[Cryptography] On mobile passwordless logins and established technologies

Nico Williams nico at cryptonector.com
Wed Mar 26 00:01:58 EDT 2014 

Your approach is Persona-like, which IMO puts it on the right track even
though Persona failed.

My variation would be as follows:

 - clients enroll public keys for site-specific ad-hoc identities using
   per-site random PK key pairs

 - a user's devices can share these keys using a protocol for the
   purpose or can enrol multiple (1 per-device) keys for each identity

 - to the extent that sites wish to allow it their users could use their
   IDs elsewhere; for this a light-weight short-lived/fresh cert issued
   by the site's online issuer should suffice.

Note: no PKI in sight for client IDs.

I.e., Persona-like, with extensive device support.

http://www.mozilla.org/en-US/persona/

LoF/TOFU can be made workable, such that any MITM had better have been
in the middle at enrolment time and thereafter (for at least the
observed TACK periods for server credentials).  Insist on tack periods
of at least a week, use periodically so as not to miss rollovers, done.
No PKI in sight.  DANE and PKI for server auth don't hurt, to be sure,
but the combination of DANE, PKI, and LoF/TOFU would be quite strong by
comparison to the lame TLS server PKI.

The key is the ability to win trust over time.  Roughly how off-line
natural "authentication" works: recognition (here, online, with PK) +
trust building.

No passwords other than device unlock and/or recovery passwords.

No PKI.  Just Persona-like certs (if that; bare public keys should work
too).  If a site knows you well (e.g., you've made payments to them with
a credit card) they might vouch for you.

Problems:

 - Sites don't want a standard enrolment protocol that doesn't allow
   them to have highly customized interactions with prospective new
   users.  But any enrolment protocol would have to have a component
   that is completely standard and automated in mobile devices,
   otherwise we'd either not have universality or the UI would be very
   user un-friendly.

 - Mobile device OS vendors would have to agree on something rather
   important.  Either identity key sharing or facilitation of multiple
   key enrolments.  The latter actually wouldn't require much from
   mobile OS vendors... but it'd require more of users in terms of
   enrolment interactions.

   We'd still want to be able to share LoF/TOFU and other persistent
   state across devices, for extra security, but then we'd really need
   the OS vendors to cooperate.

 - Key rollover should be fine, but account recovery if you lose all
   your devices and recovery passwords -or if your devices are
   compromised- could be anywhere from difficult to impossible.  In the
   worst-case scenario the user would need new IDs and might not be able
   to do much to revoke compromised ones.

Persona just closed shop, so maybe this won't fly either, but IMO this
is the right approach.

On Mon, Mar 24, 2014 at 10:08:22AM +0100, Felix Ruzzoli wrote:
> I had a look at OAuth and OpenID and while in theory the idea seems
> [...]

I find them wanting.  They don't really help with the server
authentication problem, which is the hard one.

> I am wondering why people don't employ client-side SSL certificates
> for simple ID checking purposes? Someone please tell if I am wrong
> here..

Many reasons:

 - There's no need for a PKI for this, but TLS' user cert functionality
   is PKIX-based.  All pain, no gain.

 - Poor application/library integration on the client side.

 - Most importantly: lack of an enrolment protocol for ad-hoc
   identities.

See Persona.

> By just generating client certificates for each user of a (mobile)
> application on-the-fly and using them for ID checking we achieve
> passwordless logins with a good degree of security. Of course as
> long as the secret key is stored unencrypted on the device, the
> device acts like an ID token. Thus if the phone gets stolen the ID
> is too.

Yes.

> Of course backups of the ID could easily be done by encrypting the
> private key to a secret password. But at this point there seem to be
> no alternatives to letting the user input a secret.

a) enrolment has to be standard
b) sharing of identity keys and/ enrolment of alternate keys
   (per-device) needs to be standard
c) account recovery / revocation processes need to be solidly designed

> I claim this a feasible solution for your run-of-the-mill low
> security application which just needs a reliable way to
> differentiate between users and make sure it is not too easy to
> impersonate another user or break into his account.
> 
> What are your thoughts on this?

It's the correct approach, but getting all the relevant players to agree
is going to be like pulling teeth.  But then, who knows, it could
happen!  I'm willing to put some effort into it.

Nico
--

More information about the cryptography mailing list