Tuesday, May 14, 2013

Two Factor Authentication? Try OAuth!

UPD: No wonder; I missed the fact that the OAuth providers themselves rely on static passwords, so this cannot be a legitimate second factor. It only makes the first factor harder to exploit. Thanks for the feedback, people from reddit!

Disclaimer: I'm a noob in Two Factor Authentication (TFA). I got an idea today that I want to share and get feedback on; your comments are totally welcome.

I don't have a mobile phone. Not only because Russian mobile providers are cheaters (likely the same in your country) but also for many other reasons: traveling (my MasterCard was blocked once in Sofia and I needed an SMS approval code, which I couldn't receive; my mobile was "outside the coverage area" the whole time), no daily usage (I never needed to call someone ASAP in real life; maybe I am such a nerd), VoIP FTW, etc. Who cares, this is not my point.

The thing is, all physical items (mobile phones, YubiKeys, token generators, eye biometrics, fingerprints) are cloneable / stealable, or just not reliable enough (face/gesture/speech recognition).

Again, as I said in the disclaimer, I don't know whether scientists have already created a universal, reliable physical object for TFA; I just read the wiki article a bit and it seems they have not.

Why must the second-factor provider be a real object in our digital century? Is it really any better/safer (and clearly less convenient) than yet another password or a bunch of cookies our browsers store? I doubt it.

In browser we trust.

OAuth is not supposed to authenticate you, no surprise here. However, an OAuth (or OpenID) provider can be a trusted third party which approves the action you are about to commit.

Trusted 3rd Party Website
  1. Every normal Internet user has, or can immediately register, a Facebook/Twitter/PayPal/Google account with no "physical" hassle attached.
  2. Attack surface is added; attack complexity increases dramatically.
    example.com surface + Twitter surface + Facebook surface = the attacker needs an XSS or similar bug in two major social networks plus your example.com password to log in to your example.com account.
    Not enough? Add PayPal Connect. Add a force-login option so the attacker will need all of your passwords.

    The more people say John is a reliable person I can trust, the more I believe he really is. And I don't need to look at John's tattoo (a poor analogy for biometrics), which he hates to show!
  3. Hassle-free. Just stay logged in to FB/Twitter all the time, and a couple of quick OAuth redirects in iframes (no interaction required at all) will confirm that your current FB account is the one attached to your example.com account, and that your current Twitter user equals the one attached to example.com.
    It can be simplified and made more secure because you only need the /me endpoint data; the actual access_token will not be used.

I'm leaving the post short on purpose and waiting for your ideas; perhaps I missed something huge. Thanks!
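To make the login check described in the list concrete, here is an added example (my own illustration, not code from the original post): a small server-side model of example.com's login where the password is the first factor and every linked OAuth provider must vouch with the same /me identity that was recorded when the account was linked. The access token is never stored, only the provider's user id. The class and function names (ExampleLogin, ProviderClaim, link_provider, authenticate) and the provider ids are assumptions constructed for the example.

```python
"""
Added example (not from the original post): server-side model of the
"OAuth redirects as a pseudo second factor" login described above.

Flow modelled:
  1. The user submits username + password to example.com.
  2. example.com silently runs one OAuth redirect per linked provider and
     keeps only the provider's /me identity (provider user id); the
     access_token is discarded.
  3. Login succeeds only if the password verifies AND every linked
     provider's /me id matches the id stored at link time. A missing
     or mismatching provider identity rejects the login.

All names (ExampleLogin, ProviderClaim, ...) are hypothetical and the
provider ids used in the demo are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # provider name -> provider user id captured during the linking OAuth dance
    linked: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class ProviderClaim:
    """What example.com learns from one provider's /me endpoint."""
    provider: str
    provider_uid: str


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ExampleLogin:
    """In-memory stand-in for example.com's account store and login handler."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, _hash_password(password, salt))

    def link_provider(self, username: str, claim: ProviderClaim) -> None:
        """Bind the /me identity seen while the user linked this provider."""
        self._accounts[username].linked[claim.provider] = claim.provider_uid

    def authenticate(self, username: str, password: str,
                     claims: list[ProviderClaim]) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            return False
        # Factor 1: the example.com password (constant-time comparison).
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            return False
        # "Pseudo second factor": every linked provider must vouch for the
        # same identity it vouched for at link time. Extra claims for
        # providers the account never linked are ignored.
        seen = {c.provider: c.provider_uid for c in claims}
        for provider, expected_uid in acct.linked.items():
            if not hmac.compare_digest(seen.get(provider, ""), expected_uid):
                return False
        return True


if __name__ == "__main__":
    svc = ExampleLogin()
    svc.register("alice", "correct horse")
    svc.link_provider("alice", ProviderClaim("facebook", "fb-1001"))  # constructed id
    svc.link_provider("alice", ProviderClaim("twitter", "tw-42"))     # constructed id
    good = [ProviderClaim("facebook", "fb-1001"), ProviderClaim("twitter", "tw-42")]
    print("password + both providers:", svc.authenticate("alice", "correct horse", good))
    print("password only, no providers:", svc.authenticate("alice", "correct horse", []))
```

Note what this does and does not buy: an attacker holding only the example.com password is stopped at the provider check, but anyone who can present the right /me identities (for instance by controlling the provider sessions) passes, which is the point made in the UPD about this not being a real second factor.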


  1. The biggest hardware token advantage is that you have to steal it, thus you need to be close to a potential victim.

    Whereas with OAuth-based TFA a potential victim just needs to lose their password (which, in case you have already stolen one, may simply be identical).

    Not arguing it's a nice idea, but a lot of people use the same passwords everywhere.

    1. If something is hard to steal then it's hard to use.

  2. Not really sure this is what you mean, but you're assuming that the user has *different* passwords for example.com and any third-party service, right? In a lot of cases, that's not true and thus the attacker would only need to trick you out of 1 password.

    Again, not sure that's what you meant. :)

    1. This is true, but it's a more high-level problem. People should use different passwords, at least on major social resources. Also, if there is an XSS in example.com (the password is not stolen) you will still need somehow to press "Approve" on the FB/Twitter pages.

    2. That is true and I generally agree with you. It's a good thing someone is looking "out of the box" for issues like this.

  3. Sorry, didn't read the previous comment which basically said the exact same thing.

  4. The way I see it the advantages and disadvantages are:
    1) Somewhat adds a second authentication factor without the hassle of traditional two factor authentication.
    2) Allows (and even requires) the third party verifiers (Facebook, Twitter, etc.) to know where you're going and whom you're talking with.
    3) As mentioned already, this increases the attack surface from someone who can steal my physical token to anyone who can break into all my accounts. I'm willing to discard people who don't use separate passwords. However, most people have a common email address that they use for the password reset features of the various third party verifiers. Thus an attacker doesn't really have to break into all the third party verifiers, just the email address that links them all. So, we're down to just two passwords: the one for example.com and the one for the email address that the third party verifiers use for password resets.

    1. I realize this cannot be called TFA; it will remain one factor just used multiple times. Indeed, cookies and passwords are rather compromised all at once together.