Hi Jahanzaib,
IBM Verify is designed and implemented to today's security standards. On a 'common' device, other apps don't have access to IBM Verify data.
For Android, all sensitive data (OTP secrets, tokens) is encrypted with AES-256 and stored in a database. The key itself is protected by the Android Keystore.
For iOS, all data is stored in applicationDataDirectory and protected by disk encryption.
There are attacks described against the Android Keystore (https://eprint.iacr.org/eprint-bin/getfile.pl?entry=2016/677&version=20160706:055348&file=677.pdf) and the hardware responsible for disk encryption (Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption), and others. As those attacks target the underlying OS, IBM Verify could be vulnerable to them as well.
So, is it possible to steal a secret? Probably. Is it likely? I think it is highly unlikely. Those attacks are not easy to carry out or require physical access to the device. Furthermore, I haven't seen them targeting newer versions of Android.
As rooted devices are more vulnerable to malicious apps, IBM Verify submits a deviceRooted (bool) attribute during registration and token refresh. This can be taken into account on the server side to flag that device/user accordingly.
------------------------------
Carsten Hagemann
------------------------------
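As an added illustration of the Android design Carsten describes (an AES-256 key that lives in the Android Keystore and wraps the OTP secret before it is written to the app database), here is example code that is not IBM Verify's own. The key alias and the use of the account id as GCM associated data are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE = "AndroidKeyStore"
private const val ALIAS = "otp-secret-wrapping-key" // hypothetical alias

// Returns a handle to the wrapping key. The key material never leaves the
// Keystore; the app only ever sees a reference it can use with Cipher.
fun getOrCreateWrappingKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }

    val spec = KeyGenParameterSpec.Builder(
        ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)                       // AES-256
        .setRandomizedEncryptionRequired(true) // fresh IV on every encrypt
        .build()

    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }
        .generateKey()
}

// What actually goes into the database: IV plus AES-GCM ciphertext (with tag).
data class SealedSecret(val iv: ByteArray, val ciphertext: ByteArray)

// Wrap a raw TOTP shared secret. Binding the account id as AAD means a
// ciphertext copied onto another account row fails to decrypt.
fun sealOtpSecret(secret: ByteArray, accountId: String): SealedSecret {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, getOrCreateWrappingKey())
    cipher.updateAAD(accountId.toByteArray())
    return SealedSecret(cipher.iv, cipher.doFinal(secret))
}

// Unwrap at OTP generation time; throws AEADBadTagException on tampering.
fun openOtpSecret(sealed: SealedSecret, accountId: String): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, getOrCreateWrappingKey(),
        GCMParameterSpec(128, sealed.iv))
    cipher.updateAAD(accountId.toByteArray())
    return cipher.doFinal(sealed.ciphertext)
}
```

On devices with a dedicated secure element, `setIsStrongBoxBacked(true)` on the builder (API 28+) moves the key into that hardware, which is the mitigation for the Keystore attacks linked above.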
Original Message:
Sent: Sun July 07, 2019 03:11 AM
From: Jahanzaib Sarwar
Subject: IBM Verify Security
Hello all,
We received a question from a client: how secure is IBM Verify? IBM Verify stores some information regarding the user for generating the TOTP, for example the shared secret. So, how likely is it that malware or another app attempts and successfully gets access to this information for a user, manages to steal it, and then starts generating TOTPs? Could it be possible?
Best regards,
------------------------------
Jahanzaib Sarwar
------------------------------