
Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 13:38 UTC (Wed) by mss (subscriber, #138799)
In reply to: Passwordless authentication with FIDO2—beyond just the web by Conan_Kudo
Parent article: Passwordless authentication with FIDO2—beyond just the web

Using a Linux phone as a hardware base for such an authenticator token might be a good idea, just not a stock one running a full network-connected OS.

Having only a simple interface to the rest of the world, which has a limited attack surface and is relatively easy to audit, is the whole point of a hardware token.
I think that any kind of network connectivity would weaken it to the point of almost defeating its purpose.

But if there's a way to just reuse the basic hardware, disable cellular modem, WiFi, Bluetooth, USB network connectivity, ADB, etc. in a way that they cannot be re-enabled without explicit user intervention then it would mostly do the trick.

The device could work like this:

  1. The system is powered on or restarted
  2. The early boot code checks for a certain unusual combination of buttons (or does some other robust user presence/will check)
  3. If the above check fails the code locks its flash partition read-only (so the boot code can't be overwritten) and permanently disables network interfaces for the session
  4. The main authenticator software stack starts

Then any potential network-related attack surface would be limited only to that tiny chunk of early boot code.

In this case the device itself only needs a minimal kernel that exports just a FIDO2 HID gadget interface over USB to its host and provides a basic authenticator GUI.
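The four-step boot sequence above, written out as an added example script (not code from this comment's author or from any project). It assumes a Linux initramfs with rfkill, ip, sysctl and mount available, a hypothetical GPIO/sysfs file that reads "1" only while the "enter maintenance mode" key combination is physically held, and a BOOT_PART partition holding the boot code; DRY_RUN=1 prints the actions instead of executing them. Only the kernel.modules_disabled step is one-way until reboot; rfkill soft-blocks and ip link down can be reversed by root, which is exactly why the comment asks for a hardware-level "disable until reset" latch.

```shell
#!/bin/sh
# Early-boot lockdown sketch for a single-purpose authenticator (added example).
# Assumed: rfkill/ip/sysctl/mount in the initramfs; PRESENCE_FILE is a
# hypothetical GPIO value file; BOOT_PART is a hypothetical partition label.

: "${DRY_RUN:=0}"
: "${BOOT_PART:=/dev/disk/by-label/boot}"           # hypothetical label
: "${PRESENCE_FILE:=/sys/class/gpio/gpio42/value}"  # hypothetical GPIO

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 2: user presence/will check. Succeeds only while the key combination is
# held at boot (the file reads "1"); a missing or unreadable file fails closed.
presence_check() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Step 3: lock the session down. Arguments: network interface names to take
# down (loopback is kept). Radios and interfaces go first, then module loading
# is switched off so their drivers cannot be re-inserted, then the boot
# partition is remounted read-only.
lockdown() {
    run rfkill block all                       # soft-block every radio (cellular, WiFi, BT)
    for ifc in "$@"; do
        [ "$ifc" = "lo" ] && continue
        run ip link set "$ifc" down            # USB gadget NICs, etc.
    done
    run sysctl -w kernel.modules_disabled=1    # one-way until reboot: no new drivers
    run mount -o remount,ro "$BOOT_PART"       # boot code cannot be overwritten this session
}

# Steps 1-4 in order. Arguments: interface names to lock down.
# Returns 0 after lockdown, 1 when maintenance mode was chosen by the user.
early_boot() {
    if presence_check "$PRESENCE_FILE"; then
        echo "maintenance mode: leaving interfaces enabled"
        return 1
    fi
    lockdown "$@"
    echo "locked down; starting authenticator stack (step 4, not shown)"
    return 0
}

# Run only when invoked as the init hook: sh lockdown.sh --boot wlan0 usb0
case "${1:-}" in
    --boot) shift; early_boot "$@" ;;
esac
```

In the maintenance path the script deliberately does nothing extra: whether the device then accepts firmware updates is a separate decision, and the point of the design is that the locked-down path is the default whenever the check fails.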


Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 13:57 UTC (Wed) by Conan_Kudo (subscriber, #103240) [Link]

Nobody would use that. I certainly would not. BLE with a secure enclave trigger through biometrics or a passphrase is more than enough for me.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 22, 2023 18:03 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (7 responses)

> But if there's a way to just reuse the basic hardware, disable cellular modem, WiFi, Bluetooth, USB network connectivity, ADB, etc. in a way that they cannot be re-enabled without explicit user intervention then it would mostly do the trick.

You need BLE (and maybe the phone camera) for passkeys. Everything else can be disabled.

So in practice you can buy the cheapest possible Android phone without a SIM card, install an OpenSource build there and it would meet your requirements.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 6:10 UTC (Thu) by pabs (subscriber, #43278) [Link] (2 responses)

You could drop BLE too, just use USB.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 6:19 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

I'm not sure it's an improvement in security, though. I think right now USB on Android is kinda an all-or-nothing strategy. Either you use it only for charging, or open the floodgates.

But I haven't checked this in a while, I might be lying.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 6:28 UTC (Thu) by pabs (subscriber, #43278) [Link]

I definitely would not use Android for this, better would be a more minimal Linux distro that you control.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 13:04 UTC (Thu) by mss (subscriber, #138799) [Link] (3 responses)

> So in practice you can buy the cheapest possible Android phone without a SIM card, install an OpenSource build there and it would meet your requirements.

This would still need some bootloader work though, to actually disable these network devices in a way that they cannot be re-enabled by the ordinary software stack without explicit user intervention - assuming that the hardware even has such "disable until reset" functionality.

Or opening the device and disconnecting their antennas - might be easier to achieve but harder to temporarily revert. And not easily doable for PCB antennas on the main board.

Another option would be to use a phone with hardware radio kill switches, like a PinePhone - but that technically isn't an Android phone, nor is it particularly cheap.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 23, 2023 21:30 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Realistically, how is the phone going to connect to the Internet? Mobile radio is useless without a SIM card, and you can just avoid connecting it to WiFi.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 28, 2023 21:33 UTC (Tue) by nix (subscriber, #2304) [Link] (1 responses)

> Mobile radio is useless without a SIM card

Even without a SIM card, the thing connects enough for voice emergency channels (by law in many countries), which means most of the crazy mobile protocol stack and closed-source crawling-horror baseband processor is up, backdoors and all.

Passwordless authentication with FIDO2—beyond just the web

Posted Feb 28, 2023 21:58 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

I believe that the "airplane mode" still disables it. Also, realistically attacking through the baseband stack requires CIA-level expertise. It's highly unlikely that they are going to burn their secret baseband exploits just to get to me.

So I think that in practice disabling the Internet access should be enough for all but the most paranoid applications.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds