"474 Password Not Found" by Giuseppe Galli, Saverio Caminiti
Beyond the password era: the password-less internet is now a reality. Use your smartphone to log in with a T-OTP generated on the spot. Design and build your app and web site around a password-less solution, and enforce strong authentication to confirm the user's identity in your application code. Put security aspects into the application logic of your app instead of delegating them exclusively to the server. Users of your mobile apps can log in without typing any data, getting a more secure and user-friendly experience. Take part in drafting the password-less internet Manifesto!
1. 474 Password Not Found
Giuseppe Galli g.galli@k-tech.it
Saverio Caminiti s.caminiti@k-tech.it
ROME 18-19 MARCH 2016
2. Giuseppe Galli
Mr. Giuseppe Galli, Master in Electronic Engineering
g.galli@k-tech.it
• Partner and CTO in K-Tech s.r.l.
• Experienced in JEE Architecture
• Expert in Web, mobile and SOA solutions
• Several years spent working as APM Specialist
• Class Instructor
3. Saverio Caminiti
Saverio Caminiti, Ph.D.
s.caminiti@k-tech.it
• Analyst and Senior Dev at K-Tech s.r.l.
• Formerly:
• Researcher at: Sapienza University of Rome,
Italian National Research Council, University of
Central Florida, Eötvös Loránd University.
• Cofounder of a company for Augmented Reality
mobile apps.
4. K-Tech s.r.l.
• Consultancy firm based in Rome
• Founded in 1996 by enthusiast developers
• Java Italian Portal (JIP) maintainer
• Web, Mobile, SOA applications development
5. What this talk is about
• Advocate that passwords are obsolete
• Technologies are ready to let us move forward
• Show that humans can live (even better) without passwords
6. What this talk is NOT about
• Teach you how to design/code your application
• Advertise/sell a software we made
• Blame those that still implement authentication systems based on passwords
7. Purpose of this Talk
• Open a discussion about a future without
passwords
• Raise awareness on this topic among
developers
• Receive feedback and opinions from this community
10. Password: old concept, new use
• In the past only a few people were using passwords (and in a very limited way)
• Nowadays everybody is required to deal with tens of passwords
STOP!
Pass phrase, please
13. Humans vs passwords
• Humans don't play well with passwords
• they use easy passwords
• they reuse the same password everywhere
…and no, a birthdate is not a password at all!
Data from: xato.net
14. Human-Computer Interaction point of view
• HCI basically tells us that:
• computers must adapt to humans
• humans should be able to do things in a way that is as natural as possible
18. User side
• "Computer Aided Password Management"
• Users may mitigate the problem with software that helps them deal with this computer-induced need
• Although helpful, this software does not solve the underlying problem
…
So we need computers' help to do something that computers force us to do!?
Sounds weird!
19. System side
• OAuth 2.0
• Login with Google, Facebook, Twitter, etc.
• Biometrics
• Fingerprint, face, voice, iris,
movement recognition, etc.
• 2FA (two-factor authentication)
• SMS, physical token, etc.
21. Reasons to abandon passwords
• Usability
• Humans don’t need to deal with passwords
• and they don't want to
• Security
• Humans tend to choose poor passwords
• Passwords can be stolen without any physical interaction
• Data collected once and used later (phishing)
22. Guidelines proposal
• Avoid username/password
• Use your own smartphone as a physical access key
• Generate a T-OTP on request
• Authenticate a browser/app session
• Secure app-to-server communication
12345678
25. Main features
1.Easy to use (no typing of any user data) 😀🔐
2.Out of Band: T-OTP exchange 🔐
3.Requires a device pre-registered by: 🔐
A. direct request (workflow to approve) 💰
B. invitation
4.No password storage (in the whole system) 🔐
5.User secret is used to build T-OTP only 🔐
6.Multi-user/multi-account/multi-device 😀
7.Activity history and logout for active sessions 😀
8.Can use a “friend device” 😀
26. Technicalities
• T-OTP: Time-based One-Time Password, RFC 6238
• Mobile and Auth Server clocks are synchronised via NTP
• (the verifier should still accept a small window of adjacent time steps, as RFC 6238 recommends, because phone clocks drift between syncs)
• I18n: Internationalisation
• HTOTP(s): an extension of the HTTP/HTTPS (TLS) protocols
• Response status codes:
• Uses the range 470-474, which the HTTP RFCs leave unassigned
• (a client that does not know these codes must treat them as the generic 400 of their class, per RFC 7231, so only clients written for HTOTP(s) can act on them)
• 404 Not Found
• 474 Password Not Found
27. htotp(s) Protocol
import logging

from django.http import JsonResponse

# Helpers the slide uses but does not show; assumed to live in the same
# package: the backends (access/OTP/device checks), the exception classes,
# the app clock (apps.utc_now) and the error-page/timestamp helpers.
from . import apps, backends, exceptions
from .helpers import _error_page, format_utc_datetime

logger = logging.getLogger(__name__)


def authorize(request):
    """
    :param request: the HTTP request
    :return: a response with status codes:
    400: request in a session with an invalid session key
    404: request in a session without session key (or expired)
    470: otp check failed (doesn't match)
    471: missing otp related parameters
    472: session already authorized
    474: device id not found (or expired or wrong username)
    500: the user cannot be authorized locally (unable to log in)
    """
    # The slide does not show how domain, site and the pending session are
    # taken from the request (that is where the 400/404/472 and 500 branches
    # live); a hypothetical helper stands in for that step here.
    domain, site, session_id, session_key = backends.resolve_session(request)

    # Is this site entitled to authorize sessions on this domain?
    if not backends.check_user_access(domain=domain, site=site):
        logger.debug("authorize - unable to grant site '%s' on the domain '%s'", site, domain)
        return _error_page(request, message="authorize request with wrong 'domain': %s" % domain)
    try:
        # Check the T-OTP the pre-registered device sent out of band.
        user, server_ts, sso_session_id = backends.check_otp(domain=domain, site=site, request=request)
        if not user:
            logger.debug("authorize - otp doesn't match (response status 470)")
            response = JsonResponse({"message": "otp is not valid"}, status=470)
            # Return the server clock so the device can notice drift.
            response['otp-server-ts'] = format_utc_datetime(apps.utc_now())
            return response
        logger.debug("authorize - got a valid otp: authorize the session '%s' (wg_key: '%d', sso: '%s') for '%s'",
                     session_id, session_key.pk, sso_session_id, user)
        # Bind the pending browser/app session to the authenticated user.
        session_key.authorize(user, sso_session_id=sso_session_id)
        message = 'ok'
        status = 200
    except exceptions.UnknowRequestException as e:
        logger.debug('authorize - request with unknown parameters: redirecting to error page: %s', e)
        return _error_page(request, message='authorize request with unknown parameters: redirecting to error page')
    except exceptions.BadRequestException as e:
        logger.debug('authorize - request without valid otp related data (response status 471)')
        return JsonResponse({"message": "request without valid otp related data", "error": "%s" % e}, status=471)
    except exceptions.DeviceNotFoundException as e:
        logger.debug('authorize - device id not found or expired or wrong user data (response status 474)')
        return JsonResponse({"message": "device id not found", "error": "%s" % e}, status=474)
    return JsonResponse({"message": message}, status=status)
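An added, runnable model of the exchange described on slides 25-27, written for this page and not the speakers' code: the phone computes an RFC 6238 T-OTP from a secret fixed at device registration, and an in-memory auth server checks it with a one-step clock-drift window, answers with the status codes listed in the docstring above, and refuses to accept the same code a second time. Everything in it is an assumption for illustration: the class and function names, the session TTL, the 8-digit length (taken from the "12345678" shown on slide 22), and the RFC 6238 test-vector secret used as constructed sample data. The 400 and 500 branches, which depend on the real server's session store, are not modelled.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30           # RFC 6238 time step, in seconds
DIGITS = 8          # the slides show an 8-digit code
WINDOW = 1          # accept +/- one step of clock drift (RFC 6238, section 6)
SESSION_TTL = 300   # seconds a pending browser/app session stays authorizable (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int, window: int = WINDOW):
    """Return the time-step counter that produced `code`, or None.

    Tries the current step and `window` steps on either side, so a phone whose
    NTP sync is slightly off is still accepted; the comparison is constant-time.
    """
    counter = at // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


class AuthServer:
    """Minimal in-memory stand-in for the auth server; no password is stored anywhere."""

    def __init__(self):
        self.devices = {}   # device_id -> {"user", "secret", "last_counter"}
        self.sessions = {}  # session_id -> {"created", "user"}

    def register_device(self, username, secret=None):
        """Feature 3: pre-register a device; its secret is only ever used to build the T-OTP."""
        device_id = secrets.token_hex(8)
        secret = secret or secrets.token_bytes(20)
        self.devices[device_id] = {"user": username, "secret": secret, "last_counter": -1}
        return device_id, secret

    def open_session(self, now):
        """The browser/app asks for a session to be authorized (e.g. shown to the phone as a QR code)."""
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"created": now, "user": None}
        return session_id

    def authorize(self, session_id, username, device_id, otp, now):
        """The phone's out-of-band request. Returns (status, body) using the codes from slide 27."""
        session = self.sessions.get(session_id)
        if session is None or now - session["created"] > SESSION_TTL:
            return 404, {"message": "session not found or expired"}
        if not (username and device_id and otp):
            return 471, {"message": "request without valid otp related data"}
        if session["user"] is not None:
            return 472, {"message": "session already authorized"}
        device = self.devices.get(device_id)
        if device is None or device["user"] != username:
            return 474, {"message": "device id not found"}
        matched = verify_totp(device["secret"], otp, now)
        # A code accepted once must not be accepted again (RFC 6238, section 5.2), or a
        # captured code could authorize a second session while still inside the window.
        if matched is None or matched <= device["last_counter"]:
            return 470, {"message": "otp is not valid", "otp-server-ts": now}
        device["last_counter"] = matched
        session["user"] = username
        return 200, {"message": "ok", "user": username}


def demo_flow(now=1234567890):
    """Walk the exchange once; returns the status codes seen, in order."""
    server = AuthServer()
    # Constructed sample data: the RFC 6238 test-vector secret stands in for a registered device.
    device_id, secret = server.register_device("alice", b"12345678901234567890")
    code = totp(secret, now)      # computed on the phone, never typed by the user
    sid = server.open_session(now)
    return [
        server.authorize(sid, "alice", device_id, "00000000", now)[0],               # wrong code -> 470
        server.authorize(sid, "alice", "unknown-device", code, now)[0],              # unknown device -> 474
        server.authorize(sid, "alice", device_id, "", now)[0],                       # otp missing -> 471
        server.authorize("no-such-session", "alice", device_id, code, now)[0],       # bad session -> 404
        server.authorize(sid, "alice", device_id, code, now)[0],                     # success -> 200
        server.authorize(sid, "alice", device_id, code, now)[0],                     # same session again -> 472
        server.authorize(server.open_session(now), "alice", device_id, code, now)[0],  # replayed code -> 470
    ]


if __name__ == "__main__":
    print(demo_flow())
```

The 470 reply carries the server's timestamp, as the view above does with its `otp-server-ts` header, so a device that keeps failing can tell whether its clock has drifted past the window rather than its secret being wrong. The `last_counter` check is the one piece the slide's docstring does not mention: 472 only protects the session that was already authorized, while the replay guard protects every other session opened during the same time step.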
29. Skepticism
• Main changes in widespread behaviours may be difficult to envision
• Let's start this shift, the sooner the better
30. Status quo
• Technologies are broadly available and mature
• Users access Internet services increasingly more from mobile devices
• User awareness is still too low
• Little or no innovation in software systems development
31. Future developments
• Progressive adoption of password-less solutions
• Authentication (login, strong auth)
• Authorization (roles, confirmation of transactional actions)
• Digital signature
• Anonymization (privacy)
• Standardization
• User Experience
• Protocols
• API for libraries and services
34. ROME 18-19 MARCH 2016
Thanks!
Giuseppe Galli g.galli@k-tech.it
Saverio Caminiti s.caminiti@k-tech.it
All pictures belong to their respective authors