Why?

Communications applications such as StarLeaf need to be easy to access, while remaining secure.

The StarLeaf app needs to stay authenticated on a user's device so that they can receive messages and calls at all times. If users are burdened with logging in before they can receive messages and calls, they quickly stop being reachable, resisting the tools mandated by their organization in favor of easier-to-use consumer apps. Once logged in, the StarLeaf app remains authenticated on the user's device.

Organizations already have policies controlling security and mobile device management for core applications and devices. The StarLeaf app assists these policies, rather than increasing complexity for users.

The combination of username and password is a security model that is becoming less popular. Users tend to reuse the same password across multiple cloud services, increasing the chance that a password is leaked and then used in malicious attacks. Such attacks are not possible against the StarLeaf system, as it is password-free.

How do StarLeaf users log in?

Figure 1: First-time authentication in the app

Three components are involved in a user's first-time authentication: the StarLeaf app, StarLeaf Cloud, and the user's email. All communication during the authentication process is protected with TLS 1.2.

  1. A user installs the StarLeaf app on a new device and runs the app for the first time. The app prompts for the user’s email address. When it is entered in the app, the app transfers the email address to StarLeaf Cloud.
  2. StarLeaf Cloud sends an email to this email address containing a one-time 6-digit code.
  3. The user enters the code into the StarLeaf app. The app transfers the code back to StarLeaf Cloud for verification. StarLeaf Cloud allocates a unique secure authentication token to the particular device the app is communicating from. The user is signed in.

Figure 2: First-time authentication

After the first sign in, the authentication token enables StarLeaf Cloud to continue to recognize the device and the user is signed in automatically when they open the app.

Figure 3: Subsequent authentication

If a user logs out of their account in the app, they must go through the first-time authentication process again the next time they open the app.

Is it secure?

The StarLeaf password-free authentication system provides security in several ways:

Email security

  • This method of authentication leverages any security policies already in place by only delivering the one-time access code to a user’s own corporate email address. Only a person with access to that corporate email account can log in as that user.

Time-specific security

  • One-time access codes are six digits long and have a lifetime of two hours.

Device-specific security

  • A one-time access code is only valid for the device from which it was requested.
  • When the access code is validated, a unique secure authentication token is allocated to the user's device. The token is 1024 bits in length and is generated with a cryptographically secure pseudo-random number generator (CSPRNG). This amount of entropy makes it effectively impervious to dictionary and brute-force attacks.
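
The first-time flow above (steps 1 to 3) together with the time-specific and device-specific rules can be modelled as a small server-side state machine. The following is an added illustration, not StarLeaf's own code: it assumes an in-memory store, a `device_id` the app presents with each request, and a hex-encoded token; the real service's storage, transport and identifiers are not described on the page.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME_S = 2 * 60 * 60   # two-hour code lifetime, as stated on the page
TOKEN_BITS = 1024               # token length, as stated on the page


@dataclass
class PendingCode:
    code: str          # six-digit one-time code
    device_id: str     # device the code was requested from (assumed identifier)
    expires_at: float  # absolute expiry time in seconds


@dataclass
class AuthServer:
    pending: dict = field(default_factory=dict)  # email -> PendingCode
    tokens: dict = field(default_factory=dict)   # (email, device_id) -> token

    def request_code(self, email, device_id, now=None):
        """Step 2: issue a code bound to the requesting device (would be emailed)."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG-backed, zero-padded
        self.pending[email] = PendingCode(code, device_id, now + CODE_LIFETIME_S)
        return code   # returned here only so the model can be exercised; never sent to the app

    def verify_code(self, email, device_id, code, now=None):
        """Step 3: accept the code once, only from the same device, only before expiry."""
        now = time.time() if now is None else now
        pc = self.pending.get(email)
        if pc is None or now > pc.expires_at or pc.device_id != device_id:
            return None
        if not secrets.compare_digest(pc.code, code):    # constant-time comparison
            return None
        del self.pending[email]                           # one-time: consumed on success
        token = secrets.token_hex(TOKEN_BITS // 8)        # 1024 bits from the OS CSPRNG
        self.tokens[(email, device_id)] = token
        return token

    def check_token(self, email, device_id, token):
        """Subsequent sign-ins: the token is only valid for the device it was issued to."""
        stored = self.tokens.get((email, device_id))
        return stored is not None and secrets.compare_digest(stored, token)

    def deauthorize(self, email, device_id):
        """Centralized control: drop the token for a lost or retired device."""
        self.tokens.pop((email, device_id), None)
```

Passing `now` explicitly lets the expiry rule be exercised deterministically; a production service would also rate-limit code attempts, which the page does not detail.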

Secure standards

  • Devices log into the StarLeaf Cloud using industry standard Transport Layer Security (TLS) 1.2. Certificate pinning is utilized to further harden the process and ensure authenticity of the Cloud.

Visibility and control of devices for users

  • Users receive notification emails whenever a new device has been authenticated using their account.
  • Authenticated devices are managed centrally, with the ability to de-authorize devices (for example, where a device has been lost).