Disallow the "account key" or "authenticator" to be used as a security credential

[TheAspens]

Quoting @nicolas17 in ticket #2353

The client's normal requests authenticate with the "account key" or "authenticator", which is stored directly in the database as clear text. If the database is compromised, the attacker gets the account key and can do RPC requests or login to the project website with it. To make things worse, unlike the password, there is no way for a user to change the authentication key.

The BOINC website and web rpc's should not rely on the "account key" or "authenticator" as a security credential. Additional items this change would effect:

• login to the project website with the account key should not be allowed.
• The session cookie and token should not be the authenticator (see the auth cookie in https://github.com/BOINC/boinc/blob/master/html/user/login_action.php)

We need a design and plan to change this. It will need to take into consideration how the account managers work and interact with the BOINC project websites (although it will almost certainly require them to make changes).

[grctest]

@marius311 began working on the removal of the account key mechanism in favour of an email based password recovery mechanism during the BOINC Workshop in Paris: https://github.com/marius311/boinc/commit/2c2ace80fcc850ced90342e328cfac880e2bc00b

Thanks for drawing attention to this issue. Account key based permanent account compromise is a serious concern.

Related: https://github.com/gridcoin-community/Gridcoin-Tasks/issues/111

[nicolas17]

get_passwd.php already has the account key stuff removed in master.

[Ageless93]

It may not be shown anymore that you can log in with it on the get_passwd.php page, but when you put your authenticator key in instead of the email address, you still go to your page.

[voidxor]

I hope this gets addressed! I had some BOINC machines get compromised, and there is no way for me to prevent somebody from logging in with my authenticator. Note that Einstein@Home still has a specific page for this purpose at https://einsteinathome.org/user/login/auth.

[Ageless93]

On all projects you can login with your email address and authenticator. Just in case you did forget your password and have no access to the email address you used, so sending a 24 hour login isn't useful here. In that case just fill in your email address on any project's login_form.php page, then on the line where it says Password fill in the authenticator and you can log in.

On Tue, Sep 1, 2020 at 2:18 AM voidxor notifications@github.com wrote:

I hope this gets addressed! I had some BOINC machines get compromised, and there is no way for me to prevent somebody from logging in with my authenticator. Note that Einstein@Home still has a specific page for this purpose at https://einsteinathome.org/user/login/auth.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/BOINC/boinc/issues/2371#issuecomment-684115533, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACS5WU7RYKRSNAXJ42Y2MQ3SDQ4UJANCNFSM4ERXU34Q .

[voidxor]

@Ageless93 I get the original idea behind it (and no, I didn't forget my passwords), but as others have pointed out, it's a blatant security hole once your authenticator is compromised.

Do I remember correctly that there used to be a "reset authenticator" or "change authenticator" link on the account-settings page of most projects' websites? Once my authenticator was compromised, I went looking for such a button thinking I'd seen one before. Regardless, there is currently no way to change your authenticator, making the security hole described in this issue all the greater.

[Ageless93]

Do I remember correctly that there used to be a "reset authenticator" or "change authenticator" link on the account-settings page of most projects' websites?

None that I know of. I think the authenticator changes when you change your email address (anyone corroborate?), as that's the unique identifier. The way to secure your account on your computer is to use the weak account key to add projects, that way when that key falls into the hands of someone nefarious, they cannot take over your account. But using the weak account key at a project you haven't registered at yet, requires you to make an account first at the project, something that's seemingly (only?) done via the client and GUI these days. So that's a catch 22.

Although you can then remove the project and add it again, but this time use the "Yes, I have an account already" option with the weak account key.

[voidxor]

I think the authenticator changes when you change your email address (anyone corroborate?)...

Unfortunately, no. I changed my email address across all of my BOINC projects and my authenticators didn't change. I suppose that's why @nicolas17 said it can't be changed in the quote pulled by @TheAspens above.

The way to secure your account on your computer is to use the weak account key to add projects

I found that tip only after my BOINC machines were compromised. It's not a very obvious thing to do otherwise. In fact, I think I've been using BOINC since before weak keys even existed.

But using the weak account key at a project you haven't registered at yet, requires you to make an account first at the project, something that's seemingly (only?) done via the client and GUI these days. So that's a catch 22.

There's another caveat, I believe: account managers. When installing BOINC, I simply elect to use an account manager, then sign in with my BAM username and password. That attaches all of my products, but apparently had done so by putting my authenticators in the XML files in clear text. Perhaps this has been corrected in a newer release of BOINC Manager (not to be confused with BOINC Account Manager). I'll find out when I revamp my machines this fall. If not, it defeats the purpose of using an account manager if I have to attach individual projects using weak keys.

[nicolas17]

As far as I can tell, nothing stops account managers from using weak authenticators. That's on them to implement.

[davidpanderson]

Science United uses weak authenticators.

[TheAspens]

Smaller parts of the solution to this issue have been identified in issues #4085, #4086 and #4087.

There is also more information available at https://boinc.berkeley.edu/trac/wiki/Reduce_usage_of_authenticator