Keeping passwords in your pocket: Managing password locally with mobile fingerprint sensors
Pin-Yen Lin*
National Taiwan University
Zhong-Yi Zhou*
National Taiwan University
Chun-Ming Chang
National Taiwan University
Hung-Wei Chen
National Taiwan University
Shu-Po Tung
National Taiwan University
Hsu-Chun Hsiao
National Taiwan University
ABSTRACT
Password managers allow users to use strong and unique passwords online. However, users have to either trust a third-party service to manage their passwords or manually synchronize passwords among local devices. To relax the trust assumption while maintaining usability, in this work we develop a password manager that stores passwords on the user's mobile phone. The passwords are unlocked with the user's fingerprint and sent, encrypted, to other devices such as a desktop browser. Our implementation uses the iOS Local Authentication API for biometric authentication and Firebase Cloud Messaging to deliver the password to the browser.
ACM Reference Format:
Pin-Yen Lin*, Zhong-Yi Zhou*, Chun-Ming Chang, Hung-Wei Chen, Shu-Po Tung, and Hsu-Chun Hsiao. 2020. Keeping passwords in your pocket: Managing password locally with mobile fingerprint sensors. In Companion Proceedings of the Web Conference 2020 (WWW ’20 Companion), April 20–24, 2020, Taipei, Taiwan. ACM, New York, NY, USA, 2 pages. https://doi.org/10.1145/3366424.3382730
1 INTRODUCTION
Passwords have been the primary web authentication mechanism for decades. As the number of web services grows, many users are forced to use similar or identical passwords because they cannot memorize more. Password reuse severely weakens web security and is one of the most common vulnerabilities on the Internet [5].
Therefore, password managers, such as iCloud [3], 1Password [1], and Google Password Manager, are widely regarded as the remedy: they create and/or manage strong, unique passwords on the user's behalf. Although password managers alleviate the password reuse problem, they introduce new security and usability challenges. Users have to either trust a third-party service to manage their passwords or manually synchronize passwords among local devices.
In this work, we design and implement a new password management system based on mobile fingerprint authentication. Our password manager retrieves passwords without entrusting them to any third party while keeping both security and usability high. We have published our implementation and demonstration on GitHub1.
1https://github.com/FPPasswordManager/FingerprintPasswordManager
*This work was done while the first and the second authors studied at NTU.
This paper is published under the Creative Commons Attribution 4.0 International (CC-BY 4.0) license. Authors reserve their rights to disseminate the work on their personal and corporate Web sites with the appropriate attribution.
WWW ’20 Companion, April 20–24, 2020, Taipei, Taiwan
© 2020 IW3C2 (International World Wide Web Conference Committee), published under Creative Commons CC-BY 4.0 License.
ACM ISBN 978-1-4503-7024-0/20/04.
https://doi.org/10.1145/3366424.3382730
Figure 1: The registration step of our system workflow.
2 RELATED WORK
Existing password managers can be categorized into three types based on where they store the passwords and keys.
Local storage of passwords: Several password managers (e.g., KeePass Password Safe [4] and the built-in iOS password manager without iCloud syncing) store sensitive information on the local machine. These password managers provide high security but low portability: all sensitive information stays on the user's own machine, but there is no efficient or easy-to-use way to log in from other devices.
Remote storage of private key and encrypted password:
Some password managers (e.g., Dashlane [2]) store all the sensitive information on a remote server. This provides high usability because users only need to remember the master password and can use the service on any device on which the password manager is installed. However, the passwords live on the remote server, and the user must trust the third party to properly secure both the stored passwords and the user's other information.
Remote storage of encrypted password and local storage of users’ master password: Some password managers (e.g., 1Password [1]) store the encrypted passwords on a remote server and derive the encryption key from the user's master password. They therefore provide both portability and security, because the service itself cannot decrypt the passwords. However, the strength of the encryption key depends entirely on the strength of the master password, which means the user has to memorize a complex master password.
3 SYSTEM DESIGN
3.1 System overview
There are three major components in our system: Server, browser, and app.
Firebase Server: Firebase is a mobile/web development platform operated by Google. We use the Cloud Messaging feature offered by Firebase to relay messages between the browser and the app; confidentiality of the relayed password does not rely on Firebase but on the one-time pad described below. To use Firebase, a service (e.g., the browser extension in our system) needs to apply for a Firebase registration ID, by which others can uniquely identify the service and forward messages to it. We explain how we integrate with Firebase in detail in Section 3.2.

Figure 2: Workflow of password manager
Browser Extension: The browser extension is the web-side user interface of our password manager. It exchanges messages with the Firebase server and the mobile app, and automatically fills the password into the web page. To deliver a message from the extension to the app without going through the network, the extension shows the message as a QR code, which the app captures with the phone's camera.
Mobile App: The app stores the passwords and sends them on request. In our prototype, the passwords are stored in plaintext because the iOS Touch ID recognition API only returns a Boolean value, so no key can be derived from the fingerprint; the fingerprint check therefore gates access to the app, while protection of the stored data rests on the iOS device itself. Although passwords are stored in plaintext, each password is encrypted in transit with a one-time pad using a session key generated by the extension. For the pad to remain one-time, the session key must be at least as long as the password and must never be used for more than one message.
3.2 System workflow
Registration: As shown in Figure 1, the extension applies for a registration ID from the Firebase server and then displays this ID as a QR code. Once the app has obtained the registration ID by scanning the QR code, it can address messages to the extension via that ID.
Sending: Figure 2 shows our system workflow. Whenever the user wants to use our password manager, the user opens the extension, which generates a QR code containing the URL of the site and the session key for the one-time pad. After scanning this QR code, the app sends the password encrypted with the one-time pad under the key from the QR code. The extension decrypts the ciphertext with the same key and fills it into the password field.
4 SECURITY ANALYSIS
We consider two types of attackers in our threat model:
•The passive attacker eavesdrops on the communication channels, including the QR code and the web channel.
•The active attacker tries to forge or replay messages to trick users into leaking their own secrets (man-in-the-middle attack).
Following our motivation, we assume cloud services (e.g., Firebase) are honest-but-curious. That is, the cloud services follow the protocol but may record messages. We briefly explain why these attacks are prevented in our system.
4.1 Attacker eavesdrops messages
If the attacker captures the QR code shown by the browser extension, the attacker learns only the one-time-pad key and the URL. If the attacker captures the ciphertext from the web channel, he cannot decrypt it without the one-time-pad key. Consequently, the only way to obtain the password is to capture both the QR code and the matching ciphertext of the same session.
4.2 Attacker forges fake password requests
Since the app only receives messages by scanning QR codes, a MITM attacker cannot send any request to the app directly. The only way to mount a MITM attack is to forge a QR code and trick the user into scanning it. If the user scans the forged QR code and sends the password, the password will be encrypted under the attacker's key, but it is still delivered to the registration ID the app learned during registration, so the attacker cannot receive it in his own browser. The attacker succeeds only if he can also eavesdrop on the message in Firebase or trick the user into registering the attacker's extension.
5 CONCLUSIONS AND FUTURE WORK
Table 1 summarizes the comparison between our password manager and the other types, based on the evaluation framework developed by Bonneau et al. [6]. Memory effort indicates whether users have to memorize a secret. Encryption method indicates how passwords are protected while they are transmitted from the password manager to the web page.
Table 1: Comparison with other types of password managers

                     | Our Design               | Local storage              | Remote storage             | Local master key
Trusted third party  | No                       | No                         | Yes                        | No
Encryption method    | Random session key / OTP | Master key / modern crypto | Master key / modern crypto | Master key / modern crypto
Memory effort        | No                       | Memorize master key        | Memorize master key        | Memorize master key
This work proposes a new password manager based on fingerprint authentication, one-time pad encryption with QR codes for key delivery, and password storage on the mobile phone. In future work, we plan to derive a key for encrypting the stored passwords from the user's fingerprint, and to add password syncing between mobile phones on top of the current system design.
REFERENCES
[1] 1Password. https://1password.com. Accessed: 2020-01-18.
[2] Dashlane. https://www.dashlane.com/. Accessed: 2020-01-18.
[3] iCloud - Apple. https://www.apple.com/tw/icloud/. Accessed: 2020-01-18.
[4] KeePass Password Safe. https://keepass.info/. Accessed: 2020-01-18.
[5] Anupam Das, Joseph Bonneau, Matthew Caesar, Nikita Borisov, and XiaoFeng Wang. 2014. The Tangled Web of Password Reuse. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
[6] Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proceedings of the IEEE Symposium on Security and Privacy.