Close
0%
0%

PassKey: Portable login dongle

Mooltipass alternative with unprecedented security, full compatible with your favourite websites and browser.

Similar projects worth following
Nowadays computers are not secure anymore: every day new viruses, key-loggers and stealth malware are spread. And we still keep sharing our most sensitive data with our insecure computers: our web passwords. Also we’re all having a bad time trying to remember many long passwords for different sites. The Identiva PassKey solves this problem: it is a tiny wireless device that allows people to authenticate against any website as simple as a button press. The PassKey keeps all your passwords in a super-secure way and is able to feed it to any existing password-enabled Internet website, such as your bank or your favorite e-mail provider, without ever disclosing the password to your browser computer, or to any hacker in the net. You will never have to worry again about your computer being infected or about typing your password in a friend’s computer.

We plan to share efforts with the good Hackaday's Mooltipass project, so we'll publish sources and hardware design files of this THP entry.


The PassKey logins to your favourite websites using the stored passwords (that are never revealed to your browser computer, just to the website), achieving an unprecedented level of security without requiring any change in the Internet authentication infrastructure. We have prototypes already working for the major websites. See it in action:

Traditional password managers are designed to be used only on trustworthy computers. You cannot securely plug your pendrive containing your password list on a Cybercafe computer, without risking your digital identity and digitally controlled assets. Sometimes, you should assume your password has been compromised as soon as you type it on an untrusted keyboard.

The following diagram shows the inner workings of the PassKey and the login and browsing flowchart:

The Identiva PassKey is the only device that allows you to log in using any untrusted computer with high security and no risk. And also, it is compatible with any password-enabled website in the world. The innovations are protected by patents pending in US and Europe.

The proof-of-concept hardware/software platform used for testing was a wifi-enabled smart-watch running the Android operating system and adapted for being able to simultaneously run a GNU/Linux distribution. The software was implemented in Python. For the production device, we will target a single-purpose security-hardened hardware platform such as a secure micontroller, which will just require adding a display, buttons and the battery. Also the PassKey supports password backups in the cloud. The requirements for the cloud servers are simple to met since the password backup service can be implemented on all of the standard web development languages, platforms and frameworks. We plan to make all the software open source for ease of auditing.

The Identiva PassKey wireless device concept was fully implemented and tested using a smart-watch platform. Nevertheless we plan to increase its security by using a single-purpose low-cost, power-efficient computing platform, such as one based on a secure microcontroller or IoT board. The platform must have a Wi-fi and/or blue-tooth connectivity, an LCD display, a battery and a simple user interface having two confirmation buttons  (see below)

The core computing operations performed by the device are storing a password database, opening secure connections to external websites (or the computer) using the SSL/TLS protocol suite, verifying authentication certificates, and sending passwords in encrypted form. Also the PassKey is able to intercept the traffic between the untrusted computer and the website and provide the authentication tokens when needed, without disclosing them. Last, the PassKey can offload downloading or uploading large files to the untrusted computer without disclosing sensitive information, to preserve the device battery life. These operations are performed by a single software component that resides in the PassKey. On the computer side, the PassKey requires a simple two-step configuration process that does not require administrative privileges and involves configuring the PassKey as an Internet proxy and installing a root certificate provided by the PassKey. An optional user-mode software component can be run on the untrusted computer to multiplex Internet streams and reduce the CPU-load of the PassKey, increasing its battery lifetime.

For secure-critical operations, such as changing a password, updating your personal data or making a bank transaction, you’ll be able to configure the PassKey to require specific confirmations. Your can use your PassKey today, because it is compatible with all your favorite websites like no other authentication system. Having a simple user interface with a single confirmation button makes the PassKey login process secure, easy and natural.

Read more »

  • 1 × WifiG25 50x30mm Single Board Computer (armdevs.com) (Under evaluation: smaller VoCore 1"x1" SBC)
  • 1 × 1.3" LCD display SHARP LS013B4DN04
  • 1 × Li-ion battery
  • 1 × Buttons, etc.

  • Building our own hardware

    Sergio Demian Lerner08/26/2014 at 02:46 0 comments

    July 2014.

    We started to design our own first hardware platform. It does not have to be the best, but it must be cheap, small and fast. We did some back of the envelope computations about battery life and decided that a single core Linux microprocessor could handle all login traffic with no noticeable delay and at the same time won't drain the battery too soon. This is because we have special modes to offload computations to the PC where there is large file download or upload, without compromising the security. We'll add more information about this modes later. Also we're investigating selective proxying, where the high-security traffic is redirected to the PassKey and other low security traffic is not. This hybrid strategy preserves the baterry even more.

  • Testing the Smart-watch and the Learning mode

    Sergio Demian Lerner08/26/2014 at 02:39 0 comments

    June 2014.

    We started using the Smart-watch for ourselves, login in Twitter, LinkedIn,  our banks and more. Results were 99% positive, although we had to improve the cookie handling code. To ease testing, we decided to add to the PassKey a learning mode so we could focus on the interaction and stop spending time configuring XML files manually.

    Learning mode worked great. Now we just type the password a single time, and then never again. It's magic.

  • Hacked Smart-watch used to test minimal UI

    Sergio Demian Lerner08/26/2014 at 02:33 0 comments

    May 2014.

    We hacked an smart-watch to run the UI based on Android Scripting Layer (android.py). This gave us the opportunity to test how slim the UI can be made and how comfortable (or not) would be to have the PassKey around your wrists.

    Unlucky the first Smart-watch died unexpectedly and it was impossible to revive, so we bought another to keep testing.

    We recorded a simple video to pitch the idea before another smart-watch failure. Now we're ready to go building own own hardware.

  • First Smart-phone based prototype

    Sergio Demian Lerner08/26/2014 at 02:27 0 comments

    April 2014.

    This was awesome. We took an old Samsung GT-B5510 Smart-phone, rooted it and installed a debian Linux in a chrooted environment. Python ran smoothly during long times, although it took a few days to leave everything working. The UI is still simple but serves its purpose well. We're still exploring the use case and we're not focusing technical details.

  • First Proof of Concept based on Linux

    Sergio Demian Lerner08/26/2014 at 02:17 0 comments

    March 2014.
    We finished our initial proof of concept PassKey in Python running on a Linux PC.
    We chose Python because it's good for prototyping and because we used mitmproxy.org, and excelent HTTPS proxy that supports traffic interception and modification.

View all 5 project logs

Enjoy this project?

Share

Discussions

Catalin Hausi wrote 04/14/2018 at 09:00 point

Hi, is there any chance to revive this project? It seems a great idea, and I would be interested in some updates about it, if anyone still has any plans of continuing it.

  Are you sure? yes | no

starguy20104luv wrote 01/01/2015 at 23:22 point

can a bank token be assessed by another means that is not the token ?

  Are you sure? yes | no

iWhacko wrote 10/08/2014 at 12:05 point
So basicly you are doing a Man-in-the-middle attack, but your device is trusted… so, how can I tell on my pc, that I am connecting with the right website? since the certificate is no longer correct, since it connects to your device?
My browser will no longer show the "trusted symbol" in the url bar
What if the device is compromised? there is no way to tell where it's sending the information.

  Are you sure? yes | no

Sergio Demian Lerner wrote 10/08/2014 at 19:08 point
1. First, you can add the PassKey certificate as a root certificate, and the PassKey creates the third party certificates on demand. So you will still see the trusted symbol. Also the PassKey itself will inform you you're connected to the correct site in its small display.
2. The probability the device is compromised is much much much lower than the probability of your PC being compromised. It does not load third party applications, nor games, nor printer drivers, nor browser plug-ins.
3. You can tell where it is sending the information because it has a confirmation display.

Summary: You have all the control.

  Are you sure? yes | no

josh wrote 08/25/2014 at 18:49 point
Very neat idea!

With your current and/or proposed systems: Am I understanding correctly that you are configuring the untrusted browser to proxy through your device?
A) Won't that require a very large amount of processing (and thus *battery*) power to browse the web?
B) What about un-trusted scenarios where the user themselves are "un-trusted", IE: Unable to configure proxy settings?

  Are you sure? yes | no

Victor Suarez Rovere wrote 08/26/2014 at 02:27 point
A) The simplest configuration doesn't need any additional software running on the browser computer, but in optimized and more comfortable scenario, you'll be able to install a browser plugin (or run a local proxy) that will alleviate processing in the passkey. Anyways you'll be able to power and recharge the passkey through USB.
B) Most browsers allow proxy configuration and plugins to be installed with no administrator privileges, and in a similar way, it's normally permitted to download and run a custom proxy software without administrator privileges.

  Are you sure? yes | no

Victor Suarez Rovere wrote 08/25/2014 at 03:00 point
Victor Suarez Rovere wrote a few seconds ago

Main advantages of PassKey are: a) you don't need to remember website passwords anymore b) unprecedented security since passwords are never revaled to the browser computer, so you can safely use for browsing an unstruted one like a friend's tablet c) unlike SQRL, our technology doesn't need to wait changes to websites since we reuse the currently dominating user/password authentication scheme and d) it asks for confirmations through the trusted UI (basically the integrated display and buttons), so you can reject any malware-triggered login attempt.

Obviously, the PassKey sends the password directly to the website by means of HTTPS protocol, but first checking the server's credentials. Our prototype worked well with major websites (Twitter, Facebook, LinkedIn, etc.) and we se no special problems on supporting all the websites. Indeed, we are testing a "learning mode", similar to the browser's "remember password" feature so you can build your password database easily.

  Are you sure? yes | no

PointyOintment wrote 08/20/2014 at 00:34 point
> Restrictions: patents pending but we'll provide a license only for "makers" soon.

This is going to be a commercial product, then? I must warn you that you will most likely not be able to compete with SQRL: https://www.grc.com/sqrl/sqrl.htm

  Are you sure? yes | no

Sergio Demian Lerner wrote 08/21/2014 at 12:46 point
This is much, much better than SQRL. SQRL requires websites to change the authentication infrastructure. We do not. In fact we're already using and testing our prototype PassKeys with several top Internet websites without hassle.

  Are you sure? yes | no

PointyOintment wrote 08/24/2014 at 08:42 point
OK, I looked at your block diagram. I think it's a pretty strange system (though I'd say the same about SQRL). I'm not sure about its advantages yet; I'll have to think about that for a while. What I thought might cause problems, though, are sites that don't allow logins without HTTPS (lots of sites these days). I guess the proxy could just pass on an insecure version of the page to the user's browser, so I guess you're going to do that? Will advanced features of certificates (e.g. pinning and stapling) be supported? Also, what about the user wanting to check certificates; will that be facilitated through the "trusted UI"? And what exactly is that?

  Are you sure? yes | no

Does this project spark your interest?

Become a member to follow this project and never miss any updates