high-level analysis of the current implementations of these standards, testing and comparing these solutions and drawing the context of the adoption of these new standards and their integration with existing systems, from web applications and services to different use cases on desktop and server operating systems.
CITIC, as a Research Center accredited by the Galician University System, is funded by “Consellería de Cultura, Educación e Universidade from Xunta de Galicia”, supported 80% through ERDF, ERDF Operational Programme Galicia 2014–2020, and the remaining 20% by “Secretaría Xeral de Universidades” (Grant ED431G 2019/01). This project was also supported by the “Consellería de Cultura, Educación e Ordenación Universitaria” via the Consolidation and Structuring of Competitive Research Units—Competitive Reference Groups (ED431C 2018/49).
Xunta de Galicia; ED431G 2019/01
Xunta de Galicia; ED431C 2018/4
Secure Payment Authentication That Provides Strong Customer Authentication
Multi-factor verification steps currently used for authenticating online purchases, e.g., one-time codes sent to a phone, can prove to be a hurdle for some customers. This disclosure describes a strong customer authentication technique, referred to as secure payment authentication (SPA), that enables users to authenticate online transactions using device-bound tokens. Authentication is driven by payment service providers, and a simple device unlock can confirm a transaction. Strong customer authentication is made possible with just a single (or even zero) click. Cross-device authentication can be enabled, such that a customer can authenticate themselves on a payment app on a mobile device while performing transactions on a second device such as a laptop, etc.
MFAProxy: A reverse proxy for multi-factor authentication
Multi-factor authentication has been shown to be an effective method to reduce the risk of remote attacks, because it prevents many attackers from easily gaining an initial foothold into an organization. Many sites only support single-factor authentication based on passwords, which have well-known weaknesses. This paper describes MFAProxy, a reverse proxy that adds multi-factor authentication to sites that currently do not support it. The proxy can be deployed in a variety of configurations within a network to meet specific security goals. It supports flexible combinations of several factors including passwords, one-time passwords, and tokens based on public-key cryptography. Each of these factors offers a unique balance of security and usability that must be considered when an organization deploys multi-factor authentication.
Let the right one in : attestation as a usable CAPTCHA alternative
CAPTCHAs are necessary to protect websites from bots and malicious crawlers, yet are increasingly solvable by automated systems. This has led to more challenging tests that require greater human effort and cultural knowledge; they may prevent bots effectively but sacrifice usability and discourage the human users they are meant to admit. We propose a new class of challenge: a Cryptographic Attestation of Personhood (CAP) as the foundation of a usable, pro-privacy alternative. Our challenge is constructed using the open Web Authentication API (WebAuthn) that is supported in most browsers. We evaluated the CAP challenge through a public demo, with an accompanying user survey. Our evaluation indicates that CAP has a strong likelihood of adoption by users who possess the necessary hardware, showing good results for effectiveness and efficiency as well as a strong expressed preference for using CAP over traditional CAPTCHA solutions. In addition to demonstrating a mechanism for more usable challenge tests, we identify some areas for improvement for the WebAuthn user experience, and reflect on the difficult usable privacy problems in this domain and how they might be mitigated.
Captive Portal Network Authentication Based on WebAuthn Security Keys
[Abstract]: Network authentication is performed via different technologies, which have evolved together with authentication systems in other environments. In all these environments, the authentication paradigm during the last decades has been the well-known password. However, passwords have some important security problems, like phishing or keylogging. In 2019, the WebAuthn standard from the W3C started a new authentication paradigm based on hardware devices known as security keys. Although they are already being used in many web authentication services, they have not yet been integrated with network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can be authenticated using security keys within a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with major operating systems like Windows 10 and Ubuntu 20.04, browsers like Firefox and Google Chrome, and security keys like the Solokey and the Yubikey.
[Resumo]: Network authentication is carried out through different technologies, which have evolved together with authentication systems in other scenarios. In all these scenarios, the authentication paradigm over the last decades has been the well-known password. However, passwords have some important security problems, such as phishing or keylogging. In 2019, the W3C's WebAuthn standard started a new authentication paradigm based on physical devices known as security keys. Although these are already being used in many web authentication services, they have not yet been integrated into network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can authenticate themselves using security keys in a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with relevant operating systems such as Windows 10 or Ubuntu 20.04, browsers such as Firefox and Google Chrome, and security keys such as the Solokey and the Yubikey.
Master's thesis (UDC.FIC). Cybersecurity. Academic year 2021/202
TWO-PARTY WEBAUTHN TOKEN ACTIVATION
In order to prevent attacks such as phishing, an enterprise needs their users to log in using a World Wide Web Consortium (W3C) Web Authentication (WebAuthn)-based authenticator. Current WebAuthn authenticator devices present a number of problems for an enterprise. For example, outsourcing authentication device distribution logistics to a device vendor brings great operational benefits to an enterprise; however, this traditionally requires that a large amount of trust be placed in the vendor. Techniques are presented herein that split an authenticator's secret between the two parties (i.e., an enterprise and a vendor), requiring active collaboration by the parties to issue an authenticator. This prevents both the device vendor alone, and read-only compromises of the enterprise, from issuing unauthorized or duplicated keys, while maintaining the ability to delegate logistics management to the vendor.
Implementing a Web Application for W3C WebAuthn Protocol Testing
[Abstract]
During the last few years, the FIDO Alliance and the W3C have been working on a new standard called WebAuthn that aims to substitute the obsolete password as an authentication method by using physical security keys instead. Due to its recent design, the standard is still changing and so are the needs for protocol testing. This research has driven the development of a web application that supports the standard and gives extensive information to the user. This tool can be used by WebAuthn developers and researchers, helping them to debug concrete use cases with no need for an ad hoc implementation.
Xunta de Galicia; ED431C 2018/4