Google Confidential and Proprietary
Sam Srinivas, Product Management Director, Information Security, Google
Authentication at Web Scale
Two main ideas we will cover
1. It's pretty messy out there with passwords
○ It's hard to get people to change habits
2. But technology shifts can help make authentication:
○ easy to use
○ more secure than ever before
Reality Check
How do people pick passwords?
Average Internet user has > 30 accounts
Coping with yet another Internet account?
Reuse existing password
Bad idea!
● Datacenter intrusion, SQL injection
● Salting and hashing defeated by GPU power
What we see: an attacker trying 1 million different accounts every single day for weeks!
Other attacks
Let's say:
● you use a password manager
● or, you write down your passwords
● you create a unique password for every account
Is that good enough?
What is the URL bar?
What is a web app?
What is a browser?
Why don’t we let the browser tell you if something is wrong?
Prerequisites for reasonable trust decision
18% click-through rate on warning!
70% click-through rate on warning!
13-30% click-through rate on warning!
Even experts can slip up!!!
What does all this mean?
Things have to just work... You cannot expect trust decisions on a daily basis
Maybe during device setup time
● Maybe?
Enterprise: an IT admin should pre-set policy decisions and replicate them on all new devices
How to make things just work?
1. Malware-resistant platforms
2. Secure communication channels: SSL deployment and certificate transparency
3. Non-stealable credentials
4. Out-of-band notifications, approvals, revocations
Let’s talk about fixing credential theft
Risk Analysis
Risk analysis: very high success rate of detection for automated attacks.
However:
● Adversary can find answers with some research
● More friction for a user who did something anomalous
2-Step Verification
google.com/2step
Users opt in to turn on extra protection using their phone
● One common Google account for Gmail, Drive, Google+
Standard 2nd Factor Approach
1. Something you know
2. Something you have
User configures verified phone number
Multiple ways to obtain code
● SMS
● Voice
● Google Authenticator (sample code: 836026)
Sign-in screen asking for code
How often to prompt? (Library vs. Personal device)
Security vs usability tradeoff for users
Challenges….
What if you lost your phone?
Check settings every quarter
Flexible Authentication UI
Google-authored apps work without App Passwords now!!!
Other issues…
Typing OTPs adds friction and errors
OTPs are still phishable
Can the UX friction and security issue be fixed together?
A solution: FIDO Universal 2nd Factor (U2F)
● One device, many services
● Easy: Insert and press button
● Safe: Un-phishable security
Simple for Users
1. Userid & Password
2. Insert, press button
3. Successful sign-in
User self-registration
1. Userid & Password
2. Insert, press button
3. Backup options
4. Registration done
How does it work?
Registered public key for user
● Eliminates secret from datacenter
Challenge-response with private key during sign-in
● Or, periodic challenge for sensitive transactions
Sign something from the SSL session
● Thwart MITM by eliminating bearer tokens
Test of user presence: button touch, NFC tap
What can we do to help adoption?
Driverless mode
● Direct access from browser with no middleware
One token works for multiple sites (infinite)
● Unique keypair for each registration event
● Private key never exposed outside Secure Element
Website integration is proposed through two JavaScript APIs
● Register and Sign
● UI completely within control of website
Standardization efforts: FIDO Alliance → W3C, IETF
Feature within 2-Step Verification
● Internal version deployed at Google for corp data access
● Will be available to all Google users not too far in future.
Human Factors...
Tangible feel of control over account with a key
Can passwords be reused now?
Can passwords be reduced to a PIN?
● People are used to the ATM-card model
● Bring that to the web?
Can’t this be built into my device?
Device-Centric Authentication
● Device can do public-key crypto for data sync
● User can do lightweight screen unlock
Might as well write it, lock it, and forget it!
How to bootstrap a new device?
● Can we use an older device to help bootstrap a newer device? (à la U2F)
Low-probability event: user loses all devices
● Ask for "recovery password"
● Risk analysis, phone verification, time delay, ask old device for out-of-band approval
What happens to the password?
Getting it right is hard work
Authentication is complex if you want to get it right at scale
Needs:
● Implement device-centric protocols
● Implement bootstrapping flows
● Risk analysis as a layer
● Account recovery
● Use beyond just sign-in, for transactional auth too!
If appropriate, relying parties can federate:
● Industry momentum behind OAuth 2.0 and OpenID Connect
What do we need to do collectively?
Work together to come up with standards for strong client to cloud authentication:
● Incorporate device as a second factor
● Allow for simple and strong in-app authentication
● Allow for choice of device unlock: one size cannot fit all
Make human supplied credentials less catastrophic to lose!
Let’s seize this opportunity!
FIDO Alliance is the right forum!