[FIDO001] VinCSS’s go passwordless story: from zero onward a FIDO2 platform

Password is too out-of-date and needed to be replaced

The exponential growth of threats on cyberspace has caused systems which used password-based authentication to become a hassle for users and a burden for organizations since the maintain cost is substantial and associated risk are exceedingly great.

The truth is no one still likes password except hackers!

Two-factor authentication using OTP (one-time password) can only partially solve the issue and has been defeated multiple times in recent cyber attacks. Password manager programs, on the other hand, fall prey to hackers since they themselves have vulnerabilities, run on exploitable Operating System(s) and use not strong enough authentication methods to self-protect.

What hope is there when our most recognized form of security isn’t as secure as we thought?

The story of going passwordless from zero at VinCSS

As a cybersecurity services provider, VinCSS has a unique requirement in protecting its both internal and customers’ systems; in which, the need for identity and access management is of vital importance.

The route to passwordless, led by FIDO Alliance has become a natural choice for us because of its open, simple characteristics and the mass support from industries.

To meet our own internal need, we decided to find a way to use passwordless authentication with FIDO2 within our systems as much as possible. Our first goal is to research and develop a solution that has passwordless authentication with FIDO2 but can be integrated into existing systems with the minimum cost of work and maintenance. Another requirement is also to not modify any code on existing opensource systems, and apply it into as many closed source systems as possible.

Eventually, we end up developing a FIDO2 solution with OAuth2 for authentication and authorization because most of our infrastructure today is web based and this modern authentication is widely supported by multiple vendors and easy to extend as needed.

After ten months of R&D, we made and built our own FIDO2 Authenticator, FIDO2 Server (both has been certified by FIDO Alliance), and OAuth2 Server.

VinCSS FIDO2® Authenticator

With the goal of giving each internal user a FIDO2 login key, we began by studying the open-designed model of Solokeys. Then, we designed our own hardware with a total rewritten of firmware. In November 2019, after passing hundreds of internal tests, we applied for inter-operability test of FIDO Alliance, passed and got the first FIDO2 certification for our VinCSS FIDO2® Authenticator.

It was just a small success but create a huge driving force for us to go forward and deployed hundreds of keys internally before enter mass producing phase in cooperation with VinSmart - a large smartphone subsidiary of Vingroup. Together, we will create an affordable product that meet international standards, firstly for internal use at Vingroup and then the Vietnam market.

VinCSS FIDO2® Server

A server is needed to register and validate an authenticator. As of 2019, we couldn’t find any solution for FIDO2 Server that can be deployed in Vietnam except STRONGKEY (which have an opensource FIDO2 Server). However, STRONGKEY’s FIDO2 Server was written in Java, which doesn’t integrate well with our existing infrastructure. Besides, we also want to provide more features that an enterprise may need such as centralized key management, user management, etc... Thus, we developed our own FIDO2 Server using Golang. March 2020, in the middle of COVID-19 pandemic, we once again brought out our product for test and received the second FIDO2 certification from FIDO Alliance.

Having our own authenticator and server, but still not enough the address our problems, we decided to continue developing an OAuth2 server!

VinCSS OAuth2 Server

This is the main authentication system we focus on to support FIDO2, also written in Golang. With this OAuth2 Server, we support centralized management services for users such as: register/remove authenticator, review user and key login activities and perform general application management. This server has management interface for both admin and users. Admin can register/remove authenticator from each user and review user and authenticator login activities, etc... Users can only review their own linked authenticator and login activities.
Another useful feature of our OAuth2 Server is optional use of an Android phone as authenticator, verifying using QRCode to bring convenient experience to users.
OAuth2 login using QRCode for Android built-in FIDO2
OAuth2 login using QRCode for Android built-in FIDO2

Plug and play

All the main tasks considered done, we refocused our attention to supporting services. Besides popular solutions that already supported FIDO2 like Gitlab, ownCloud Marketplace, Azure AD, Office365,… we also developed a plugin for Jira to support our OAuth2 system. Because OAuth2 plugin for Jira is not free and we also want to do more with the plugin in the future so developing our own plugin is our natural choice.

Jira  ready for passwordless login with FIDO2
Jira ready for passwordless login with FIDO2

The COVID-19 pandemic and its impact on the global economy are making millions of workers and businesses become dependent on remote working. At this time of heavy digital dependency, we all are seeing a rise in cybercriminal activity seeking to exploit this crisis. As any company in the world, ours remote workforce continues to expand at a rapid pace, and so the need of removing static credentials from the equation to reduces the risk. Cause OpenVPN is a desktop application, so we have to develop a new client using Electron Framework to integrate the OAuth2 login interface. While developing our VinCSS OpenVPN Client, we discovered that Electron Framework supported WebAuthn but it was built on top Chromium core. Therefore, FIDO2 wasn’t fully supported on operating system that doesn’t have platform API for FIDO2 like macOS or Linux. There was no PIN protocol support either, so authenticator that has PIN and server that has been configured to force authenticator to validate PIN will not work. On the other hand, Windows 10 have platform API for FIDO2 so it will work out of the box.

To enable our client to work well on macOS, we developed a NodeJS FIDO2Client library that supports PIN protocol. We also published our open sourcecode on Github for those who are interested in developing a cross-platform desktop client using Electron Framework and this is one of our contributions back to the FIDO community.

The source code can be found here. We will port this library to support more programming languages in the future.

VinCSS OpenVPN Client interface


Our life is much easier now as we’re all using passwordless login with FIDO2 authenticator in majority of our applications. However, we still have a long way to go for a vision of a fully passwordless environment because we still have many legacy applications that did not support modern authentication like OAuth2 or closed source desktop applications that prevent us from integrating FIDO2 login interface. Today, big corporations like Google and Microsoft have begun to support passwordless authentication with FIDO2. Hopefully, more and more software vendors will start support FIDO2 authentication for their client in the near future.

The remaining part of our road to go passwordless still lies ahead. It is now time for us to concentrate our effort to apply FIDO2 solution wider within Vingroup and begin to join the FIDO market.

We want to express our gratitude toward FIDO Alliance, which has provided guidance and those pioneering companies have lead the way and share their experience so that a startup like VinCSS have a chance to participate in this historic passwordless transformation process. For our part, we are ready to cooperate with partners, sharing our findings to contribute to a more secure future with the roadmap that FIDO Alliance has been setting out!

No comments:

Post a Comment