SESSION ID: LAB3-R02
Authentication on the Move: Challenges for Mobile Web Applications
Johannes Ullrich, Dean of Research, SANS Institute, @johullrich
Jason Lam, Certified Instructor, SANS Institute, @jasonlam_sec
#RSAC

Background
Strong authentication can be a challenge in the mobile world
– Small screen real estate
– Hard-to-use keyboards
– Shoulder surfing risks
Mobile native applications may have more capabilities, but what about web applications?
How to effectively authenticate mobile users to web applications

Agenda
Mobile Web Application Mistakes
Assisting Users Entering Traditional Passwords
Improved Authentication Standards for Mobile
Additional Techniques to Improve Mobile Web Application Authentication Security and Usability

The Basic Authentication Schemes

Authentication today?
Users authenticate via username / password.
– Password policies?
– Account lockout?
– Credential stuffing?
Users recognize websites using the URL and TLS certificates.
• Phishing?
• Small URL bars
• Hard to identify security indicators

How Big Is Your Thumb?

What Phish?

Exercise 1
See https://rsac.authonthemove.com/exercise1 for instructions
Goal: Identify shortcomings of traditional username and password authentication for mobile devices and learn how to better integrate with mobile web browsers to improve authentication usability.

Improved Authentication for Mobile

Password Stores/Safes
OS platforms or 3rd-party software offer capabilities to store passwords for you
Benefits
– Recognize the remote site, reducing phishing risk
– More inclined to use complex (generated) passwords
– High user acceptance level
A master passphrase and the OS password/biometrics protect the vault

Authenticator App
TOTP token system
– RFC 6238 based token system (or HOTP, RFC 4226)
The website generates an 80-bit secret key, which can be presented in the form of a QR code
– Alternatively, it can be manually entered into the phone
Generates a time-based token from the secret
To cloud or not to cloud?
– Some services, like Authy, send your keys to the cloud

SMS/Voice
Popular form of authentication – ease of use
Phone call or SMS a "token" to the user
– The token needs to be generated securely
– The user needs to type the code back on the web page
Pitfalls
– SIM-jacking/SIM swapping possible
– Social engineering bundled with phishing

SMS New Style/Standard
Emerging standard from WebKit developers
Common standard to allow the phone to automatically submit the code/token back to the site
In recent versions of iOS, there is the ability to copy the code automatically
Example messages:
12345 is the code for authonthemove
12345 is the code for rsac.authonthemove.com
12345 is the code for authonthemove
@rsac.authonthemove.com #12345
(Diagram: browser at https://rsac.authonthemove.com; submit 12345 to the HTML form field)

Mobile App Push Authentication
Uses an already authenticated native mobile app to push a notification to the user
The user then explicitly consents to the authentication
(Diagram: Browser / App)

Good/Bad of App Push Authentication
Good
– Excellent user acceptance – what's not to like?
– Low cost for the web site
– Lots of vendors to choose from
Bad
– Users often accidentally approve fraudulent requests
– Initial setup factor: app download and initial key injection
– Many security dependencies: app store, device, vendor…

Exercise 2
OS/Browser integrated password vault
3rd-party password vault – LastPass
1. Save password
2. AutoFill
3. Tie in with biometrics
See https://rsac.authonthemove.com/exercise2 for instructions
Goal: Learn how to implement and use one-time password authentication (TOTP).

Advanced Mobile Authentication

FIDO2/WebAuthn Standard
Fast Identity Online (FIDO) is behind the FIDO2 standard
– Consists of WebAuthn and CTAP (Client to Authenticator Protocol)
WebAuthn is a W3C standard that defines browser-to-server communication for non-password-based authentication
– Uses asymmetric cryptographic authentication
CTAP standardizes the communication between the authenticators and the browsers
– Can be a physical or software token, or gesture/biometric recognition
The authenticator is often used with a PIN to add extra security
(Diagram: Authenticator –CTAP– Browser –WebAuthn– Relying Party (Website))

WebAuthn Registration
User registration please
JavaScript: Create a public key for me, here are a bunch of options
Create public key pai

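An added example, not from the slide deck, of how a client can parse the origin-bound SMS format shown on the "SMS New Style/Standard" slide before offering a code for autofill. The exact host pattern (with an optional :port), the host comparison rule and the return shape are my assumptions; the slide only shows the "@host #code" trailer.

```javascript
// Added example (not from the slide deck): parse an origin-bound one-time-code SMS of the
// form "<human text>\n@<host> #<code>" and only release the code when the bound host
// matches the host of the page asking for it. The host binding is the security property:
// a code bound to rsac.authonthemove.com must never be offered to a form on another host.
function parseOriginBoundCode(message, currentHost) {
  const lines = message.trim().split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  // Binding line must be exactly "@host #code"; the :port suffix is an assumption.
  const m = /^@([A-Za-z0-9.-]+(?::\d+)?) #(\S+)$/.exec(last);
  if (!m) return { ok: false, reason: "no binding line" };
  const [, host, code] = m;
  if (host.toLowerCase() !== String(currentHost).toLowerCase()) {
    return { ok: false, reason: "host mismatch", host };
  }
  return { ok: true, host, code };
}

// Constructed sample messages, modelled on the slide's examples.
const OLD_STYLE_SMS = "12345 is the code for authonthemove";
const BOUND_SMS = "12345 is the code for authonthemove\n@rsac.authonthemove.com #12345";
```

An old-style message without the trailer is left to the user to copy by hand; a bound message is only autofilled on the matching host.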
PDF document: 2020_USA20_LAB3-R02_01_Authentication-on-the-Move-Challenges-for-Mobile-Web-Applications
