
Cloud Based "Phone Token" Option #496

Closed

cyberphone opened this issue Jun 16, 2017 · 2 comments

cyberphone commented Jun 16, 2017

Defensive Publication

The following was not developed for WebAuthn but may be usable anyway. Similar systems using QR code or phone numbers instead of NFC are in fairly big use in Europe, including millions of frequent users in Sweden alone. Payments are another major application, particularly in China.

Using Web NFC adds several qualities over the existing schemes:

  • No need to explicitly start an "App"
  • Anti-phishing support
  • Potentially providing automatic Bluetooth pairing

[Image: nfc-qr-repl]

Assumption: The Service, PC, and Phone are free from malware interfering with the devised scheme.

The security of this scheme is based on multiple factors:

  • Public key cryptography exposes no static secrets to attackers
  • One-time challenges limit attacks to the specific session
  • Session cookies, only known by the Service and the user's PC (Browser), render intercepted NFC or authentication objects useless outside of the user's PC
  • Intercepting and rewriting RF data on-the-fly appears to be quite difficult
  • The Web Security context provided by the NFC solution in conjunction with signing thwarts basic "phishing" attacks
  • The user must perform an action in order to authorize a login

The original (and possibly updated) document is available at: https://cyberphone.github.io/doc/research/nfc-based-qr-replacement.pdf

Although not evident from reading this issue, the idea is also to use a slightly modified scheme to enable local NFC based payments using high-level Web based protocols rather than card emulation, while still using the same "App". In such uses, Bluetooth pairing would be a nice feature since Wi-Fi or mobile network may not always be available.

For high-level payment schemes, WebSocket may be a better solution for steps 10 and 11.

"Web NFC" in this description is a special purpose write only scheme.
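As an added example (not code from the issue or from the linked document, and not a transcription of its actual message formats), the following Go program models how the factors in the list above combine: the Service keeps only enrolled public keys, issues a random one-time challenge bound to the browser's session cookie, and accepts a Phone signature once, only for that session, only before expiry, and only over the Service's own origin. The type and function names (Service, PhoneSign, SignedMessage), the "nfc-login" message layout, and the sample origins, user and cookie values are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Constructed model, not the issue's protocol: one-time, session-bound,
// origin-bound challenge-response with an enrolled public key per user.

var (
	ErrUnknownChallenge = errors.New("unknown challenge")
	ErrReplay           = errors.New("challenge already used")
	ErrExpired          = errors.New("challenge expired")
	ErrWrongSession     = errors.New("challenge was issued to another session")
	ErrUnknownUser      = errors.New("no enrolled key for user")
	ErrBadSignature     = errors.New("signature does not verify")
)

type challenge struct {
	session string    // session cookie the challenge was issued to
	expires time.Time // one-time challenges are also short-lived
	used    bool
}

// Service stores enrolled public keys (no static secrets) and live challenges.
type Service struct {
	Origin string
	TTL    time.Duration
	Now    func() time.Time // injectable clock so expiry can be exercised
	keys   map[string]ed25519.PublicKey
	chals  map[string]*challenge
}

func NewService(origin string, ttl time.Duration) *Service {
	return &Service{Origin: origin, TTL: ttl, Now: time.Now,
		keys: map[string]ed25519.PublicKey{}, chals: map[string]*challenge{}}
}

// Enroll records the Phone's public key for a user (done once, out of band).
func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// IssueChallenge creates a fresh random challenge tied to the caller's
// session cookie; the browser hands the id to the Phone over NFC.
func (s *Service) IssueChallenge(session string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	s.chals[id] = &challenge{session: session, expires: s.Now().Add(s.TTL)}
	return id, nil
}

// SignedMessage is the byte string the Phone signs (constructed layout). The
// origin comes from the Web security context, so a signature produced for a
// look-alike origin does not verify at the genuine Service.
func SignedMessage(origin, challengeID string) []byte {
	return []byte("nfc-login\n" + origin + "\n" + challengeID)
}

// PhoneSign models the user's authorizing action on the Phone. The session
// cookie is never sent to the Phone, so a captured signature alone is useless.
func PhoneSign(priv ed25519.PrivateKey, origin, challengeID string) []byte {
	return ed25519.Sign(priv, SignedMessage(origin, challengeID))
}

// Verify is called by the browser with its own cookie plus the Phone's signature.
func (s *Service) Verify(user, session, challengeID string, sig []byte) error {
	c, ok := s.chals[challengeID]
	if !ok {
		return ErrUnknownChallenge
	}
	if c.used {
		return ErrReplay
	}
	if s.Now().After(c.expires) {
		delete(s.chals, challengeID)
		return ErrExpired
	}
	if c.session != session {
		return ErrWrongSession
	}
	pub, ok := s.keys[user]
	if !ok {
		return ErrUnknownUser
	}
	if !ed25519.Verify(pub, SignedMessage(s.Origin, challengeID), sig) {
		return ErrBadSignature
	}
	c.used = true // consume the challenge before reporting success
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	svc := NewService("https://service.example", 2*time.Minute)
	svc.Enroll("alice", pub)
	id, _ := svc.IssueChallenge("cookie-for-alices-pc")
	sig := PhoneSign(priv, "https://service.example", id)
	fmt.Println("login:", svc.Verify("alice", "cookie-for-alices-pc", id, sig))
	fmt.Println("replay:", svc.Verify("alice", "cookie-for-alices-pc", id, sig))
}
```

The order of checks matters for the properties the list claims: replay and expiry are rejected before any key material is consulted, the cookie check makes an intercepted NFC object worthless from another PC, and the origin folded into the signed bytes is what turns the signature into an anti-phishing check rather than a bare proof of key possession.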


nadalin commented Jun 22, 2017

In FIDO we have looked at things like QR codes, call backs, etc. We found these interesting but not an option for the first release.

@nadalin nadalin added this to the L2-WD-00 milestone Jun 22, 2017
cyberphone (Author) commented

Apparently this use case is already dead since the PC vendors do not intend to include NFC support since there is [currently] no use case for NFC which BTW was one of the motives behind this design.
