Embed Size (px)
Citation preview
Google & FIDO AuthenticationSimpler, stronger authentication with U2F and FIDO2
Alexei [email protected]
Key Threats
Password Reuse Phishing Interception
Social MediaBANK
One Time Passwords Aren't Perfect
SMS UsabilityCoverage Issues, Delay, User Cost
Device UsabilityOne Per Site,
Expensive, Fragile
User ExperienceUsers find it hard
PhishableOTPs are increasingly
phished
$?
Security Supply ChainBuild from the ground upManufacture our own components
Abuse & Spam Used machine learning to solveToday less than 0.001% spam in your Gmail inbox
Demo
Example Attack https://www.goggle.com
Introducing Security Key (U2F)Your Password
Security Key
Account Data
Based on Asymmetric CryptographyCore idea - Standard public key cryptography
● User's device mints new key pair, gives public key to server● Server asks user's device to sign data to verify the user.● One device, many services, "bring your own device" enabled
How Security Keys Work
“I promise a user is here”,“the server challenge was: 337423”,“the origin was: google.com”
https://www.google.com
Password
Server
“I promise a user is here”,“the server challenge was: 529402”,“the origin was: goggle.com”
https://www.goggle.com
goggle.comPassword Password
Server
Phishing Defeated
Google’s Deployment Experience
Deployment at Google
● Enterprise use case○ Mandated for Google employees○ Corporate SSO (Web)○ SSH○ Forms basis of all authentication
● Consumer use case○ Available as opt-in for Google consumers○ Adopted by other relying parties too: Dropbox,
Github, Facebook, Salesforce, ...
Time to Authenticate
Security Keys: Practical Cryptographic Second Factors for the Modern Web
Security Keys are faster to use
than OTPs
Second Factor Support Incidents
Security Keys: Practical Cryptographic Second Factors for the Modern Web
Security Keys cause fewer
support incidents than
OTPs
Security Supply ChainBuild from the ground upManufacture our own components
Abuse & Spam Used machine learning to solveToday less than 0.001% spam in your Gmail inbox
Productionizing Enterprise FIDO Support
Other Enterprises Can Have This Too
Does this work with a mobile?
How do we deploy this at scale?
What if they lose their key?
Productionizing FIDO Support
Security Supply ChainBuild from the ground upManufacture our own components
Abuse & Spam Used machine learning to solveToday less than 0.001% spam in your Gmail inbox
Using FIDO for Targeted Users
Recently Launched
https://google.com/advancedprotection
Security Supply ChainBuild from the ground upManufacture our own components
Abuse & Spam Used machine learning to solveToday less than 0.001% spam in your Gmail inbox
Re-Authentication
Re-Authenticating on a Known DeviceRe-authenticating on a known device
● Happens often(i.e., transaction authorization)
● Needs to be fast
● Server has device reputation(cookies, profiling, etc)
Building Native FIDO
https://developer.android.com/training/articles/security-key-attestation.html
● Android attestation of hardware backed cryptographic keys.
● New building block for strong FIDO support on Android
Android Infrastructure
Fingerprint APIFIDO APIs
Keys
tore
Native Android apps Chrome (WebAuthN)
Security Supply ChainBuild from the ground upManufacture our own components
Abuse & Spam Used machine learning to solveToday less than 0.001% spam in your Gmail inbox
How Can You Get Started?
Resources● To use with Google
○ Use through 2-Step VerificationOR
○ Enroll in the Advanced Protection Program(https://google.com/advancedprotection)
● Also use with GitHub, Dropbox, SalesForce, Facebook
● And / or play with some code https://github.com/google/u2f-ref-code https://developers.yubico.com/U2F/Libraries/List_of_libraries.html Maybe use Android Hardware Key Attestation.
● Check out W3C WebAuthn (https://www.w3.org/TR/webauthn/)
● We're always happy to answer questions
Alexei [email protected]
