CS 4401 (A12): Software Security Engineering
Assignment: Tech Memos on Authentication

Due: Tuesday, September 18 by 2pm (when class starts) under Turnin assignment authentication.

Part 1: Technical Memo on Two-factor Authentication

Several major websites now give users the option of two-factor authentication, in which a user authenticates to the system using two pieces of information provided over different channels. For example, the user might supply a password followed by a security code that was sent to a mobile phone. Google, in particular, has an application called Google Authenticator which generates the second token (rather than sending it over SMS). Each generated token is only valid for a short period of time. Some other applications (such as Dropbox) also accept Google Authenticator tokens for two-factor authentication.

Write a technical memo explaining how two-factor authentication works. Discuss both the security aspects (mechanism, assurance, threats, etc.) and how it is implemented (such as how time is used, how sensitive the approach is to time synchronization across devices, etc.). If you worked for a non-Google product that was considering using Google Authenticator, what questions would your team need to answer before making a decision?
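Google Authenticator's time-based codes follow the TOTP scheme (RFC 6238, built on HOTP from RFC 4226): the phone and the server share a secret, the current Unix time is divided into 30-second steps, and each step yields a 6-digit code from an HMAC-SHA1 over the step counter. The Python below is an added example for this assignment, not code from the course or from Google; the Base32 secret and the timestamps are constructed for the demo, and verify_totp shows the usual way a server tolerates a phone whose clock is off by up to one step in either direction.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code (RFC 6238 default, used by Google Authenticator)
DIGITS = 6       # code length shown in the app

# Constructed demo secret in the Base32 form that Google Authenticator imports.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret the user scanned from the QR code into raw key bytes."""
    return base64.b32decode(encoded.upper())


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                skew_steps: int = 1, step: int = TIME_STEP):
    """Server-side check that tolerates clock drift of +/- skew_steps time steps.

    Returns the step offset at which the code matched (0 = clocks agree,
    -1 = the phone is one step behind, ...) or None if nothing in the window matches.
    A larger window widens the interval in which a captured code is still usable,
    so it should stay small; drift beyond it shows up as repeated login failures.
    """
    counter = int(at_time) // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return delta
    return None


if __name__ == "__main__":
    key = secret_from_base32(DEMO_SECRET_B32)
    now = time.time()
    print("current code:", totp(key, now))
    # A phone running 45 seconds slow produces the previous step's code,
    # which the server accepts only because it looks one step back.
    print("slow phone accepted at offset:", verify_totp(key, totp(key, now - 45), now))
```

The RFC 4226 and RFC 6238 test vectors (secret "12345678901234567890") can be used to check the functions above; for a 6-digit code the published 8-digit TOTP values are truncated to their last six digits.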

As with all technical memo assignments, your answer should be 1-2 pages in length and written crisply for a technical audience.

Part 2: Non-Technical Memo on OpenID

OpenID is a protocol that lets you sign into one website using your credentials from another website. Many sites, for example, allow you to log in by authenticating yourself to Facebook, Google, Twitter, or some other major service rather than create a new password on the new site.

Your favorite technically-challenged relative is terrified about identity theft online, and also has an active account on a common site (such as Facebook or Google). Your relative is about to join a new social media site, and has asked you whether to use their common-site login on the new site. Your relative is particularly nervous about giving the new site their Facebook/Google/etc. password.

Recommend, or don't, that your relative use OpenID and explain why. You can think of this either as a 1-2 paragraph email message you might send them, or information that you might give them if you were talking in person. If you'd draw a diagram for them, include it in your answer. The goal here is to show how you would explain the risks and benefits of OpenID to an internet user with a limited or faulty model of how it all works. Go beyond "just use it" to an explanation that tries to convey what's going on in terms that your relative might understand.

(Of course, when we grade this, we will also be checking that you understand how OpenID works. Your answer should cover enough content to convince us of this.)
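The point the relative most needs to grasp is that the new site never handles the Facebook/Google password: the user is sent to the provider, logs in there, and comes back carrying a signed statement of who they are, which the new site checks against a key it shares with the provider. The Python below is an added, simplified model of the OpenID 2.0 redirect flow written for this page, not code from the course or from any OpenID library; the site names, user, password and association step are constructed for the demo (the real protocol negotiates the shared MAC key with Diffie-Hellman or over TLS, which is skipped here). It also shows what the relying party must refuse: a forged identity, a replayed assertion, and a failed login at the provider.

```python
import base64
import hashlib
import hmac
import secrets
import time


def kv_form(fields: dict, signed: str) -> bytes:
    """OpenID key-value encoding of the signed fields: 'name:value\\n' in the listed order."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed.split(",")).encode()


def sign(mac_key: bytes, fields: dict, signed: str) -> str:
    """Base64 HMAC-SHA256 over the signed fields, as carried in openid.sig."""
    return base64.b64encode(hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()).decode()


class OpenIDProvider:
    """The site the relative already has an account on. It holds the password and never shares it."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self.users = {}          # username -> (salt, password hash); constructed demo store
        self.associations = {}   # assoc_handle -> MAC key shared with one relying party

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def associate(self):
        """Simplified association: hand a fresh MAC key to the relying party."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.associations[handle] = key
        return handle, key

    def checkid_setup(self, request: dict, username: str, password: str) -> dict:
        """The user logs in here, at the provider; the result is a signed assertion for the RP."""
        salt, expected = self.users[username]
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(got, expected):
            return {"openid.mode": "cancel"}              # user failed to log in; no assertion
        handle = request["openid.assoc_handle"]
        fields = {
            "openid.ns": "http://specs.openid.net/auth/2.0",
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": f"{self.endpoint}/{username}",
            "openid.identity": f"{self.endpoint}/{username}",
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "openid.assoc_handle": handle,
            "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        }
        fields["openid.sig"] = sign(self.associations[handle], fields, fields["openid.signed"])
        return fields


class RelyingParty:
    """The new site. It learns who the user is but never sees the provider password."""

    def __init__(self, return_to: str, provider: OpenIDProvider):
        self.return_to = return_to
        self.assoc_handle, self.mac_key = provider.associate()
        self.used_nonces = set()

    def start_login(self, claimed_id: str) -> dict:
        """Step 1: the request the browser carries to the provider (a redirect in real life)."""
        return {"openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
                "openid.return_to": self.return_to, "openid.assoc_handle": self.assoc_handle}

    def complete_login(self, response: dict):
        """Step 3: accept the assertion only if it is for us, signed under our key, and fresh."""
        if response.get("openid.mode") != "id_res":
            return None
        if response["openid.return_to"] != self.return_to:
            return None
        if response["openid.assoc_handle"] != self.assoc_handle:
            return None
        if response["openid.response_nonce"] in self.used_nonces:
            return None                                    # replayed assertion
        expected = sign(self.mac_key, response, response["openid.signed"])
        if not hmac.compare_digest(expected, response["openid.sig"]):
            return None                                    # forged or altered assertion
        self.used_nonces.add(response["openid.response_nonce"])
        return response["openid.identity"]


def demo(password: str = "correct horse battery staple"):
    """Run the whole flow; returns the verified identity and whether the password ever reached the RP."""
    op = OpenIDProvider("https://idp.example")
    op.register("alice", password)
    rp = RelyingParty("https://newsite.example/login/return", op)
    request = rp.start_login("https://idp.example/alice")
    response = op.checkid_setup(request, "alice", password)   # step 2: login happens at the provider
    leaked = password in " ".join(request.values()) + " ".join(response.values())
    return rp.complete_login(response), leaked
```

Everything the new site receives is in the request and response dictionaries, which is the fact to show the relative: the password is typed only at the provider, and the new site can do no more with the assertion than confirm that the provider vouched for this identity once.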

What to Turn In

Submit two separate documents (two-factor.EXT and OpenID.EXT, for your choice of file format/extension).