Authentication without Authentication - Peerlyst meetup

Authentication is important, but how do you authenticate when user interaction is not an option? For example, an IoT app without a user interface. We need to authenticate the app - without any predefined credentials.
Join us at this meetup to learn how!
This talk was given at Peerlyst meetup.

  1. Authentication Without Authentication, December 2017, @omerlh, #MeetupAtSoluto
  2. Agenda: Introduction; OpenID; Digital Signature; One Time Password; Demo; Edge Cases
  3. Can we Authenticate without Authentication?
  4. Helping people get the most out of their technology
  5. "...a significant amount of drop-off in app usage, losing up to 56% of users, but are pretty much essential for the majority of apps out there today..." (Source: Optimizely)
  6. (image) Source: pinterest
  7. Authentication Requests Per Second (chart)
  8. (image) Source: https://www.engadget.com/2016/01/08/samsung-family-hub-smart-fridge-hands-on/
  9. (image) Source: https://turcomusa.com/turcom-smart-home-camera-kit-with-motion-sensor-door-sensor-and-alarm-key-fob.html
  10. Diagram: User Id -> Application Server (a user authenticates to the application server)
  11. Diagram: Device Id -> Application Server (a device without a user interface has to identify itself)
  12. OpenID (Connect): a "Simple Identity Layer"; token-based authentication; widely supported; modular, with many authentication flows
  13. Diagram: Device -> Authorization Server -> Application Server
  14. Supported authentication methods: Authorization code / Implicit / Hybrid; Client credentials; Resource Owner (password credentials); JWT client assertion
  15. We need a new authentication flow
  16. Diagram: Device -> Authorization Server
  17. Diagram: Device -> Authorization Server -> Application Server
  18. Requirements: ❏ Strong authentication solution ❏ Unique device identification ❏ Simple ❏ Unique per request ❏ Replay-attack resistance ❏ Fault tolerant
  19. Questions?
  20. Let's use Digital Signature
  21. Diagram: Leo signs the message "Dear Bob"; Bob the Builder verifies the signature (Source: Bob the Builder official site)
  22. This sounds familiar...
  23. How can we use it?
  24. Diagram (registration): the device holds a key pair and registers (Public Key, Id) with the Authorization Server, which stores the public key under Id 5467
  25. Diagram (authentication): the device sends (Digital Signature, Id); the Authorization Server looks up the public key stored for Id 5467 and verifies the signature
  26. So far we have: ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ❏ Unique per request ❏ Fault tolerant
  27. Questions?
  28. One Time Password
  29. Diagram: as on slide 25, the device sends (Digital Signature, Id) and the Authorization Server verifies it with the public key stored for Id 5467
  30. Let's build our own OTP
  31. Diagram (client state / server state): both start at (old 5, new 2); the client presents its pair and rotates to (old 2, new 42); the server, whose pair matches, stores (old 2, new 42) and returns a Token
  32. So far we have... ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ✓ Unique per request ✓ Fault tolerant
  33. Questions?
  34. Demo Time
  35. Diagram: Client -> Authorization Server -> Application Server (Sensitive API)
  36. Let's see it in action... All the code is available on GitHub
  37. Network requests can fail. Reasons: timeout; network failure; temporary server errors. The client is then left with an unknown server state: either the state did not change or the state changed
  38. Diagram (reply lost): client (old 2, new 42); server (old 1, new 2) -> (old 2, new 42); outcome: Token issued by the server, Error seen by the client
  39. Diagram (retry with the same pair): client (old 2, new 42); server (old 2, new 42); outcome: Error
  40. Diagram (next request): client (old 2, new 42) -> (old 42, new 86); server (old 2, new 42) -> (old 42, new 86); outcomes shown: Bad Request (400) for the old pair, Token for the new one
  41. Questions?
  42. Detecting Compromised Devices
  43. Diagram: client (old 2, new 42); server (old 1, new 2) -> (old 2, new 42); Eve holds a copy (old 2, new 42); outcome: Token
  44. Diagram: client (old 2, new 42); server (old 2, new 42); Eve sends (old 42, new 56); outcome: Bad Request (400)
  45. Diagram: client (old 42, new 78); server (old 2, new 42) -> (old 42, new 78); Eve (old 42, new 56); outcome: Token
  46. Diagram: client (old 78, new 4); server (old 7, new 78); Eve (old 7, new 56); further pairs shown: (old 7, new 78), (old 7, new 93); outcome: 400 Bad Request
  47. Questions?
  48. Conclusion
  49. Responsible Disclosure
  50. Requirements: ✓ Strong authentication solution ✓ Unique device identification ✓ Simple ✓ Unique per request ✓ Fault tolerant
  51. Diagram: Device -> Authorization Server
  52. Diagram: Device -> Authorization Server -> Application Server
  53. How can you use it? @omerlh #MeetupAtSoluto
  54. We're hiring! Thank You!
