

posted Jul 12, 2014, 3:45 AM by Sami Lehtinen   [ updated Oct 10, 2014, 8:18 AM ]

Yet another authentication service. The world is full of these services, but I haven't yet found the one I would really love. Let's see if this would be the solution I could use for sites with lower security requirements. Why did I say lower security? The main problem, as I have described earlier, is that a mobile phone actually can't be used for high-security authentication, because it's a programmable computer itself. Especially in cases where keys are stored in the phone itself and are (directly) accessible via the operating system.

First impression: QR code login, which immediately reminds me of SQRL (Secure Quick Reliable Login), which has been developing a lot lately. Basically this is an okish solution. It works OK if you're not truly paranoid and you're using a desktop to access systems and a mobile phone for two-factor authentication. But there's immediately a problem when the mobile phone itself is used to access these services. Now the benefit of two-factor authentication is immediately lost, because the same device is used for authentication and for accessing the sites. Because mobile users are taking over the web, this is a more and more likely scenario. And after all, it's only as good as any 'authentication application' on the same device.

This list is actually directly from SQRL's page. (20140703)

Among the problems we have solved to create a practical solution, are:

 * How are identities backed up and/or cloned to other devices?
 * What about logging into a website displayed on the smart phones own browser?
 * What if the smart phone that contains my identity is lost or stolen?
 * What about password protecting logins on the phone?
 * What if the phone is hacked?
 * What about different people (and identities) sharing one phone?
 * What about having multiple identities for the same website?

I don't have great answers for those. Except that password protecting logins on the phone will make the experience even worse. First a huge password to unlock the phone, then an even huger password to unlock the passwords, ehh, logins / authentication information, etc. I guess this is just the reason why most people don't care about security at all. They just use the same simple password on every site, or don't use any passwords / PINs on the device at all, if possible. On the other hand, logging in to a site from the authentication application directly with a single click is a very user-friendly method. So in this sense, they're right for sure, Saaspass is naturally a lot more secure than passwords. Although almost any solution which uses non-static random passwords is very secure compared to static and non-random passwords (the usual reference case). Getting rid of password resets is just great as well. Many sites seem to have high security, yet they still allow password resets using email, which is naturally a major fail.

So I can agree with them about this quote from their web pages: "This is the one authentication system that is actually easier to use than traditional login / password conventions and much more secure.". When that great feature is combined with the management portal, it's an absolutely great solution. Everyone at home is suffering from logins & passwords, but businesses are suffering a lot more. Basically you have tens of different credentials, and to cut down the work of maintaining the credentials there are usually shared accounts. This leads to a quite total loss of auditing and security. Because passwords might be widely shared and learned, changing such passwords is a bad thing, because everyone will be complaining after that. I've been blogging about this earlier. In some cases, the credential issuer doesn't even know which entities are using the password. So if you go and change it, everyone will be very unhappy. In some cases this might even break automated integrations etc. So, having an efficient way to manage personal credentials is the way to go.

I personally think that a 4-digit PIN code is way too short. As far as I know, the data isn't protected by something like a SIM card, so it's totally possible to copy the credential storage and run an off-line attack against it. In such a case, 4 digits is 'nothing', even if it would be lengthened. Due to the limited processing power of mobile phones, heavy password lengthening isn't a great option either. So a lot longer password is required in such cases to achieve a cryptographically feasible key. Of course, even if we can assume there won't be off-line attacks, 4 digits is a bit on the so-so side anyway. It's worth noting that this isn't only the 'default' setting, they do not allow a stronger password than a 4-digit PIN.
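
The arithmetic behind the paragraph above, as an added example that is not from the original post or from Saaspass. It assumes the off-line scenario the paragraph describes and a key derived from the PIN with PBKDF2-HMAC-SHA256 (chosen for illustration; the post does not say how the store is protected); the salt, PINs and iteration counts are constructed.

```python
import hashlib
import hmac
import math

def derive_key(pin: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 is this example's assumption, not Saaspass's documented scheme.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)

def effective_bits(alphabet: int, length: int, iterations: int = 1) -> float:
    # Secret entropy plus the work stretching adds: log2(alphabet^length * iterations).
    return length * math.log2(alphabet) + math.log2(iterations)

def worst_case_seconds(alphabet: int, length: int, sec_per_guess: float,
                       parallel: int = 1) -> float:
    # Time to try every candidate when each guess costs sec_per_guess.
    return alphabet ** length * sec_per_guess / parallel

def min_length(alphabet: int, sec_per_guess: float, target_seconds: float,
               parallel: int = 1) -> int:
    # Shortest secret whose full keyspace takes at least target_seconds to exhaust.
    length = 1
    while worst_case_seconds(alphabet, length, sec_per_guess, parallel) < target_seconds:
        length += 1
    return length

def guesses_to_recover(salt: bytes, iterations: int, stored_key: bytes,
                       length: int = 4):
    # Walk the whole PIN space against a copied store; no lockout applies off-line.
    for n in range(10 ** length):
        pin = f"{n:0{length}d}"
        if hmac.compare_digest(derive_key(pin, salt, iterations), stored_key):
            return n + 1
    return None

if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    stored = derive_key("7302", salt, 1000)                    # constructed sample PIN
    print("guesses needed:", guesses_to_recover(salt, 1000, stored))
    print("4 digits, no stretching: %.1f bits" % effective_bits(10, 4))
    print("4 digits, 100k iterations: %.1f bits" % effective_bits(10, 4, 100_000))
    # Even at 0.5 s per guess (very heavy for a phone) the space falls in ~83 minutes.
    print("worst case: %.0f s" % worst_case_seconds(10, 4, 0.5))
    ten_years = 10 * 365 * 24 * 3600
    print("digits for 10 years at 0.5 s/guess:", min_length(10, 0.5, ten_years))
```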

I personally don't like the profiles feature. I think an authentication application should be used to authenticate users, and not to manage (any) other user data. Yet, I can see situations where people would see this feature as beneficial. The great thing is that nobody forces you to use this feature. The Android mobile app didn't allow me to delete profiles, or I just couldn't find it. Anyway, they also provide a link to the web portal, where deleting profiles is trivial. Unfortunately the web portal isn't mobile optimized, which was a surprise to me. I would have expected a light, fast to use, and naturally mobile optimized site.

So if we get back to Saaspass. They provide an application for Mac & PC as well as mobile authentication applications for iPhone (iOS), Android phones and Windows Phone. First impression of the actual application is, wow, they have done so much work to get everything to this point. I also liked very much that the application didn't require excessively wide access rights (permissions). Also the list of supported authenticator(s) is awesome. So there's no need for the user to fine-tune TOTP / HOTP / OATH / RFC6238 parameters. - I just wish more sites would actually support the QR code based login.

I tried SaasPass with Facebook just to see how things work out. But I assume this is a very nice solution for securing Google Apps (Drive, etc.) as well as Dropbox business logins and Office 365, which has taken many business environments by storm. I almost forgot Salesforce, but I haven't ever used it, so it's easy to forget.

*)See next entry. When it comes to SMS PIN two-factor authentication, I find it quite annoying. So there's naturally room for improvement. Using mobile authentication in general won't solve this problem, because mobile security itself is partly in the way. Because now I first need to open the password container, then I need to look for the login name & password. After that I have to fill in the login form. Then I'll receive the SMS. Then I have to enter a complex password to unlock the mobile phone. Then look for the two-factor password, then enter the password on the computer, see that the login is successful and then delete the SMS message. - That's very annoying. I often think, is this really worth logging in? Because logging in itself is so annoying. Yes, security might be high, but especially for sites which you might like to log in to often, it's not fun at all. Actually this is one of the reasons I try to log in to some sites only weekly or on weekends.

But I can confess I'm using And I think they have done a lot of work to make it actually as secure as possible on modern mobile phones. Yet, its usability is almost as bad as the previous item. First you'll need to enter the phone number on the web site, then you'll have to unlock your phone. Yes, it's hard work if you use proper passwords, not four-digit PINs or some silly shapes or so. You'll need to wait for the authentication token. Then you'll need to give the private key unlock PIN code to sign the token, and then wait for the signed token to get delivered back to the server. Then the server acknowledges to your browser that it has received the token. Then the browser asks whether you are sure that you want to give this authentication token forward to this service, then click yes. And yeah, now you're done! Very simple, right? Well, not at all, slow and annoying. But at least it's very safe, as far as I know. Because Mobiilivarmenne is a lot safer than 99% of so-called mobile authentication systems. It stores your private key on the SIM card and requires a PIN (not the same as the regular SIM PIN) for access. - I'm only curious if it's still possible to steal the PIN with modified firmware on the phone. This would also probably allow you to sign requests so that the user doesn't know about that at all. It's using SIM Application Toolkit features.

They also provide a simple integration API for logging in, with a login URL (POST) and instant registration. This is where the prefilled profile information comes in handy. Many sites could provide easy login / account creation, but actually it's the collection of user data which makes registration so painful. When the data already exists in the authentication application, the registration process can be shortened greatly or in the best case completely automated.

See: Saaspass FAQ. I also liked their FAQ because it doesn't contain bogus claims and also included information about potential but not so likely downfalls.
Also see: Developer page - There's just what I wanted to know, what kind of data is passed on when you register or login / sign-in / sign-on. I didn't try to create a service which would use Saaspass, but integrating it should be pretty trivial if required.

I personally do like very compact, straight to the point documentation, but that's not enough. Basically with that documentation, you'll have to just try and see what the output is. I guess it's not hard from that to get the thing to work properly. But having it explicitly stated, instead of guessing from field names and data, is always better. (Although I'm way too used to guessing.)

After using the Mobiilivarmenne, it became clear that they had thought of many things that weren't clearly stated in the documentation. With the final user experience, you'll notice that many things were covered which I earlier (before actually using the application) speculated could lack some vital elements.

More sites should support the QR code login. The TOTP authenticator solution can be used with 'any other similar applications'.

Last question? Would I use it? Yeah, why not. Looks good. Chances are I'm not going to use it, because I don't like 'extra apps'. But there isn't any particularly good reason why I wouldn't recommend this application for businesses and individuals looking for an authentication solution with medium security requirements. And I'll remind you that this is a high-security solution for normal users. My personal high-security rating means something that is tinfoil paranoid and NSA proof. ;)

Tags: Saaspass, OTP, TOTP, SSO (single sign-on), login, log-in, passwordless, secure, authentication, review, just a few of my thoughts.