Authentication
Authentication is one of the weakest and most commonly exploited aspects of most systems. Improving authentication security should therefore always be a high priority for any organization. Unfortunately, the burden for these improvements fall mostly on the users themselves, in the form of extra steps, more complicated user experience, and increased possibility they will be locked out of their account.
Common authentication attacks
Types of authentication attacks (in order of decreasing likelihood / increasing sophistication):
-
Brute Force: An attacker simply tries many possible combinations until they randomly find the correct password. If left to their own volition, most people choose passwords that are very similar to a small set of passwords that other people also choose, making brute force attacks more effective than you would expect. Computers are very good at guessing passwords and humans are very bad at creating passwords. Brute force is most useful in cases where each attempt is not rate limited, such as when attempting to decrypt a user’s hard drive.
-
Password Leaks: It is common for a large data breach to include millions of passwords and for these to be added to large databases maintained by scammers, criminal organizations, and state actors. Since many people reuse passwords, these databases can be used to unlock multiple accounts.
-
Social engineering: Attackers can often obtain access to an account by calling customer service and posing as the real user, or by calling the user and posing as customer service.
-
Phishing: It is common for scam emails to include links to copycat websites. For example, you might receive an email that looks like it comes from Google Docs announcing that someone has shared an document with you that they urgently want you to review. If you click the link, it opens up a website with a that looks like Google’s but is not (e.g. “data:https://google.com” or “https://googlelogin.com”, etc). These fake pages will then capture your username and password if you enter them, sometimes passing these credentials on to the real website, logging in on your behalf, and then redirecting you to the correct site so you are none the wiser.
-
Keylogger: If a device is compromised, an attacker may have installed some software that captures passwords as they are typed or reads stored passwords from the browser.
-
Man-in-the-middle (MITM): A MITM attack involves intercepting an encrypted connection, typically between the user’s browser and the website. Normally, we say that only state-level actors are able to pull off a successful MITM attack of an encrypted channel. However, there are many situations that make this type of attack much easier. If a device is compromised, then an attacker can ensure it is easier to perform MITM attacks in the future (by adding fraudulent certificate authorities to the operating system). In some cases, law enforcement has been able to obtain private key material from service providers, allowing police to perform an ongoing MITM attacks easily.
The solution
There are many ways to mitigate against authentication attacks, such as using password managers, requiring One Time Password (via SMS or email, as second factor), and Time-based One Time Passwords (TOTP, aka authenticator app). Unfortunately, these approaches are cumbersome and are still vulnerable to most attacks (to varying degrees).
There is a solution to the authentication problem that goes by many names: FIDO2, webauthn, passwordless, passkeys, security keys. These are all related terms for mostly the same system.
Security Keys: With this method, a physical hardware device is required in order to authenticate, either as a single factor authentication or a second factor in addition to the password. Typically, these devices take the form of a USB stick, sometimes with NFC support for mobile devices. Security keys, sometimes called hardware keys, provide stronger protection than any other method of authentication security and can be fast and easy to use once you have obtained a security key and registered it. Security keys can be easily lost, however, which imposes a burden on the user and potentially opens a security hole depending on what method there is to recover an account when the security key is lost. Security keys can be expensive, around $30 for a good key with contactless NFC support (or $15 without NFC). A website can require a short PIN be entered when using a security key. For a good security key, like Fido, the key is erased if you type the PIN in wrong 8 times in a row.
Passkeys: Passkeys use the same FIDO2 standard as hardware keys but do not need to be stored on a separate device or in a HSM (hardware vault that is very exceedingly to open by any means). The standards for storing passkeys are lax, and most operating systems strongly encourage you to store passkeys in the built-in vault available on their platform, which is not compatible or syncable with other operating systems. The ideal way to use passkeys is to store them in your cross-platform password manager.
Passkeys and security keys are not vulnerable to brute force, password leaks, social engineering, phishing, or keyloggers. They are still vulnerable to a true man-in-the-middle attack, but this is an exceedingly difficult attack to pull off (and usually easy to detect).
What Raft does
Raft requires passwordless authentication (using either passkeys or security keys). There is no second factor and there is no way to fall back to an insecure authentication method. This approach eliminates nearly all methods of authentication attacks.
While webauthn provide a smooth user experience with an extremely high level of authentication security, most people are not yet familiar with passwordless methods.
The user must either purchase a hardware security key and/or use a password manager with support for passkeys. Since the use of a password manager is an absolute necessity for any kind of security practice these days, and most password managers support passkeys, this requirement is perhaps less onerous than it seems at first. Most people prefer passkeys / security keys once they learn how to use them.
Raft takes advantage of a webauthn extension called PRF that allow the web application to obtain a secure secret when the user logs in. Raft uses this secret to generate a public/private key pair that is used to unlock the user’s personal vault.
Most of the time, encryption allows you to solve the problem of confidentiality by creating a new problem of how to manage keys. The Webauthn PRF extension allows for automatic key management that is invisible to the user.
Account recovery
Account recovery is a work in progress.
Currently, a user can generate a recovery code. In the future, this code should be single use, and only allow you to register a new passkey.
The long term plan is to make it not be such a big deal if a user loses their login credentials. If a user cannot log in anymore, they will just get an new invite code from a workspace admin bound to a particular membership profile in the workspace.
Then, the user can just create a new account and adopt all their previous work history stored in the workspace.
This approach does not work if there is only one admin for a workspace and they lose their account access, or for a user’s personal workspace.
Additional features
These are mostly a work in progress:
- When a user logs out, all their sessions across all devices are terminated.
- When a user closes the last tab, a service worker automatically logs them out. This allows the data on the server to be unreadable again, rather than waiting for the server to clean up the session record when it expires.
- Users can review a log of all authentication attempts.
- Users can manually terminate any particular session.