|
|
Subscribe / Log in / New account

Passwordless authentication with FIDO2—beyond just the web

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 21, 2023 22:18 UTC (Tue) by k8to (guest, #15413)
In reply to: Passwordless authentication with FIDO2—beyond just the web by mss
Parent article: Passwordless authentication with FIDO2—beyond just the web

How would you protect against a threat model where the browser or os are compromised at this level? A display on the device? Would people read it? A piezoelectric speaker that announces what's being authenticated? Would you hvae a whitelist on the device so new or unusual ones would require special action?

to post comments

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 21, 2023 22:29 UTC (Tue) by mss (subscriber, #138799) [Link] (3 responses)

Yes, such device most probably would need to have a display to see what's being signed and some method to independently verify the request origin - like a shared secret with each one.

It would probably still need USB or NFC connection to exchange the data to be signed and return the signature - but no WiFi Internet-connected devices please.

The payment industry had a primitive implementation of such idea called Chip Authentication Program years ago.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 3:35 UTC (Wed) by stressinduktion (subscriber, #46452) [Link] (1 responses)

> The payment industry had a primitive implementation of such idea called Chip Authentication Program years ago.

Something alike is in use in Germany with HBCI/FinTS (same with the electronic id cards). The security class 3 readers have display and pin pad to verify and confirm a transaction's details. Myself, I use a ReinerSCT cyberjack komfort for doing that. Most(?) financial institutes support it, but somehow they are not keen on handing out the necessary cards anymore and instead prefer to use mobile apps to get the confirmations (at least in the consumer sector). Anyway, it is handy in particular for automated processing.

Are there any other countries using a standardized online banking protocol?

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 9:58 UTC (Wed) by MortenSickel (subscriber, #3238) [Link]

"Are there any other countries using a standardized online banking protocol?"

In Norway, we have the bankid system (https://www.bankid.no/en/private/) that is used for more or less all banks and a lot of other places where a secure login is needed. It can be used either by a code generator or a mobile phone app - no plugin devices.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 28, 2023 16:09 UTC (Tue) by spacefrogg (subscriber, #119608) [Link]

In Germany, it is also common to validate single bank transactions via QR-Codes as a newer implementation of CAP. The added benefit (from my point of view) is that the authentication device is airgapped. While it can read the QR code, you must input the resulting TAN manually into the browser. So, you can be reasonably sure that you only authenticate the transaction your are interested in (and no hidden transaction that runs on a compromised device). The added bonus of QR codes is that you can validate their content independently with your smartphone etc. So, you don't even have to trust the down link.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 3:31 UTC (Wed) by pabs (subscriber, #43278) [Link] (14 responses)

Just use your phone as a FIDO2 authenticator device? virtual-fido implements something like this using USB-over-IP, but if you could get it to use the Linux USB gadget framework, then your Linux-capable phone could become your authenticator device and have a UI for confirming details when authenticating.

https://github.com/bulwarkid/virtual-fido

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 11:42 UTC (Wed) by Conan_Kudo (subscriber, #103240) [Link] (10 responses)

You can also use Web Authentication caBLE v2 to do this over Bluetooth Low Energy. Chromium implements this for supporting your Android phone as a FIDO2/WebAuthn passkey.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 13:38 UTC (Wed) by mss (subscriber, #138799) [Link] (9 responses)

Using a Linux phone as a hardware base for such authenticator token might by a good idea, just not a stock one running full network-connected OS.

Having only simple interface to the rest of the world, which has a limited attack surface and is relatively easy to audit, is the whole point of a hardware token.
I think that any kind of network connectivity would weaken it to the point of almost defeating its purpose.

But if there's a way to just reuse the basic hardware, disable cellular modem, WiFi, Bluetooth, USB network connectivity, ADB, etc. in a way that they cannot be re-enabled without explicit user intervention then it would mostly do the trick.

The device could work line this:
  1. The system is powered on or restarted
  2. The early boot code checks for certain unusual combination of buttons (or does some other robust user presence/will check)
  3. If the above check fails the code locks its flash partition read-only (so the boot code can't be overwritten) and permanently disables network interfaces for the session
  4. The main authenticator software stack starts

Then any potential network-related attack surface would be limited only to that tiny chunk of early boot code.

In this case the device itself only needs a minimum kernel that exports just a FIDO2 HID gadget interface over USB to its host and provides basic authenticator GUI.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 13:57 UTC (Wed) by Conan_Kudo (subscriber, #103240) [Link]

Nobody would use that. I certainly would not. BLE with a secure enclave trigger through biometrics or a passphrase is more than enough for me.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 18:03 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (7 responses)

> But if there's a way to just reuse the basic hardware, disable cellular modem, WiFi, Bluetooth, USB network connectivity, ADB, etc. in a way that they cannot be re-enabled without explicit user intervention then it would mostly do the trick.

You need BLE (and maybe the phone camera) for passkeys. Everything else can be disabled.

So in practice you can buy the cheapest possible Android phone without a SIM card, install an OpenSource build there and it would meet your requirements.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 6:10 UTC (Thu) by pabs (subscriber, #43278) [Link] (2 responses)

You could drop BLE too, just use USB.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 6:19 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

I'm not sure it's an improvement in security, though. I think right now USB on Android is kinda all-or-nothing strategy. Either you use it only for charging, or open the floodgates.

But I haven't checked this in a while, I might be lying.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 6:28 UTC (Thu) by pabs (subscriber, #43278) [Link]

I definitely would not use Android for this, better would be a more minimal Linux distro that you control.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 13:04 UTC (Thu) by mss (subscriber, #138799) [Link] (3 responses)

So in practice you can buy the cheapest possible Android phone without a SIM card, install an OpenSource build there and it would meet your requirements.

This would still need some bootloader work though, to actually disable these network devices in a way that they cannot be re-enabled by the ordinary software stack without explicit user intervention - assuming that the hardware even has such "disable until reset" functionality.

Or opening the device and disconnecting their antennas - might be easier to achieve but harder to temporarily revert. And not easily doable for PCB antennas on the main board.

Another option would be to use a phone with hardware radio kill switches, like a PinePhone - but that technically isn't an Andorid phone, nor is it particularly cheap.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 21:30 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Realistically, how is the phone going to connect to the Internet? Mobile radio is useless without a SIM card, and you can just avoid connecting it to WiFi.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 28, 2023 21:33 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses)

> Mobile radio is useless without a SIM card

Even without a SIM card, the thing connects enough for voice emergency channels (by law in many countries), which means most of the crazy mobile protocol stack and closed-source crawling-horror baseband processor is up, backdoors and all.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 28, 2023 21:58 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

I believe that the "airplane mode" still disables it. Also, realistically attacking through the baseband stack requires CIA-level expertise. It's highly unlikely that they are going to burn their secret baseband exploits just to get to me.

So I think that in practice disabling the Internet access should be enough for all, but the most paranoid applications.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 14:40 UTC (Wed) by smurf (subscriber, #17840) [Link] (2 responses)

Using a phone raises all those fun security concerns that prompted us to switch to Fido2 sticks in the first place.

So, cute that it's possible, but when it enables the same security problems 2-factor auth is supposed to fix, probably not a good idea.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 24, 2023 20:37 UTC (Fri) by hpro (subscriber, #74751) [Link] (1 responses)

In any case, the true threat model for the vast majority of users has nothing to do with MITM-attacks. The Swedish BankID system, and similar implementations are a case in point. They provide the user with an app on their phone which will prompt them for confirmation with PIN or biometrics with a nice display clearly showing what they are authorising.

And the vast majority of frauds occur not because users authorise transactions on malicious sites, but because someone calls them pretenting to be the bank and convinces them to authorise an actual login / transaction for their actual bank on their phone to "confirm their identity" or "sort out a minor issue". No mitm needed.

The app now supports scanning a QR to initiate a login, which makes this harder, but still not all use it, so the vast majority of fraud is done through coercion and social engineering, not hacking afaiu.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 25, 2023 15:00 UTC (Sat) by farnz (subscriber, #17727) [Link]

Underlying this is the threat model, pairing up a risk with a mitigation. For BankID and similar systems, the risk that's being mitigated is the bank's risk: "if I cannot prove that the user authorised this transaction specifically, I am on the hook for reversing the transaction at my expense, and may be completely out the money that was involved if I cannot reclaim it from the recipient".

In this threat model, fraudulent transactions authorised by the user are absolutely fine - if I can confirm that you really did authorise sending 1,800,000 kr to "Steal Money-Bank Fraudsters", then I'm off the hook, even if you actually meant to send the money to "Stockholm Mercedes-Benz Franchise".

Similarly, FIDO2's threat model is that user-controlled shared secrets (a.k.a. passwords) are too easy to steal from one site and use for access elsewhere, and too hard to change after every use - e.g. plenty of people have the same password for GMail, Amazon and their bank. FIDO2 wants to change this so that authentication is done via a public key authentication protocol, so that even having a keylogger on your GNOME desktop is not enough for me to authenticate as you at a later date.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 4:32 UTC (Wed) by matthias (subscriber, #94967) [Link]

> How would you protect against a threat model where the browser or os are compromised at this level? A display on the device? Would people read it?

Yes, a display on the device. Just in the same way, as I do online banking in Germany. A display shows the account number and amount for an authorized transfer. Doing this with something like FIDO2 would be much nicer than with the devices we currently use, where we have to put in the banking card to do the encryption, then scan the transaction details from the screen*, and afterwards type in a transaction number from the devices screen into the banking website.

And I do actually read this. For small amounts I usually only check the amount, as the possible damage is limited to the amount shown on the display. For large transactions, I also verify the account number.

*newer devices use QR-codes. My device has 5 photo-diodes that scan a flickering code. One of the diodes is used for a clock signal, the other 4 to transfer 4 bits in each clock cycle. A really simple device. All actual cryptography is done inside the banking card and the device only transfers data from the computer screen to the card and the builtin display.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds