Authreq is a scheme that allows you to prove your identity to a web service in an intuitive way: by using your iPhone as a possession factor.
How it works
The app uses your iPhone's Secure Enclave to generate a keypair. The private key never leaves the Secure Enclave: it cannot be extracted, even by an attacker who has compromised the phone's kernel (or by you, through jailbreaking). It can only be used, and only under the policy described below. Your public key is what the service uses to recognise you.
When certain events occur, such as a login attempt, an external service provider sends a challenge to your iPhone. Authreq lets you sign the challenge and return the signature to the service provider, which verifies it against your enrolled public key; a valid signature proves that you approved the transaction. Each challenge must be fresh (random, single-use and short-lived), otherwise a signature captured once could be replayed.
The Secure Enclave will only sign these challenges while your iPhone is unlocked, so you must first prove your identity to your iPhone with your passcode, Touch ID or Face ID.
That makes your iPhone an effective authentication factor: something you have, usable only by someone who can unlock it.
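As an added illustration (not authreq's own code; the type name, the key tag and the exact access-control flags are assumptions about how such an app would be written), here is the device-side flow from the paragraphs above in Swift using the Security framework: enrolment generates a P-256 key inside the Secure Enclave, only the public point is exported, and each login signs the provider's challenge under a policy that requires the phone to be unlocked and the user to be present. The verify function plays the service provider, using only the bytes it received at enrolment.

```swift
import Foundation
import Security

// Added illustration; not authreq's own code. The type name, key tag and
// access-control flags are assumptions, not the app's actual configuration.
enum AuthreqDemoError: Error {
    case accessControl(Error?)
    case keyCreation(Error?)
    case keyNotFound(OSStatus)
    case publicKeyExport(Error?)
    case signing(Error?)
}

struct AuthreqDemo {
    // Keychain tag used to find the key again; the key material never leaves the enclave.
    static let keyTag = Data("info.szente.authreq.demo".utf8)   // assumed tag

    /// Enrolment: generate a P-256 keypair inside the Secure Enclave.
    /// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: usable only while unlocked, never backed up.
    /// .privateKeyUsage: the policy applies to signing, not merely to reading the item.
    /// .userPresence: each signature requires passcode, Touch ID or Face ID.
    static func enrol() throws -> SecKey {
        var err: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.privateKeyUsage, .userPresence],
                &err) else {
            throw AuthreqDemoError.accessControl(err?.takeRetainedValue())
        }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String:       kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String:       kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String:    true,
                kSecAttrApplicationTag as String: keyTag,
                kSecAttrAccessControl as String:  access,
            ],
        ]
        guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &err) else {
            throw AuthreqDemoError.keyCreation(err?.takeRetainedValue())
        }
        return privateKey
    }

    /// What the service provider receives at enrolment: the public point in X9.63
    /// uncompressed form (0x04 || X || Y, 65 bytes). No API exports the private key.
    static func publicKeyBytes(of privateKey: SecKey) throws -> Data {
        var err: Unmanaged<CFError>?
        guard let publicKey = SecKeyCopyPublicKey(privateKey),
              let point = SecKeyCopyExternalRepresentation(publicKey, &err) as Data? else {
            throw AuthreqDemoError.publicKeyExport(err?.takeRetainedValue())
        }
        return point
    }

    /// Later launches: find the key by tag. The prompt is shown when the enclave
    /// asks the user to authenticate before signing.
    static func loadKey() throws -> SecKey {
        let query: [String: Any] = [
            kSecClass as String:              kSecClassKey,
            kSecAttrKeyType as String:        kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrApplicationTag as String: keyTag,
            kSecReturnRef as String:          true,
            kSecUseOperationPrompt as String: "Approve this login attempt",
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let ref = item else {
            throw AuthreqDemoError.keyNotFound(status)
        }
        return ref as! SecKey
    }

    /// Login: sign the provider's challenge (ECDSA over SHA-256 of the message,
    /// DER-encoded r and s). The enclave enforces the access-control policy here.
    static func sign(challenge: Data, with privateKey: SecKey) throws -> Data {
        let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
        var err: Unmanaged<CFError>?
        guard SecKeyIsAlgorithmSupported(privateKey, .sign, algorithm),
              let signature = SecKeyCreateSignature(privateKey, algorithm,
                                                    challenge as CFData, &err) as Data? else {
            throw AuthreqDemoError.signing(err?.takeRetainedValue())
        }
        return signature
    }

    /// The service provider's check, using only what it stored at enrolment.
    static func verify(challenge: Data, signature: Data, enrolledPoint: Data) -> Bool {
        let attrs: [String: Any] = [
            kSecAttrKeyType as String:       kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeyClass as String:      kSecAttrKeyClassPublic,
            kSecAttrKeySizeInBits as String: 256,
        ]
        var err: Unmanaged<CFError>?
        guard let publicKey = SecKeyCreateWithData(enrolledPoint as CFData,
                                                   attrs as CFDictionary, &err) else { return false }
        return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                     challenge as CFData, signature as CFData, &err)
    }

    /// Constructed round trip. The random bytes stand in for a challenge the server
    /// generated and remembered, so that it can be accepted exactly once.
    static func demoRoundTrip() throws -> Bool {
        let enrolledPoint = try publicKeyBytes(of: try enrol())      // sent to the server once
        var bytes = [UInt8](repeating: 0, count: 32)
        guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess else { return false }
        let challenge = Data(bytes)
        let key = try loadKey()                                       // triggers the user prompt
        let signature = try sign(challenge: challenge, with: key)
        return verify(challenge: challenge, signature: signature, enrolledPoint: enrolledPoint)
    }
}
```

This only runs on a device with a Secure Enclave; the simulator has none. The server side needs nothing more than the 65-byte point and the DER signature: in PHP, wrap the point in a SubjectPublicKeyInfo for P-256 and pass it to openssl_verify with OPENSSL_ALGO_SHA256, and reject any challenge that is unknown, expired or already used.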
The paper
I created authreq at the University of Glasgow for my MSci research project. We conducted a user study to evaluate the scheme's usability and compared authreq with popular 2FA mechanisms. The paper describes authreq in detail, including the implementation of its components and the communication between them. Here's the paper.
The demo
To try out authreq, get the app:
Then, head to the sample service provider where you can log in to a sample online banking site and link your account to Authreq. Once enrolled, you'll need to approve all login attempts on your iPhone.
The code
The app was written in Swift 4 and requires a paid Apple Developer account for push notifications. The scheme's backend runs on PHP, and the current SDK supports PHP projects. Authreq's components are fully open source and available under the MIT license.
The presentation
I gave a presentation on authreq at the University of Glasgow. Here are the slides.
Having issues with authreq?
Contact me at akos (at) szente (dot) info — I'll be happy to help.