Authentication and the StarLeaf app
Last updated September 18, 2020
Communications applications such as StarLeaf need to be easy to access, while remaining secure.
The StarLeaf app needs to be authenticated on a user’s device so that they can receive messages and calls at all times; if users are burdened with logging in to receive messages and calls, they quickly stop being reachable, resisting the tools mandated by their organization in favor of easier-to-use consumer apps. Once logged in, the StarLeaf app remains authenticated on the user’s device.
Organizations already have policies controlling security and mobile device management for core applications and devices. The StarLeaf app works with these policies rather than adding complexity for users.
The combination of username and password is a security model that is becoming less popular. Users tend to reuse the same password across multiple cloud services, increasing the likelihood of passwords being leaked and then used in malicious attacks. Such attacks are not possible against the StarLeaf system, as it is password-free.
Three components are involved in a user’s first-time authentication: the StarLeaf app, the StarLeaf platform, and the user’s email. All communication during the authentication process is secured with TLS 1.2.
- A user installs the StarLeaf app on a new device and runs it for the first time. The app prompts for the user’s email address and, once it is entered, sends it to the StarLeaf platform.
- The StarLeaf platform sends an email to that address containing a one-time 6-digit code.
- The user enters the code into the StarLeaf app, which sends it back to the StarLeaf platform for verification. The StarLeaf platform allocates a unique secure authentication token to the specific device the app is running on. The user is signed in.
After the first sign-in, the authentication token lets the StarLeaf platform continue to recognize the device, and the user is signed in automatically whenever they open the app.
If a user logs out of their account in the app, they must repeat the first-time authentication process the next time they start the app.
The StarLeaf password-free authentication system has a number of aspects to the security it provides:
- This method of authentication leverages any security policies already in place by only delivering the one-time access code to a user’s own corporate email address. Only a person with access to that corporate email account can log in as that user.
- One-time access codes are 6 digits long and have a lifetime of two hours.
Limited attempts security
- A one-time access code can be entered incorrectly at most 3 times. After 3 failed attempts to enter the code in the app, the user must request a new 6-digit code to be sent to their email address.
- A one-time access code is only valid for the device from which it was requested.
- When the access code is validated, a unique secure authentication token is allocated to the user’s device. The token is 1024 bits long and is generated with a cryptographically secure pseudo-random number generator (CSPRNG). This amount of entropy makes it effectively impervious to dictionary and brute-force attacks.
- Devices log in to the StarLeaf platform using industry-standard Transport Layer Security (TLS) 1.2. Certificate pinning is used to further harden the process and ensure the authenticity of the platform.
Visibility and control of devices for users
- Users receive a notification email whenever a new device has been authenticated using their account.
- Authenticated devices are managed centrally, with the ability to de-authorize a device (for example, when it has been lost).
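The following is an added example, not StarLeaf code, that models the server side of the first-time sign-in flow and the device-management controls described on this page: a CSPRNG-generated 6-digit one-time code bound to the requesting device, a two-hour lifetime, a three-failure limit, a 1024-bit CSPRNG device token issued on success, a new-device notification, and de-authorization of a device. Everything about storage is an assumption: the platform's real data model, how it identifies devices (here a caller-supplied `device_id`), and the choice to keep only a SHA-256 fingerprint of each token server-side are not from the page, and the email channel and TLS/pinning transport are replaced by an in-memory outbox.

```python
"""Model of a password-free, email-code sign-in flow (constructed example, not StarLeaf code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CODE_LIFETIME_S = 2 * 60 * 60  # one-time code lifetime: two hours (from the page)
MAX_FAILURES = 3               # failed entries allowed before a new code is required (from the page)
TOKEN_BYTES = 128              # device token length: 1024 bits (from the page)


def _fingerprint(token: bytes) -> str:
    # Assumption: store only a hash of the token so a leaked table does not
    # hand out usable tokens. The page does not describe StarLeaf's storage.
    return hashlib.sha256(token).hexdigest()


@dataclass
class PendingCode:
    email: str
    device_id: str
    code: str
    issued_at: float
    failures: int = 0


@dataclass
class AuthService:
    """Hypothetical in-memory stand-in for the platform's authentication state."""
    pending: Dict[str, PendingCode] = field(default_factory=dict)       # device_id -> outstanding code
    devices: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # token fingerprint -> (email, device_id)
    outbox: List[Tuple[str, str]] = field(default_factory=list)         # constructed stand-in for email delivery
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # "new device authenticated" emails

    def request_code(self, email: str, device_id: str, now: Optional[float] = None) -> None:
        """App submits the email address; platform emails a 6-digit one-time code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG-backed, leading zeros kept
        # Keyed by device so the code is only valid for the device that asked for it;
        # a re-request replaces any earlier code for that device.
        self.pending[device_id] = PendingCode(email, device_id, code, now)
        self.outbox.append((email, code))

    def verify_code(self, device_id: str, submitted: str, now: Optional[float] = None) -> Optional[bytes]:
        """Check the code; on success mint and return the device's long-lived token."""
        now = time.time() if now is None else now
        entry = self.pending.get(device_id)
        if entry is None:
            return None  # nothing outstanding for this device (other device, or code already consumed)
        if now - entry.issued_at > CODE_LIFETIME_S:
            del self.pending[device_id]  # expired: user must request a fresh code
            return None
        if not hmac.compare_digest(entry.code.encode(), submitted.encode()):
            entry.failures += 1
            if entry.failures >= MAX_FAILURES:
                del self.pending[device_id]  # limited-attempts rule: the code is burned
            return None
        del self.pending[device_id]  # one-time: consumed on first successful use
        token = secrets.token_bytes(TOKEN_BYTES)
        self.devices[_fingerprint(token)] = (entry.email, device_id)
        self.notifications.append((entry.email, device_id))
        return token

    def authenticate(self, token: bytes) -> Optional[Tuple[str, str]]:
        """Subsequent app launches present the stored token; no code or password is needed."""
        return self.devices.get(_fingerprint(token))

    def list_devices(self, email: str) -> List[str]:
        """Centralized view of the devices currently authenticated for an account."""
        return sorted(d for (e, d) in self.devices.values() if e == email)

    def deauthorize(self, email: str, device_id: str) -> bool:
        """Revoke a device's token, e.g. when the device has been lost."""
        doomed = [h for h, (e, d) in self.devices.items() if e == email and d == device_id]
        for h in doomed:
            del self.devices[h]
        return bool(doomed)


if __name__ == "__main__":
    svc = AuthService()
    svc.request_code("alice@example.com", "phone-1")
    _, code = svc.outbox[-1]          # in reality the user reads this from their inbox
    token = svc.verify_code("phone-1", code)
    print("signed in as", svc.authenticate(token))
    svc.deauthorize("alice@example.com", "phone-1")
    print("after de-authorization:", svc.authenticate(token))
```

Two details worth noting: the code comparison uses `hmac.compare_digest` so that a wrong guess takes the same time regardless of how many leading digits match, and the lifetime, failure counter and device binding are all enforced server-side, so the app cannot weaken them by simply retrying.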