- From: Chris Drake <christopher@pobox.com>
- Date: Thu, 8 Mar 2007 00:52:46 +1100
- To: public-usable-authentication@w3.org
Hi All,

I wish to propose a simple solution to the variety of authentication problems we're all attempting to solve. Here is how it works.

At enrollment, a user

A) chooses or gets assigned a username (e.g. their email address)
B) chooses or gets assigned one or more of
   1. A password
   2. A client certificate
   3. A hardware token
   4. A biometric identifier
   5. Etc...
C) chooses or gets assigned a photograph (for the sake of my example - let's assume they pick a photograph of a dog out from a selection of 16 random photos.)
D) selects some point on their chosen photograph to be their login "hot spot" (for example - the nose of the dog).

(Vision-impaired folks may instead choose song snippets and some particular point in their chosen song, rather than use visuals.)

Here is how a login would proceed:

E) User loads up the login page, which contains the following elements:
   1. a single disabled input box for their username
   2. a button, positioned as close as possible to the page URL
   3. an instruction, in or near the button, of the form: Click the button after you confirm that your login URL above reads "https://example.com/"
   4. another button, positioned as close as possible to the SSL padlock icon
   5. an instruction, in or near this button, of the form: Click the button to confirm that the SSL padlock is showing
   6. optionally - a "report problem" button
F) User clicks button E2, clicks button E4 (which enables the username box), and then enters their username (or accepts a cookie-populated username in the case of "cached" logins)
G) User authenticates to the server using their one-or-more authentication elements from step B
H) Server authenticates to the user by showing one or more photographs, including their assigned one (the dog).
I) User logs in by clicking on their "hot spot" (the dog's nose.)

Numerous problems are thus solved.

i) Users are physically blocked from being able to log in to spoof sites, because spoof sites cannot know the user's photo, thus the user can't find it to click on. Users also know immediately that something is wrong when they don't see their photo.
ii) Users can't be easily tricked into telling anyone their password, since it now consists of "difficult" things (pictures and places in them) that are not always easy to explain (excluding my simplistic dog example).
iii) Users cannot easily write down their password for other people to find.
iv) Passwords now consist of a 2-way authentication step including mouse clicks and visual elements, making automated theft by existing trojans difficult.
v) Man-in-the-middle (proxy) attacks are made very difficult, since the user is instructed to check the SSL status initially, and the server will be able to verify that logins are occurring from legitimate IP addresses.
vi) Dictionary attacks can be made difficult by giving no indication of incorrect password attempts, besides the decision to NOT show the user's photo on the next screen: users will understand the mistake immediately when they don't see their photo - hackers would not know what photo to look for - thus won't know when they've found the correct password.
vii) Most robots are unable to log in, which may improve security.
viii) About 30 more benefits exist - see the URL at the end of this message.

Layered security can be applied based on the value of the site being accessed - for sites willing to allow users to "remember" login data, they can opt to also "remember" the step (B) authentication data as well, making the re-authentication procedure for the user on subsequent visits extremely easy: they simply load up their login bookmark (which displays their photo based on their "remembered" login preference) - and click once on their photo hot-spot to log in.

So - to summarize - a fully authenticated login consists of the steps:

E) Enter username
G) Enter password
I) Click photo hot-spot

A re-authentication login consists of the step:

I) Click photo hot-spot

All the above is suitable for immediate deployment in existing web browsers - no additional plugins, software, security, or chrome is required.

In my limited testing, 100% of my subjects (including computer-phobics) understood and operated this system successfully with no training.

Here is the list of threats that I hope my proposal mostly solves:-
http://lists.osafoundation.org/pipermail/ietf-http-auth/2006-July/000342.html

--
Please pick apart my idea, suggest attacks, suggest improvements, examine the full list of threats, and otherwise comment on my proposal.

Kind Regards,
Chris Drake
Received on Wednesday, 7 March 2007 13:53:27 UTC
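The message above describes the flow in prose only. The following is an added server-side model of that flow (enrolment steps A-D, then steps G, H and I of the login), written as an illustration for this archive page; it is not the author's code and the list contains no implementation. The photo catalogue, the four-photo page size, the 12-pixel click tolerance, the PBKDF2 parameters and all identifiers are assumptions for the example. It models the behaviour the proposal asks for: a wrong password returns a page of the same size with no error text and without the user's photo (point vi), and the hot-spot click is only accepted when the password step already passed server-side.

```python
"""Model of the photo + hot-spot login flow described in the proposal.

Added example, not the author's implementation. Catalogue, page size,
click tolerance and hashing parameters are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Constructed catalogue: the proposal has the user pick from 16 random photos.
PHOTO_CATALOGUE = [f"photo-{i:02d}" for i in range(16)]
PHOTOS_PER_PAGE = 4       # assumed: how many photos step H shows at once
HOTSPOT_RADIUS_PX = 12    # assumed: how close a click must be to the hot spot
PBKDF2_ROUNDS = 100_000   # assumed work factor for the step-B password


@dataclass
class Enrolment:
    salt: bytes
    password_hash: bytes
    photo: str                  # step C: the user's chosen photo
    hotspot: tuple[int, int]    # step D: (x, y) of the hot spot on that photo


@dataclass
class Session:
    username: str
    password_ok: bool           # outcome of step G, kept server-side only
    shown: list[str]            # step H: the photos presented on this page


class AuthServer:
    def __init__(self) -> None:
        self.users: dict[str, Enrolment] = {}
        self.sessions: dict[str, Session] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    # Steps A-D: username, password, photo and hot spot are recorded.
    def enrol(self, username: str, password: str, photo: str, hotspot: tuple[int, int]) -> None:
        if photo not in PHOTO_CATALOGUE:
            raise ValueError("photo must come from the catalogue")
        salt = secrets.token_bytes(16)
        self.users[username] = Enrolment(salt, self._hash(password, salt), photo, hotspot)

    # Steps F-H: username and password come in, a page of photos goes out.
    # The response never says whether the password was right; the only
    # difference is whether the user's own photo is on the page (point vi).
    def submit_credentials(self, username: str, password: str) -> tuple[str, list[str]]:
        record = self.users.get(username)
        if record is None:
            self._hash(password, secrets.token_bytes(16))  # same cost for unknown users
            ok, pool = False, list(PHOTO_CATALOGUE)
        else:
            ok = hmac.compare_digest(self._hash(password, record.salt), record.password_hash)
            pool = [p for p in PHOTO_CATALOGUE if p != record.photo]
        rng = secrets.SystemRandom()
        if ok:
            shown = rng.sample(pool, PHOTOS_PER_PAGE - 1) + [record.photo]
        else:
            shown = rng.sample(pool, PHOTOS_PER_PAGE)  # decoys only, same page size
        rng.shuffle(shown)
        token = secrets.token_urlsafe(24)
        self.sessions[token] = Session(username, ok, shown)
        return token, shown

    # Step I: the click on the hot spot completes the login. The token is
    # single-use and the click is only checked if step G passed.
    def submit_click(self, token: str, photo: str, x: int, y: int) -> bool:
        session = self.sessions.pop(token, None)
        if session is None or not session.password_ok:
            return False
        record = self.users[session.username]
        if photo != record.photo or photo not in session.shown:
            return False
        hx, hy = record.hotspot
        return math.hypot(x - hx, y - hy) <= HOTSPOT_RADIUS_PX


if __name__ == "__main__":
    srv = AuthServer()
    srv.enrol("alice@example.com", "correct horse", "photo-07", (120, 80))  # constructed
    token, page = srv.submit_credentials("alice@example.com", "correct horse")
    print("page shown after step G:", page)
    print("click near the dog's nose accepted:", srv.submit_click(token, "photo-07", 125, 84))
```

Note that a spoof site that relays only the username and password cannot build step H, since it never learns which catalogue entry is the user's photo; that is the property point i) relies on, and this model keeps the photo and hot spot strictly on the genuine server.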