Clef security architecture

CLEF SECURITY ARCHITECTURE
GETCLEF.COM/SECURE

OVERVIEW

Logging in with Clef
1. Unique id sent to browser and displayed as wave
2. Phone’s camera used to scan wave and transfer id
3. Private key on phone used to generate signature with id and timestamp, sent to Clef Server
4. Signature verified and OAuth Code sent to browser
5. Redirect in browser sends OAuth Code to Site Server
6. OAuth Handshake between Clef Server and Site Server
7. User info sent to Site Server
8. User is logged in to site

SETUP

Registration on the Phone
• User downloads app
• Email address confirmed, PIN set up
• 2048-bit RSA key pair generated on phone
• Public key sent to server and stored
• Private key encrypted on device
  • for iOS—KeychainServices for hardware encryption
  • for Android—PIN-based encryption (PKCS#5)

Registering a New Site
• Developer creates account at developer.getclef.com
• Developer receives App ID and App Secret
• <script> tag with App ID embedded in login form
• Standard code to handle OAuth 2.0 Handshake

LOGGING IN

Generating the Clef Wave
• <script> creates “Log in with Clef” button
• On user click, loads iframe from Clef Server
• iframe requests unique id (Session Key)
• Session Key is stored as a signed cookie
• Session Key is displayed as animated barcode, the Clef Wave

Scanning the Clef Wave
• User opens Clef App on their smartphone
• Enters PIN to unlock the app
• On-screen guide instructs user to sync Clef Wave
• Phone’s camera reads Session Key from Clef Wave

Verifying the Signature
• Signature is generated with Session Key, user id, and current timestamp
• Signature is sent to Clef Server over TLS/SSL
• Clef Server verifies signature using stored public key
• Timestamp is checked for recency to prevent replay attacks
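The phone-side signing and the server-side verification described in the overview (step 3) and in this section, written out as an added example. This is not Clef's code; it assumes the `cryptography` package for RSA (the slides do not name a library), RSA-PSS with SHA-256 as the signature scheme, a canonical JSON encoding of the signed fields, and a 60-second recency window. All of those are assumptions; the slides only say a 2048-bit RSA signature over the Session Key, user id and timestamp is checked for recency.

```python
import json
import time

# Assumption: the `cryptography` package is installed (pip install cryptography).
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed recency window; the slides only say the timestamp is checked for recency.
MAX_SKEW_SECONDS = 60

# Assumed signature scheme: RSA-PSS with SHA-256.
_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def canonical_message(session_key: str, user_id: str, timestamp: int) -> bytes:
    """Fixed byte encoding of the signed fields (sorted keys, no whitespace),
    so phone and server hash exactly the same bytes."""
    fields = {"session_key": session_key, "user_id": user_id, "timestamp": timestamp}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def generate_phone_keypair():
    """Registration: 2048-bit RSA key pair created on the phone; only the public half leaves it."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def phone_sign(private_key, session_key: str, user_id: str, timestamp: int) -> bytes:
    """Step 3: the phone signs Session Key + user id + current timestamp with its private key."""
    return private_key.sign(canonical_message(session_key, user_id, timestamp), _PSS, hashes.SHA256())


class ClefVerifier:
    """Clef Server side: stored public keys, signature check, recency check, one-time session keys."""

    def __init__(self, max_skew: int = MAX_SKEW_SECONDS):
        self.public_keys = {}          # user_id -> public key stored at registration
        self.used_session_keys = set() # session keys already consumed by a successful login
        self.max_skew = max_skew

    def register(self, user_id: str, public_key) -> None:
        self.public_keys[user_id] = public_key

    def verify_login(self, user_id, session_key, timestamp, signature, now=None):
        """Returns (accepted, reason). Checks run cheapest-to-most-informative:
        key lookup, signature, timestamp recency, then session-key reuse."""
        now = time.time() if now is None else now
        public_key = self.public_keys.get(user_id)
        if public_key is None:
            return False, "unknown user"
        try:
            public_key.verify(signature, canonical_message(session_key, user_id, timestamp),
                              _PSS, hashes.SHA256())
        except InvalidSignature:
            return False, "bad signature"
        if abs(now - timestamp) > self.max_skew:
            return False, "stale timestamp"
        # A recency window alone still allows replay inside the window; each Session Key
        # is a unique id for one login attempt, so consuming it closes that gap.
        if session_key in self.used_session_keys:
            return False, "session key already used"
        self.used_session_keys.add(session_key)
        return True, "ok"


if __name__ == "__main__":
    priv, pub = generate_phone_keypair()
    verifier = ClefVerifier()
    verifier.register("user-42", pub)
    sig = phone_sign(priv, "sk-1", "user-42", 1000)
    print(verifier.verify_login("user-42", "sk-1", 1000, sig, now=1010))
    print(verifier.verify_login("user-42", "sk-1", 1000, sig, now=1011))
```

Because the signature covers the timestamp, an attacker who captures one message cannot refresh it; because the Session Key is consumed on first use, the message cannot be replayed even within the skew window.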

OAuth 2.0 Handshake
• Clef server generates OAuth code and pushes to browser using WebSockets
• Browser redirects to site’s specified redirect URL with OAuth code to initiate OAuth 2.0 handshake
• Site Server sends OAuth code, App ID, App Secret to Clef Server for verification
• Clef Server returns OAuth token
• Site Server exchanges OAuth token for user information

Finishing the Login
• Site receives user information from Clef Server, including site-specific identifier (clef_id)
• Site looks up user in database with clef_id
• Site sets a cookie to manage user’s session
• User is redirected to logged-in page
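The code exchange and login completion from the two sections above (overview steps 4 through 8), modelled as an added example with both parties in one process. This is not Clef's or any site's code. Assumptions not on the slides: a 60-second code lifetime, single-use codes, the App Secret compared in constant time, and clef_id derived as an HMAC of (App ID, user id) so that two sites receive different identifiers for the same user.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy value: how long an issued OAuth code may be exchanged.
CODE_TTL_SECONDS = 60


class ClefAuthServer:
    """Clef Server side of the OAuth 2.0 handshake."""

    def __init__(self, id_secret: bytes):
        self.id_secret = id_secret  # assumption: key used to derive site-specific clef_ids
        self.apps = {}              # app_id -> {"secret", "redirect_url"} from developer.getclef.com
        self.codes = {}             # code -> {"app_id", "user_id", "issued"}
        self.tokens = {}            # token -> {"app_id", "user_id"}

    def register_app(self, app_id: str, app_secret: str, redirect_url: str) -> None:
        self.apps[app_id] = {"secret": app_secret, "redirect_url": redirect_url}

    def clef_id_for(self, app_id: str, user_id: str) -> str:
        """Assumption: clef_id = HMAC(id_secret, app_id:user_id), unlinkable across sites."""
        return hmac.new(self.id_secret, f"{app_id}:{user_id}".encode(), hashlib.sha256).hexdigest()

    def issue_code(self, app_id: str, user_id: str, now=None):
        """Step 4: after the phone signature verifies, mint a one-time code and the
        redirect URL the browser is sent to (step 5)."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"app_id": app_id, "user_id": user_id, "issued": now}
        return code, f"{self.apps[app_id]['redirect_url']}?code={code}"

    def exchange_code(self, app_id: str, app_secret: str, code: str, now=None):
        """Step 6: Site Server presents code + App ID + App Secret. Returns a token or None."""
        now = time.time() if now is None else now
        app = self.apps.get(app_id)
        if app is None or not hmac.compare_digest(app["secret"], app_secret):
            return None                               # wrong credentials: code stays unconsumed
        record = self.codes.pop(code, None)           # pop: a code can be exchanged once only
        if record is None or record["app_id"] != app_id:
            return None                               # unknown code, or code issued to another app
        if now - record["issued"] > CODE_TTL_SECONDS:
            return None                               # expired
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"app_id": app_id, "user_id": record["user_id"]}
        return token

    def user_info(self, token: str):
        """Step 7: token -> user information carrying the site-specific clef_id."""
        rec = self.tokens.get(token)
        if rec is None:
            return None
        return {"clef_id": self.clef_id_for(rec["app_id"], rec["user_id"])}


class SiteServer:
    """The relying site: exchanges the code, looks the user up by clef_id, starts a session."""

    def __init__(self, clef: ClefAuthServer, app_id: str, app_secret: str):
        self.clef, self.app_id, self.app_secret = clef, app_id, app_secret
        self.users = {}     # clef_id -> local username (stands in for the site's database)
        self.sessions = {}  # session cookie value -> {"clef_id", "logged_in_at"}

    def complete_login(self, code: str, now=None):
        """Steps 5 to 8. Returns the session cookie value, or None if login is refused."""
        now = time.time() if now is None else now
        token = self.clef.exchange_code(self.app_id, self.app_secret, code, now)
        if token is None:
            return None
        info = self.clef.user_info(token)
        if info is None or info["clef_id"] not in self.users:
            return None                               # unknown user; a real site would start sign-up
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"clef_id": info["clef_id"], "logged_in_at": now}
        return cookie


if __name__ == "__main__":
    clef = ClefAuthServer(b"constructed-id-secret")
    clef.register_app("app123", "s3cret", "https://site.example/clef/callback")
    site = SiteServer(clef, "app123", "s3cret")
    site.users[clef.clef_id_for("app123", "user-42")] = "alice"
    code, redirect = clef.issue_code("app123", "user-42")
    print(redirect)
    print(site.complete_login(code) is not None)
```

The order of checks in `exchange_code` matters: credentials are verified before the code is consumed, so a third party who learns a code but not the App Secret cannot burn it, while a correct exchange removes it so the browser redirect cannot be replayed.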

LOGGING OUT

Single Sign Off
• Site specifies a logout webhook URL on developer.getclef.com
• User taps “log out” on phone (or logout timer expires); signed logout request sent to Clef Server
• Clef server notifies each site of the logout via their webhook URL

Database Logout
• Site stores login timestamp as part of session
• When webhook is triggered, site stores time of logout in database
• On page request, site compares both timestamps to determine whether user has logged out
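The site-side half of Single Sign Off and Database Logout, as an added example (not Clef's or any site's code). Assumptions beyond the slides: the webhook body is JSON containing the clef_id, Clef signs it with an HMAC-SHA256 over a shared secret so the site can reject forged notifications, and both timestamps come from the site's own clock so that clock skew between Clef and the site cannot invalidate a comparison.

```python
import hashlib
import hmac
import json
import secrets


def sign_webhook_body(secret: bytes, body: bytes) -> str:
    """Assumed sender-side signing of the webhook body (what Clef would attach as a header)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class SiteSessionStore:
    """Session state a Clef-enabled site keeps, plus the logout webhook handler."""

    def __init__(self, webhook_secret: bytes):
        self.webhook_secret = webhook_secret  # assumption: shared secret for webhook signatures
        self.sessions = {}                    # cookie -> {"clef_id", "logged_in_at"}
        self.logouts = {}                     # clef_id -> site time of the most recent logout

    def start_session(self, clef_id: str, now: float) -> str:
        """Login: the session records when it was created (the "login timestamp")."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"clef_id": clef_id, "logged_in_at": now}
        return cookie

    def logout_webhook(self, body: bytes, signature_hex: str, now: float) -> bool:
        """Handle Clef's logout notification. Returns True if it was accepted."""
        expected = sign_webhook_body(self.webhook_secret, body)
        if not hmac.compare_digest(expected, signature_hex):
            return False                      # forged or corrupted notification: ignore it
        clef_id = json.loads(body)["clef_id"]
        self.logouts[clef_id] = now           # "site stores time of logout in database"
        return True

    def is_logged_in(self, cookie: str) -> bool:
        """Per-request check: a session is dead if the user logged out at or after its login time."""
        session = self.sessions.get(cookie)
        if session is None:
            return False
        last_logout = self.logouts.get(session["clef_id"])
        if last_logout is not None and last_logout >= session["logged_in_at"]:
            self.sessions.pop(cookie, None)   # drop the dead session so the cookie is not reusable
            return False
        return True


if __name__ == "__main__":
    store = SiteSessionStore(b"constructed-webhook-secret")
    cookie = store.start_session("cid-1", now=1000)
    body = b'{"clef_id": "cid-1"}'
    store.logout_webhook(body, sign_webhook_body(b"constructed-webhook-secret", body), now=1005)
    print(store.is_logged_in(cookie))        # False: logout happened after login
```

Comparing timestamps rather than deleting sessions means a logout also covers sessions the site has not seen since (several consoles, several browser tabs), and a login that happens after the logout is unaffected because its login timestamp is later. A site that accepts this webhook should also rate-limit it and reject stale or duplicate deliveries, since an unauthenticated endpoint would let anyone log users out.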

LOST DEVICE

Deactivating a Lost Device
• A phone can be reported lost or stolen on getclef.com/lost
• Notifications are sent through available channels alerting user of attempted deactivation
• 24 hour wait period before deactivation, can be skipped by verifying through email
• Public key is wiped from Clef Server after wait period or verification

After Deactivation
• Temporary passcode is granted after deactivation
• Passcode can be used to log in at getclef.com
• Because of single sign on, allows access to all connected services

Reactivation
• User reconfirms email address and PIN
• RSA key pair is generated on new device
• New public key is associated with old account

REQUIREMENTS

Smartphone Requirements
• Android or iOS device with camera
• Android minimum SDK version: 2.3
• iOS minimum SDK version: 5.0
• Device must be networked

Verification Server Requirements
• Able to run Python code, SQL database server
• Network-accessible from smartphones and consoles

Console Requirements
• Visual display for Clef Wave
• Networked with access to Verification Server
• Ability to look up users and store timestamps (for logout)

USING CLEF ON AN INTRANET

Replacing OAuth 2.0
• If within a completely trusted environment, no need to do any handshake
• Otherwise, can replace OAuth 2.0 with asymmetric cryptography between Verification Server and Consoles

Networking Devices
• Both phone and console must be able to communicate with Verification Server
• No dependency on Internet

White-labeled App
• Clef functionality wrapped in client app
• Configured to work only within intranet
• BYOD compatible
• Available for iOS and Android devices

OTHER POSSIBLE FEATURES

Device Fingerprinting
• Prevents device spoofing
• Hardware IDs
• Geolocation
• OS-level IDs
• Hardware clock-skew
• Device type and configuration

Geofencing
• Logins will be happening within a small geofence
• Using device location can prevent external attacks
• Force logout when user leaves fence

Automatic Logouts
• As users move from console to console, they must log out each time
• Use geolocation, Bluetooth, or NFC to make this automatic
• Reduce vulnerability through carelessness