Congratulations to Jasdeep Basra, Pascal Issa, Aldo Lagrutta, and Stephanie Perkins on being named the winners of the Spring 2020 Lily L. Chang Award for their “That’s A Hard Pass” capstone project. With support from CLTC, the research team aimed to build a usable, private and secure cloud based password manager using emerging technology. “Passwords have been the main method of authentication for a long time, but they have also been proven to be a massive weak point within authentication,” the researchers wrote in a proposal for their project. Together they created “security made tangible” with Hard Pass, a hardware token that acts as an authentication key.
Their approach combines a simple pin with a hardware key (similar to a debit card) for convenient and secure passwordless authentication. Users can login to the Hard Pass website from any location using their hardware key and pin. The website also allows users to encrypt and store all their passwords securely online. Additionally, the researchers developed a JavaScript Extension that pulls credentials from the cloud, decrypts them client side and submits them to webforms on behalf of the user.
The researchers describe a high-level overview of their cloud architecture:
“Our deliverable is a Hardware-based YubiKey to access websites using a physical tap and pin. We are using FIDO2 (WebAUTHN for CTAP2) to allow users to sign-up and login without a password to web based forms. Registration to our service leads to generating an asynchronous keypair that is transparent to the user. From there, we use the Yubikey and onboard public key for encryption of the data locally. The data is only transmitted after encryption. Lastly, we used the previously established private key on the Yubikey for decryption of the data locally. All key and extension actions are run client side. As such, data will be encrypted client side and transmitted as is, so there is no risk of data disclosure if our backend infrastructure is breached.”
Hard Pass allows users to :
- avoid reusing passwords
- avoid credential stuffing attacks by using their FIDO authentication mechanism as two-factor authentication (2FA)
- reduce risk from phishing and password attacks
- have a simple, convenient experience without additional time-consuming 2FA or SMS steps
In the table below, the team highlights Hard Pass’s key differentiators from other passwordless technologies already on the market, such as asynchronous encryption. “Hard Pass is different from other password managers because our solution has client side encryption and focuses on user privacy, usability, and security every step of the way,” said Steph Perkins.
CLTC asked the researchers to share any unexpected insights about cybersecurity that they learned during the course of their capstone project. To Jasdeep Basra, usability and functionality are key to gaining widespread market adoption and are just as important when introducing the most ‘secure’ solution. “Having global industry support is essential for security products to succeed,” Pascal Issa added. “Just because a product is the most secure does not mean it will be the most prevalent without tech industry adoption.”
Being recognized for the Lily L. Chang Award is a significant next step in these MICS students’ career in the cybersecurity field. “As I move up into leadership positions,” said Perkins, “[the MICS] program has prepared me well with a timeless approach to understanding every aspect of cybersecurity.” In reflecting on his time spent in the MICS program, Basra expressed thanks for the opportunity and everything that he learned. “I think the connections and contacts I made here will carry on and I hope to be able to take a more academic and systemic approach to cybersecurity rather than a purely practical approach.”