
2020 Learning Lab 3-R02_01_Authentication-on-the-Move-Challenges-for-Mobile-Web-Applications.pdf (32 pages)
RSAC Session ID: LAB3-R02
Authentication on the Move: Challenges for Mobile Web Applications

Johannes Ullrich, Dean of Research, SANS Institute (Twitter: johullrich)
Jason Lam, Certified Instructor, SANS Institute (Twitter: jasonlam_sec)

Background
- Strong authentication can be a challenge in the mobile world: small screen real estate, keyboards that are hard to use, shoulder-surfing risks
- Mobile native applications may have more capabilities, but what about web applications?
- How do we effectively authenticate mobile users to web applications?

Agenda
- Mobile web application mistakes
- Assisting users entering traditional passwords
- Improved authentication standards for mobile
- Additional techniques to improve mobile web application authentication security and usability

The Basic Authentication Schemes

Authentication today?
- Users authenticate via username / password.
  - Password policies?
  - Account lockout?
  - Credential stuffing?
- Users recognize websites using the URL and TLS certificates.
  - Phishing?
  - Small URL bars: hard to identify security indicators

How Big Is Your Thumb?

What Phish?

Exercise 1
See the instructions.
Goal: Identify shortcomings of traditional username and password authentication for mobile devices, and learn how to better integrate with mobile web browsers to improve authentication usability.

Improved Authentication for Mobile

Password Stores/Safes
- OS platforms or third-party software offer capabilities to store passwords for you
- Benefits:
  - Recognize the remote site, reducing phishing risk
  - Users are more inclined to use complex (generated) passwords
  - High user acceptance level
- A master passphrase and the OS password/biometrics protect the vault

Authenticator
- App-based TOTP token system
- RFC 6238 based token system (or HOTP, RFC 4226)
- The website generates an 80-bit secret key, which can be presented in the form of a QR code
- Alternatively, the key can be entered manually into the phone
- Generates a time-based token from the secret
- To cloud or not to cloud?
  - Some services like Authy send your keys to the cloud

SMS/Voice
- Popular form of authentication; ease of use
- Phone call or SMS a token to the user
- The token needs to be generated securely
- User needs to type the code back on the web page
- Pitfalls:
  - SIM-jacking/SIM swapping possible
  - Social engineering bundled with phishing

SMS New Style/Standard
- Emerging standard from WebKit developers
- Common standard to allow the phone to automatically submit the code/token back to the site
- In recent versions of iOS, there is the ability to copy the code automatically
[Diagram: SMS "12345 is the code for authonthemove #12345" arrives on the phone; the browser submits 12345 to the HTML form field]

Mobile App Push Authentication
- Uses an already authenticated native mobile app to push a notification to the user
- The user then explicitly consents to the authentication
[Diagram: Browser, App, Browser]

Good/Bad of App Push Authentication
- Good:
  - Excellent user acceptance; what's not to like?
  - Low cost for the web site
  - Lots of vendors to choose from
- Bad:
  - Users often accidentally approve fraudulent requests
  - Initial setup factor: app download and initial key injection
  - Many security dependencies: app store, device, vendor

Exercise 2
- OS/browser-integrated password vault
- Third-party password vault (LastPass)
  1. Save password
  2. AutoFill
  3. Tie in with biometrics

Exercise 2
See the instructions.
Goal: Learn how to implement and use one-time password authentication (TOTP).
Advanced Mobile Authentication

FIDO2/WebAuthn Standard
- Fast Identity Online (FIDO) is behind the FIDO2 standard
- Consists of WebAuthn and CTAP (Client to Authenticator Protocol)
- WebAuthn is a W3C standard that defines browser-to-server communication for non-password-based authentication
- Uses asymmetric cryptographic authentication
- CTAP standardizes the communication between the authenticators and the browsers
- The authenticator can be a physical or software token, or gesture/biometric recognition
- The authenticator is often used with a PIN to add extra security
[Diagram: Authenticator, CTAP, Browser, WebAuthn, Relying Party (Website)]

WebAuthn Registration
1. "User registration please"
2. JavaScript: "Create a public key for me, here are a bunch of options"
3. Authenticator creates the public key pair
4. "Here is my public key"

WebAuthn Authentication
1. "Here is my username, I want to sign in"
2. "Please sign this challenge so I know it's you"
3. Authenticator signs the challenge with the private key
4. "This is the signature, please validate"

Do I Still Need a Password?
- You can still add a PIN/passphrase to the authentication
- Extra layer of security, but it may not buy you much given the sad state of password security
- Can even include the use of push app authentication if desired
- Can blend in biometrics to further improve security
- Did you know? If you have a recent Android phone, you already have a FIDO2 key

NFC Factor with Mobile
- All major mobile OSes allow the CTAP interface with NFC/Bluetooth-enabled keys
- When prompted, put token c