I'm currently working on a server based implementation of TOTP in order to reinforce the authentication of the user by using an OTP code.
But I'm wondering how to share for the first time the QR Code (or the secret key) with the end user ? for sure the email is not the preferable choice but as I'll not have a physical contact with the end users it will be difficult to share the QR Code in another way...
another question related to TOTP if the end user is losing its mobile phone to generate its code, do I permit the end user to generate a new QR Code ? but in that case how can I share it ? (in fact this is the same question....)
If you really want to keep your server secure you should not be sharing the QR Code / OTP Setup Code via any means, but that is not very usable.
One option is to disable two factor while the user logs in, then re-enable and have the user set it up - this is the most secure way but not very manageable.
Another option is to share the QR code with the user via a secure messaging protocol and then requiring the user to reset their password and re-setup Two Factor.
What OS are you running on your server and is this for SSH access?
If you need to provide the QR code to the users you could use a portal that is externally accessible, but is itself protected by factors other than the one you are delivering.
Related
Apologies for the general nature of this question. Hoping this doesn't get shot down as "too broad", but oh well, here goes:
I'm writing a React Native app that is purely informational (medical information), with a Rails API for the back-end.
The first main question I have is whether its necessary (or a good idea) to use authentication at all. We don't want the user to have to enter any information to use it (username, password, etc). They should just be able to download the app and jump right in to use it and read the information it provides.
However, I'm thinking that I would at least want the API to only respond to someone hitting it from within the React Native app (or not? Is it considered a normal practice to have an API completely exposed in the case of an app like this which is purely information and doesn't have users, like a website?)
Second - at some point we may want to be able to store some simple preferences for that user (I.E., are they a patient or a doctor, so we can tailor the materials based on that / send them to a different home screen when the open the app). Wondering what strategy someone might use to store simple preferences if the user doesn't ever create an account?
I would at least want the API to only respond to someone hitting it
from within the React Native app.
This probably can't be done, as in a mobile app everyone has access to your client secret and can try to reverse engineer your code.
You could make it more difficult by sending a dynamically generated token to your API on the request, for example, a hash based on a time frame, and check if the hash was sent the correct way. Then, you'd have to obfuscate the code in order to make it difficult for someone to reverse engineer it.
Second - at some point we may want to be able to store some simple
preferences for that user (I.E., are they a patient or a doctor, so we
can tailor the materials based on that / send them to a different home
screen when the open the app). Wondering what strategy someone might
use to store simple preferences if the user doesn't ever create an
account?
If you use a Parse Server instance as your backend, you could benefit from the anonymous user functionality. As you're using a Rails API, you could generate a uuid for each installation of the app and save the preferences on your database based on that uuid. If you don't need those preferences stored on your backend, just store any information you need on the device through any abstraction of AsyncStorage.
I really do not need authentication when it comes down to it - there are no users.
I could verify that the data is coming from my app based on a user agent or a hard coded password. SSL should help keep those secret.
But yeah, there would be nothing preventing someone from disassembling the app and getting that information. Great idea by #felipe-martim about generating a dynamic token.
I really just want to prevent basic abuse, and I could deal with that if it ever happened, or protect myself with something like Rack-attack.
And storing user preferences locally should work just fine for local preferences.
Bottom line is that I'll deal with this if I ever need to / the client budget allows for it!
I'm trying to create a website to authenticate users through the use of a throwaway password where the assumption is that the user might not use the website again (basically a one time access).
I have done my research on OTP and various solutions to authentication but these don't seem to fit my requirements, most of them seem to rely on users having login credentials to the website whereas my system would allow them access without the need for registering.
The implementation of passwordless authentication by Auth0 seems to fit what you're describing. Even if you were not considering a third-party provider it may be useful to go through the documentation.
Basically, a user can login to a site without any need for a sign-up process. They can do so just by requesting that a one time code is delivered to them, for example, either by email or SMS.
This way, they can get quick access without having to setup a user and in the event that they do come back your application can recognize this because they will most likely be using the same mechanism, that is, you can use the email or mobile phone as the unique identifier.
Disclosure: I'm an Auth0 engineer.
If you do not require your users to register, why do you need authentication at all?
Why not just set a cookie with an unique identifier on the first visit? You can store data at the server side associated with that identifier. Keep track of when you last saw the user, and if they do not return within a certain period, you can delete any data you stored for that user.
I would like to create a spreadsheet that allows my users to do bulk uploads to my App Engine application and I would like to do so whilst exposing as little of my app to the world as possible.
My constraints are that I would like this to work via a button in Excel that turns the data in to http post requests, I like this as a plan as it means I can write the logic for one row and then the http response can validate to the user if the data has been accepted or generated an error.
I think I see two options;
Use a secured handler that forces the user to be logged in with their Google account - but this means figuring out how to implement communicating the authentication to Google. This also means my VBA code handling the user's password which I am nervous about.
Use a secret, this can be generated by the application so that only a user can access the code for which they have to be logged in to find.
Questions:
Which approach should I take with my application?
Is Option 2 materially less secure?
What can I do to make option 2 a better solution?
Should I even bother attempting option 1?
I want to write a google chrome extension, that should make a request to my website to send and get some data, so, actually I should do an ajax request like it is written here https://developer.chrome.com/extensions/xhr.html
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://api.example.com/data.json", true);
I wanted ask if there is a way to somehow secure the code or prevent others from using my api, because actually the other users can see the source code of the extension when they install it and so use my api without me being aware of it.
EDIT:
If I need to make some sort of authentication, than how can I authenticate the user before making the ajax call ? for authentication I will need to send a request to my server , but for that I should send , e.g. username and password, that should be saved somewhere in the extension's files, which, in fact, can be seen by the users, when they install the extension.
Thanks
Don't trust the browser, take steps to authenticate the user instead. So, in this case, you could require that YOU enter in a password that is used to communicate with your server.
Your Google extension would simple require you to enter in a password before it attempts to use AJAX to communicate with your server.
Be aware that you should build in means of protecting yourself from brute-force attacks. So, do things like lock everything down if there are more than some small number of wrong passwords, etc.
You could also consider using the password to simply decrypt the destination of the XHR, but if you go this route, you should store this very carefully, because this will be brute-forceable offline.
EDIT
Trying to lock down an API so that only a single application can use it is just not practical nor technically possible, so you're only hope of doing this is to authenticate the user using the API, regardless of the accessing software he is using. You could have the user sign an agreement that legally limits them to only your extension, but I suspect this will go largely unenforceable and will consume your time tracking abusers down.
If you don't want unauthorized people even knowing where the API is, you could perform authentication using an out-of-band mechanism: over the telephone, email, SMS, or simply, another API that will grant the user a password or token that requests to your API must be accompanied with.
During this out-of-band process, you could also grant the user, a unique URI (the API access point) that is only valid per authenticated session (https://api.totally-cool-extension.com/api/ijyeDvB5dYvSiWG97OLuTAoNWwbhuZ0/, for example). Any requests to your server on OTHER URIs simply won't work. However, this isn't theoretically much different than using the same API access point, and having a good password. It just changes the number of places in your architecture that will be performing authentication and/or authorization checks.
<aside>My vote would be to reduce the number of authorization/authentication points to as few as possible so that you can spend more time on getting that one place correct rather than having multiple places and possibly multiple logic flaws or other things that could lead to vulnerabilities.</aside>
You could also explore using Public Key Infrastructure and/or one-time passwords schemes or device-based token generators, etc., but in the end, you'll be allowing authenticated and authorized users to use your API. And, thanks to the Internet, this will not remain an undisclosed URI for long.
And, more importantly, it will not prevent someone from using the data on their own. Even with all these measures in place, it would be trivial for an authorized user to collect this data as it is being streamed to your extension. Or, if you employ point-to-point encryption, they could screen-scrap or use some form of JS introspection on your very code or even extract the data from their computer's memory.
I know you were looking for a silver bullet here, but it doesn't exist.
I think you are doing it wrong. You should never trust what's going on on internet users PC's. Never!
Move the line of trust one step inward, make your API public and then design the security where you have perfect control - server side.
I could not get correct aspect of your use case
Few Points:
Your extension code is always traceable( Any one who has installed extension can view the code)
If you are looking for security through complicated or obfuscated coding patterns you end up slow down of understanding process not the whole.
If your target is to ensure users who install your extension should be able to access and inert all other users( Who have gained illegal access or downloaded and edited code) have a session shared key per installation.
Please explain further use case so i can help you better.
I am well aware of the security implications of this, so much so that I'm betting it doesn't exist, so before you call me crazy, that's why I'm asking.
I got really tired of having only my phone on me and installing a new app/whatever and finding myself needing to suddenly create a new application-specific password on the fly, and having to navigate Google's decidedly non-mobile-friendly security page to do that. I want to create an app of some kind that allows me to generate an application-specific password, whether by text or an Android app itself or something else. As I see it, there are two options here:
Use some Google Account Security API (if it exists) to create the application-specific password
Do scraping-type behavior (with proper credentials, of course) to automate its creation. I really don't want to do this.
Does anyone know (a) if this type of API exists, or (b) if there are any other ways to go about doing this? This app would be published on Github for self-hosting, obviously.
There is no official API to generate application-specific passwords.
I've solved this myself by doing a couple of things:
1) printing out the QR Code for the account that can be scanned by the Authenticator app in order to generate codes. I keep it secured in my desk. This allows me to reformat my phone without needing to turn two-step off each time.
2) use the browser sign-in for my Android device. When adding a Google account to an Android phone, just before the screen where you enter your username and password, click the menu button (or 3 dots on the screen if you have no menu button) and choose Browser sign-in. This allows you to login to an Android device with your username, real password and verification code rather than an application specific password.
This saves me from needing to generate application-specific passwords 95% of the time.
Jay