This document proposes a two-factor authentication method called BeamAuth that uses a bookmark to improve web security. BeamAuth uses a bookmark containing a token delivered via a separate channel like email. When the user clicks the bookmark, it processes the token stored in the URL fragment identifier to log the user into the site. This provides an additional authentication factor beyond a password. The method aims to strengthen security without requiring browser upgrades by hijacking existing bookmark and fragment identifier features for authentication purposes. It discusses potential attacks and compares BeamAuth to long-lasting cookies for multi-device synchronization.

1. BeamAuth
Two-Factor Web Auth
with a Bookmark
Ben Adida
Harvard University
CCS 2007 – Alexandria, VA
30 October 2007

2. Can we improve
web security without
upgrading the browser?

3. Sad State of Web Auth

4. Sad State of Web Auth

5. Sad State of Web Auth

6. Sad State of Web Auth

7. SSO makes things worse

8. SSO makes things worse

9. SSO makes things worse

10. SSO makes things worse

11. SSO makes things worse

12. Update the Browser
- Dynamic Security Skins [DT2005]
secure password-based key exchange
new browser chrome to auth web site.
- PwdHash [RJMBM2005]
domain-specific password pre-processing.
- MS CardSpace
change the entire auth infrastructure
built into the operating system.

13. Can We Do Something Now?

14. Can We Do Something Now?
HTTP

15. Can We Do Something Now?
HTML & JavaScript
HTTP

16. Can We Do Something Now?
Application Code
HTML & JavaScript
HTTP

17. Can We Do Something Now?
Application Code
HTML & JavaScript
HTTP

18. Can We Do Something Now?
- The web is a (limited) platform
Application Code
HTML & JavaScript
HTTP

19. Can We Do Something Now?
- The web is a (limited) platform
Application Code
- Can we build better security
in the application layer?
HTML & JavaScript
HTTP

20. Can We Do Something Now?
- The web is a (limited) platform
Application Code
- Can we build better security
in the application layer?
HTML & JavaScript
- Maybe by hijacking certain
HTTP features for security purposes?
(Active Cookies, Subspace, ...)

21. Can We Do Something Now?
- The web is a (limited) platform
Application Code
- Can we build better security
in the application layer?
HTML & JavaScript
- Maybe by hijacking certain
HTTP features for security purposes?
(Active Cookies, Subspace, ...)
Goal: preventing easy phishing

22. The General Idea
Setup
Phase
Login
Phase

23. The General Idea
Setup OpenID
Phase Server
Alice
Login
Phase

24. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
Login
Phase

25. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
token
Login
Phase

26. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
token
Login Click Your
BeamAuth
Phase Login Button

27. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
token
Login Click Your
BeamAuth
Phase Login Button

28. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
token
Username
benadida
Login Click Your
Password
BeamAuth
Phase Login Button
log in

29. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
token
Username
benadida
Login Click Your
Password
BeamAuth
Phase **********
Login Button
log in
log in

30. The General Idea
Setup proof of identity OpenID
Phase Server
Alice
token
Username
benadida
Login Click Your
Welcome,
Password
BeamAuth
Phase Ben Adida.
**********
Login Button
log in
log in

31. Let’s Build this Button!

32. Let’s Build this Button!
- Browser add-on
not an easy solution for most users
complexity of add-on across browsers
significant trust delegated to the login site

33. Let’s Build this Button!
- Browser add-on
not an easy solution for most users
complexity of add-on across browsers
significant trust delegated to the login site
- Bookmark
Delicious, etc. use bookmarks as buttons
can we do the same for security?
BookMark Auth = BM Auth = BeamAuth

34. JavaScript Bookmarks

35. JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);

36. JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);
javascript:beamauth_token(‘x737csd23’);

37. JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);
javascript:beamauth_token(‘x737csd23’);

38. JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);
javascript:beamauth_token(‘x737csd23’);
javascript:
if (document.location.hostname == ‘myopenid.com’){
beamauth_token(‘x737csd23’);
}

39. JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);
javascript:beamauth_token(‘x737csd23’);
javascript:
if (document.location.hostname == ‘myopenid.com’){
beamauth_token(‘x737csd23’);
}

40. JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);
javascript:beamauth_token(‘x737csd23’);
javascript:
if (document.location.hostname == ‘myopenid.com’){
beamauth_token(‘x737csd23’);
}
Cannot trust the JavaScript Computing Base

41. The URL Fragment Identifier
http://site.com/page#paragraph

42. The URL Fragment Identifier
http://site.com/page#paragraph
- used to designate a portion of a page
browser scrolls to the appropriate location.

43. The URL Fragment Identifier
http://site.com/page#paragraph
- used to designate a portion of a page
browser scrolls to the appropriate location.
- never sent over the network but accessible from JavaScript

44. The URL Fragment Identifier
http://site.com/page#paragraph
- used to designate a portion of a page
browser scrolls to the appropriate location.
- never sent over the network but accessible from JavaScript
- navigation between fragments does not cause a page reload.

45. Fragment in a Bookmark
http://login.com/login#[benadida|8x34202]

46. Fragment in a Bookmark
http://login.com/login#[benadida|8x34202]
var hash = document.location.hash;
if (hash != ‘’) {
// parse the hash, get username and token
process_beamauth_hash(hash);
// clear the hash from the URL
document.location.replace(‘/login’);
}

47. The BeamAuth Ritual

48. The BeamAuth Ritual

49. The BeamAuth Ritual

50. The BeamAuth Ritual

51. The BeamAuth Ritual

52. The BeamAuth Ritual

53. The BeamAuth Ritual

54. The BeamAuth Ritual

55. Attacks
- Trick User into Not Clicking Bookmark
password compromised, token safe.
- Lock User into Site
password compromised, token safe.
- Maliciously Replace Bookmark
password compromised, token safe.
- Pharming
all compromised.
- “Drag-and-Drop” Attack
all compromised on Firefox.

56. Comparison to
Long-Lasting Cookies
- Second-channel setup – though long-
lasting cookies could do the same thing there.
- Synchronization across browsers
using existing bookmark-sync tools.
- Better behavior for non-SSL sites

57. BeamAuth: Summary
- Bookmark as second authentication factor
- Token delivered via a separate channel (email)
- Use the fragment identifier to store token
- Tweaked Login Ritual: whisk users to safety

58. Can we do more?
- The fragment identifier might be
used for more tricks.
- JavaScript bookmarks
may be useful for security.
- Security in the app layer: help evolve the
browser platform without anticipating all
security requirements.
generalize concept of site-specific extension?

59. Questions?
ben@eecs.harvard.edu
http://ben.adida.net/projects/beamauth/