Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Google Case Study: Strong Authentication for Employees and Consumers

2,957 views

Published on

With 50,000 employees and more than a billion users, security and privacy are of critical importance to the Internet giant, Google. Two years ago, they set out with the goal of improving authentication through stronger security, increasing user satisfaction and lowering support costs. In that time, Google deployed FIDO Certified ® security keys. A detailed analysis by this data-driven company has demonstrated clear confirmation of how well FIDO’s approach is suited to making stronger, simpler authentication for employees and consumers.

Published in: Technology
  • Be the first to comment

Google Case Study: Strong Authentication for Employees and Consumers

  1. 1. A Google Case Study Strong authentication for employees and consumers Christiaan Brand, Google
  2. 2. Largest and most secure infrastructure
  3. 3. Proprietary + Confidential Mobile UI Application Network Software Hardware Google Security Stack
  4. 4. Today we tackle authentication
  5. 5. Proprietary + Confidential Protect Yourself And Your Users It's easier than you think for someone to steal a password Password Reuse Phishing Interception Social Media BANK
  6. 6. Proprietary + Confidential 123456 Most popular password in 2015 Source: SplashData: https://www.teamsid.com/wor st-passwords-2015/ password 2nd most popular password in 2015
  7. 7. Proprietary + Confidential 76% of account vulnerabilities were due to weak or stolen passwords 43% success rate for a well designed phishing page goo.gl/YYDM79
  8. 8. Proprietary + Confidential SMS Usability Coverage Issues, Delay, User Cost Device Usability One Per Site, Expensive, Fragile User Experience Users find it hard Phishable OTPs are increasingly phished $ ? Today: The reality of One Time Passwords
  9. 9. Proprietary + Confidential Introducing FIDO U2F Your Password Security Key Account Data
  10. 10. Core idea - Standard public key cryptography ● User's device mints new key pair, gives public key to server ● Server asks user's device to sign data to verify the user. ● One device, many services, "bring your own device" enabled Based on Asymmetric Cryptography
  11. 11. https://www.google.com
  12. 12. https://www.goggle.com
  13. 13. https://www.goggle.com
  14. 14. https://www.goggle.com
  15. 15. https://www.goggle.com Passw ord goggle.com google.com Passw ord
  16. 16. https://www.google.com “I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com”
  17. 17. https://www.goggle.com Passw ord goggle.com google.com Passw ord “I promise a user is here”, “the server challenge was: 529402”, “the origin was: goggle.com”
  18. 18. Google’s Experience
  19. 19. ● Enterprise use case ○ Mandated for Google employees ○ Corporate SSO (Web) ○ SSH ○ Forms basis of all authentication ● Consumer use case ○ Available as opt-in for Google consumers ○ Adopted by other relying parties too: Dropbox, Github Deployment at Google
  20. 20. Time to authenticate
  21. 21. Security Keys are faster to use than OTPs "If you've been reading your e-mail" takeaway: Time to authenticate
  22. 22. Second factor support incidents
  23. 23. Security Keys cause fewer support incidents than OTPs "If you've been reading your e-mail" takeaway: Second factor support incidents
  24. 24. We’re not quite done
  25. 25. Proprietary + Confidential Does this work with a mobile? How do we deploy this at scale? What if they lose their key? But what about other enterprises?
  26. 26. Proprietary + Confidential Making progress towards stronger authentication Productizing FIDO U2F
  27. 27. Proprietary + Confidential Demo: Bootstrapping account
  28. 28. How can you get started?
  29. 29. Proprietary + Confidential Resources ● To use with Google Enable 2-Step Verification on your account Go to: https://security.google.com Click: 2-Step Verification Click on the Security Keys tab ● Also use with GitHub, Dropbox, SalesForce ● And / or play with some code https://github.com/google/u2f-ref-code https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
  30. 30. Proprietary + Confidential Questions?

×