CLEF SECURITY ARCHITECTURE
GETCLEF.COM/SECURE
OVERVIEW
Logging in with Clef
1. Unique id sent to browser and displayed as wave
2. Phone’s camera used to scan wave and transfer id
3. Private key on phone used to generate signature with id and timestamp, sent to Clef Server
4. Signature verified and OAuth Code sent to browser
5. Redirect in browser sends OAuth Code to Site Server
6. OAuth Handshake between Clef Server and Site Server
7. User info sent to Site Server
8. User is logged in to site
SETUP
Registration on the Phone
• User downloads app
• Email address confirmed, PIN set up
• 2048-bit RSA key pair generated on phone
• Public key sent to server and stored
• Private key encrypted on device
  • for iOS—KeychainServices for hardware encryption
  • for Android—PIN-based encryption (PKCS#5)
Registering a New Site
• Developer creates account at developer.getclef.com
• Developer receives App ID and App Secret
• <script> tag with App ID embedded in login form
• Standard code to handle OAuth 2.0 Handshake
LOGGING IN
Generating the Clef Wave
• <script> creates “Log in with Clef” button
• On user click, loads iframe from Clef Server
• iframe requests unique id (Session Key)
• Session Key is stored as a signed cookie
• Session Key is displayed as animated barcode, the Clef Wave
Scanning the Clef Wave
• User opens Clef App on their smartphone
• Enters PIN to unlock the app
• On-screen guide instructs user to sync Clef Wave
• Phone’s camera reads Session Key from Clef Wave
Verifying the Signature
• Signature is generated with Session Key, user id, and current timestamp
• Signature is sent to Clef Server over TLS/SSL
• Clef Server verifies signature using stored public key
• Timestamp is checked for recency to prevent replay attacks
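The signing and verification steps above, as an added example (not Clef's own code, Python standard library only): the phone signs the Session Key, user id and timestamp; the server checks the signature against the public key stored at registration, rejects timestamps outside a recency window, and redeems each Session Key once so a captured signature cannot be replayed. The JSON message layout, the 60-second window, the single-use treatment of Session Keys and the `deactivate` hook for the lost-device flow are assumptions; textbook RSA over a SHA-256 digest is a toy stand-in for Clef's 2048-bit RSA with proper padding.

```python
import hashlib
import json
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin for odd n > 3 (toy RSA helper); fine for a demo key only."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(p):
            return p

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the phone keeps (n, d), the server stores (n, e)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def canonical_message(session_key, user_id, timestamp):
    """Fixed field order and separators so phone and server hash identical bytes."""
    payload = {"session_key": session_key, "user_id": user_id, "timestamp": timestamp}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")
def sign(private_key, message):
    n, d = private_key
    return pow(_digest_int(message), d, n)
def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)

class VerificationServer:
    MAX_SKEW = 60  # assumed recency window in seconds; Clef's real value is not given

    def __init__(self, now):
        self.now = now              # clock source, injected so the demo can move time
        self.public_keys = {}       # user_id -> (n, e), stored at registration
        self.open_sessions = set()  # Session Keys shown as a Wave and not yet redeemed

    def register(self, user_id, public_key):
        self.public_keys[user_id] = public_key

    def deactivate(self, user_id):
        """Lost-device flow: wiping the public key makes every later signature fail."""
        self.public_keys.pop(user_id, None)

    def new_session_key(self):
        key = "%032x" % random.getrandbits(128)  # the unique id encoded in the Wave
        self.open_sessions.add(key)
        return key

    def login(self, session_key, user_id, timestamp, signature):
        """Return (ok, reason); only ok=True leads to an OAuth code for the browser."""
        public_key = self.public_keys.get(user_id)
        if public_key is None:
            return False, "unknown user or deactivated device"
        if session_key not in self.open_sessions:
            return False, "session key unknown or already redeemed"
        if abs(self.now() - timestamp) > self.MAX_SKEW:
            return False, "stale timestamp"
        if not verify(public_key, canonical_message(session_key, user_id, timestamp), signature):
            return False, "bad signature"
        self.open_sessions.discard(session_key)  # single use: a replayed signature stops here
        return True, "ok"

def login_demo():
    """One login, a replay of the same signature, then a signature over an old timestamp."""
    clock = [1_700_000_000]
    server = VerificationServer(now=lambda: clock[0])
    public_key, private_key = generate_keypair()
    server.register("user-42", public_key)
    sk = server.new_session_key()
    sig = sign(private_key, canonical_message(sk, "user-42", clock[0]))
    first = server.login(sk, "user-42", clock[0], sig)
    replay = server.login(sk, "user-42", clock[0], sig)
    clock[0] += 600  # ten minutes later: fresh Wave, but the signature covers the old time
    sk2 = server.new_session_key()
    stale = server.login(sk2, "user-42", clock[0] - 600, sign(private_key, canonical_message(sk2, "user-42", clock[0] - 600)))
    return first, replay, stale
```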
OAuth 2.0 Handshake
• Clef server generates OAuth code and pushes to browser using WebSockets
• Browser redirects to site’s specified redirect URL with OAuth code to initiate OAuth 2.0 handshake
• Site Server sends OAuth code, App ID, App Secret to Clef Server for verification
• Clef Server returns OAuth token
• Site Server exchanges OAuth token for user information
Finishing the Login
• Site receives user information from Clef Server, including site-specific identifier (clef_id)
• Site looks up user in database with clef_id
• Site sets a cookie to manage user’s session
• User is redirected to logged-in page
LOGGING OUT
Single Sign Off
• Site specifies a logout webhook URL on developer.getclef.com
• User taps “log out” on phone (or logout timer expires); signed logout request sent to Clef Server
• Clef server notifies each site of the logout via their webhook URL
Database Logout
• Site stores login timestamp as part of session
• When webhook is triggered, site stores time of logout in database
• On page request, site compares both timestamps to determine whether user has logged out
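The Database Logout comparison above, as an added example (not Clef's own code): the site keeps the login time in its session cookie and records the time of the latest logout webhook per clef_id, so one webhook invalidates every console the user was logged in on without enumerating sessions, while a fresh login after the logout is unaffected. The webhook payload shape (just a clef_id), integer-second timestamps taken from the site's own clock, and sqlite3 in memory standing in for the site's SQL database are assumptions.

```python
import sqlite3

class SessionStore:
    """Site-side bookkeeping for Clef's single sign-off (sqlite3 in memory)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE clef_logouts (clef_id TEXT PRIMARY KEY, "
                        "logged_out_at INTEGER NOT NULL)")

    def create_session(self, clef_id, now):
        """Contents of the session cookie set at 'Finishing the Login'."""
        return {"clef_id": clef_id, "logged_in_at": now}

    def on_logout_webhook(self, clef_id, now):
        """Handler behind the logout webhook URL registered on developer.getclef.com.
        Assumed payload: the clef_id of the user who logged out. 'now' is the site's
        own clock at delivery, so both compared timestamps come from one clock."""
        self.db.execute("INSERT OR REPLACE INTO clef_logouts VALUES (?, ?)", (clef_id, now))
        self.db.commit()

    def session_is_live(self, session):
        """Run on every page request: the session is live only if it started
        strictly after the last recorded logout (equal timestamps fail closed)."""
        row = self.db.execute("SELECT logged_out_at FROM clef_logouts WHERE clef_id = ?",
                              (session["clef_id"],)).fetchone()
        return row is None or session["logged_in_at"] > row[0]

def logout_demo():
    """Two consoles, one phone-initiated logout, then a fresh login on a third console."""
    store = SessionStore()
    console_a = store.create_session("clef-123", now=1000)
    console_b = store.create_session("clef-123", now=1010)
    before = (store.session_is_live(console_a), store.session_is_live(console_b))
    store.on_logout_webhook("clef-123", now=1020)   # user taps "log out" on the phone
    after = (store.session_is_live(console_a), store.session_is_live(console_b))
    console_c = store.create_session("clef-123", now=1030)  # user logs in again
    relogin = (store.session_is_live(console_c), store.session_is_live(console_a))
    return before, after, relogin
```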
LOST DEVICE
Deactivating a Lost Device
• A phone can be reported lost or stolen on getclef.com/lost
• Notifications are sent through available channels alerting user of attempted deactivation
• 24 hour wait period before deactivation, can be skipped by verifying through email
• Public key is wiped from Clef Server after wait period or verification
After Deactivation
• Temporary passcode is granted after deactivation
• Passcode can be used to log in at getclef.com
• Because of single sign on, allows access to all connected services
Reactivation
• User reconfirms email address and PIN
• RSA key pair is generated on new device
• New public key is associated with old account
REQUIREMENTS
Smartphone Requirements
• Android or iOS device with camera
• Android minimum SDK version: 2.3
• iOS minimum SDK version: 5.0
• Device must be networked
Verification Server Requirements
• Able to run Python code, SQL database server
• Network-accessible from smartphones and consoles
Console Requirements
• Visual display for Clef Wave
• Networked with access to Verification Server
• Ability to look up users and store timestamps (for logout)
USING CLEF ON AN INTRANET
Replacing OAuth 2.0
• If within a completely trusted environment, no need to do any handshake
• Otherwise, can replace OAuth 2.0 with asymmetric cryptography between Verification Server and Consoles
Networking Devices
• Both phone and console must be able to communicate with Verification Server
• No dependency on Internet
White-labeled App
• Clef functionality wrapped in client app
• Configured to work only within intranet
• BYOD compatible
• Available for iOS and Android devices
OTHER POSSIBLE FEATURES
Device Fingerprinting
• Prevents device spoofing
• Hardware IDs
• Geolocation
• OS-level IDs
• Hardware clock-skew
• Device type and configuration
Geofencing
• Logins will be happening within a small geofence
• Using device location can prevent external attacks
• Force logout when user leaves fence
Automatic Logouts
• As users move from console to console, they must log out each time
• Use geolocation, Bluetooth, or NFC to make this automatic
• Reduce vulnerability through carelessness

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

Clef security architecture

OVERVIEW
Logging in with Clef
1. Unique id sent to browser and displayed as wave
2. Phone’s camera used to scan wave and transfer id
3. Private key on phone used to generate signature with id and timestamp, sent to Clef Server
4. Signature verified and OAuth Code sent to browser
5. Redirect in browser sends OAuth Code to Site Server
6. OAuth Handshake between Clef Server and Site Server
7. User info sent to Site Server
8. User is logged in to site

Registration on the Phone
• User downloads app
• Email address confirmed, PIN set up
• 2048-bit RSA key pair generated on phone
• Public key sent to server and stored
• Private key encrypted on device
• for iOS—KeychainServices for hardware encryption
• for Android—PIN-based encryption (PKCS#5)

Registering a New Site
• Developer creates account at developer.getclef.com
• Developer receives App ID and App Secret
• <script> tag with App ID embedded in login form
• Standard code to handle OAuth 2.0 Handshake

Generating the Clef Wave
• <script> creates “Log in with Clef” button
• On user click, loads iframe from Clef Server
• iframe requests unique id (Session Key)
• Session Key is stored as a signed cookie
• displayed as animated barcode, the Clef Wave

Scanning the Clef Wave
• User opens Clef App on their smartphone
• Enters PIN to unlock the app
• On-screen guide instructs user to sync Clef Wave
• Phone’s camera reads Session Key from Clef Wave

Verifying the Signature
• Signature is generated with Session Key, user id, and current timestamp
• Signature is sent to Clef Server over TLS/SSL
• Clef Server verifies signature using stored public key
• Timestamp is checked for recency to prevent replay attacks
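The phone-side signing and server-side verification described in the "Verifying the Signature" slide, as an added example that is not Clef's own code: the phone signs the Session Key, user id and timestamp with its RSA private key, and the server checks the signature against the stored public key and then rejects timestamps outside a freshness window (the deck does not state Clef's message encoding or window size; the pipe-separated message, the field names and the maxAge parameter are assumptions).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// LoginAssertion is what the phone sends after scanning the wave (field
// names are assumed for this example): Session Key, user id, signing time.
type LoginAssertion struct {
	SessionKey, UserID string
	Timestamp          time.Time
	Signature          []byte
}

// message canonicalises the signed fields so phone and server hash the same bytes.
func message(sessionKey, userID string, ts time.Time) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", sessionKey, userID, ts.Unix()))
}

// Sign runs on the phone with the device private key (2048-bit RSA in the deck).
func Sign(priv *rsa.PrivateKey, sessionKey, userID string, ts time.Time) (LoginAssertion, error) {
	digest := sha256.Sum256(message(sessionKey, userID, ts))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return LoginAssertion{}, err
	}
	return LoginAssertion{sessionKey, userID, ts, sig}, nil
}

// Verify runs on the Clef Server: fetch the stored public key for the user,
// check the signature, then reject timestamps outside the freshness window
// (or from the future) so a captured assertion cannot be replayed later.
func Verify(pubKeys map[string]*rsa.PublicKey, a LoginAssertion, now time.Time, maxAge time.Duration) error {
	pub, ok := pubKeys[a.UserID]
	if !ok {
		return fmt.Errorf("unknown user %q", a.UserID)
	}
	digest := sha256.Sum256(message(a.SessionKey, a.UserID, a.Timestamp))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	if age := now.Sub(a.Timestamp); age < 0 || age > maxAge {
		return fmt.Errorf("stale or future timestamp (age %s)", age)
	}
	return nil
}
```

The timestamp is covered by the signature, so an attacker who captured a valid assertion cannot simply refresh it; the server's window bounds how long a capture stays usable.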
OAuth 2.0 Handshake
• Clef Server generates OAuth code and pushes to browser using WebSockets
• Browser redirects to site’s specified redirect URL with OAuth code to initiate OAuth 2.0 handshake
• Site Server sends OAuth code, App ID, App Secret to Clef Server for verification
• Clef Server returns OAuth token
• Site Server exchanges OAuth token for user information

Finishing the Login
• Site receives user information from Clef Server, including site-specific identifier (clef_id)
• Site looks up user in database with clef_id
• Site sets a cookie to manage user’s session
• User is redirected to logged-in page

Single Sign Off
• Site specifies a logout webhook URL on developer.getclef.com
• User taps “log out” on phone (or logout timer expires), signed logout request sent to Clef Server
• Clef Server notifies each site of the logout via their webhook URL

Database Logout
• Site stores login timestamp as part of session
• When webhook is triggered, site stores time of logout in database
• On page request, site compares both timestamps to determine whether user has logged out
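The timestamp comparison from the "Single Sign Off" and "Database Logout" slides, as an added example that is not Clef's or any site's own code: the webhook handler records the logout time per clef_id, and each page request compares it with the login time stored in the session. The map standing in for the database table, the type names and the handling of out-of-order webhook delivery are assumptions.

```go
package main

import "time"

// Session is the site's own session cookie payload: which clef_id it belongs
// to and when the login happened (names assumed for this example).
type Session struct {
	ClefID  string
	LoginAt time.Time
}

// LogoutStore stands in for the site's database table of logout times,
// one row per clef_id, written by the logout webhook handler.
type LogoutStore map[string]time.Time

// RecordLogout is what the webhook handler calls when the Clef Server
// reports that the user tapped "log out" (or the logout timer expired).
// Keep the latest logout so an out-of-order delivery cannot roll it back.
func (s LogoutStore) RecordLogout(clefID string, at time.Time) {
	if prev, ok := s[clefID]; !ok || at.After(prev) {
		s[clefID] = at
	}
}

// StillLoggedIn is the per-request check: the session is valid only if no
// logout for this clef_id was recorded at or after the session's login time.
// A logout that predates the login belongs to an earlier session and is ignored.
func (s LogoutStore) StillLoggedIn(sess Session) bool {
	out, ok := s[sess.ClefID]
	if !ok {
		return true
	}
	return out.Before(sess.LoginAt)
}
```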
Deactivating a Lost Device
• A phone can be reported lost or stolen on getclef.com/lost
• Notifications are sent through available channels alerting user of attempted deactivation
• 24-hour wait period before deactivation, can be skipped by verifying through email
• Public key is wiped from Clef Server after wait period or verification

After Deactivation
• Temporary passcode is granted after deactivation
• Passcode can be used to log in at getclef.com
• Because of single sign on, allows access to all connected services

Reactivation
• User reconfirms email address and PIN
• RSA key pair is generated on new device
• New public key is associated with old account

Smartphone Requirements
• Android or iOS device with camera
• Android minimum SDK version: 2.3
• iOS minimum SDK version: 5.0
• Device must be networked

Verification Server Requirements
• Able to run Python code, SQL database server
• Network-accessible from smartphones and consoles

Console Requirements
• Visual display for Clef Wave
• Networked with access to Verification Server
• Ability to look up users and store timestamps (for logout)

USING CLEF ON AN INTRANET

Replacing OAuth 2.0
• If within a completely trusted environment, no need to do any handshake
• Otherwise, can replace OAuth 2.0 with asymmetric cryptography between Verification Server and Consoles

Networking Devices
• Both phone and console must be able to communicate with Verification Server
• No dependency on Internet

White-labeled App
• Clef functionality wrapped in client app
• Configured to work only within intranet
• BYOD compatible
• Available for iOS and Android devices

Device Fingerprinting
• Prevents device spoofing
• Hardware IDs
• Geolocation
• OS-level IDs
• Hardware clock-skew
• Device type and configuration

Geofencing
• Logins will be happening within a small geofence
• Using device location can prevent external attacks
• Force logout when user leaves fence

Automatic Logouts
• As users move from console to console, they must log out each time
• Use geolocation, Bluetooth, or NFC to make this automatic
• Reduce vulnerability through carelessness