OAuth2 – The Passwordless World of Mobile

Keeping in vogue with the fashion of killing off certain standards, technologies or trends, I think it's an easy one to say that the life of the desktop PC (and maybe even the laptop...) is coming to an end.
Smartphone sales are in the hundreds of millions per quarter, and each iteration of both the iOS and Android operating systems boasts richer user experiences and more sophisticated storage and app integration. The omnipresent nature of these powerful mini-computers has many profound uses and user benefits.



Mobile Weakness + Password Weakness = Nightmare!

Anything popular in the information world brings security weaknesses and vulnerabilities with it. Popularity is a big trigger for the generation of malware and criminal intent. As a malware developer, you would want the reward ratio to be as high as possible, which means developing exploits for devices and operating systems that are the most popular. Some key aspects of all mobile devices, however, result in general security weakness. Firstly, they're small, meaning they can be easily lost or stolen. That weakness is pretty difficult to overcome. Unfortunately, as mobiles now hold significant personal and professional information, emails, attachments, cached passwords and so on, a physical loss can have significant impact. Most mobile devices carry no real form of anti-virus or anti-malware software, albeit this is improving.

Passwords, as we know, are no longer regarded as a secure means to protect websites and applications. End users don't tend to select complex passwords (if they do, they are written down...), and the transport and storage of such passwords (lack of encrypted channels, passwords not hashed in storage) all contribute to more instances of password leaks and compromise.

Password use on mobile phones then introduces a mixture of potential vulnerabilities. Mobile users want to access protected applications, social networking sites and websites, all with email address and password based authentication.

Mobile keyboards are small, so many will simply enter the credentials once and cache them, leaving them vulnerable to reuse and capture if the device is lost or the operating system compromised.


Introduce OAuth2

OAuth2 (not to be confused with OAuth or OATH...) is making great strides towards being the de facto standard authorization protocol for web applications and modern federated services. OAuth2 provides a neat access and refresh token approach to giving access to sites and services, which can reduce the burden of using static username and password based authentication and authorisation. At a high level, OAuth2 can issue both an access token and a refresh token, along with what is known as a scope.

The access token does what it says, and generally has a small lifespan - perhaps only a few minutes. The refresh token, on the other hand, may have a longer lifespan and can be exchanged for a new access token in the future, without the need to re-enter usernames or passwords. The benefit is that the OAuth2 authorization server can revoke the refresh token if the device that holds it is compromised or lost. This is a significant improvement on having to reset passwords if a mobile is lost and contains cached passwords. The scope aspect is simply a list of permission attributes that the authorisation server attaches to the associated access token before releasing it to the requesting resource.

OAuth2 provides several different mechanisms for releasing tokens (called grants), which I won't go into here, but ultimately there is less reliance on the repeated entry of usernames and passwords. The use of tokens removes the need for the caching of such credentials and also does not require credential exchange between the authorisation service and the protected resource.

Being able to remotely revoke an access or refresh token gives the identity owner much more control in the event that a physical device is lost, stolen or compromised.
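
The token lifecycle described above (short-lived access token, refresh without a password, scope check, remote revocation for a lost device), as an added Python example that is not code from the original post or from any OAuth2 library. The class and method names, the device labels and the 300-second lifetime are assumptions made for illustration.

```python
import secrets
import time

ACCESS_TTL = 300  # assumed access-token lifetime in seconds ("a few minutes")

class AuthorizationServer:
    """Toy in-memory authorization server, constructed for illustration."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.refresh_tokens = {}  # refresh token -> (user, device, scope)
        self.access_tokens = {}   # access token  -> (user, device, scope, expiry)

    def _issue_access(self, user, device, scope):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = (user, device, scope, self.clock() + ACCESS_TTL)
        return token

    def grant(self, user, device, scope):
        """Run once after the user authenticates; the device keeps tokens, not the password."""
        scope = frozenset(scope)
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = (user, device, scope)
        return self._issue_access(user, device, scope), refresh

    def refresh(self, refresh_token):
        """Exchange a refresh token for a new access token without a password."""
        if refresh_token not in self.refresh_tokens:
            raise PermissionError("refresh token unknown or revoked")
        return self._issue_access(*self.refresh_tokens[refresh_token])

    def revoke_device(self, user, device):
        """Drop every token issued to a lost or compromised device; return the count."""
        count = 0
        for store in (self.refresh_tokens, self.access_tokens):
            for token in [t for t, rec in store.items() if rec[:2] == (user, device)]:
                del store[token]
                count += 1
        return count

    def allows(self, access_token, required_scope):
        """Resource-side check: token is known, unexpired and carries the scope."""
        record = self.access_tokens.get(access_token)
        if record is None:
            return False
        _user, _device, scope, expiry = record
        return self.clock() < expiry and required_scope in scope
```

Revoking the phone leaves the tokens held by the user's other devices valid, and the password never has to be reset.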

In addition, as passwords would be required less, more complex passwords can be used (created using generators) in order to provide a little more protection.

By Simon Moffatt