History of prehistory
An ideal phone, like a faithful dog, should recognize the owner by smell and protect the property from strangers.
Dogs developed their own sniffing apparatus over millions of years of evolution, while our technology has nothing of the kind, so phones are not perfect yet.
People are much worse at smell, so in their natural habitat they had to develop artificial identification systems, such as road signs, agreed gestures, secret passwords and countersigns.
When people began to shift some of their tasks onto digital shoulders, at first no software authentication existed at all: anyone who got into the computer room could run the program code. But even then this very access was governed by certain rules, described, for example, in the guard-duty regulations and other documents on access permissions.
Soon this was not enough. At first programmers had identifiers, then a login with a password, and here we have the classic HTTP Basic Authentication scheme.
Login and password
The login identifies the user, that is, it performs the main function of authentication.
The password prevents unauthorized access, that is, it solves the main task of information security.
Thus this pair does the dog's main job, while requiring neither walking nor feeding.
By the way, mobile phones have the concept of a PIN code. Does it look like a password? Yes. It is a protective mechanism that solves the security problem while not being directly related to authentication.
Why can't we manage with a login alone? Theoretically it is possible, but in practice very inconvenient. The login appears in request forms and reports, and sometimes has to be given to the support service. If we make the login hard to guess and hide it from others, we turn it into a password, and in order to display some public information about the account we would have to add a new field, say a nickname, which makes the whole effort pointless.
So today it is the most familiar scheme. You can even say that every person associated with computers has at least one login and password.
Programmers have implemented this approach so many times that virtually every development environment contains a special type of control - a password entry field, where characters are replaced with asterisks, hiding the password from prying eyes.
One might say that everything is fine here and nothing needs to be changed, but no.
Encryption
With the advent of computer networks, it became clear that transmitting the password in the open is dangerous, since an intruder can intercept it on the way. The logical solution was to protect the password in transit. This is how Digest Authentication and NTLM appeared. The user enters the same data, but "on the wire" it is transmitted in an encoded (hashed) form. Experts can, in principle, crack it, but it is still more reliable than sending the password in clear text.
If we are interested in secure communication channels, we refer the reader to the HTTPS, SSL and TLS protocols, and ourselves move on to comprehending the mobile Tao.
Single-sign-on
Another unpleasant aspect of ubiquitous password protection turned out to be that it is not very convenient to keep more than one or two login and password pairs in mind and to enter them every time you open a program, especially when there is more than one such program. The outcome of solving this problem was OAuth authentication and the principle of SSO, that is, Single Sign-On (sign in once).
The idea of OAuth is simple. Instead of asking the user for a username and password each time, it is better to do it once, obtain a so-called token from a trusted server on the basis of that information, and then perform operations with this token. This is especially useful for data exchange between a mobile or web application and a remote server, where credentials would otherwise have to be transmitted with each request.
SSO solves a slightly different problem.
Within the web, all applications that use the same trusted server for OAuth authentication (for example, websites that accept a Google account) automatically share credentials. That is, having entered a username and password in one application, the user enters another application already identified.
For mobile applications this approach also works, but with reservations, and it requires additional effort from developers.
User information must be stored on the device so that it can be read when the application is launched again, and also so that other applications that need it (and that have the right to access this information) can use it for automatic authentication.
Where passwords are stored
A reader who does not merely skim the text and managed to get through the previous paragraph should ask: where is this place in which such sensitive user data as a login and password can be stored safely? This place is special; it is called differently depending on the platform and technology, but most often KeyChain (iOS, Android). The data there is encrypted and access to it is restricted; in short, it is the safest place on the device, with security guaranteed at the operating system level.
Where passwords cannot be stored
You can drive a security officer to hysterics by storing a password in the database. Sending logins and passwords to the system log is also a bad idea. A reprimand of moderate severity can be earned for temporarily storing a password in public variables: it is considered good practice to read user credentials from the KeyChain as needed, without storing them anywhere else.
TouchID / Fingerprints
It is widely known that a person's fingerprints are unique. Nose and ear prints are unique too, and while fingers are a mostly human attribute, pets have noses as well. In practice, such print recognition is used to identify cats, dogs and cows.
Someday, perhaps, we will teach our phones to identify the owner simply by being picked up, but so far the technology has focused on fingerprints, which were established in forensic practice a hundred years ago (we will leave aside the fact that this is very convenient for the NSA).
Besides the fact that many phones are equipped with fingerprint scanners and the already mentioned PIN code, a number of them also offer a pattern lock, that is, instead of a numeric combination you can set a pattern by connecting dots on the screen in one sequence or another.
Face ID
Apple's latest innovation is authentication by face recognition. While for fingerprints simple algorithmic processing is theoretically enough, face recognition draws on Rosenblatt's ideas and builds a neural network.
Of course, the neural network in an iPhone is not powerful enough to play chess or Go, but it copes with its task. The phone can now identify its owner visually.
These latest innovations, as is not hard to imagine, infinitely delight corporate security officers and equally infinitely annoy end users. Here, on the cutting edge of technology, sword meets shield, good meets evil, ice meets flame. Here MFA is forged.
Multifactor authentication
We do not know exactly who came up with this bright idea, but now that it has taken shape in the digital universe, we first have to enter a login and password and then confirm our identity with a PIN code.
The idea is that forging one authentication channel is easier than forging two. A side effect is that today you cannot enter a typical corporate network without a phone: after all, the PIN code is sent to it, and you need to enter that code to confirm your identity.
Using this technology in mobile applications looks somewhat controversial, but it is quite possible.
Blockchain and Chinese Chickens
After bitcoin and other cryptocurrencies caused a public stir, it would be strange if the blockchain underlying these transactions did not attract the attention of security system developers.
How can a blockchain be used for authentication? Very simply.
Applied to a person, blockchain technology is already operating today in Estonia as a platform for e-citizenship; there are similar attempts in Brazil and Finland. And Japan's Sony crossed MFA with blockchain (US patent 2017/0310653 A1 *). So now, when you once again enter a confirmation code from an SMS somewhere, it is likely that this activity of yours will be saved forever (for as long as our digital universe exists).
As for other applications, it is known that in China they have devised a way of using the blockchain to keep track of what happened in the life of the chickens that end up on the tables of connoisseurs of fine cuisine.
Designers of the future! Please try to make our gadgets recognize their owners as well as dogs do, while, if possible, doing without dog food and not needing to be walked too often.
The author of this article also expresses the hope that ten years from now his phone will neither be lured away by, nor chew on, an appetizing-smelling sausage.
-
* patents.google.com/patent/US20170310653A1/en