All geek questions in one place

How to create cryptographically secure authentication without entering a keyboard?

I am working on a system that will require the user to log in to the device using the account created on the website. Authentication will go through HTTPS, so this is not a problem. The application running on the device will allow you to make purchases inside the application using a credit card associated with their account, so it is important that the login credentials are safe enough so that it is difficult to attack using brute force. The only problem is that the device that will be used by the user will have limited user input capabilities (essentially, arrow keys and a selection button).

In this case, a typical username / password may be too cumbersome to enter, which also requires the development of an on-screen keyboard that is accessible using the arrow keys. Users are likely to eventually create simple passwords that are easy to crack. However, after entering the system, the user will use the access token behind the scenes, so they may not need to enter the password many times.

The first step is that the user will need to enter their username or identification number. Using a number may be easier to enter, but also easier to guess. I am also open to suggestions in this area.

Next is the password entry process. So, here are a few ideas that I have, but I'm not a cryptography specialist, so I don’t know how to evaluate the level of security.

  • The user must first register the device. This may be a step that I require in any case, for added security. The device will generate a key that will be sent to the server and saved with the account. The key will be required when making future authentication requests. The user will need to log into the website to approve the device. The device will not have any identifier, so if you do not log in soon, you will not know if it was your device or someone else is trying to fake you. It would be nice to create some kind of additional identifier, maybe a short code, phrase or image will be displayed so that you know this is the same device that you just tried to register.

  • Since entering a text password may be too complicated if the device is registered, it is possible that a four-digit access code may be used in the application to confirm purchases. In any case, this can be nice to prevent if other users of the device cannot use your account without your permission. However, if they watch you enter your password, then this is not very good for this purpose.

  • If device registration is not required, instead of logging in with a text password, the user may be presented with images or phrases as parameters, and they should choose the right combination of images / phrases that match their account.

That's all I have. What do you think? How can I create a simple but secure login when purchasing apps in an app?

+4
source share
1 answer

I am dealing with a limited scenario of input capabilities. Could you describe the platform your application is running on? This helps to choose a solution according to the platform security model.

Update. I hope you are not considering a multi-user scenario for each device. So, I assume that there is one user per device. The second assumption is that the device may have a unique serial number, which can be accessed through some APIs, and the serial number is registered on the server in advance. At the initial stage, the user generates a random key through the device selection button, and the application confirms the success of the key generation, probably displays the serial number (the user may need to register the serial number for the latest configuration). Behind the scenes, the application sends a new key with its serial number to the server. The server updates its serial number with a random key in the database record. The device may block further key generation or may allow it until it is finally configured with a dedicated user. The device also stores the serial number with a random key in a local database / file. The user then goes to his account via the web interface to configure the device. For a registered user, the server presents a list of available devices, and the user can select the one that belongs to her / her and set a four-digit pin code. The server does the following:

  • Associate the user account, serial number, random key (the one that sent the device at the beginning).
  • create token
  • generate a key using a pin code and a random key in the form of a salt using a password-based derivative key algorithm (PBKDF2)
  • encrypt the token using the key obtained in step 3
  • Refresh the database user string with an encryption token.

The user can synchronize the encryption token using the device select button. To unlock the application, the user must enter the pin code through a simple digital screen. The application uses a PIN code and a random key (stored at the beginning) and generates the PBKDF2 key and decrypts the token. PBKDF2 helps us slow down brute force a bit, but blocking can also be provided based on time or attempts. For example, after some trail, an application can delete user credentials and force the user to configure from scratch.

+1
source

Source: https://habr.com/ru/post/1497114/

More articles:


All Articles