Shoulder surfing prevention

[Timendus]

This is a feature that needs to be built together with the mobile dev team.

Currently it is possible to shoulder-surf issuance flows and claim attributes that are not your own.

• One way to protect users against this attack is by adding a pin code to the issuance flow that needs to be entered in the browser. This would however add yet another obstacle to the flow.
• Another way would be to ask the user to confirm that the phone has established a connection to the IRMA server before sending over the attributes. This could be accomplished with a simple yes/no or by choosing a colour or a pictogram ("Do you see this image on your smartphone?").

[ivard]

We also discussed this and to us showing a verification code on the phone that has to be checked in the browser. In this way we can for now only show the code and let the user compare and if turns out this is not strong enough we can easily convert the showing of the code to entering the code.

This feature asks some changes from irma_mobile to since the app must generate and show the code. Dependent on how fast the development of the new IRMA app goes, we might want to wait with this until this is clear. Otherwise we have to implement it twice.

Of course we can already prepare irmajs on a code being introduced in the app without actually using it for now.

[Timendus]

I don't think adding this feature in the javascript would be rocket science. Add one or two states to the state machine, make sure the front-ends can render those new states, make sure the back-ends can fetch / verify the code. And bam, done.

Do you suggest just showing a code that you can manually compare so that you can know if someone "stole" your attributes? I'd think that just knowing isn't good enough, I would want to prevent someone from "stealing" your attributes by scanning your QR code. So the IRMA server should only issue the attributes to the user after validating that the phone and the browser belong to the same user..?

[ivard]

No indeed just notifying a user's session is stolen is not good enough. What I meant is that the code is displayed in irmajs with a button below "Confim that code shown in IRMA app is the same" or something more catchy. It is therefore an active action the user has to do before the session continues.

Only one IRMA session can be active, so it is not possible that multiple users scan the same QR code. Therefore, when a session is hijacked, the website will ask the user to compare a code while the user does not see any code. Therefore the fact that the user doesn't see a code already tells us enough. It does not really matter anymore then what the actual value of that code was.

[Timendus]

Ah, I get the point. But why show any code at all then? ;)

Why not just:

• User scans QR code
• Browser moves to state that displays: "Are you sure you want to issue these attributes to your [phone model]? Yes / No"
• User clicks yes -> attributes issued
• User clicks no -> Nothing is issued

[Timendus]

Conclusions from our discussion on Slack:

1. Users should not be able to just click "yes, yes, yes" without reading and get themselves in trouble. So that goes against my proposal, as well as the code comparison proposal.
2. So the user needs to confirm something they can only know because the app told them.
   • Like typing over a short code
   • Or maybe answering a multiple choice question, with an option "I don't know" so they don't start guessing