[FIDO001] VinCSS's go-passwordless story: from zero to a FIDO2 platform

Passwords are out of date and need to be replaced


The exponential growth of threats in cyberspace has made systems that rely on password-based authentication a hassle for users and a burden for organizations, since the maintenance cost is substantial and the associated risks are exceedingly great.

The truth is that no one likes passwords anymore, except hackers!

Two-factor authentication using OTP (one-time password) only partially solves the issue and has been defeated multiple times in recent cyber attacks. Password managers, on the other hand, fall prey to hackers because they have vulnerabilities of their own, run on exploitable operating systems, and use authentication methods that are not strong enough to protect themselves.

What hope is there when our most recognized form of security isn’t as secure as we thought?


The story of going passwordless from zero at VinCSS


As a cybersecurity services provider, VinCSS has a unique requirement to protect both its internal systems and its customers' systems, in which identity and access management is of vital importance.

The route to passwordless, led by the FIDO Alliance, has become a natural choice for us because of its open, simple characteristics and its broad support from industry.

To meet our own internal needs, we decided to find a way to use passwordless authentication with FIDO2 in our systems as much as possible. Our first goal was to research and develop a solution that provides passwordless authentication with FIDO2 but can be integrated into existing systems with minimal work and maintenance cost. Another requirement was not to modify any code of existing open-source systems, and to apply it to as many closed-source systems as possible.

Eventually, we ended up developing a FIDO2 solution with OAuth2 for authentication and authorization, because most of our infrastructure today is web based and this modern authentication is widely supported by multiple vendors and easy to extend as needed.

After ten months of R&D, we built our own FIDO2 Authenticator, FIDO2 Server (both certified by the FIDO Alliance), and OAuth2 Server.


VinCSS FIDO2® Authenticator


With the goal of giving each internal user a FIDO2 login key, we began by studying the open-design model of Solokeys. Then we designed our own hardware with a total rewrite of the firmware. In November 2019, after passing hundreds of internal tests, we applied for the FIDO Alliance interoperability test, passed, and received the first FIDO2 certification for our VinCSS FIDO2® Authenticator.

It was just a small success, but it created a huge driving force for us to go forward and deploy hundreds of keys internally before entering the mass-production phase in cooperation with VinSmart, a large smartphone subsidiary of Vingroup. Together, we will create an affordable product that meets international standards, first for internal use at Vingroup and then for the Vietnam market.


VinCSS FIDO2® Server


A server is needed to register and validate an authenticator. As of 2019, we couldn't find any FIDO2 Server solution that could be deployed in Vietnam except StrongKey (which has an open-source FIDO2 Server). However, StrongKey's FIDO2 Server is written in Java, which doesn't integrate well with our existing infrastructure. Besides, we also wanted to provide more features that an enterprise may need, such as centralized key management, user management, etc. Thus, we developed our own FIDO2 Server in Go. In March 2020, in the middle of the COVID-19 pandemic, we once again brought our product out for testing and received the second FIDO2 certification from the FIDO Alliance.

Having our own authenticator and server was still not enough to address our problems, so we decided to continue by developing an OAuth2 server!

VinCSS OAuth2 Server


This is the main authentication system we focus on to support FIDO2, also written in Go. With this OAuth2 Server, we provide centralized management services for users, such as registering/removing authenticators, reviewing user and key login activities, and performing general application management. The server has a management interface for both admins and users. Admins can register/remove authenticators for each user and review user and authenticator login activities, etc. Users can only review their own linked authenticators and login activities.

Another useful feature of our OAuth2 Server is the optional use of an Android phone as an authenticator, verified using a QR code, to give users a convenient experience.
OAuth2 login using QRCode for Android built-in FIDO2

Plug and play

With all the main tasks considered done, we refocused our attention on supporting services. Besides popular solutions that already support FIDO2, like GitLab, ownCloud Marketplace, Azure AD, Office 365, etc., we also developed a plugin for Jira to support our OAuth2 system. Because the OAuth2 plugin for Jira is not free, and we also want to do more with the plugin in the future, developing our own plugin was the natural choice.


Jira ready for passwordless login with FIDO2


The COVID-19 pandemic and its impact on the global economy are making millions of workers and businesses dependent on remote working. At this time of heavy digital dependency, we are all seeing a rise in cybercriminal activity seeking to exploit this crisis. As in any company in the world, our remote workforce continues to expand at a rapid pace, and with it the need to remove static credentials from the equation to reduce risk.

Because OpenVPN is a desktop application, we had to develop a new client using the Electron framework to integrate the OAuth2 login interface. While developing our VinCSS OpenVPN Client, we discovered that Electron supports WebAuthn, but only as built on top of the Chromium core. Therefore, FIDO2 wasn't fully supported on operating systems that lack a platform API for FIDO2, such as macOS or Linux. There was no PIN protocol support either, so an authenticator that has a PIN set, used against a server configured to force the authenticator to validate the PIN, would not work. On the other hand, Windows 10 has a platform API for FIDO2, so it works out of the box.

To enable our client to work well on macOS, we developed a Node.js FIDO2Client library that supports the PIN protocol. We also published the source code on GitHub for those interested in developing a cross-platform desktop client using the Electron framework; this is one of our contributions back to the FIDO community.
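The failure described above ("a server configured to force the authenticator to validate the PIN will not work") is visible on the server side in the flags byte of the WebAuthn authenticator data: a client without PIN protocol support can't unlock the key, so the authenticator signs with only the UP (user present) bit set and never the UV (user verified) bit. The following is an added example, not VinCSS's FIDO2 Server code, showing the authenticator-data checks a relying party applies during an assertion in Go: rpIdHash, UP, UV against a "require user verification" policy, and the signature counter. It generalizes beyond the post's case to the full flag and counter check of the WebAuthn assertion ceremony for any RP. The `Policy` type, function names, the sample authenticator data and the RP ID `vpn.example` are assumptions constructed for the demonstration; signature verification over authData||clientDataHash is a separate step not shown.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Bits of the flags byte in WebAuthn authenticator data (authData[32]).
const (
	FlagUP byte = 1 << 0 // user present: the user touched the key
	FlagUV byte = 1 << 2 // user verified: PIN or biometric checked on the authenticator
	FlagAT byte = 1 << 6 // attested credential data follows (registration only)
	FlagED byte = 1 << 7 // extension data follows
)

// AuthData is the fixed 37-byte prefix every authenticator data blob starts with.
type AuthData struct {
	RPIDHash [32]byte // SHA-256 of the relying party ID
	Flags    byte
	Counter  uint32 // signature counter, big-endian on the wire
}

// ParseAuthData decodes the fixed prefix; anything after byte 37 (attested
// credential data, extensions) is not needed for the checks below.
func ParseAuthData(raw []byte) (AuthData, error) {
	if len(raw) < 37 {
		return AuthData{}, errors.New("authenticator data shorter than 37 bytes")
	}
	var ad AuthData
	copy(ad.RPIDHash[:], raw[:32])
	ad.Flags = raw[32]
	ad.Counter = binary.BigEndian.Uint32(raw[33:37])
	return ad, nil
}

// Policy is the relying party's configuration (an assumed type, not the
// server's real config). RequireUV corresponds to the setting the post
// describes: force the authenticator to verify a PIN.
type Policy struct {
	RPID      string
	RequireUV bool
}

// VerifyAssertionAuthData applies the flag and counter checks of the WebAuthn
// assertion ceremony and returns the new counter value to store.
func VerifyAssertionAuthData(raw []byte, p Policy, storedCounter uint32) (uint32, error) {
	ad, err := ParseAuthData(raw)
	if err != nil {
		return 0, err
	}
	if ad.RPIDHash != sha256.Sum256([]byte(p.RPID)) {
		return 0, errors.New("rpIdHash does not match the configured RP ID")
	}
	if ad.Flags&FlagUP == 0 {
		return 0, errors.New("user presence (UP) flag not set")
	}
	// A client without PIN protocol support cannot unlock the key, so the
	// authenticator never sets UV; a server that requires it must reject.
	if p.RequireUV && ad.Flags&FlagUV == 0 {
		return 0, errors.New("user verification required but UV flag not set")
	}
	// A counter that does not increase suggests a cloned key. Both values
	// zero means the authenticator does not implement a counter at all.
	if (ad.Counter != 0 || storedCounter != 0) && ad.Counter <= storedCounter {
		return 0, fmt.Errorf("signature counter %d did not exceed stored %d", ad.Counter, storedCounter)
	}
	return ad.Counter, nil
}

// BuildAuthData constructs sample authenticator data for the demonstration.
// It is a constructed input, not a blob captured from a real key.
func BuildAuthData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out, h[:])
	out[32] = flags
	binary.BigEndian.PutUint32(out[33:37], counter)
	return out
}

func main() {
	// "vpn.example" is a placeholder RP ID, not a real VinCSS hostname.
	pol := Policy{RPID: "vpn.example", RequireUV: true}

	// Key unlocked with its PIN: UP and UV both set, counter advanced.
	withPIN := BuildAuthData(pol.RPID, FlagUP|FlagUV, 42)
	// Same key driven by a client without PIN protocol support: only UP.
	noPIN := BuildAuthData(pol.RPID, FlagUP, 43)

	for _, c := range []struct {
		name string
		raw  []byte
	}{{"with PIN", withPIN}, {"no PIN protocol", noPIN}} {
		if n, err := VerifyAssertionAuthData(c.raw, pol, 41); err != nil {
			fmt.Printf("%-16s rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%-16s accepted, counter now %d\n", c.name, n)
		}
	}
}
```

Running the block shows the first assertion accepted and the second rejected with the UV error, which is exactly what an Electron client on macOS or Linux without a PIN protocol implementation produces against a server that requires user verification. Logging that rejection reason distinctly from a bad signature makes the support case easy to diagnose.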

The source code can be found here. We will port this library to more programming languages in the future.


VinCSS OpenVPN Client interface

Conclusions

Our life is much easier now that we are all using passwordless login with FIDO2 authenticators in the majority of our applications. However, we still have a long way to go toward the vision of a fully passwordless environment, because we still have many legacy applications that do not support modern authentication like OAuth2, or closed-source desktop applications that prevent us from integrating a FIDO2 login interface. Today, big corporations like Google and Microsoft have begun to support passwordless authentication with FIDO2. Hopefully, more and more software vendors will start supporting FIDO2 authentication in their clients in the near future.

The remaining part of our road to passwordless still lies ahead. It is now time for us to concentrate our efforts on applying our FIDO2 solution more widely within Vingroup and to begin entering the FIDO market.

We want to express our gratitude to the FIDO Alliance, which has provided guidance, and to those pioneering companies that have led the way and shared their experience, so that a startup like VinCSS has a chance to participate in this historic passwordless transformation. For our part, we are ready to cooperate with partners and share our findings to contribute to a more secure future, following the roadmap that the FIDO Alliance has set out!
