QR2Pass-project - A proof of concept for an alternative (passwordless) authentication system to a web server

Related tags

Deep LearningQR2Pass-project
Overview

QR2Pass

This is a proof of concept for an alternative (passwordless) authentication system to a web server. The authentication is based on public key cryptographic challenges, that can correctly responded only by the owner of the private key. Challenges are presented in the form of a QR code which are scanned by the mobile app.

The project is based on the procedure proposed by the Snap2Pass paper, but not on the corresponding implementation. In contrast to Snap2Pass, it offers only public key authentication (i.e no shared secret) and there is no OpenID integration.

The server is written in Django and the client (mobile app) is written in Swift for the iOS platform

You can check an online version of the server here

Overview

During registration, user provides their public key to the server. For authentication, server presents a challenge (unique nonce that expires after 60 seconds). User needs to sign the challenge with their private key part. Server verifies the signature and if it's valid, user is authenticated into the web site.

The web app consists of 2 parts:

  • the core app that handles the web view (what users sees in their browser)
  • the api app that handles the out-of-band communication (to/from the mobile app)

Protocol overview

To complete the registration request, or to initate a login process, the web app (core) constructs QR codes that are scanned by the mobile app

register QR

the registration QR has the following info:

   {
       "version": Int, 
       "email": String, 
       "nonce": String,
       "provider": URL, 
       "respond_to": URL,
       "action": action enum //action.register 
   }
  • version: version of the prorocol (currently ignored)
  • email: the email provided in the registration form. It is currently used as a user identifier
  • nonce: a unique nonce (used to avoid replay attacks)
  • provider: base url for the site (this is the identifier for the site)
  • respond_to: where the client should send its response
  • action: either login or register (register in this case, duh!)

login QR

the login QR has a very similar schema:

    {
        "version": Int,
        "challenge": String,
        "validTill": Date, 
        "provider": URL, 
        "respond_to": URL,
        "action": action.login //action.login 
    }

email, is not provided by the server, but in the client's request (from the mobile app)

Out of band requests/responses

We define as out-of-band the requests between the mobile app and the server (api part) Browser - server (core part) is in-band

Registration

A user needs first to head to the registration page (in their browser) where they are asked for their email. If the email is valid and not already used, a registration QR code is presented (for 60 seconds). The user uses the mobile app to scan the QR code.
The app decodes the QR code (see register schema above) and extracts the URL from the "respond_to field"
If there is no registration data in the app for this site (defined by the "provider" field), it will then send a register request to this URL using the following schema:

    {
        "version": Int,
        "email": String,
        "public_key": String, 
        "nonce": String 
    }
  • version: version of the prorocol (currently ignored)
  • email: the user's email
  • public_key: the user's public key
  • nonce: the nonce offered by the server

Upon receiving the request, the server will perform the following checks:

  • request has the valid schema
  • the nonce received is a valid one and has not expired.
  • the nonce received, corresponds to the specific user.

If the checks are succesful, server creates a user in its DB and redirects the browser to login page

Server responds using the following schema (out-of-band):

    {
        "version": Int,
        "email": String,
        "status": String, 
        "response_text": String 
    }
  • status: "ok"/"nok"
  • response_text: a message showing more info about the status (e.g "invalid token")

Loging in

A previously registered user can head to the login page to log in. A QR is presented (for 60 seconds) The user uses the mobile app to scan the QR code.
The app decodes the QR code (see login schema above) and extracts the URL from the "respond_to field".
If there is registration data in the app for this site (defined by the "provider" field), it will then send a register request to this URL using the following schema:

{

    "version": Int,
    "username": String,
    "challenge": String, 
    "response": String 

}
  • username: the email of the user
  • challenge: the nonce provided by the server
  • response: the nonce signed by the private key of the user

Similarly to registration process, server will make some initial checks on the request (valid schema and nonce, etc). If the intial checks succeed, the signed challenge will be checked against the public key of the user (stored during the registration process). If all checks are succesful, user is authenticated in the backend and the browser will be redirected to the user page.

Server responds to the app with a repsonse using the same response schema as the in the registration process

Running the project

Client

The ios app doesn't use any external libraries and it is compatible to ios > 12.4
Keep in mind that iOS won't accept initiating unsecure connections (plain HTTP). See here for more information and ways to circumvent that, in case you want to test this locally.
Alternatively, you can use ngrok to map an external https endpoint to your local machine

Server

pre-requisites

The server uses redis for Django channels backend and for temporary storage (nonces), so you need to have redis running locally or remotely.
It also uses daphne as an asynchronous server. You can invoke daphne by running:

daphne qr2pass.asgi:application --port <PORT> --bind 0.0.0.0 -v2

but locally you can also use the usual runserver command:

python manage.py runserver

requirements

  • create a virtual environment
  • activate it
  • pip3 install -r requirements.txt

Settings

The default settings are defined in the settings/defaults.py file.
You need to fill in some additional settings corresponding to your deployment environment (see deployment-template.py) and define the DJANGO_SETTINGS_MODULE environmental variable for details) to point to your settings (see here)

Owner
GitHub Repository
WRENCH: Weak supeRvision bENCHmark

🔧 What is it? Wrench is a benchmark platform containing diverse weak supervision tasks. It also provides a common and easy framework for development

Jieyu Zhang 176 Dec 28, 2022
Code for ICLR 2021 Paper, "Anytime Sampling for Autoregressive Models via Ordered Autoencoding"

Anytime Autoregressive Model Anytime Sampling for Autoregressive Models via Ordered Autoencoding , ICLR 21 Yilun Xu, Yang Song, Sahaj Gara, Linyuan Go

Yilun Xu 22 Sep 08, 2022
Code for NAACL 2021 full paper "Efficient Attentions for Long Document Summarization"

LongDocSum Code for NAACL 2021 paper "Efficient Attentions for Long Document Summarization" This repository contains data and models needed to reprodu

56 Jan 02, 2023
TorchX is a library containing standard DSLs for authoring and running PyTorch related components for an E2E production ML pipeline.

TorchX is a library containing standard DSLs for authoring and running PyTorch related components for an E2E production ML pipeline

193 Dec 22, 2022
source code the paper Fast and Robust Iterative Closet Point.

Fast-Robust-ICP This repository includes the source code the paper Fast and Robust Iterative Closet Point. Authors: Juyong Zhang, Yuxin Yao, Bailin De

yaoyuxin 320 Dec 28, 2022
This is an open-source toolkit for Heterogeneous Graph Neural Network(OpenHGNN) based on DGL [Deep Graph Library] and PyTorch.

This is an open-source toolkit for Heterogeneous Graph Neural Network(OpenHGNN) based on DGL [Deep Graph Library] and PyTorch.

BUPT GAMMA Lab 519 Jan 02, 2023
This is the code of NeurIPS'21 paper "Towards Enabling Meta-Learning from Target Models".

ST This is the code of NeurIPS 2021 paper "Towards Enabling Meta-Learning from Target Models". If you use any content of this repo for your work, plea

Su Lu 7 Dec 06, 2022
Crowd-Kit is a powerful Python library that implements commonly-used aggregation methods for crowdsourced annotation and offers the relevant metrics and datasets

Crowd-Kit: Computational Quality Control for Crowdsourcing Documentation Crowd-Kit is a powerful Python library that implements commonly-used aggregat

Toloka 125 Dec 30, 2022
TLDR: Twin Learning for Dimensionality Reduction

TLDR (Twin Learning for Dimensionality Reduction) is an unsupervised dimensionality reduction method that combines neighborhood embedding learning with the simplicity and effectiveness of recent self

NAVER 105 Dec 28, 2022
SlideGraph+: Whole Slide Image Level Graphs to Predict HER2 Status in Breast Cancer

SlideGraph+: Whole Slide Image Level Graphs to Predict HER2 Status in Breast Cancer A novel graph neural network (GNN) based model (termed SlideGraph+

28 Dec 24, 2022
[ICCV'21] PlaneTR: Structure-Guided Transformers for 3D Plane Recovery

PlaneTR: Structure-Guided Transformers for 3D Plane Recovery This is the official implementation of our ICCV 2021 paper News There maybe some bugs in

73 Nov 30, 2022
Cross View SLAM

Cross View SLAM This is the associated code and dataset repository for our paper I. D. Miller et al., "Any Way You Look at It: Semantic Crossview Loca

Ian D. Miller 99 Dec 09, 2022
RSC-Net: 3D Human Pose, Shape and Texture from Low-Resolution Images and Videos

RSC-Net: 3D Human Pose, Shape and Texture from Low-Resolution Images and Videos Implementation for "3D Human Pose, Shape and Texture from Low-Resoluti

XiangyuXu 42 Nov 10, 2022
curl-impersonate: A special compilation of curl that makes it impersonate Chrome & Firefox

curl-impersonate A special compilation of curl that makes it impersonate real browsers. It can impersonate the four major browsers: Chrome, Edge, Safa

lwthiker 1.9k Jan 03, 2023
CodeContests is a competitive programming dataset for machine-learning

CodeContests CodeContests is a competitive programming dataset for machine-learning. This dataset was used when training AlphaCode. It consists of pro

DeepMind 1.6k Jan 08, 2023
Simple keras FCN Encoder/Decoder model for MS-COCO (food subset) segmentation

FCN_MSCOCO_Food_Segmentation Simple keras FCN Encoder/Decoder model for MS-COCO (food subset) segmentation Input data: [http://mscoco.org/dataset/#ove

Alexander Kalinovsky 11 Jan 08, 2019
The project is an official implementation of our CVPR2019 paper "Deep High-Resolution Representation Learning for Human Pose Estimation"

Deep High-Resolution Representation Learning for Human Pose Estimation (CVPR 2019) News [2020/07/05] A very nice blog from Towards Data Science introd

Leo Xiao 3.9k Jan 05, 2023
Code release for "Detecting Twenty-thousand Classes using Image-level Supervision".

Detecting Twenty-thousand Classes using Image-level Supervision Detic: A Detector with image classes that can use image-level labels to easily train d

Meta Research 1.3k Jan 04, 2023
Text-to-SQL in the Wild: A Naturally-Occurring Dataset Based on Stack Exchange Data

SEDE SEDE (Stack Exchange Data Explorer) is new dataset for Text-to-SQL tasks with more than 12,000 SQL queries and their natural language description

Rupert. 83 Nov 11, 2022
Code for paper: "Spinning Language Models for Propaganda-As-A-Service"

Spinning Language Models for Propaganda-As-A-Service This is the source code for the Arxiv version of the paper. You can use this Google Colab to expl

Eugene Bagdasaryan 16 Jan 03, 2023