Universal Second Factor authentication, or why 2FA today is wubalubadubdub
Yuriy Ackermann, Sr. Certification Engineer @FIDOAlliance
twitter/github: @herrjemand
Today we will learn:
Why passwords are not enough
Why 2FA has not succeeded
Introduction to U2F
DEMO
Q&A

Why not just passwords? The typical password life cycle: weak, reused, phished, pwned (haveibeenpwned.com).
SOLUTION! Two Factor Authentication, aka 2FA

What is 2FA? Passwords verify; 2FA authenticates.

Do you use 2FA?

What does 2FA look like? Three main types: Apps (TOTP and HOTP), Tokens (PKI and OTP), SMS.

So we solved it? Right?
Why has 2FA not succeeded?
Apps: Phishing!!, UX, Shared key, Synced time
Tokens: Cost, Drivers, Phishing, UX
SMS: Still phishable, UX, Privacy, Security, Centralised, SIM reissue, Fragile, SIM spoof, Coverage, NIST ban
Current state of 2FA: I am in deep pain, please help!

So how do we solve it? We need an easy to use, open, secure, standardized protocol.

Introducing Universal Second Factor, aka FIDO U2F

How does U2F work?
User layer
Browser layer
Protocol layer
Step one: Challenge-Response
Step two: Phishing protection
Step three: Application-specific key-pair (Relying Party)
To Wrap, or not to Wrap?
Step four: Replay Attack Protection
Step five: Device attestation
Metadata service
Step five and a half: Key exercise protection. The user must confirm their decision to perform 2FA by performing a user gesture, e.g. pressing a button, fingerprint, retina scan, pincode, solving a Rubik's cube, remembering your wife's birthday... anything you want.
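The relying-party checks behind steps one to five-and-a-half, written out as an added Go example (not code from the talk or from any project it lists): the token signs the U2F raw-message base SHA-256(appId) || flags || counter || SHA-256(clientData), and the RP checks the challenge, the origin against its trusted facets, the user-presence bit, the counter and the signature. The appId, facet list and clientData values are constructed for the example; attestation (step five) is not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// signedBytes builds the U2F raw-message signature base:
// SHA-256(appId) || flags || counter (4 bytes, big-endian) || SHA-256(clientData).
func signedBytes(appID string, flags byte, counter uint32, clientData []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	return append(binary.BigEndian.AppendUint32(append(app[:], flags), counter), chal[:]...)
}

// NewTokenKey is the token side of registration: a fresh P-256 key pair bound to one appId.
func NewTokenKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// SignAssertion is the token side of authentication: sign the base with that key pair.
func SignAssertion(priv *ecdsa.PrivateKey, appID string, flags byte, counter uint32, clientData []byte) ([]byte, error) {
	h := sha256.Sum256(signedBytes(appID, flags, counter, clientData))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// VerifyAssertion is the relying-party side; lastCounter is the stored counter for this key handle.
func VerifyAssertion(pub *ecdsa.PublicKey, lastCounter *uint32, appID, wantChallenge string,
	trusted map[string]bool, clientData []byte, flags byte, counter uint32, sig []byte) error {
	var cd struct{ Typ, Challenge, Origin string } // JSON keys typ, challenge, origin
	switch {
	case json.Unmarshal(clientData, &cd) != nil:
		return errors.New("malformed clientData")
	case cd.Typ != "navigator.id.getAssertion":
		return errors.New("unexpected typ")
	case cd.Challenge != wantChallenge: // step one: must answer the challenge the RP issued
		return errors.New("challenge mismatch")
	case !trusted[cd.Origin]: // step two: origin must be one of the RP's trusted facets
		return errors.New("origin not a trusted facet")
	case flags&1 == 0: // step five and a half: user presence bit must be set
		return errors.New("user presence not asserted")
	case counter <= *lastCounter: // step four: counter must strictly increase
		return errors.New("counter did not increase")
	}
	if h := sha256.Sum256(signedBytes(appID, flags, counter, clientData)); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature") // step three: key pair registered for this appId
	}
	*lastCounter = counter // only a fully verified response advances the stored counter
	return nil
}
```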
Multiple identifiers: GMail on Web (mail.google.com), Android (apk-key-hash:FD18FA) and iOS (com.google.SecurityKey.dogfood). How do we deal with it?

Application Facets:
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}
MUST be served over VALID HTTPS! ...no self signed certs.
Implementations

Current users: dongleauth.info

Browser support: Yes / Yes* (Nightly) / No* (Soon...) / Yes / Maybe?

WebAuthn: a W3C standard for PublicKey credential authentication, https://www.w3.org/Webauthn/
Today we learned:
Passwords are hard
2FA is wubalubadubdub, and we need to do something about it
FIDO U2F is sweet
Protocol is cute
You can have multiple identities
There are existing solutions... and people do use them

DEMO

Security considerations:
You must use HTTPS
Start using TLS Channel IDs
U2F is just 2FA. Don't use it as a primary factor.

Things to play with:
https://github.com/Yubico/pam-u2f
https://github.com/Yubico/python-u2flib-server
https://github.com/Yubico/python-u2flib-host
https://github.com/herrjemand/flask-fido-u2f
https://github.com/gavinwahl/django-u2f
https://github.com/google/u2f-ref-code
https://github.com/conorpp/u2f-zero

Specs and data:
https://developers.yubico.com/U2F/
https://fidoalliance.org/specifications/download/
https://github.com/LedgerHQ <- JavaCard
FIDO Dev (fido-dev) mailing list
What's next? WE NEED

Questions? twitter/github: @herrjemand

Quick thanks to Feitian and Yubico for swag!

Thank you OWASP!