handshakejs / handshakejs-script

Open source JavaScript API for authenticating your users without requiring a password.

A safer authentication overflow #5

Open henvic opened 10 years ago

henvic commented 10 years ago

I've just been at your talk on handshake, and the security risk of intercepting an email has made me think about a way to fix it.

Have you ever seen how Apple does it when you try to add a new device to your iCloud account?

It sends a "broadcast-like" message to all your other devices letting you verify the legitimacy of such addition.

What about a simple client which does the same over a secure protocol (that is, HTTPS)?

You could enter your email address on the web site (or whatever service / app it is you're trying to use), just like you do right now. But instead of receiving a code on your email / phone you'd open the app (maybe you receive a notification telling you to do so) and confirm you intend to authorize it. There you could also see a 4-digit code that should appear on the website just to make timing attacks (e.g., someone watching over your shoulder) more difficult (maybe this is overkill) by letting the user verify if the code matches with what he's seeing.

If you're paranoid you could even use PGP signed messages on both ends.

motdotla commented 10 years ago

Interesting, I like this idea.

Someone has even suggested Google Chrome notifications as an alternative too.

I do think it would be cool to start moving towards something like this - ideally though the developer could choose if they wanted this approach or email/sms approach.

henvic commented 10 years ago

Sure. I think a good approach would be to let the developer write an adapter for it. As long as it respects an API he could inject any adapter and things should work fine.

motdotla commented 10 years ago

I agree. What do you imagine that pattern looking like? Any places you've seen a nice JavaScript based adapter pattern?

cc/ @jacoblwe20 - he might have some insight or thoughts of libraries in his mind

henvic commented 10 years ago

I haven't seen such a thing with JavaScript, but the idea is to use dependency injection to do so.

For example:

var homingPigeonAdapter = require('handshake-adapter-homing-pigeon')({
    storage: 'wood',
    timeout: 0
});

handshakejs.addAdapter('email');
handshakejs.addAdapter(homingPigeonAdapter);

This code would add a built-in email adapter and an external homing pigeon adapter that is expected to be API-compatible.

Given that JS doesn't have anything like interfaces I think the best way would be to build a simple adapter which could serve as an example / boilerplate for anyone building a new adapter.

henvic commented 10 years ago

The authentication flow might look something like this:

  1. user gives adapter / id (i.e., if he types his email the adapter is 'email' and the id is the email itself)
  2. an adapter method is invoked with the called id to generate an authentication request
  3. the application might verify if the authentication was a success by invoking a verification method on the adapter. The verification method receives a JS object (such as {code: 0001}) which it can use to verify the authentication request. A success / failure event might be fired. If the authentication fails, an unauthorized request exception is thrown.

The adapter is responsible for storing the authorization-in-progress requests, removing old requests (garbage collector), and any other data associated with it.

| method | notes |
| --- | --- |
| requestAuthentication(id) | |
| verify(id, data) | fires a success / failure event |
| gc() | optional garbage collector, the requestAuthentication method might share part of the logic to avoid letting in expired requests. It's expected to be invoked from within the adapter itself, if it's necessary. |

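
An in-memory adapter following the requestAuthentication / verify / gc contract described in the comment above, as an added example that is not part of the original thread or the handshakejs code base. `createMemoryAdapter`, its options, `on`, and `UnauthorizedError` are hypothetical names; codes are kept as strings so leading zeros survive (a numeric literal like `0001` evaluates to 1).

```javascript
// Added example: hypothetical in-memory adapter, not handshakejs code.
const crypto = require('crypto');
const { EventEmitter } = require('events');

class UnauthorizedError extends Error {}

function createMemoryAdapter({ ttlMs = 300000, maxAttempts = 3, now = Date.now } = {}) {
  const pending = new Map(); // id -> { digest, expires, attempts }
  const events = new EventEmitter();
  // Hashing gives fixed-length buffers, which timingSafeEqual requires.
  const digest = (code) => crypto.createHash('sha256').update(String(code)).digest();

  // Remove authorization-in-progress requests whose lifetime has elapsed.
  function gc() {
    for (const [id, req] of pending) if (req.expires <= now()) pending.delete(id);
  }

  function requestAuthentication(id) {
    gc(); // shared logic: never leave expired requests around
    const code = String(crypto.randomInt(0, 10000)).padStart(4, '0'); // CSPRNG, 4 digits
    pending.set(id, { digest: digest(code), expires: now() + ttlMs, attempts: 0 });
    return code; // a real adapter delivers this out of band instead of returning it
  }

  function verify(id, data) {
    gc();
    const req = pending.get(id);
    const supplied = digest(data && data.code);
    if (req && crypto.timingSafeEqual(req.digest, supplied)) {
      pending.delete(id); // single use: a replayed code fails
      events.emit('success', id);
      return true;
    }
    // Cap guesses: a 4-digit code has only 10,000 possible values.
    if (req && ++req.attempts >= maxAttempts) pending.delete(id);
    events.emit('failure', id);
    throw new UnauthorizedError('unauthorized request');
  }

  return { requestAuthentication, verify, gc, on: events.on.bind(events) };
}
```
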
motdotla commented 10 years ago

Yep, this is something I'd like to see as well. Format-wise imagining just using data-attributes on the html though. It's much easier for programmers and moves towards eventual shadow-dom type stuff and widgets.

henvic commented 10 years ago

Take a look at WebComponents.org, this website is a project started by some of my co-workers and I think we could use something really fancy like a web component to offer a hassle-free way to add authentication to a page. There are some limitations to it (and I'm not entirely sure about what they are), but I think this might work and, if so, should attract attention for this project for sure.

motdotla commented 10 years ago

Exactly!

This is actually the exact site I had in mind. My friend Crystal introduced it to me. She knows Zeno. I actually tried to meet up with him while in Brazil but he was away. I think he lives in SF now.

Is it Zeno you know?

henvic commented 10 years ago

Yeap, it's @zenorocha. He was there in SF past week, but we work together here in Recife, BR.

henvic commented 10 years ago

@scottmotte, have you seen https://passwordless.net/?

motdotla commented 10 years ago

I have. I haven't tried it yet, but it looks awesome. Stoked to see others building tools to do something very similar. (I think handshake is a little different in that it ultimately will support most any language)