Discussion:
[whispersystems] TextSecure + Two-Factor Authentication
Scott Arciszewski
2014-12-21 20:58:33 UTC
Hi Everybody!

Is anyone working on an SMS Two-Factor Authentication system that plays well
with TextSecure? I'd like my one-time codes from, e.g. Amazon, Google, etc.
to all come encrypted from their gateway if possible.

I'm in no sense of the word rich but I can help kick *some* $ towards a
bounty for this being developed if anyone has the time and technical skills
to make it happen. (Maybe a crowdfunding platform will be useful here?)

Thanks for listening,
Scott
#359
2014-12-21 21:20:02 UTC
hej scott!

how do you think this should work? if you want to receive TextSecure
encrypted SMS messages from Google or Amazon, they would have to
TextSecure encrypt it first and i doubt anyone could "convince" Google
or Amazon to do that. also, encrypted SMSes are, if i understood TS devs
correctly on their way to extinction (in favour of encrypted push
messages).

why don't you use a two-factor auth code generator if you consider SMSes
problematic?

best,

- jure
Scott Arciszewski
2014-12-21 21:26:55 UTC
Hi Jure,

I'm a web developer. I'd like to be able to build websites that, instead of
just merely a username and password, also have support for two-factor
authentication. The idea is that I somehow send an N-digit code to a user,
and it is encrypted between my webserver and their phone. The actual
implementation details (SMS vs push notifications) are not important to me.
I just want the capability to exist for every web developer.

What is a "two-factor auth code generator"? You mean like an RSA token that
requires users to purchase separate hardware? If so, that is not an
attractive solution for me. If not, I didn't understand the question.

Regards,
Scott
cbdev
2014-12-21 21:39:26 UTC
Hi Scott,

most 2-Factor-Authentication schemes are based on the RFC 4226/6238
OATH One-Time-Password Algorithms. There is no need to send the codes
via SMS/Push, but you exchange a secret once (most likely during
signup) by some means (QR-Codes, Text entry into an app), and verify
the output of the algorithm on your side against what the user inputs
from her Generator.

HTH,
cbdev
Scott Arciszewski
2014-12-21 21:41:31 UTC
In the case of Google, they SMS me a random 6-digit number. In those
implementations, I would like them to be encrypted. That is all.
#359
2014-12-21 21:43:37 UTC
scott,

this is an open source example of such generator.

https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp

i hope i didn't move away from the subject too much.


- jure
Scott Arciszewski
2014-12-21 22:01:13 UTC
As neat as this is, yes, I'm afraid we're off the subject.

I'm not looking for best practices in 2FA, I'm looking for "here's a black
box to send SMS messages (e.g. how Twilio works) that will also encrypt the
messages if the phone number is using TextSecure".

I realize this is a very specific problem and probably would not survive an
infosec book-burning session, but it doesn't exist and I want it to.
Anything telling me "do this method instead" is just noise to me at this
moment.
Jeffrey Carlson
2014-12-21 23:54:09 UTC
Just understanding this, then:

(1) User navigates to website with 2FA
(2) User enters username/password (1st factor = what they know)
(3) System determines 1F is ok - proceeds to step (5)
(4) System determines 1F is not ok - returns to step (2)
(5) System invokes text message send to user
(6) User receives text message from traditional cellphone network
(7) User enters second factor code (2nd factor = what they have)
(8) System determines 2F is ok - proceeds to step (10)
(9) System determines 2F is not ok - returns to step (2)
(10) User is authenticated

If this is roughly the use case allow me a few statements:

(1) I don't see the logic behind encrypting a code which is layered behind
TWO (2) additional passwords. The Android Lockscreen and the TextSecure
Password. If you are developing security mechanisms that operate with the
assumption that the user would not lock their Android device nor protect an
application dealing with encryption - what additional benefit would
encrypting the code bring?

(2) How would the system know that the user HAD TextSecure? An additional
sign-up/profile input?

(3) How would you interface with a SMS gateway?

(4) How would you ask them to encrypt the SMS code using TextSecure's
shared password?


....

Otherwise, neat idea.
Graham Smith
2014-12-22 01:20:04 UTC
Hi everyone,

I'd like to add that although, Scott, your implementation of this system might be good, I have found that countless services do not expire these N-digit codes after a certain amount of time nor do they expire after a certain number of failed attempts.

One solution to this problem is to either use the standards that have been specified or you could, in the case of a native app, use something like a URL scheme to send an SMS message to the server instead of the device receiving, which allows your client to handle encryption instead of vice-versa.

Furthermore, I'd like to add that encrypting these N-digit codes poses a problem that TextSecure already encountered when figuring out the right way to upload and store users' address books. Seeing as most codes are 4 - 6 digits, encrypting one won't prevent someone from easily figuring out the N-digit code's value before it expires.

--
Graham Smith
@neuegram
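
The two controls the post above says are often missing, expiry after a time limit and expiry after a number of failed attempts, as an added example that is not part of the original thread. The class name, the default limits and the injectable `clock` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

class OneTimeCodes:
    """Server-side store for delivered N-digit codes (in-memory sketch)."""

    def __init__(self, ttl=300, max_attempts=3, digits=6, clock=time.time):
        self.ttl, self.max_attempts, self.digits = ttl, max_attempts, digits
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-only HMAC key
        self._pending = {}                    # user -> [tag, expires, attempts]

    def _tag(self, user: str, code: str) -> bytes:
        # Keyed MAC, not a bare hash: a 6-digit code has only 10**6 values,
        # so an unkeyed digest of it can be enumerated almost instantly.
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Create a fresh code; any earlier code for this user is discarded."""
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        expires = self._clock() + self.ttl
        self._pending[user] = [self._tag(user, code), expires, 0]
        return code                           # hand this to the delivery channel

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        tag, expires, _ = entry
        if self._clock() > expires:           # time-based expiry
            del self._pending[user]
            return False
        entry[2] += 1                         # count every attempt
        ok = hmac.compare_digest(tag, self._tag(user, submitted))
        if ok or entry[2] >= self.max_attempts:
            del self._pending[user]           # single use, or attempts spent
        return ok

if __name__ == "__main__":
    codes = OneTimeCodes()
    sent = codes.issue("alice")               # constructed sample user
    print(codes.verify("alice", sent))        # True
    print(codes.verify("alice", sent))        # False: code is single use
```

With three attempts against a 6-digit code, an online guesser succeeds with probability 3 in 1,000,000 per issued code, so `issue()` itself also needs rate limiting.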
Gary Belvin
2014-12-22 18:38:56 UTC
If you haven't investigated this already, Google Authenticator is a widely
available app set up to support what you're trying to accomplish.
http://en.wikipedia.org/wiki/Google_Authenticator

