Contributor(s): Daniel Waller



Intro

Device cookies as additional authenticator for users devices have been discussed and used in practice for some time already. For example, it was discussed by Marc Heuse at PasswordsCon 14.

Marc speculates on various techniques for blocking online attacks and comes to notion of “device cookie” as good protection alternative (see the talk on Hydra at PasswordsCon 14, specifically from 32:50). As well as Alec Muffett at the same conference mentions “datr cookie” from Facebook (look from 10:15 of the talk).

The main idea behind the protocol is to issue a special “device” cookie to every client (browser) when it is used to successfully authenticate a user in a system. The device cookie can be used to:

Distinguish between known/trusted and unknown/untrusted clients

Establish universal temporary lockouts for all untrusted clients

Lockout trusted clients individually

Why?

There are few well-known ways to deal with online attacks:

Temporary account lockout

Use CAPTCHA to slow down attacker

Other tricks, like producing confusing answers for attacker are more like “security by obscurity” and cannot be used as first-class protection mechanism.

Temporary account lockout after several failed attempts is too simple of a target for DoS attacks against legitimate users. There is variation of this method that locks out pair of account/IP. It is better in regarding to DoS issues but have security downsides:

Attacks from botnets can be effective

Attacks through proxies can be effective

Moreover, it is not so trivial to implement account/IP lockout. Consider multiple proxies with chaining addresses in “X-Forwarded-For” header or IPv6.

The method described in this writing may be viewed as variant of account/IP blocking. But it proposes to use a browser cookie instead of an IP address. Thus it may be more predictable from security perspective and easier to implement.

Protocol

Protocol parameters:

T – Time period for lockout duration/attempt counting

N – Max number of failed authentication attempts allowed during T

The sign ∎ hereafter states for end of algorithm.

Entry point for authentication request

If the incoming request contains a device cookie: validate device cookie if device cookie is invalid, proceed to step 2. if the device cookie is in the lockout list -> reject authentication attempt ∎ else -> authenticate user If authentication from untrusted clients is locked out for this user -> reject authentication attempt ∎ Else -> authenticate user ∎

Authenticate user

Check user credentials If credentials are valid issue new device cookie to user’s client proceed with authenticated user Else register failed authentication attempt reject authentication attempt ∎

Register failed authentication attempt

Register a failed authentication attempt with following information: { user, time, device cookie (if present) } If device cookie is present count number of failed authentication attempts within time period T for this specific cookie if number of failed attempts within T > N -> put device cookie in lockout list until now() + T Else (= no device cookie present) count number of all failed authentication attempts for this user during time period T if number of failed attempts within T > N -> lockout ALL authentication attempts from untrusted clients for this specific user until now() + T

Issue new device cookie

Issue a browser cookie with a value like “LOGIN,NONCE,SIGNATURE”, where:

LOGIN – User’s login name (or internal ID) corresponding to an authenticated user

NONCE – Nonce of sufficient length or random value from CSRNG source

SIGNATURE – HMAC(secret-key, “LOGIN,NONCE”)

secret-key – server’s secret cryptographic key

Validate that the device cookie is formatted as described above Validate that SIGNATURE == HMAC(secret-key, “LOGIN,NONCE”) Validate that LOGIN represents the user who is actually trying to authenticate

Notes

Putting the device cookie in a lockout list has the same effect as if the client had no device cookie. So clients with device cookies are potentially allowed to make N * 2 failed authentication attempts before actual lockout.

Issuing a new device cookie after each successful authentication allows us to avoid making decisions in situations like: “Should the system block a device cookie if there were registered N-1 failed attempts, then one successful authentication, and then again 1 failed attempt? All within period T.”

Implementation Tips

It is good idea to use a standard format for device cookies. So, if the size of a cookie is not an issue, it is recommended to use JWT.

The following standard claims can be used:

sub – LOGIN

jti – NONCE

Important: If you already use JWT for storing session tokens or other security stuff, make sure you cannot confuse device cookies with other types of tokens. There are two possible ways to mitigate this threat:

Use different signature / encryption keys for different token types Add aud claim into device cookie token that unambiguously refers to brute force protection subsystem (e.g. “aud” : “brute-force-protection” or “device cookie”).

Threat Analysis