BeamAuth : Two-Factor Web Authentication with a Bookmark 14 th ACM Conference on Computer and Communications Security Ben Adida Presenter : SJ Park
Table of Contents Introduction Goals BeamAuth Basic BeamAuth Protocol Example Attacks Summary 2
Web Authentication Security Passive Sniffing Attack caused by insecure wi-fi AP, unswitched local wired networks, or corporate proxies Social Engineering Technique based on specific attribute of human decision-making Example : Phishing, Pharming Desktop compromise Desktop PC compromised with malware Zero guarantee of any security Introduction 1/2 3
Fragment Identifier Purpose Used to designate a portion of a page Web browsers scroll to the appropriate location. Example Characteristics Web browsers never send it over the network. Page is not reloaded during navigation between fragment identifiers. Introduction 2/2 4
Goals Safely remaining credentials against many type of phishing attack (Social Engineering) Only requiring server-side deployment Building better security in the application layer 5
URL Fragment Identifier The resolution of a fragment identifier Example : Procedure Connecting to host hostname on port 80 Requesting /rest/of/url and rendering the HTML page Scrolling the viewport to the position indicated by fragment_id if it exists Fragment ID is never sent over the network. Navigation Navigation between fragments within the same URL does not cause a page reload. BeamAuth Basic 1/2 6
JavaScript Features Variable and method for fragments JavaScript variable for the fragment identifier Window.location.hash Updating the URL Window.location.replace() Source Code var hash = document.location.hash; if( hash != ‘’ ) { // parse the hash, get username and token parse_beamauth_hash( hash ); // clear the hash from the URL document.location.replace( ‘/login’ ); } BeamAuth Basic 2/2 7
General Idea BeamAuth Protocol 1/4 8
Setup Phase Registering ID and password Authenticating a user by using a second channel authentication mechanism like an mail-back Clicking on this verification URL in Example Web page which user reaches provides her with a link. Adding the link as a bookmark bookmark_link.href = ‘ + window.location.hash; BeamAuth Protocol 2/4 9
Re-Initialization When is Re-Initialization required? Deleting user’s BeamAuth bookmark by mistake Using several web browsers Using multiple computers Solutions Instructing a user to keep the signup Using bookmark synchronization tools BeamAuth Protocol 3/4 10
Mechanism How to hide a token from users A BeamAuth login page contains JavaScript. This script regularly polls the value of fragment ID. After reading it, the poller updates the URL by calling replace(). How to use a token for authentication HMAC the password with the secret token. Login page securely submits this resulting credential to the server. BeamAuth Protocol 4/4 11
Registration Example 1/7 12
Second Channel Authentication Example 2/7 13
Setting Up a Bookmark Example 3/7 14
Adding a Bookmark Example 4/7 15
BeamAuth Authentication Example 5/7 16
Inputting a Password Example 6/7 17
Authentication Completion Example 7/7 18
Attacks (1/2) Phishing with a deceitful URL In case of unsophisticated phishing attack Password is compromised, and token is safe. Overriding page unload User can no longer login, but token is safe. Malicious bookmark replacement Using a spoofed Token and password are safe. Explicit bookmark theft Token is compromised, and password can be compromised via phishing. 19
Attacks (2/2) Attacking the account Token is compromised, and password can be compromised via phishing. Using the victim’s computer Token is compromised, and password can be compromised via phishing. Pharming inattentive users Sending down malicious code that reads fragment ID All compromised Malware and client compromise All compromised 20
Summary The BeamAuth uses Bookmark as the second authentication factor. Token delivered via a separate channel. ( ) Fragment identifier to store token. 21