[Openid-specs-fapi] Issue #127: CIBA: security issues (openid/fapi)

Nat Sakimura nat at sakimura.org
Tue Nov 21 00:08:31 UTC 2017

Regular SMS is not secure at all. There are multiple points that you can 
steal the message. In CIBA, it will use the Modrna Authentication 
Profile that mandates the use of `acr_values` parameter to the OP. If 
the client uses such values like mod-pr (phishing resistant), then, it 
should be pretty good. The response should contain amr_value such as 
`swk`, `hwk` should probably be also observed in the response.

Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2017-11-19 03:14, Anders Rundgren via Openid-specs-fapi wrote:
> On 2017-11-18 18:16, tomcjones via Openid-specs-fapi wrote:
>> New issue 127: CIBA: security issues
>> https://bitbucket.org/openid/fapi/issues/127/ciba-security-issues
>> tomcjones:
>> I believe that the security level of CIBA is not well understood and 
>> would add the following text.
>> A client initiated backchannel is not difficult to intercept by a 
>> hacker, see 
>> https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/. 
>> So the only additional security is that the user at one time had 
>> control of the account identifier (such as phone number) that was 
>> recorded by the client from the user. It does not provide the proof of 
>> possession of the client device that is addressed by that account 
>> identifier and so does not add an authentication of "something the 
>> user has" without additional proof of possession information.
> I don't know anything about CIBA but if we are talking about an
> external device used for OOB authentication to a Web application, I
> can verify that this scheme is susceptible to phishing attacks since
> some 6 millions Swedes use such a solution and several incidents have
> been reported.  In fact, warnings have been sent out in mainstream
> media.
> FWIW, I have tried to interest platform vendors like Intel in this
> matter but they claim that I'm the only one concerned about this
> problem.  Yeah, it can be fully addressed at the platform level unless
> the CIBA folks have come up with some kind of "secret sauce" that I'm
> unaware of.
> Anders
> https://github.com/w3c/web-nfc/issues/128#issuecomment-308647894
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi

More information about the Openid-specs-fapi mailing list