A technique to log into a web browser using your mobile


Steve Krizanovic

Apr 22, 2020, 4:43:04 PM
to FIDO Dev (fido-dev)
I have been working on the security control for the company I work for and implemented a POC using WebAuthn. The problem is that it only works with a YubiKey or on your mobile.
I have developed a way to register your mobile and link it to the browser device using a web socket.
The registration flow is:
- user opens browser
- user submits email address (used to verify the account and to be able to register new devices)
- user scans QR code to redirect the phone to the WebAuthn pair-device page
- user does the WebAuthn registration in the mobile browser
- user must validate the email address
- if successful, the browser is linked to the mobile browser

So the user login flow is:
- open browser on desktop
- open browser on mobile
- log in using WebAuthn
- browser session becomes logged in (using an OAuth 2 flow to obtain a JWT)
https://webauthn2.azurewebsites.net/

It would be good to get feedback on this approach. Could it become part of the standard for login using WebAuthn with a paired device?

Thanks
Steve

Craig Edwards

Apr 22, 2020, 11:59:11 PM
to Steve Krizanovic, FIDO Dev (fido-dev)
Hi & thank you for including me with your forum updates. I have been in touch with Google & Chromium in regards to why my U2F keys would be getting bypassed on signing in on my Chromebook, which I believe has been hacked for the past 4 months. I'm still yet to receive an answer & hence am writing this email. I have discovered in the Flags section on my browser that I can turn off flags for the keys, which has me concerned that an infiltrator could do the same with the permission settings that I have no control over. Is there anyone that may be able to assist in securing my device for me please? I'm currently using a Lenovo 100e 2nd gen which is running a version of Chrome pasted below.
Thanks
Craig



--
Kind Regards
Craig