
It was suggested that I post here from this question on Super User SE. So here is a copy of it:

I'm asked to add the possibility to scan a barcode (on a badge) to authenticate users when they log in to my app. In this context, my customer has no standard (he does not use badges for now) but would like to use these same barcodes/badges for other apps. Of course, it cannot be encoded in a 'user/separator/password' way, because that would show the password when scanned into any simple text editor.

Are there any standards about that? Are there any barcode scanners that provide a built-in function for this?

Preferably, the barcodes I'd want to use may be 1D barcodes. The authentication needs to be one step in this context. The code is being written in C#.

If none of the above, how could it be done?

Thanks

lemon
  • Could you store the hash of the username/password in the barcode? Assuming that you use the hash of a password to log in rather than the full thing, it would stop anyone being able to scan the details into a text editor – Connor J Jun 28 '18 at 09:08
  • @ConnorJ, isn't what you say simply a way (by many others) to encrypt? – lemon Jun 28 '18 at 09:11
  • @ConnorJ: what will stop someone from replaying this hash? – WoJ Jun 28 '18 at 09:14
  • @lemon No, encryption can be decrypted - a hash of a value is one way only and cannot be 'unhashed'. It is good practice to store the hashes of passwords rather than the full password itself for a number of reasons, one of which is if you ever have a data breach - your users' passwords are never leaked, just the hashes of them. This link might explain it better for you: https://www.securityinnovationeurope.com/blog/page/whats-the-difference-between-hashing-and-encrypting – Connor J Jun 28 '18 at 09:14
  • @ConnorJ, ok, I get the point. – lemon Jun 28 '18 at 09:15
  • And no matter what you would be able to do for "securing" the badge: if I shoot a photo of the user with their badge, then I can reprint the same barcode and use it to log in right away, since the barcode is a "passive device". – Xenos Jun 28 '18 at 09:28
  • As the barcode should authenticate the user (like a password he's typing), it does not matter if it contains the password or a hash of a password, because you will not authenticate with the plaintext password, but with the hash. So as long as there is no user-chosen password in the barcode, any token will do, and hashing does not improve much from the perspective of copying a code. Hashing on the *server* side will of course have the usual advantages. – allo Jun 28 '18 at 11:50

3 Answers


There is no such standard. What the barcode (or QR code) provides is a way to encode some text information.

Encode, not encrypt - so it is readable by the relevant software which can decode the scanned data.

Using this as an authentication system is similar to printing out a password on the badge.

WoJ
  • So, if I understand you well, there is no way to do it? That's it? (by "no way" I mean, no possible secure way). – lemon Jun 28 '18 at 09:10
  • @lemon: what you will provide is data which will discriminate your users (= you will be able to differentiate them). It means that you know that JKHTSHSGHGSTSSH accessed your system. You will never be sure that JKHTSHSGHGSTSSH is actually John, to whom you gave this access key. – WoJ Jun 28 '18 at 09:12
  • On Super User SE, I was suggested the barcode could only contain the user (and no password). What do you think about it? – lemon Jun 28 '18 at 09:14
  • You can only store the login (username) in the badge, and let the user enter their password in the form. That's safe since the username is often considered "public information" (so it can be printed on a badge, barcode, or whatever). But it requires the user to know and enter their password. – Xenos Jun 28 '18 at 09:30
  • @lemon: you can store whatever is either public (a name which is anyway displayed in letters elsewhere on the badge) or an identification token you want to track for some purposes (statistics, some kind of obfuscation on the access (it is not guessable), ...). It really depends on your risk analysis, which starts with "what will happen if someone has the information?" All answers are possible, from "this is the end of the world" (suggesting you need real authentication, possibly 2FA) to "nah" (which means that you do not really need authentication, maybe just differentiation between accesses) – WoJ Jun 28 '18 at 11:00

If you only consider security as black or white, you can only write public information on the badge, be it in clear text or barcode. And the user will have to type their password, which makes the whole system rather useless.

Then, you could wonder what the risks and threats are. It is common to protect physical locations with a good old key that can be lost, stolen and copied at will. And the lock itself can be picked. If your security analysis does not exhibit higher requirements, the badge and its barcode are something that owning is enough to let you in. The major flaw is that it is probably enough to take a photo of the barcode with a smartphone to be able to copy it. That means that it should only protect data where the confidentiality level is rather low. From an implementation point of view, the barcode can contain either a username, or more likely an opaque token that the system can map to a user id.

Anyway, never use a barcode to write confidential information, so no password here. It would add little to no security and would be a compromise vector for the password.

Serge Ballesta

You basically have to do a risk evaluation. What does the system give access to, and what protection do these assets require? There are no canned answers to that.

If it's a simple timekeeping app that logs in and out times, a simple bar code with an employee number will likely be enough; users can review time sheets and correct them.

If it's a login for a production control system, this may not be good enough, as it's trivial for anyone to log in as anyone else, and it's trivial to replay barcodes. Heck, take a photo with any smartphone, hold smartphone in front of scanners.

You may want to look into smart RFID cards. They are a lot more secure, and can hand back a cryptographic signature of the request, making them at best difficult to copy.

You may want to add a 4-digit PIN, with limited retries. There are many kinds of authentication solutions, but the common point of all of them is that you need to define the necessary level of security, based on your application. Once you've done this, you can come back with questions as to how to implement this. But remember that barcodes are, for all intents and purposes, just text.

vidarlo
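The layout that Serge Ballesta's answer (an opaque token on the badge that the server maps to a user id) and vidarlo's answer (a short PIN with limited retries on top of it) both describe, as an added example that is not code from the thread. It is written in Python rather than the asker's C# because the design is language-independent. The SHA-256 token key, the PBKDF2 parameters for the PIN, the three-attempt lockout and the in-memory store are all assumptions; a real deployment would keep the records in the application database and put the PIN prompt behind the scan.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: three wrong PINs lock the badge until it is revoked and reissued.
MAX_PIN_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000   # assumed work factor for the PIN hash


@dataclass
class BadgeRecord:
    """Server-side record; nothing in it can be turned back into a printable badge."""
    user_id: str
    pin_salt: bytes
    pin_hash: bytes
    failed_pin_attempts: int = 0
    locked: bool = False


class BadgeAuthenticator:
    """Maps scanned badge text to users. The badge holds only an opaque random
    token, the server stores only the SHA-256 of that token, so a database dump
    does not yield badges and a scanned badge does not yield a password."""

    def __init__(self) -> None:
        self._records: Dict[bytes, BadgeRecord] = {}

    @staticmethod
    def _token_key(token: str) -> bytes:
        # The token is high-entropy, so a plain hash is enough as a lookup key.
        return hashlib.sha256(token.encode("utf-8")).digest()

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        # The PIN is low-entropy (4 digits), so it gets a salted, slow hash.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def issue_badge(self, user_id: str, pin: str) -> str:
        """Create a badge for user_id and return the text to print as the barcode:
        16 random bytes as URL-safe base64, 22 characters, all printable in Code 128."""
        token = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._records[self._token_key(token)] = BadgeRecord(
            user_id=user_id, pin_salt=salt, pin_hash=self._pin_hash(pin, salt))
        return token

    def identify(self, scanned: str) -> Optional[str]:
        """Badge-only lookup: enough for the timekeeping case, where the badge
        merely differentiates users. Any copy of the barcode identifies equally."""
        rec = self._records.get(self._token_key(scanned))
        return rec.user_id if rec is not None else None

    def authenticate(self, scanned: str, pin: str) -> Optional[str]:
        """Badge plus PIN: the badge says who, the PIN shows it is the holder.
        Returns the user id on success, None on any failure or when locked."""
        rec = self._records.get(self._token_key(scanned))
        if rec is None or rec.locked:
            return None
        if hmac.compare_digest(self._pin_hash(pin, rec.pin_salt), rec.pin_hash):
            rec.failed_pin_attempts = 0
            return rec.user_id
        rec.failed_pin_attempts += 1
        if rec.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
            rec.locked = True    # a copied badge cannot be combined with PIN guessing
        return None

    def revoke(self, scanned: str) -> bool:
        """Invalidate a badge (lost, photographed, employee left) so a new one can be issued."""
        return self._records.pop(self._token_key(scanned), None) is not None


if __name__ == "__main__":
    auth = BadgeAuthenticator()
    badge = auth.issue_badge("john", "4321")          # constructed sample user and PIN
    print("barcode text:", badge)
    print("identify:", auth.identify(badge))
    print("wrong pin:", auth.authenticate(badge, "0000"))
    print("right pin:", auth.authenticate(badge, "4321"))
```

Note what the example does not change: the barcode text is a bearer credential, so any photo of it identifies the user just as well as the original, which is why `identify` alone only suits the low-confidentiality cases above and why `revoke` exists at all. The PIN is what turns possession into authentication, and the lockout is what keeps a four-digit PIN from being brute-forced against a copied badge.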