Replies: 7 comments
-
Do you have a suggested implementation for this? Maybe the mobile device generates a private key and sends the public key after a successful login. Then, on subsequent logins it signs a combination of a server challenge and a timestamp or something using that private key to prove that it is a trusted device. What do you think?
-
Yes, that would be the type of implementation in principle. It could even be combined (e.g. the user submits the authentication code together with a timestamp and a signature of it at once to have less auth traffic), or set up in multiple steps, WebAuthn-like basically, but that would indeed be the idea.
-
Do we have an example we can point to where someone has done that?
-
I don't have any OSS example, but we could / would search for or make one, partially for the MSTG, I suppose.
-
@tghosth do you think that, if we can come up with an example, it is a good item to put in the ASVS?
-
So I think this is a good method for creating a trusted device authenticator; I am not sure about using it for regular authentication/authorization though.
-
Ah yes, you're right. I have updated the issue accordingly 👍
-
As part of #203 we have the following point of investigation: ASVS/MASVS: Consider using asymmetric cryptography for authentication and authorization purposes. Generate and use the private key directly within a platform supported secure hardware (e.g., Trusted Execution Environment (TEE), Secure Element (SE)).
Can we try to collaborate with the ASVS team and set something up for strong device authentication in terms of requirements based on asymmetric keys used for challenge-response mechanisms to authenticate devices?