On Better Authentication

A while back, I’ve discovered haveibeenpwnd and I found out that my e-mail/login was found on leaked databases of a couple of old services I didn’t use. At that point, I realized that I was reusing the password from these accounts on other sites and this wasn’t such a great idea. This, together with the fact that I was receiving more and more suspicious login notices in some other services, led to employ more reasonable security measures.

First, I enabled 2FA on every service that supported it and used the Google Authenticator App on my phone. I also started using KeePassXC to store recovery codes for all these accounts, and placed the database on my MEGA account, for synchronization. Of course, I also stopped using the pwnd password and started using a more robust passphrase. Finally, I decided that I would not further trust any crappy site not offering 2FA and auto-generate strong passwords for all services I could. This way, brute-forcing the password would be harder if their database ever got leaked and would not compromise any other account if it was actually recovered.

2FA feels like a patch

Once all this was done, I realized that even while 2FA follows the “one thing you know, one thing you have” principle for security (which sounds reasonable enough) in this age it seems kind of silly to let the server store your password (even a hashed version). Enabling a second authentication step using your smartphone feels like something that would only be required if you actually fear that your password can actually be stolen in the first place.

Thus, it feels really stupid that virtually none of major sites support stronger authentication in first place, such as assymetric keys. Given that GnuPG has existed for so long now, there’s not much excuse to force users to login via a password and not offer something better (at least as an option). It would be simply a matter of letting users that know how to generate a PGP key-pair to upload their public key to the site and then authenticate via GPG accessing the private key.

In terms of software, while there’s official support to authenticate via PKCS#11 certificates directly in the browser, I don’t know of any website using it. On the other hand, there is OpenPGP.js used in mailvelope, but again no site uses it to authenticate. There are even various chrome extensions out there that manage to talk to gpg-agent so I’d say it is at least feasible.

Safety and practicality

I think most people wanting safer password handling nowadays resort to storing complex auto-generated passwords in password managers. The database is usually protected by a master passphrase. This means that, again, if this is ever compromised, so are ALL your passwords. Not good.

You could argue that your private keys could also be compromised, however the nice thing about them is that being assymetric you can simply revoke the public part, which would not even require access to the site trying to authenticate you.

On the other hand, you could say that this kind of authentication is not practical since you would need copy your private key to all your devices. While this is actually not different than the reality of today’s password handling (did you know that Google Chrome stores all your passwords unencrypted in Smart Lock?), there are actually other options.

One way to avoid exposing the private key to every machine you use is to use a PGP SmartCard. This is nothing more than a simple (typically) USB device which stores private keys (protected behind a passphrase) and performs all operations requiring these keys on itself. Thus, the keys never leave your computer and you can carry this in your keychain. Commercial examples of this are (some models of) Yubikey and Nitrokey.

Again, someone could say this is still impractical: now I have to buy something and remember to carry around something more with me and worry about not being lost/stolen. Well, first, I would prefer that over simply hoping that some service does not expose my password. Second, there is the DIY way to make your own PGP SmartCard using dirt-cheap hardware and open-source firmware. While it is not something that you would trust state-secrets on1, for a regular person it is quite good.

Keybase

While starting to use my new SmartCard, I started to look all places I could use it. The obvious one was SSH (no more having my private key sitting on MEGA for use on new computers). I initially played a bit with PAM modules for logging into my computer but decided I wouldn’t wan’t to be locked out if I ever forgot my SmartCard somewhere. Thus I would still have to type a passphrase to login (to unlock the card). Git signing is also interesting and I already uploaded my key to GitHub and GitLab (also to my workplace’s private instance). E-mail is a tough one: there’s still no good solution unless you’re willing to pay for e-mail or use a desktop app. There are some worthy Chrome extensions but nothing widely used.

In any case, I decided I wanted to put my public key up somewhere, in case I ever signed an e-mail or a commit and thus it could be verified. At first I was a bit put off with the standard keyservers since there’s not actually a gold-standard on which one to use. Upon looking a better solution I found keybase.

WTF is it?

At its very surface it appears to be a place where you can upload your PGP key and link other services you own, kind of a modern keyserver. However, at a second glance, you learn it is actually and improvment over the keyserver model.

The idea of Keybase is to have verifiable proofs of mapping between online accounts and a given public key. It manages this by building a signature graph (or siggraph) linking your main key to each online account.

Actually, it goes a step beyond, and instead of using a single PGP key for this, you actually verify devices you own and generates private keys for these. Thus, devices themselve can verify new devices or other accounts.

Finally, on top of all this functionality, Keybase offers a desktop client which allows to chat (a la Slack), share files (a la Dropbox), among other things, all end-to-end encrypted using these keys.

Do I want it?

I’m not really sure yet. While the encryption and verification functionality is a really goal, it feel a good idea with a bad execution.

First, the desktop app is really crappy. It seems that there’s a lot of work to be done yet. Second, even considering all this high-end crypto system they built, you can login to the website with a password and without even 2FA. And finally, I’m not really keen on the whole idea of having devices act as provisioners for new devices or accounts.

This last point means that if someone would ever manage to compromise one of your device, he/she would be able to verify devices/accounts on your behalf, revoke other devices, etc.

The reason for this choice would appear to prioritizize convenience over security, by not requiring users to copy a private key everywhere (I guess they were not considering SmartCard owners).

All in all it feels like Keybase has yet to prove itself and improve some more before it earns my trust. For the moment, I’m only using it to host my public key and link it to the services I intent to associate with this profile.


  1. On the firmware side it is as secure as GPG itself. The limitation is actually from the general purpose microcontroller which is not actually hardened and keys could theoretically be obtained if it gets the hands of someone with the right tools. [return]
comments powered by Disqus