Lets Authenticate Automated Cryptographic Authentication for the - - PowerPoint PPT Presentation

let s authenticate
SMART_READER_LITE
LIVE PREVIEW

Lets Authenticate Automated Cryptographic Authentication for the - - PowerPoint PPT Presentation

May 02, 2023 275 likes •738 views

Lets Authenticate Automated Cryptographic Authentication for the Web with Simple Account Recovery James Conners Daniel Zappala Brigham Young University Our focus easy registration/login easy account recovery privacy by design What about

slide-1
SLIDE 1

Let’s Authenticate

Automated Cryptographic Authentication for the Web with Simple Account Recovery James Conners Daniel Zappala Brigham Young University

slide-2
SLIDE 2
slide-3
SLIDE 3
slide-4
SLIDE 4

Our focus

easy registration/login easy account recovery privacy by design

slide-5
SLIDE 5

What about WebAuthn?

Registration/Login Recovery Privacy

slide-6
SLIDE 6

Alice wants to register to Facebook

slide-7
SLIDE 7

Username One-Time Challenge Key, UID, Relying Party info

slide-8
SLIDE 8

JavaScript Client

slide-9
SLIDE 9

User Consent User Consent

slide-10
SLIDE 10

Alice wants to register to Amazon

slide-11
SLIDE 11

Username One-Time Challenge Key, UID, Relying Party info

slide-12
SLIDE 12

JavaScript Client

slide-13
SLIDE 13

User Consent User Consent

slide-14
SLIDE 14

Potential for authenticator bloat

slide-15
SLIDE 15

What happens if Alice loses her authenticator?

slide-16
SLIDE 16

Alice wants to recover her Amazon account

slide-17
SLIDE 17
slide-18
SLIDE 18

Alice needs to register a 2nd authenticator with Amazon

slide-19
SLIDE 19

Username One-Time Challenge Key, UID, Relying Party info

slide-20
SLIDE 20

JavaScript Client

slide-21
SLIDE 21

User Consent User Consent

slide-22
SLIDE 22

Privacy leaks and Tracking are possible

slide-23
SLIDE 23

Let’s Authenticate

Easy Registration/Login Easy account recovery Privacy

slide-24
SLIDE 24

Let’s Authenticate Registration/Login

slide-25
SLIDE 25

Username/Password

slide-26
SLIDE 26

Scan/click the QR code User gives consent

slide-27
SLIDE 27

Let’s Authenticate Server App sends CSR Returns signed cert App forwards cert to destination Facebook Case 1 Cryptographic proofs

slide-28
SLIDE 28

App forwards cert to destination Facebook Case 2 Cryptographic proofs

slide-29
SLIDE 29

Scan/click the QR code User gives consent

slide-30
SLIDE 30

Let’s Authenticate Server App sends CSR Returns signed cert App forwards cert to destination Amazon Cryptographic proofs

slide-31
SLIDE 31

What happens if Alice loses her authenticator?

slide-32
SLIDE 32

Username/Password

slide-33
SLIDE 33

Username/Password Returns all certificates Let’s Authenticate

slide-34
SLIDE 34

Scan/click the QR code User gives consent

slide-35
SLIDE 35

Privacy

  • Want to avoid colluding websites tracking users
  • Want to avoid giving Let’s Auth CA information about

sites a user authenticates to

slide-36
SLIDE 36

Privacy

  • Each certificate is bound to a unique email address:

<uniquecode>@letsauth.org

  • <uniquecode> =

hash(username,password,websiteDomain,salt)

  • Also makes it easy to reclaim accounts after lost

authenticator

slide-37
SLIDE 37

Comparing Let’s Authenticate to WebAuthn

slide-38
SLIDE 38
slide-39
SLIDE 39

What’s Next?

  • In-depth Security and privacy analysis
  • In lab and longitudinal user studies
  • Exploration of different account challenges
  • Consideration of short-lived certificates VS revocation
slide-40
SLIDE 40

Discussion

slide-41
SLIDE 41
slide-42
SLIDE 42
slide-43
SLIDE 43
slide-44
SLIDE 44
slide-45
SLIDE 45

Persona

  • Allowed email providers to issue certificates to a user
  • Simpler registration process since their email was verified
  • Tracking still possible, unless a user creates a different email for

each service

  • Adoption was an issue as well
  • 4 entities of adoption (Users, Websites, Browsers and Email providers)
  • They did provide a fallback identity provider and a cross-browser

library, but they were short term solutions