Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017
•
0 likes•461 views
When we were developing our SoundCloud app for Xbox One, something became very obvious during usability testing: signing in with a game controller really sucks. Entering text requires navigating a virtual keyboard to individual letters, numbers, and characters one at a time – such a nightmare! Other connected devices are even more extreme, with no way to enter text at all. Learn how to implement what we call “remote device sign-in”, a way for people to sign in to devices with limited input capability that is secure, simple, and fast.
Report
Share
Tiffany Conroy - Remote device sign-in – Authenticating without a keyboard - Codemotion Milan 2017
- 2. Remote sign-in A method for signing in to a device that doesn’t have a keyboard
- 4. Remote sign-in A method for signing in to a device that doesn’t have a keyboard
- 6. Signing in with a game controller is not fun
- 8. Secure and simple and fast
- 9. The solution, in brief
- 14. How it works
- 23. Voilà! Having an access token = signed in
- 24. Inspiration: YouTube on TVs and Google Sign-in for TVs and Devices
- 26. Using an authenticated session on Device B
- 27. Using an authenticated session on Device B i.e. take advantage of the person already being signed in on their phone or laptop
- 28. Sign in without signing in
- 29. Sign in without signing in (because you were already signed in)
- 33. https://soundcloud.com /activate_oauth2_callback ?display=mobile-web-view #access_token=ACCESS_TOKEN
- 34. https://soundcloud.com /activate_oauth2_callback ?display=mobile-web-view #access_token=ACCESS_TOKEN
- 35. https://soundcloud.com /activate_oauth2_callback ?display=mobile-web-view #access_token=ACCESS_TOKEN
- 37. Choosing codes that are easy to read and type
- 38. Things to consider when choosing codes: Sparse usage
- 39. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . .
- 40. 1 number = 10 codes 0 1 2 3 4 5 6 7 8 9
- 41. 2 letters = 26 * 26 = 676 codes AA AB AC AD AE AF AG AH AI AJ . . . BA BB BC BD BE BF BG BH BI BJ . . . CA CB CC CD CE CF CG CH CI CJ . . . DA DB DC DD DE DF DG DH DI DJ . . . EA EB EC ED EE EF EG EH EI EJ . . . FA FB FC FD FE FF FG FH FI FJ . . . GA GB GC GD GE GF GG GH GI GJ . . . HA HB HC HD HE HF HG HH HI HJ . . . IA IB IC ID IE IF IG IH II IJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ZZ
- 42. 6 numbers = 1 000 000 codes 4 letters = 26 * 26 * 26 * 26 = 456 976 codes
- 44. Avoid: letter O, number 0, letter I, number 1
- 45. 6 numbers or letters = 32 * 32 * 32 * 32 * 32 * 32 = 1 073 741 824 codes
- 46. Things to consider when choosing codes: Don’t use special characters !?&%$
- 47. Things to consider when choosing codes: Use UPPERCASE for readability (but verify with case insensitivity)
- 49. Risk: Accidentally granting Device A access to the wrong user
- 50. Someone is signed in … but who?
- 51. Mitigating the risk of: Accidentally granting Device A access to the wrong user
- 52. a) Show which user is authenticated, and allow to switch
- 53. a) Show which user is authenticated, and allow to switch b) Display a selection of users, and allow them to choose
- 54. Risk: Accidentally granting access to someone else’s device
- 55. Device AN shows Nina X X N Device AM shows Michael X X M
- 56. Nina accidentally types X X M
- 57. Michael’s Device AM will get authenticated as Nina
- 58. Mitigating the risk of: Accidentally granting access to someone else’s device
- 59. Sparse usage of codes!
- 60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ❌ X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . X . . . . . . . . .
- 61. Collect device name to show during activation
- 63. Risk: An attacker using up all possible codes so no one can sign in
- 64. X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X
- 65. Mitigating the risk of: An attacker using up all possible codes so no one can sign in
- 66. Rate limit ability to request codes
- 67. Expire codes
- 68. Expire codes … but don’t reuse too soon
- 69. Risk: An attacker guessing codes and using them to get access tokens
- 72. Aside: why do attackers want to access random accounts?
- 73. Mitigating the risk of: An attacker guessing codes and using them to get access tokens
- 74. Very, VERY, sparse code usage?
- 75. Rate limit for polling?
- 76. Polling tokens
- 78. Issue the polling token to Device A when issuing the easy-to-read code
- 79. Require the polling token when: a) checking the status of the code
- 80. Require the polling token when: a) checking the status of the code b) exchanging the code for an access token
- 82. Risk: An attacker tricking people into giving away access to their account
- 86. Mitigating the risk of: An attacker tricking people into giving away access to their account
- 87. Use text and design elements that make it clear
- 91. Closing thoughts
- 92. Using a game controller to enter a password is not fun
- 93. Designing and implementing a new kind of authentication flow is fun
- 94. Involve your security experts early
- 96. Thanks :)
- 97. Questions? Tiffany Conroy ~ @theophani developers.soundcloud.com/blog/remote-device-sign-in