Updating FIDO U2F to WebAuthn

Back in 2018 I published a post on adding support for FIDO U2F second factor authentication to a flask application. At the time, FIDO U2F was a relatively new technology and, based in part on its development, work had already begun on a new standard. The Web Authentication (WebAuthn) proposal had been published as a draft in 2016 and reached the recommendation standard by 2019.

I recently revisited a project that included FIDO U2F support and realised that the packages I used in the original post were no longer supported, with WebAuthn recommended as the successor.

When first searching for alternative packages I found this site and the associated python package. I then paired this with SimpleWebAuthn on the frontend. Unfortunately I was only able to get device registration working with this combination; the actual authentication failed.

A major driver behind the switch from FIDO U2F to WebAuthn has been a desire to support alternative authenticators such as the fingerprint scanners on many laptops and phones. Although the demo on webauthn.io works with my device, I was unable to create a working implementation. I suspect I may simply have some incompatible settings, but I switched to the FIDO2 server implementation from Yubico and quickly had a working solution.

The code created in the original blog post has now been updated and can be found in the github repository.


Cryptography talk at DC Python

At the April meeting of DC Python I gave a talk on cryptography. A video of the event is now available on YouTube.

DC Python is the local user group for the Python programming language in the Washington, D.C., Maryland, and Northern Virginia area. I have been hosting a monthly event called Project Night with the group since 2015, and we have recently restarted a monthly talk event. All events can be seen on our meetup page.

My presentation was a summary of two of my recent posts on two factor authentication and partial passwords with an introduction to using cryptography in python.

The other presentation was given by Alan Swenson on JSON web tokens in flask. The video for his talk is also available.

A partial password implementation

Whilst working on my previous post on two factor authentication I was reminded of the broad spectrum of approaches taken to security by many sites. I have one bank that does two factor authentication, another using the standard username/password combination for one factor authentication, and then another that asks for a username, a piece of personal information and then a partial password: in this case, three characters from the password.

Of these three approaches it is the last that seems the weakest. The piece of personal information includes things like the town you grew up in, the name of your first school, etc. These are not generally secret and could be discovered for most people with a bit of research. The partial password scheme seems only slightly stronger than a three character password.

I believe the partial password is intended to prevent a keylogger on your computer from compromising your entire password. This scheme is often paired with selecting characters from a dropdown menu, potentially providing additional protection. The idea is that by requesting different characters on each visit you would need to log in multiple times on a compromised computer before an attacker discovered your entire password.

I don't think such a system would be used in a new application today but I did wonder how such a scheme might be implemented.
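To make the scheme described above concrete, here is a small added example (my own illustration, not code from the original post or its repository) of a partial password challenge: the server picks three distinct character positions for each login, the user supplies only those characters, and the server verifies them. It also shows the property the paragraph above relies on, namely how many separate logins an observer of a compromised keyboard would have to watch before every position has been requested at least once. The function names, the sample password and the k=3 default are assumptions chosen for the illustration.

```python
import hmac
import secrets
from typing import Callable, Iterable, List, Sequence, Set

# Assumed helper names; nothing here comes from the original post.


def make_challenge(password_length: int, k: int = 3,
                   sampler: Callable[[range, int], List[int]] = secrets.SystemRandom().sample
                   ) -> List[int]:
    """Choose k distinct 1-based positions to ask for on this login.

    The sampler defaults to a CSPRNG-backed sample so positions are not
    predictable; it is injectable so the function can be tested deterministically.
    """
    if k < 1 or k > password_length:
        raise ValueError("k must be between 1 and the password length")
    return sorted(sampler(range(1, password_length + 1), k))


def verify_partial(password: str, positions: Sequence[int], supplied: str) -> bool:
    """Check the supplied characters against the requested positions.

    The scheme forces the server to be able to check individual characters, so
    the full password (or an equivalent per-character form) must be recoverable
    server-side; that is the structural weakness the post above points out.
    Comparison is constant-time to avoid leaking which character mismatched.
    """
    if len(supplied) != len(positions):
        return False
    expected = "".join(password[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def positions_exposed(observed: Iterable[Sequence[int]]) -> Set[int]:
    """Union of all positions requested across the observed logins."""
    seen: Set[int] = set()
    for challenge in observed:
        seen.update(challenge)
    return seen


def logins_until_full_exposure(password_length: int,
                               challenge_fn: Callable[[], Sequence[int]]) -> int:
    """Count logins until every position has been requested at least once.

    challenge_fn produces one challenge per call; with a real CSPRNG this is a
    coupon-collector process, so the count varies from run to run.
    """
    seen: Set[int] = set()
    logins = 0
    while len(seen) < password_length:
        seen.update(challenge_fn())
        logins += 1
    return logins


if __name__ == "__main__":
    # Constructed sample password for the demonstration only.
    pw = "correcthorse"
    challenge = make_challenge(len(pw))
    answer = "".join(pw[p - 1] for p in challenge)
    print("asked for positions", challenge, "->", verify_partial(pw, challenge, answer))
    print("logins until every position seen:",
          logins_until_full_exposure(len(pw), lambda: make_challenge(len(pw))))
```

Run as a script it prints one random challenge, confirms the correct answer verifies, and reports how many random logins it took before all twelve positions had been requested; rerunning gives different counts, which is the whole point of varying the positions per visit.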


Adding second factor authentication with FIDO U2F

This is the first semester since the Fall of 2015 that I have not taught a course with the Foundation for Advanced Education in the Sciences. It was a pleasure teaching and I was lucky enough to spend most of my time on a course I had designed. For the Spring 2016 semester I designed the syllabus and began teaching a course on machine learning and object oriented python. I chose to include a web application as I felt it exposed the students to some unfamiliar ideas.

Most of the students were fellow scientists. Many only had previous experience writing scripts for use in their own research. Not trusting user input was often a novel concept. During the course I only had a couple of hours to introduce web applications. This meant I skipped over many important topics. I intend this post to be the first in a collection moving beyond the basics for anyone still new to these concepts. I will start with a basic background but the actual implementation will hopefully be new for most. If implementing web application authentication is familiar to you then skip ahead to the implementation.

Let me know if there are topics you think I should cover moving forward.

In this post I will cover authentication, specifically adding a second authentication factor for additional security.


PyDataLondon January talk

I'm just back from the UK where I spent a couple of weeks catching up with family and friends. My visit happened to coincide with one of the monthly PyData London events so I attended and gave a lightning talk on image segmentation in medical applications.

They have built a really vibrant community and it was great meeting over 200 data enthusiasts.

The slide deck is available here. Unfortunately there was no video. The content is a more technical version of the presentation I gave at the NIH Pi Day 2017 event where there was video.