I would like to use WebAuthn to securely store and retrieve some senstive information on mobile Safari.
I mention Safari specifically because it is my main target browser and the storage and retrieval of password credentials is unsupported there. Ideally, I would like to use the device biometric sensors on iOS and as I understand it, it's only possible using WebAuthn and a public key credential.
I don't want to have to create a server based service that has to store this sensitive information and to evaluate credential signatures. I would like to implement entirely on the client side.
Is there any straightforward or workaround solution to achieve this?
A passkey is a credential used for phishing-resistant authentication. It is not designed to store arbitrary information nor is WebAuthn designed to store or retrieve arbitrary information.
Related
The idea is to use public/private key cryptography to store encrypted data that only a user with biometric login can access it.
I 'm successfully using WebAuthn and this library to login and I store the credential ID and a public key. Now, as I read, I can't use this to encrypt data because I can't have the WebAuthn API decrypt it, its only used for authentication.
The question is, can I protect local browser storage with WebAuthn? If so, I could use window.crypto.subtle.generateKey to generate a RSA key, store the private locally and protect it with WebAuthn, then reuse it when necessary.
Best,
The closest thing would be to use the PRF extension that's in the draft of WebAuthn level three. However, it is not yet supported in any browser nor by any platform authenticator I'm afraid. (Although many FIDO2 security keys support the underlying hmac-secret extension to CTAP2.)
im have designed a complete mobile app.
The user has to login with their credientails in order to access the app. However, I am unsure where to store the credentials once he/she signs in. I will be reusing the username throughout different screens in the app. Where can I store them and how can i access them? is there such thing as a global variable for instance?
Also, say a user logged in the first time. I want the user to be able to shut down the app. Once the user comes back, he/she should not be asked to reenter their credentials. How can that be done?
Thanks
Luckily, all these infos are available on the official React Native docs.
https://reactnative.dev/docs/security#storing-sensitive-info
For persisted user data, choose the right type of storage based on its sensitivity. As your app is used, you’ll often find the need to save data on the device, whether to support your app being used offline, cut down on network requests or save your user’s access token between sessions so they wouldn’t have to re-authenticate each time they use the app.
The usual way to achieve that is by using the secure storage of each platform.
iOS - Keychain Services
Keychain Services allows you to securely store small chunks of sensitive info for the user. This is an ideal place to store certificates, tokens, passwords, and any other sensitive information that doesn’t belong in Async Storage.
Android - Secure Shared Preferences
Shared Preferences is the Android equivalent for a persistent key-value data store. Data in Shared Preferences is not encrypted by default, but Encrypted Shared Preferences wraps the Shared Preferences class for Android, and automatically encrypts keys and values.
Android - Keystore
The Android Keystore system lets you store cryptographic keys in a container to make it more difficult to extract from the device.
In order to use iOS Keychain services or Android Secure Shared Preferences, you can either write a bridge yourself or use a library which wraps them for you and provides a unified API at your own risk. Some libraries to consider:
expo-secure-store
react-native-keychain
react-native-sensitive-info - secure for iOS, but uses Android Shared
Preferences for Android (which is not secure by default). There is
however a branch that uses Android Keystore.
redux-persist-sensitive-storage - wraps react-native-sensitive-info
for Redux.
More on that here: https://reactnative.dev/docs/security#secure-storage
I want to create a client-side (server-less) application using the AWS SDK for JavaScript in the Browser. All intended users of the tool have individual IAM users and access to the AWS Web Console.
I want all API calls to be executed in the context of individual IAM users, so they are subject to each user's individual permissions, and so that I can see who did what in CloudTrail.
Since no kind of browser local storage should be trusted with persistent credentials, I cannot simply let the user enter his secret access key once and keep it.
However I guess I could request the user's access key id and secret access key on the beginning of each session, then call STS GetSessionToken with it, and only store the resulting temporary security credentials in the session storage and use that for all following SDK usage.
Of course it would be much nicer for users to be able to log in with their IAM user and password instead of their long and cryptic access key (think of mobile devices...).
Is there any kind of federated login option for IAM users (redirecting them to the AWS IAM login page), or a way to call the STS API with username and password?
Ideally, what you want is login via IAM user/password combination. As far as I am aware (and also see this) there is no standard way of doing this.
In one of my projects, I've simulated online login using HTTP client. If you can get the session token with that, that could work for you. But it does not support MFA, and is relying on the internals of the AWS authentication implementation which might change without warnings.
I'm building a web application that accesses a private API. The API that I'm consuming uses HTTP Basic Authentication over TLS. My client has requested a "remember me" functionality for the web app so that users can maintain persistent authentication on a given device.
My quick-and-dirty solution is to store the Authorization header in localStorage after it has been validated. Of course, given unmitigated access to a user's device, anybody who is worth their weight in salt could copy the auth header from localStorage and decode it to retrieve the user's login/password combo.
Aside from total device compromise, are there any other security implications from storing this type of sensitive data in localStorage? Is localStorage acceptable as a store for sensitive data such as passwords? If not, how would you persist such data on a user's device beyond an individual browser session?
(I wish everybody could just use his or her private key...passwords are so 90s)
EDIT After reading HTML5 localStorage security it seems clear that storage of sensitive data in localStorage in general is a bad idea, but what better option is there for authentication persistence in this case?
I think it's a bad idea to store something related to the login or the password on the user's side.
But once an user has logged in, you can store a random string (a random hash for example) on the user's side and in your database. When the user get back, you can compare the two and if they are identical, you can log in the user. And you can ask the user to enter his password for sensitive actions (change password or login, etc.). So even if the hash is stolen, no one will be able to get the full access to this account.
Edit : this concept is already used with cookies. I've never tested it with localStorage.
I'm making a chrome extension that requires fetching an xml file from a secure server.
I'm currently using XMLHttpRequest() to make a call to the server
https://username:password#mydomain.com
which returns an xml object that I can parse and display. I want this extension to be available for more than just my hobby use, so it needs an options page to set and store the username and password.
How should I store the user password in chrome so that it is secure? chrome has a localStorage global for each extension that allows extension authors to store data, but it is stored in plain text. it doesn't allow extensions to access the 'remember my password' storage(with good reasons).
and is there a more secure way to do http auth? My current way of doing things requires passing the username/password in plain text in the url each time the function is called, even if the the authentication session hasn't expired.
The problem with asking for a key is that it means that you'll have to prompt each time at startup (if you store the key, you have the same problem). This may be an OK tradeoff if what you're protecting is especially sensitive.
In general, Chrome takes the philosophy of trusting the OS to protect the user's profile where this data is stored, so if you use local storage to store passwords, it's no different than what Chrome is doing today with password autofill, browser history, etc.
An idea: ask the user for a key, which you can use to symmetrically encrypt the values before putting them in localStorage. You could also generate a unique key per client based on certain unique aspects of his machine/browser/etc.