Mobile Application Authentication
Background story
An ideal phone, like a faithful dog, should recognize the owner by smell and protect property from strangers.
Dogs have developed their snuff apparatus over millions of years of evolution, and there is nothing for our technology, so phones are not perfect so far.
People with a sense of smell are much worse, therefore, in their natural habitat, they had to develop artificial identification systems, such as a letter of deed, conditional gestures and safe passwords and recalls.
When people began to shift part of their tasks to digital shoulders, at first there was no software authentication - anyone who got access to the computer room could run the program code. But even then, this same access was regulated by certain rules, described, for example, in the statute of the guard service and other regulations with tolerances.
Soon this was missing. Primitive programmers got identifiers, then login with a password - and here we have the classic Basic Authentication protocol HTTP.
Login and password
Login allows you to identify the user, that is, perform the main authentication function.
The password prevents unauthorized access, that is, it solves the main task of information security.
Thus, this couple performs the main dog task, while it does not require either walking or feeding.
By the way, in mobile phones there is the concept of a PIN code. Sounds like a password? Yes. This is a security mechanism that solves the security problem, while not directly related to authentication.
Why can’t you do just login? Theoretically possible, but almost very inconvenient. The login appears in the request forms and reports; sometimes it has to be reported to the support service. Having made the login difficult to select and hidden from others, we will liken it to a password. And in order to somehow display public information on our account, you will have to add a new field - say, nickname - which will make everything worthless.
So today it is the most familiar scheme. You could even say that every person connected to computers has at least one username and password.
Programmers have implemented this approach so many times that almost every development environment contains a special type of control - a password entry field, where characters are replaced with asterisks, hiding the password itself from prying eyes.
One could add that everything here is good and nothing needs to be changed, but no.
Encryption
With the advent of computer networks, it turned out that it is dangerous to transmit a password in clear form, since an attacker can intercept it along the way. The logical solution was to implement password encryption. So there were Digest Authentication and NTLM. The user enters all the same data, but "over the wire" they are transmitted in encoded form. In principle, experts can decrypt or crack them, but this is still more reliable than sending a password in clear text.
Those interested in secure communication channels, we refer to the study of the protocol HTTPS, SSL and TLS, and we ourselves move on to comprehend the mobile Tao.
Single-sign-on
Another unpleasant aspect of inclusive passwords turned out to be that it is not very convenient to keep more than one or two pairs of username and password in your head, to enter them each time you enter the program, especially if there are more than one of these programs. The solution to the problem was oAuth authentication and the principle of SSO, that is, Single-Sign-On (log in once).
The idea of oAuth is simple. Instead of asking the user for their username and password each time, it is better to do this once, based on the information received, obtain the so-called token from the trusted server and then conduct operations with this token. This is especially convenient in the context of data exchange between a mobile or web application and a remote server, where authentication information (credentials) must be transmitted with each request.
SSO solves a slightly different problem.
Within the web, all applications that use the same trusted server for oAuth authentication (for example, sites with a Google account) automatically share user information (credentials). That is, by entering the username and password in one application, the user logs into another already recognized user.
For mobile applications, this approach also works, but with reservations, and requires additional effort from developers.
User information must be stored on the device so that it can be read out the next time the application is launched, as well as other applications that need it (and which have the right to access this information) can use it for automatic authentication.
Where passwords are stored
The reader, who does not just glance at the text and was able to break through the previous paragraph, should ask: what kind of place is this where you can safely store sensitive user data such as login and password? This place is special, depending on the platform and technology called differently, but most often - KeyChain (iOS, Android). The data here is encrypted, access to it is limited - in general, this is the safest place on the device, the security of which is guaranteed at the level of the operating system.
Where passwords cannot be stored
You can bring the Secure Service officer to hysteria by storing the password in the database. It would also be a bad idea to send logins with passwords somewhere to the system log. A note of moderate inadmissibility can be obtained by temporarily storing the password in public variables - it is good practice to subtract user information from KeyChain as necessary, without storing it elsewhere.
TouchID / Fingerprints
It is widely known that a person has unique fingerprints. In addition, the prints of the noses and ears are unique, and if the fingers are an attribute mainly purely human, then pets also have noses. In practice, fingerprint recognition is used to identify cats, dogs and cows.
Someday, perhaps, we will teach our phones to recognize the owner simply by holding it in their hands, but so far the technology has focused on fingerprinting, which was fixed in forensic practice a hundred years ago (we will leave it outside the box that is very convenient for the NSA articles).
In addition to the fact that many telephones are equipped with fingerprint scanners and the already mentioned PIN code, a number of them are supplemented with a graphic key - that is, you can set a code pattern instead of a digital combination, connecting the dots on the screen in one sequence or another.
Face id
Apple's latest innovation is face recognition authentication. If theoretically uncomplicated algorithmic processing is sufficient for fingerprints, then they use Rosenblatt's ideas for facial recognition and build a neural network.
Of course, the iPhone’s neural network capacity is not enough to play chess or go, but it copes with its task. The phone can now identify its owner visually.
These latest innovations, as you can imagine, endlessly delight corporate security officers and endlessly annoy end users. Here, at the forefront of technology, converge shield and sword, good and evil, and ice, and flame. MFA is forged here.
Multifactor authentication
We don’t know whose exact idea this bright thought came to, but now that it is embodied in the digital universe, we have to first enter a username and password, and then confirm our identity with a pin code.
The idea is that faking one authentication channel is easier than two. A side effect is that today you won’t be able to enter a typical corporate network without a phone: after all, it receives a pin code that must be entered to confirm your identity.
The use of this technology for mobile applications seems a bit controversial, but quite possible.
Blockchain and Chinese Chickens
After bitcoin and other cryptocurrencies caused a stir of public excitement, it would be strange if the blockchain underlying the transactions of these currencies did not attract the attention of security system developers.
How can you use a chain of blocks for authentication? Very simple.
In relation to man, the blockchain technology itself already works in Estonia today as a platform for e-citizenship; there are similar attempts in Brazil and Finland. And the Japanese Sony crossed the MFA and the blockchain (US patent 2017/0310653 A1 *). So now, when once again you enter the verification code from an SMS somewhere, it is likely that this your activity will be saved forever (within the framework of the existence of our digital universe).
As for other applications, it is known that in China they came up with a blockchain to monitor what happened in the life of chickens, who fall on the table of special connoisseurs of haute cuisine.
Designers of the future! Please try to ensure that our gadgets recognize their owners no worse than a dog, while, if possible, dispensing with dog food, and so that they do not need to be walked too often.
The author of these lines also expresses the hope that in ten years his phone will not be able to lure and cover the mouth-watering smelling sausage.
-
* patents.google.com/patent/US20170310653A1/en