A Secure Governance Framework for Web User
Authentication through Password Managers
Ali Cherry, Konstantinos Barmpis, Siamak Shahandashti
University of York, York, United Kingdom
{ali.cherry,konstantinos.barmpis,siamak.shahandashti}@york.ac.uk
Overview
Figure: architecture overview, Web App | Berytus API | Secret Manager.
To mediate effectively between web applications and secret managers, we propose Berytus, a web governance framework for web authentication through embedded secret managers. As an orchestrator, Berytus sits between the web application frontend and the secret manager and operates natively in the browser. Berytus introduces two APIs, a Web API for web apps and a WebExtensions API for secret managers; together they define a structured communication flow between web apps and secret managers.
With Berytus positioned this way, secret manager extensions register as secret management tools through the Berytus WebExtensions API. At the other end, web applications call the Berytus Web API to initiate an account-related operation (e.g. authentication). Among other things, Berytus (a) tracks installed secret managers, (b) prompts the user to select one of them and (c) ensures that both sides conform to the spec.
- Unified Secret Management (platform-agnostic) — Embedded password managers can now register directly with the user agent through the WebExtensions API; when several are installed [1, 2], a secret manager selection prompt harmonizes their use.
- Key-based Credential Mapping — Web apps can assume ownership of cryptographic public keys (Ed25519), eliminating the troublesome domain-based credential mapping [3, 4, 5, 6].
- App-level End-to-End Encryption — Berytus facilitates an elliptic-curve Diffie–Hellman key exchange over Curve25519 (a.k.a. X25519) between the secret manager and the web app to establish a shared secret for symmetric encryption of the data they exchange. App-level eavesdroppers that abuse the DOM [7, 8, 9] or monkey-patch the page's JavaScript can no longer read credentials in transit.
- Challenge-based Authentication — Web applications can now initiate one or more authentication challenges instead of exclusively retrieving independent credentials [10].
References
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
Project artifacts
Getting started
The quickest way to get started is to download the packaged Secret* extension and our extended Firefox browser binary. If you would rather compile the browser yourself than download the packaged binary, follow the build instructions below; otherwise, skip to the download instructions.
Build instructions
- Head to the official Firefox docs and follow the instructions to download the Mozilla codebase and bootstrap your machine.
- Use Berytus's port tool to copy the Berytus source code into your Mozilla codebase directory:
  $ ./port export /path/to/mozilla-unified
- Add the mozconfig file below to your mozilla-unified directory (the first option assumes sccache is installed; drop it if it is not):
  # Configure build options
  $ cat <<EOF > ./mozconfig
  # mozilla build config
  ac_add_options --with-ccache=sccache
  ac_add_options --disable-bootstrap
  # if you wish to enable debugging, uncomment the below
  #ac_add_options --enable-debug-js-modules
  #ac_add_options --enable-debug
  EOF
- Build Firefox:
  $ ./mach build
- After the build completes, run the browser:
  $ ./mach run
Download instructions
If you wish to skip building Firefox, you can download the packaged Firefox from the download links provided above. Choose your operating system (macOS or Linux (x86_64)) and follow the instructions below.
- Browser/macOS - mount the disk image as you would for any installer and drag the Firefox Nightly icon into the Applications folder. Launch the browser by searching for 'Nightly.app'.
- Browser/Linux - extract the zip contents into a directory of your choice. Launch the browser by executing the 'firefox' binary, e.g. from a terminal:
  ./firefox
Launch instructions
- Open the downloaded or compiled browser.
- A few seconds after startup, Secret* will pop up automatically.
- To set up the secret manager, click on the bouncing ID card button.
- Go to 'Settings'.
- Optional: tick 'Seamless onboarding' if you want an automated experience.
- Optional: specify a sample email address and a phone number with an international country code.
- Optional: click 'Use Development Identity.' or fill in your identity information by going back to the identity tab. Filling in your identity info is not necessary, as you will be prompted for it during registration if needed.
✅ Your secret manager is now configured and the browser you are running supports the Berytus API. Navigate to the bottom of this web page to start experimenting.
Open Source Roadmap
There have been, in some sense, three development iterations of Berytus. Berytus v0.2 was rewritten from its previous iteration, which relied heavily on XPCOM to execute JavaScript in the browser chrome. That was not performant, and Berytus v0.2 removed this heavy dependency on XPCOM.
We aim to implement the features below within 8 months and will push incremental updates as we go.
- (Core): Authentication of web app Ed25519 keys using website certificates.
- (Core): Ensure that at most one channel can be active within a browsing context.
- (Secret*): Adapt the implementation to support encrypted field data and encrypted user attributes.
- (Core/Liaison): Bind request handlers to BrowsingContexts using a WeakMap, so that SequentialRequestHandler applies per browsing context instead of globally.
Now the fun starts!
Run the code block below to register a new account or authenticate with an existing account via Berytus.