QR2Pass-project - A proof of concept for an alternative (passwordless) authentication system to a web server

Overview

QR2Pass

This is a proof of concept for an alternative (passwordless) authentication system to a web server. The authentication is based on public key cryptographic challenges, that can correctly responded only by the owner of the private key. Challenges are presented in the form of a QR code which are scanned by the mobile app.

The project is based on the procedure proposed by the Snap2Pass paper, but not on the corresponding implementation. In contrast to Snap2Pass, it offers only public key authentication (i.e no shared secret) and there is no OpenID integration.

The server is written in Django and the client (mobile app) is written in Swift for the iOS platform

You can check an online version of the server here

Overview

During registration, user provides their public key to the server. For authentication, server presents a challenge (unique nonce that expires after 60 seconds). User needs to sign the challenge with their private key part. Server verifies the signature and if it's valid, user is authenticated into the web site.

The web app consists of 2 parts:

  • the core app that handles the web view (what users sees in their browser)
  • the api app that handles the out-of-band communication (to/from the mobile app)

Protocol overview

To complete the registration request, or to initate a login process, the web app (core) constructs QR codes that are scanned by the mobile app

register QR

the registration QR has the following info:

   {
       "version": Int, 
       "email": String, 
       "nonce": String,
       "provider": URL, 
       "respond_to": URL,
       "action": action enum //action.register 
   }
  • version: version of the prorocol (currently ignored)
  • email: the email provided in the registration form. It is currently used as a user identifier
  • nonce: a unique nonce (used to avoid replay attacks)
  • provider: base url for the site (this is the identifier for the site)
  • respond_to: where the client should send its response
  • action: either login or register (register in this case, duh!)

login QR

the login QR has a very similar schema:

    {
        "version": Int,
        "challenge": String,
        "validTill": Date, 
        "provider": URL, 
        "respond_to": URL,
        "action": action.login //action.login 
    }

email, is not provided by the server, but in the client's request (from the mobile app)

Out of band requests/responses

We define as out-of-band the requests between the mobile app and the server (api part) Browser - server (core part) is in-band

Registration

A user needs first to head to the registration page (in their browser) where they are asked for their email. If the email is valid and not already used, a registration QR code is presented (for 60 seconds). The user uses the mobile app to scan the QR code.
The app decodes the QR code (see register schema above) and extracts the URL from the "respond_to field"
If there is no registration data in the app for this site (defined by the "provider" field), it will then send a register request to this URL using the following schema:

    {
        "version": Int,
        "email": String,
        "public_key": String, 
        "nonce": String 
    }
  • version: version of the prorocol (currently ignored)
  • email: the user's email
  • public_key: the user's public key
  • nonce: the nonce offered by the server

Upon receiving the request, the server will perform the following checks:

  • request has the valid schema
  • the nonce received is a valid one and has not expired.
  • the nonce received, corresponds to the specific user.

If the checks are succesful, server creates a user in its DB and redirects the browser to login page

Server responds using the following schema (out-of-band):

    {
        "version": Int,
        "email": String,
        "status": String, 
        "response_text": String 
    }
  • status: "ok"/"nok"
  • response_text: a message showing more info about the status (e.g "invalid token")

Loging in

A previously registered user can head to the login page to log in. A QR is presented (for 60 seconds) The user uses the mobile app to scan the QR code.
The app decodes the QR code (see login schema above) and extracts the URL from the "respond_to field".
If there is registration data in the app for this site (defined by the "provider" field), it will then send a register request to this URL using the following schema:

{

    "version": Int,
    "username": String,
    "challenge": String, 
    "response": String 

}
  • username: the email of the user
  • challenge: the nonce provided by the server
  • response: the nonce signed by the private key of the user

Similarly to registration process, server will make some initial checks on the request (valid schema and nonce, etc). If the intial checks succeed, the signed challenge will be checked against the public key of the user (stored during the registration process). If all checks are succesful, user is authenticated in the backend and the browser will be redirected to the user page.

Server responds to the app with a repsonse using the same response schema as the in the registration process

Running the project

Client

The ios app doesn't use any external libraries and it is compatible to ios > 12.4
Keep in mind that iOS won't accept initiating unsecure connections (plain HTTP). See here for more information and ways to circumvent that, in case you want to test this locally.
Alternatively, you can use ngrok to map an external https endpoint to your local machine

Server

pre-requisites

The server uses redis for Django channels backend and for temporary storage (nonces), so you need to have redis running locally or remotely.
It also uses daphne as an asynchronous server. You can invoke daphne by running:

daphne qr2pass.asgi:application --port <PORT> --bind 0.0.0.0 -v2

but locally you can also use the usual runserver command:

python manage.py runserver

requirements

  • create a virtual environment
  • activate it
  • pip3 install -r requirements.txt

Settings

The default settings are defined in the settings/defaults.py file.
You need to fill in some additional settings corresponding to your deployment environment (see deployment-template.py) and define the DJANGO_SETTINGS_MODULE environmental variable for details) to point to your settings (see here)

Parameter-ensemble-differential-evolution - Shows how to do parameter ensembling using differential evolution.

Ensembling parameters with differential evolution This repository shows how to ensemble parameters of two trained neural networks using differential e

Sayak Paul 9 May 04, 2022
Python Environment for Bayesian Learning

Pebl is a python library and command line application for learning the structure of a Bayesian network given prior knowledge and observations. Pebl in

Abhik Shah 103 Jul 14, 2022
DISTIL: Deep dIverSified inTeractIve Learning.

DISTIL: Deep dIverSified inTeractIve Learning. An active/inter-active learning library built on py-torch for reducing labeling costs.

decile-team 110 Dec 06, 2022
Compact Bidirectional Transformer for Image Captioning

Compact Bidirectional Transformer for Image Captioning Requirements Python 3.8 Pytorch 1.6 lmdb h5py tensorboardX Prepare Data Please use git clone --

YE Zhou 19 Dec 12, 2022
[CVPR 2021] MetaSAug: Meta Semantic Augmentation for Long-Tailed Visual Recognition

MetaSAug: Meta Semantic Augmentation for Long-Tailed Visual Recognition (CVPR 2021) arXiv Prerequisite PyTorch = 1.2.0 Python3 torchvision PIL argpar

51 Nov 11, 2022
A custom-designed Spider Robot trained to walk using Deep RL in a PyBullet Simulation

SpiderBot_DeepRL Title: Implementation of Single and Multi-Agent Deep Reinforcement Learning Algorithms for a Walking Spider Robot Authors(s): Arijit

Arijit Dasgupta 9 Jul 28, 2022
🔅 Shapash makes Machine Learning models transparent and understandable by everyone

🎉 What's new ? Version New Feature Description Tutorial 1.6.x Explainability Quality Metrics To help increase confidence in explainability methods, y

MAIF 2.1k Dec 27, 2022
Consensus score for tripadvisor

ContripScore ContripScore is essentially a score that combines an Internet platform rating and a consensus rating from sentiment analysis (For instanc

Pepe 1 Jan 13, 2022
TrTr: Visual Tracking with Transformer

TrTr: Visual Tracking with Transformer We propose a novel tracker network based on a powerful attention mechanism called Transformer encoder-decoder a

趙 漠居(Zhao, Moju) 66 Dec 27, 2022
Fuzzer for Linux Kernel Drivers

difuze: Fuzzer for Linux Kernel Drivers This repo contains all the sources (including setup scripts), you need to get difuze up and running. Tested on

seclab 344 Dec 27, 2022
Official implementation of CrossViT: Cross-Attention Multi-Scale Vision Transformer for Image Classification

CrossViT This repository is the official implementation of CrossViT: Cross-Attention Multi-Scale Vision Transformer for Image Classification. ArXiv If

International Business Machines 168 Dec 29, 2022
ICCV2021 Expert-Goal Trajectory Prediction

ICCV 2021: Where are you heading? Dynamic Trajectory Prediction with Expert Goal Examples This repository contains the code for the paper Where are yo

hz 21 Dec 12, 2022
Run PowerShell command without invoking powershell.exe

PowerLessShell PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. You can also ex

Mr.Un1k0d3r 1.2k Jan 03, 2023
Physics-Aware Training (PAT) is a method to train real physical systems with backpropagation.

Physics-Aware Training (PAT) is a method to train real physical systems with backpropagation. It was introduced in Wright, Logan G. & Onodera, Tatsuhiro et al. (2021)1 to train Physical Neural Networ

McMahon Lab 230 Jan 05, 2023
FLVIS: Feedback Loop Based Visual Initial SLAM

FLVIS Feedback Loop Based Visual Inertial SLAM 1-Video EuRoC DataSet MH_05 Handheld Test in Lab FlVIS on UAV Platform 2-Relevent Publication: Under Re

UAV Lab - HKPolyU 182 Dec 04, 2022
Part-aware Measurement for Robust Multi-View Multi-Human 3D Pose Estimation and Tracking

Part-aware Measurement for Robust Multi-View Multi-Human 3D Pose Estimation and Tracking Part-Aware Measurement for Robust Multi-View Multi-Human 3D P

19 Oct 27, 2022
Similarity-based Gray-box Adversarial Attack Against Deep Face Recognition

Similarity-based Gray-box Adversarial Attack Against Deep Face Recognition Introduction Run attack: SGADV.py Objective function: foolbox/attacks/gradi

1 Jul 18, 2022
A PaddlePaddle version image model zoo.

Paddle-Image-Models English | 简体中文 A PaddlePaddle version image model zoo. Install Package Install by pip: $ pip install ppim Install by wheel package

AgentMaker 131 Dec 07, 2022
A GridMixup augmentation, inspired by GridMask and CutMix

GridMixup A GridMixup augmentation, inspired by GridMask and CutMix Easy install pip install git+https://github.com/IlyaDobrynin/GridMixup.git Overvie

IlyaDo 42 Dec 28, 2022
Code release for our paper, "SimNet: Enabling Robust Unknown Object Manipulation from Pure Synthetic Data via Stereo"

SimNet: Enabling Robust Unknown Object Manipulation from Pure Synthetic Data via Stereo Thomas Kollar, Michael Laskey, Kevin Stone, Brijen Thananjeyan

68 Dec 14, 2022