tiffany conroy - remote device sign-in – authenticating without a keyboard - codemotion milan 2017
TRANSCRIPT
Remote sign-in: A method for signing in to a device that doesn’t have a keyboard
Hi, I’m Tiffany (@theophani)
SoundCloud on Xbox
Signing in with a game controller is not fun
Secure and simple and fast
The solution, in brief
How it works
Voilà! Having an access token = signed in
Inspiration: YouTube on TVs and Google Sign-in for TVs and Devices
Using an authenticated session on Device B
i.e. take advantage of the person already being signed in on their phone or laptop
Sign in without signing in
(because you were already signed in)
https://soundcloud.com/activate_oauth2_callback?display=mobile-web-view#access_token=ACCESS_TOKEN
Choosing codes that are easy to read and type
Things to consider when choosing codes:
Sparse usage
[Figure: a grid of all possible codes, with only the few currently in use marked X]
1 number = 10 codes
0 1 2 3 4 5 6 7 8 9
2 letters = 26 * 26 = 676 codes
AA AB AC AD AE AF AG AH AI AJ . . .
BA BB BC BD BE BF BG BH BI BJ . . .
CA CB CC CD CE CF CG CH CI CJ . . .
DA DB DC DD DE DF DG DH DI DJ . . .
EA EB EC ED EE EF EG EH EI EJ . . .
FA FB FC FD FE FF FG FH FI FJ . . .
GA GB GC GD GE GF GG GH GI GJ . . .
HA HB HC HD HE HF HG HH HI HJ . . .
IA IB IC ID IE IF IG IH II IJ . . .
. . . . . . . . . . . . . . . . ZZ
6 numbers = 1 000 000 codes
4 letters = 26 * 26 * 26 * 26 = 456 976 codes
Numbers and letters?
Avoid: letter O, number 0, letter I, number 1
6 numbers or letters = 32 * 32 * 32 * 32 * 32 * 32 = 1 073 741 824 codes
Don’t use special characters !?&%$
Use UPPERCASE for readability (but verify case-insensitively)
Security considerations
Risk: Accidentally granting Device A access to the wrong user
Someone is signed in … but who?
Mitigating the risk of: Accidentally granting Device A access to the wrong user
a) Show which user is authenticated, and allow them to switch
b) Display a selection of users, and allow them to choose
Risk: Accidentally granting access to someone else’s device
Device A_N shows Nina: X X N
Device A_M shows Michael: X X M
Nina accidentally types X X M
Michael’s Device A_M will get authenticated as Nina
Mitigating the risk of: Accidentally granting access to someone else’s device
Sparse usage of codes!
[Figure: the sparse code grid again, with a mistyped code marked ❌ landing on an unused slot]
Collect device name to show during activation
Risk: An attacker using up all possible codes so no one can sign in
[Figure: the code grid with every slot marked X, i.e. all codes used up!]
Mitigating the risk of: An attacker using up all possible codes so no one can sign in
Rate limit ability to request codes
Expire codes
Expire codes … but don’t reuse too soon
Risk: An attacker guessing codes and using them to get access tokens
Brute force attack
Aside: why do attackers want to access random accounts?
Mitigating the risk of: An attacker guessing codes and using them to get access tokens
Very, VERY, sparse code usage?
Rate limit for polling?
Polling tokens
e.g. AHDNFDJR-937JJ5N7HN-SNVKDHKSM2-FJSNMNDFF-93HF7H46AGMS
Issue the polling token to Device A when issuing the easy-to-read code
Require the polling token when:
a) checking the status of the code
b) exchanging the code for an access token
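As an added example (not code from the talk or from SoundCloud), the activation flow described above, combined with the choices from the code-design slides: a 32-symbol alphabet without O, 0, I and 1, uppercase display with case-insensitive verification, sparse code usage, code expiry with a reuse cooldown, the device name shown at activation, and a polling token required for both the status check and the exchange. The 300-second lifetime, the one-hour reuse cooldown and the ActivationServer/normalize names are assumptions.

```python
import secrets, time

# Alphabet from the talk: letters and digits minus O, 0, I, 1 -> 32 symbols,
# so a 6-symbol code has 32**6 = 1 073 741 824 possibilities.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN, CODE_TTL, REUSE_COOLDOWN = 6, 300, 3600  # seconds; TTL and cooldown are assumed

def normalize(code):  # shown in UPPERCASE, verified case-insensitively, separators ignored
    return code.replace("-", "").replace(" ", "").upper()

class ActivationServer:
    """Hypothetical server side of the flow (example code, not SoundCloud's)."""
    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # code -> {token, device, issued, user}
        self.spent = {}    # code -> time it was retired, for the reuse cooldown
    def issue(self, device_name):  # Device A asks for a code and gets a polling token too
        while True:  # sparse usage: never hand out a live or recently retired code
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self.pending and code not in self.spent:
                break
        token = secrets.token_urlsafe(32)
        self.pending[code] = {"token": token, "device": device_name, "issued": self.now(), "user": None}
        return code, token
    def _retire(self, code):
        del self.pending[code]
        self.spent[code] = self.now()  # expired or used: don't reuse too soon
        self.spent = {c: t for c, t in self.spent.items() if t >= self.now() - REUSE_COOLDOWN}
    def _live(self, code):  # pending entry for the code, or None if unknown or expired
        e = self.pending.get(code)
        if e is not None and self.now() - e["issued"] > CODE_TTL:
            self._retire(code)
            return None
        return e
    def activate(self, typed_code, user):
        """Device B: the signed-in user types the code; returns the device name to confirm."""
        e = self._live(normalize(typed_code))
        if e is not None:
            e["user"] = user
        return None if e is None else e["device"]
    def poll(self, code, token):
        """Device A checks status and, once authorized, exchanges the code for an access
        token; both require the polling token, so a guessed code alone yields nothing."""
        e = self._live(code)
        if e is None or not secrets.compare_digest(e["token"], token):
            return "invalid", None
        if e["user"] is None:
            return "pending", None
        self._retire(code)  # one exchange only
        return "authorized", "access-token-for-" + e["user"]
```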
Risk: An attacker tricking people into giving away access to their account
Social engineering attack
Mitigating the risk of: An attacker tricking people into giving away access to their account
Use text and design elements that make it clear
Have short expirations
Closing thoughts
Using a game controller to enter a password is not fun
Designing and implementing a new kind of authentication flow is fun
Involve your security experts early
Painful → Magical
Thanks :)
Questions? Tiffany Conroy ~ @theophani
developers.soundcloud.com/blog/remote-device-sign-in