QR2Pass-project - A proof of concept for an alternative (passwordless) authentication system to a web server

QR2Pass

This is a proof of concept for an alternative (passwordless) authentication system for a web server. Authentication is based on public key cryptographic challenges that can be answered correctly only by the owner of the private key. Challenges are presented as a QR code that is scanned by the mobile app.

The project is based on the procedure proposed by the Snap2Pass paper, but not on the corresponding implementation. In contrast to Snap2Pass, it offers only public key authentication (i.e. no shared secret) and there is no OpenID integration.

The server is written in Django and the client (mobile app) is written in Swift for the iOS platform.

You can check an online version of the server here.

Overview

During registration, the user provides their public key to the server. For authentication, the server presents a challenge (a unique nonce that expires after 60 seconds). The user needs to sign the challenge with their private key. The server verifies the signature and, if it is valid, the user is authenticated to the web site.

The web app consists of 2 parts:

  • the core app that handles the web view (what the user sees in their browser)
  • the api app that handles the out-of-band communication (to/from the mobile app)

Protocol overview

To complete a registration request, or to initiate a login, the web app (core) constructs QR codes that are scanned by the mobile app.

register QR

the registration QR has the following info:

    {
        "version": Int,
        "email": String,
        "nonce": String,
        "provider": URL,
        "respond_to": URL,
        "action": action enum //action.register
    }

  • version: version of the protocol (currently ignored)
  • email: the email provided in the registration form. It is currently used as a user identifier
  • nonce: a unique nonce (used to avoid replay attacks)
  • provider: base URL for the site (this is the identifier for the site)
  • respond_to: where the client should send its response
  • action: either login or register (register in this case, duh!)

login QR

the login QR has a very similar schema:

    {
        "version": Int,
        "challenge": String,
        "validTill": Date, 
        "provider": URL, 
        "respond_to": URL,
        "action": action.login //action.login 
    }

The email is not provided by the server; it is sent in the client's request (from the mobile app).

Out of band requests/responses

We define as out-of-band the requests between the mobile app and the server (api part). Browser to server (core part) communication is in-band.

Registration

A user first needs to head to the registration page (in their browser), where they are asked for their email. If the email is valid and not already used, a registration QR code is presented (for 60 seconds). The user scans the QR code with the mobile app.
The app decodes the QR code (see register schema above) and extracts the URL from the "respond_to" field.
If there is no registration data in the app for this site (identified by the "provider" field), it then sends a register request to this URL using the following schema:

    {
        "version": Int,
        "email": String,
        "public_key": String, 
        "nonce": String 
    }
  • version: version of the protocol (currently ignored)
  • email: the user's email
  • public_key: the user's public key
  • nonce: the nonce offered by the server

Upon receiving the request, the server will perform the following checks:

  • the request has a valid schema
  • the nonce received is valid and has not expired
  • the nonce received corresponds to the specific user

If the checks are successful, the server creates a user in its DB and redirects the browser to the login page.

Server responds using the following schema (out-of-band):

    {
        "version": Int,
        "email": String,
        "status": String, 
        "response_text": String 
    }
  • status: "ok"/"nok"
  • response_text: a message showing more info about the status (e.g. "invalid token")

Logging in

A previously registered user can head to the login page to log in. A QR is presented (for 60 seconds). The user scans the QR code with the mobile app.
The app decodes the QR code (see login schema above) and extracts the URL from the "respond_to" field.
If there is registration data in the app for this site (identified by the "provider" field), it then sends a login request to this URL using the following schema:

    {
        "version": Int,
        "username": String,
        "challenge": String,
        "response": String
    }
  • username: the email of the user
  • challenge: the nonce provided by the server
  • response: the nonce signed by the private key of the user

Similarly to the registration process, the server first makes some initial checks on the request (valid schema and nonce, etc.). If the initial checks succeed, the signed challenge is verified against the public key of the user (stored during the registration process). If all checks are successful, the user is authenticated in the backend and the browser is redirected to the user page.

The server responds to the app using the same response schema as in the registration process.
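The registration and login exchanges described in the two sections above, as an added example that is not the QR2Pass project's code (the project's server is Django and its client is Swift; this is a self-contained Python model of both sides). The README names no signature algorithm, so a Schnorr signature over the RFC 3526 2048-bit MODP group is assumed here because it needs only the standard library; PROVIDER, the e-mail address and the in-memory dicts standing in for the user DB and the redis nonce store are constructed. demo() runs a registration, a login, a replay of the same signed challenge, and a login against a challenge scanned after its 60-second window.

```python
# Added example, not code from the QR2Pass project. Signature scheme (Schnorr over the
# RFC 3526 group 14 MODP prime) is an assumption: the README does not name one. PROVIDER
# and the dicts standing in for the Django DB and the redis nonce store are constructed.
import hashlib
import secrets
import time

PROVIDER, NONCE_TTL = "https://qr2pass.example", 60      # TTL in seconds, as stated in the README
P = int(  # RFC 3526 group 14: safe prime P = 2Q + 1; G = 2 generates the subgroup of order Q
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2

def keygen():                       # mobile-app key pair: private x, public y = G^x mod P
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _h(r, y, msg):                  # Fiat-Shamir challenge, bound to the signer's public key
    return int.from_bytes(hashlib.sha256(f"{r:x}|{y:x}|{msg}".encode()).digest(), "big") % Q

def sign(x, msg):                   # Schnorr signature, serialised as "r.s" in hex
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return f"{r:x}.{(k + _h(r, pow(G, x, P), msg) * x) % Q:x}"

def verify(y, msg, sig):            # valid iff G^s == r * y^e (mod P)
    try:
        r, s = (int(part, 16) for part in str(sig).split("."))
    except ValueError:
        return False
    return 1 < r < P and 0 <= s < Q and pow(G, s, P) == r * pow(y, _h(r, y, msg), P) % P

def resp(email, status, text):      # out-of-band response schema from the README
    return {"version": 1, "email": email, "status": status, "response_text": text}

class Server:                       # Django side: core issues the QR codes, api checks the answers
    def __init__(self, now=time.time):
        self.now, self.users, self.nonces = now, {}, {}   # email -> y ; nonce -> (email, action, expiry)

    def qr(self, action, email=None):                     # login QR carries no email: the app supplies it
        nonce, expiry = secrets.token_hex(16), self.now() + NONCE_TTL
        self.nonces[nonce] = (email, action, expiry)
        body = {"email": email, "nonce": nonce} if action == "register" else {"challenge": nonce, "validTill": expiry}
        return {"version": 1, **body, "provider": PROVIDER, "respond_to": f"{PROVIDER}/api/{action}", "action": action}

    def _consume(self, nonce, email, action):             # popped on first use, so a captured answer cannot be replayed
        n_email, n_action, expiry = self.nonces.pop(nonce, (None, None, 0))
        if n_action != action or (n_email is not None and n_email != email):
            return "unknown, already used or mismatched nonce"
        return "nonce expired" if self.now() > expiry else None

    def register(self, req):
        email = req.get("email")
        if set(req) != {"version", "email", "public_key", "nonce"} or email in self.users:
            return resp(email, "nok", "invalid schema or e-mail already used")
        if err := self._consume(req["nonce"], email, "register"):
            return resp(email, "nok", err)
        pk = req["public_key"]
        y = int(pk, 16) if isinstance(pk, str) and pk and set(pk) <= set("0123456789abcdef") else 0
        if not 1 < y < P or pow(y, Q, P) != 1:            # reject keys outside the prime-order subgroup
            return resp(email, "nok", "invalid public key")
        self.users[email] = y
        return resp(email, "ok", "registered")

    def login(self, req):
        user = req.get("username")
        if set(req) != {"version", "username", "challenge", "response"}:
            return resp(user, "nok", "invalid schema")
        if err := self._consume(req["challenge"], None, "login"):
            return resp(user, "nok", err)
        y = self.users.get(user)
        if y is None or not verify(y, req["challenge"], req["response"]):
            return resp(user, "nok", "invalid signature")
        return resp(user, "ok", "authenticated")

def app_register(keys, qr):         # iOS side: one key pair per provider, created on first registration
    if qr["provider"] in keys:
        return None
    x, y = keygen()
    keys[qr["provider"]] = (x, y)
    return {"version": qr["version"], "email": qr["email"], "public_key": f"{y:x}", "nonce": qr["nonce"]}

def app_login(keys, qr, email):
    return {"version": qr["version"], "username": email, "challenge": qr["challenge"],
            "response": sign(keys[qr["provider"]][0], qr["challenge"])}

def demo():                         # both flows against a fake clock; returns the four status values
    clock, keys, email = [1_700_000_000.0], {}, "alice@example.com"   # constructed
    srv = Server(now=lambda: clock[0])
    registered = srv.register(app_register(keys, srv.qr("register", email)))
    req = app_login(keys, srv.qr("login"), email)
    logged_in, replayed = srv.login(req), srv.login(req)   # second send replays the signed challenge
    stale = srv.qr("login")
    clock[0] += NONCE_TTL + 1                              # scanned after the 60 s window
    expired = srv.login(app_login(keys, stale, email))
    return registered["status"], logged_in["status"], replayed["status"], expired["status"]
```

Three details carry the security of the exchange and are easy to miss when reading the schemas alone: the nonce is deleted from the store the first time it is presented, so a signed response captured in transit cannot be replayed; a registration nonce is bound to the e-mail it was issued for, so a nonce from one registration form cannot be spent on another account; and the submitted public key is checked to lie in the prime-order subgroup before it is stored, since a malformed key would otherwise be accepted at registration and only fail at login.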

Running the project

Client

The iOS app doesn't use any external libraries and is compatible with iOS > 12.4.
Keep in mind that iOS won't accept initiating insecure connections (plain HTTP). See here for more information and ways to circumvent that, in case you want to test this locally.
Alternatively, you can use ngrok to map an external HTTPS endpoint to your local machine.

Server

pre-requisites

The server uses redis as the Django Channels backend and for temporary storage (nonces), so you need to have redis running locally or remotely.
It also uses daphne as an asynchronous server. You can invoke daphne by running:

daphne qr2pass.asgi:application --port <PORT> --bind 0.0.0.0 -v2

but locally you can also use the usual runserver command:

python manage.py runserver

requirements

  • create a virtual environment
  • activate it
  • pip3 install -r requirements.txt

Settings

The default settings are defined in the settings/defaults.py file.
You need to fill in some additional settings corresponding to your deployment environment (see deployment-template.py) and define the DJANGO_SETTINGS_MODULE environment variable to point to your settings (see here for details).
