QR2Pass: a proof of concept for an alternative (passwordless) authentication system to a web server

QR2Pass

This is a proof of concept for an alternative (passwordless) authentication system to a web server. Authentication is based on public key cryptographic challenges that can be answered correctly only by the owner of the private key. Challenges are presented in the form of a QR code that is scanned by the mobile app.

The project is based on the procedure proposed by the Snap2Pass paper, but not on the corresponding implementation. In contrast to Snap2Pass, it offers only public key authentication (i.e. no shared secret) and there is no OpenID integration.

The server is written in Django and the client (mobile app) is written in Swift for the iOS platform.

You can check an online version of the server here.

Overview

During registration, the user provides their public key to the server. For authentication, the server presents a challenge (a unique nonce that expires after 60 seconds). The user needs to sign the challenge with their private key. The server verifies the signature and, if it is valid, the user is authenticated to the web site.

The web app consists of 2 parts:

  • the core app that handles the web view (what the user sees in their browser)
  • the api app that handles the out-of-band communication (to/from the mobile app)

Protocol overview

To complete a registration request, or to initiate a login process, the web app (core) constructs QR codes that are scanned by the mobile app.

register QR

The registration QR has the following info:

    {
        "version": Int,
        "email": String,
        "nonce": String,
        "provider": URL,
        "respond_to": URL,
        "action": action enum //action.register
    }

  • version: version of the protocol (currently ignored)
  • email: the email provided in the registration form. It is currently used as the user identifier
  • nonce: a unique nonce (used to avoid replay attacks)
  • provider: base URL of the site (this is the identifier for the site)
  • respond_to: where the client should send its response
  • action: either login or register (register in this case, duh!)

login QR

The login QR has a very similar schema:

    {
        "version": Int,
        "challenge": String,
        "validTill": Date,
        "provider": URL,
        "respond_to": URL,
        "action": action enum //action.login
    }

The email is not provided by the server here; it is sent by the client in its request (from the mobile app).

Out of band requests/responses

We define as out-of-band the requests between the mobile app and the server (api part). Browser to server (core part) communication is in-band.

Registration

A user first needs to head to the registration page (in their browser), where they are asked for their email. If the email is valid and not already used, a registration QR code is presented (for 60 seconds). The user uses the mobile app to scan the QR code.
The app decodes the QR code (see register schema above) and extracts the URL from the "respond_to" field.
If there is no registration data in the app for this site (defined by the "provider" field), it will then send a register request to this URL using the following schema:

    {
        "version": Int,
        "email": String,
        "public_key": String,
        "nonce": String
    }

  • version: version of the protocol (currently ignored)
  • email: the user's email
  • public_key: the user's public key
  • nonce: the nonce offered by the server

Upon receiving the request, the server performs the following checks:

  • the request has a valid schema
  • the nonce received is a valid one and has not expired
  • the nonce received corresponds to the specific user

If the checks are successful, the server creates a user in its DB and redirects the browser to the login page.

The server responds using the following schema (out-of-band):

    {
        "version": Int,
        "email": String,
        "status": String,
        "response_text": String
    }

  • status: "ok"/"nok"
  • response_text: a message showing more info about the status (e.g. "invalid token")

Logging in

A previously registered user can head to the login page to log in. A QR code is presented (for 60 seconds). The user uses the mobile app to scan the QR code.
The app decodes the QR code (see login schema above) and extracts the URL from the "respond_to" field.
If there is registration data in the app for this site (defined by the "provider" field), it will then send a login request to this URL using the following schema:

    {
        "version": Int,
        "username": String,
        "challenge": String,
        "response": String
    }

  • username: the email of the user
  • challenge: the nonce provided by the server
  • response: the nonce signed by the private key of the user

Similarly to the registration process, the server makes some initial checks on the request (valid schema and nonce, etc.). If the initial checks succeed, the signed challenge is checked against the public key of the user (stored during the registration process). If all checks are successful, the user is authenticated in the backend and the browser is redirected to the user page.

The server responds to the app using the same response schema as in the registration process.
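The registration and login checks described above, as an added example that is not part of the QR2Pass project and is not its Django code: a small Go model of the server side (Go's standard library ships Ed25519, so it runs offline). The README does not specify the signature algorithm or the encodings, so the example assumes Ed25519 signatures over the raw challenge string, base64 for the public key and the signature, an in-memory map in place of the project's Redis nonce store, and a constructed sample user.

```go
// Added example, not QR2Pass project code. Assumes Ed25519 signatures over the raw challenge
// string, base64-encoded keys/signatures, and an in-memory map in place of the Redis nonce store.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

type pendingNonce struct {
	email     string // registration: the email the QR was issued for; login: ""
	validTill time.Time
}

type Server struct {
	nonces map[string]pendingNonce      // what Redis holds in the real project
	users  map[string]ed25519.PublicKey // email -> public key stored at registration
	now    func() time.Time             // injectable clock so expiry can be exercised
}

func NewServer() *Server { return &Server{map[string]pendingNonce{}, map[string]ed25519.PublicKey{}, time.Now} }

// NewNonce is the "nonce" (registration QR, bound to the email) or "challenge" (login QR, email "").
func (s *Server) NewNonce(email string) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand: never returns an error since Go 1.24 (it crashes instead)
	n := base64.RawURLEncoding.EncodeToString(b)
	s.nonces[n] = pendingNonce{email: email, validTill: s.now().Add(60 * time.Second)} // README: 60 s
	return n
}

// consume deletes the nonce before checking it, so every nonce is single-use whatever the
// outcome: that is what stops a captured response from being replayed.
func (s *Server) consume(nonce string) (pendingNonce, bool) {
	p, ok := s.nonces[nonce]
	delete(s.nonces, nonce)
	if !ok || s.now().After(p.validTill) { // server-side expiry, not the QR's validTill, decides
		return pendingNonce{}, false
	}
	return p, true
}

// Response mirrors the README's out-of-band response schema.
type Response struct {
	Version      int    `json:"version"`
	Email        string `json:"email"`
	Status       string `json:"status"` // "ok" / "nok"
	ResponseText string `json:"response_text"`
}

func nok(email, why string) Response { return Response{1, email, "nok", why} }

// Register handles the app's register request: schema, nonce validity, nonce-to-email binding.
func (s *Server) Register(email, publicKeyB64, nonce string) Response {
	pub, err := base64.StdEncoding.DecodeString(publicKeyB64)
	p, fresh := s.consume(nonce)
	switch {
	case err != nil || len(pub) != ed25519.PublicKeySize || email == "":
		return nok(email, "invalid schema")
	case !fresh:
		return nok(email, "invalid token")
	case p.email != email:
		return nok(email, "nonce was not issued for this user")
	}
	s.users[email] = ed25519.PublicKey(pub)
	return Response{1, email, "ok", "registered"}
}

// Login handles the app's login request, where response = Sign(privateKey, challenge).
func (s *Server) Login(username, challenge, responseB64 string) Response {
	sig, err := base64.StdEncoding.DecodeString(responseB64)
	_, fresh := s.consume(challenge) // consumed even if a later check fails
	pub, known := s.users[username]
	switch {
	case err != nil || len(sig) != ed25519.SignatureSize:
		return nok(username, "invalid schema")
	case !fresh:
		return nok(username, "invalid token")
	case !known || !ed25519.Verify(pub, []byte(challenge), sig):
		return nok(username, "bad signature")
	}
	return Response{1, username, "ok", "authenticated"}
}

// SignChallenge is the app side: sign the scanned challenge with the stored private key.
func SignChallenge(priv ed25519.PrivateKey, challenge string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(challenge)))
}

func main() {
	s, email := NewServer(), "alice@example.com" // constructed sample user
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(s.Register(email, base64.StdEncoding.EncodeToString(pub), s.NewNonce(email)))
	c := s.NewNonce("")
	fmt.Println(s.Login(email, c, SignChallenge(priv, c))) // status "ok"
	fmt.Println(s.Login(email, c, SignChallenge(priv, c))) // status "nok": nonce already consumed
}
```

Deleting the nonce before any check is the deliberate choice here: a scanned response is accepted at most once whatever else fails, and the server's own clock decides expiry rather than the validTill value the app read from the QR code. The login path also looks the user up by the username the app sends, which is why the stored public key, not anything in the request, is what the signature is verified against.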

Running the project

Client

The iOS app doesn't use any external libraries and is compatible with iOS > 12.4.
Keep in mind that iOS won't accept initiating insecure connections (plain HTTP). See here for more information and ways to circumvent that, in case you want to test this locally.
Alternatively, you can use ngrok to map an external HTTPS endpoint to your local machine.

Server

pre-requisites

The server uses Redis as the Django Channels backend and for temporary storage (nonces), so you need to have Redis running locally or remotely.
It also uses daphne as an asynchronous server. You can invoke daphne by running:

    daphne qr2pass.asgi:application --port <PORT> --bind 0.0.0.0 -v2

but locally you can also use the usual runserver command:

    python manage.py runserver

requirements

  • create a virtual environment
  • activate it
  • pip3 install -r requirements.txt

Settings

The default settings are defined in the settings/defaults.py file.
You also need to fill in some additional settings corresponding to your deployment environment (see deployment-template.py) and set the DJANGO_SETTINGS_MODULE environment variable to point to your settings (see here for details).
