App authentication

Why?

Communications applications such as StarLeaf need to be easy to access, while remaining secure.

The StarLeaf app needs to stay authenticated on a user's device so that the user can receive messages and calls at all times. If users are burdened with logging in to receive messages and calls, they quickly stop being reachable: they resist the tools mandated by their organization in favor of easier-to-use consumer apps. The StarLeaf app, once logged in, therefore remains authenticated on that device.

Organizations already have policies controlling security and mobile device management for core applications and devices. The StarLeaf app leverages those existing policies for security, rather than increasing complexity for users.

Username and password is a security model that is losing favor. Users tend to reuse the same password across multiple cloud services, so a password leaked from one service can be replayed against others (credential stuffing). Such attacks do not apply to the StarLeaf system, because it is password-free: there is no StarLeaf password to leak or reuse. The corollary is that a StarLeaf account is exactly as well protected as the user's corporate email account, so the safeguards on that mailbox (strong authentication, device management) are what an organization should review.

How do StarLeaf users log in?

Figure 1: First-time authentication in the app

  1. A user installs the StarLeaf app on a new device and runs the app for the first time. The app prompts for the user’s email address.
  2. StarLeaf sends an email to the user containing a one-time 6-digit code.
  3. The user enters the code into the StarLeaf app and is now logged into the service on that device.

Figure 2: First-time authentication

If the user quits the app and restarts it, the user is signed in immediately: the app's request includes the unique authentication token that the StarLeaf Cloud allocated to this particular device during first-time authentication, so no new code is requested.

Figure 3: Subsequent authentication

Is it secure?

The StarLeaf password-free authentication system relies on several distinct security mechanisms:

Email security

  • This method of authentication builds on the security policies an organization already enforces on email, by delivering the one-time access code only to the user's own corporate email address. Only a person with access to that corporate email account can log in as that user, so the mailbox's protections (for example, multi-factor authentication and mobile device management) become the account's protections.

Time-specific security

  • One-time access codes are 6 digits long and expire after 30 minutes. A 6-digit code has only one million possible values, so the short validity window, not the code's length, is what bounds an online guessing attempt; anyone evaluating the system should also confirm that the Cloud limits the number of verification attempts per code.

Device-specific security

  • A one-time access code is only valid for the device from which it was requested.
  • When the access code is validated, a unique authentication token is allocated to the user's device. The token is 1024 bits long and is generated by a cryptographically secure pseudo-random number generator (CSPRNG). A random value with that much entropy cannot be guessed or brute-forced in practice, and dictionary attacks do not apply because the token is not derived from anything a user chose.

Secure standards

  • Devices log into the StarLeaf Cloud over industry-standard Transport Layer Security (TLS) 1.2. Certificate pinning further hardens the connection: the app accepts only the certificate it expects for the StarLeaf Cloud, so a certificate for the same hostname issued by any other authority, even one the device otherwise trusts, is rejected, which defeats interception by a rogue or compromised CA.
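The following is an added illustration of what "TLS 1.2 plus certificate pinning" means on the client side; it is example code written for this page, not StarLeaf's app code, and it assumes the app pins the SHA-256 fingerprint of the server's DER-encoded leaf certificate (the page does not say which part of the chain StarLeaf pins). The host name and the pin values are placeholders.

```python
import hashlib
import hmac
import socket
import ssl


def make_pinned_context() -> ssl.SSLContext:
    """Standard CA verification and hostname checking stay on; on top of that
    the context refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate; this is the value to pin."""
    return hashlib.sha256(cert_der).hexdigest()


def cert_matches_pins(cert_der: bytes, pins) -> bool:
    """True if the presented certificate hashes to one of the shipped pins.
    A constant-time compare is not strictly needed for a public cert hash,
    but it costs nothing and keeps '==' away from anything security-relevant."""
    fp = fingerprint(cert_der)
    return any(hmac.compare_digest(fp, p) for p in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and abort unless the leaf certificate is pinned.
    wrap_socket() already verified the chain and hostname; the pin check is
    the extra step that rejects a valid-looking certificate from the wrong CA."""
    ctx = make_pinned_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    cert_der = tls.getpeercert(binary_form=True)
    if cert_der is None or not cert_matches_pins(cert_der, pins):
        tls.close()
        raise ssl.SSLError("server certificate does not match any pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Placeholder host and pin set; replace with the real service and the
    # fingerprints shipped inside the app before using this for anything.
    PINS = {"0" * 64}
    try:
        connect_pinned("cloud.example.invalid", 443, PINS)
    except (OSError, ssl.SSLError) as exc:
        print("connection refused or unpinned certificate:", exc)
```

Pinning the leaf certificate means the app must ship a new pin before the server certificate rotates, so real deployments carry at least one backup pin and an update path; a pin mismatch must fail closed, as above, rather than fall back to ordinary CA validation.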

Visibility and control of devices for users

  • Users receive a notification email whenever a new device is authenticated against their account, so an unexpected login is visible to the account owner.
  • Authenticated devices are managed centrally, with the ability to de-authorize a device (for example, one that has been lost) so that its stored token no longer grants access.
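To make the whole flow concrete, here is an added, self-contained model of the Cloud side of the process: the three first-time steps above (email address in, 6-digit code out, code redeemed for a device token), the token-only re-authentication on later launches, and the properties listed under "Is it secure?" (30-minute expiry, device binding, one-time use, a 1024-bit CSPRNG token, new-device notification, de-authorization). This is example code written for this page, not StarLeaf's implementation. Two details are this example's own choices rather than anything the page states: a pending code is discarded after three wrong guesses, and the server stores only a SHA-256 hash of each token so that a copy of its database does not yield usable tokens. Email addresses and device identifiers in the demo are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Parameters the page states: 6-digit code, 30-minute lifetime, 1024-bit token.
CODE_DIGITS = 6
CODE_LIFETIME = 30 * 60          # seconds
TOKEN_BYTES = 1024 // 8
# Assumption of this example (not on the page): wrong guesses a code tolerates.
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    email: str
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class AuthServer:
    """Toy model of the StarLeaf Cloud side of the flow; all state in memory."""
    pending: dict = field(default_factory=dict)   # device_id -> PendingCode
    tokens: dict = field(default_factory=dict)    # sha256(token) -> (email, device_id)
    outbox: list = field(default_factory=list)    # stands in for email delivery
    notices: list = field(default_factory=list)   # "new device" notification emails

    # Steps 1-2: the app sends the email address; the Cloud emails a code that
    # is bound to the requesting device (keyed by device_id, not by email).
    def request_code(self, email: str, device_id: str, now: float = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[device_id] = PendingCode(email, code, now + CODE_LIFETIME)
        self.outbox.append((email, code))   # a real server only emails it
        return code

    # Step 3: the app submits the code; on success the device gets its token.
    def redeem_code(self, device_id: str, code: str, now: float = None):
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return None                      # no code was issued to this device
        if now > entry.expires_at:
            del self.pending[device_id]      # expired: force a fresh request
            return None
        if not hmac.compare_digest(entry.code, code):
            entry.attempts += 1
            if entry.attempts >= MAX_ATTEMPTS:
                del self.pending[device_id]  # too many guesses: burn the code
            return None
        del self.pending[device_id]          # one-time: a code redeems exactly once
        token = secrets.token_bytes(TOKEN_BYTES)            # 1024 bits from the CSPRNG
        self.tokens[hashlib.sha256(token).digest()] = (entry.email, device_id)
        self.notices.append((entry.email, device_id))       # notify the account owner
        return token.hex()

    # Subsequent launches: the app presents its stored token instead of a code.
    def authenticate(self, token_hex: str):
        try:
            digest = hashlib.sha256(bytes.fromhex(token_hex)).digest()
        except ValueError:
            return None                      # malformed token, not a lookup error
        return self.tokens.get(digest)

    def list_devices(self, email: str) -> list:
        return [d for (e, d) in self.tokens.values() if e == email]

    # De-authorizing a device deletes its token hash, so the token on the
    # (lost) device is useless even though the device still holds it.
    def deauthorize(self, email: str, device_id: str) -> bool:
        for digest, (e, d) in list(self.tokens.items()):
            if e == email and d == device_id:
                del self.tokens[digest]
                return True
        return False


if __name__ == "__main__":
    cloud = AuthServer()
    code = cloud.request_code("alice@example.com", "phone-1")   # constructed inputs
    token = cloud.redeem_code("phone-1", code)
    print("first launch: signed in as", cloud.authenticate(token))
    cloud.deauthorize("alice@example.com", "phone-1")
    print("after de-authorization:", cloud.authenticate(token))
```

The model makes the device binding visible: a code requested from one device cannot be redeemed from another because the pending entry is looked up by device identifier, and an attacker who requests a code for someone else's address receives nothing, since the email goes to the victim's mailbox. What the model deliberately leaves out is transport security, which the TLS and pinning bullet above covers.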