Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Google Case Study - Towards simpler, stronger authentication

716 views

Published on

A case study examining how Google deployed FIDO authentication for both employees and consumers, including the benefits they now experience.

Published in: Internet
  • Be the first to comment

Google Case Study - Towards simpler, stronger authentication

  1. 1. Proprietary + Confidential Towards Simpler, Stronger Authentication Christiaan Brand, Google
  2. 2. Largest and most secure infrastructure
  3. 3. Proprietary + Confidential Mobile UI Application Network Software Hardware Google Security Stack
  4. 4. Today we tackle authentication
  5. 5. Proprietary + Confidential Protect Yourself And Your Users It's easier than you think for someone to steal a password Password Reuse Phishing Interception Social Media BANK
  6. 6. Proprietary + Confidential 123456 Most popular password in 2015 Source: SplashData: https://www.teamsid.com/wor st-passwords-2015/ password 2nd most popular password in 2015
  7. 7. Proprietary + Confidential 76% of account vulnerabilities were due to weak or stolen passwords 43% success rate for a well designed phishing page goo.gl/YYDM79
  8. 8. Proprietary + Confidential SMS Usability Coverage Issues, Delay, User Cost Device Usability One Per Site, Expensive, Fragile User Experience Users find it hard Phishable OTPs are increasingly phished $ ? Today: The reality of One Time Passwords
  9. 9. Confidential + Proprietary Web authentication Password Server https://www.google.com
  10. 10. Confidential + Proprietary https://www.goggle.com https://www.goggle.com
  11. 11. Confidential + Proprietary https://www.goggle.com
  12. 12. Confidential + Proprietary goggle.com https://www.goggle.com Password google.com Password Phishing attack
  13. 13. Introducing the Security Key Your Password Security Key Account Data
  14. 14. Core idea - Standard public key cryptography ● User's device mints new key pair, gives public key to server ● Server asks user's device to sign data to verify the user. ● One device, many services, "bring your own device" enabled Based on Asymmetric Cryptography
  15. 15. Confidential + Proprietary “I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com” https://www.google.com Password Server How security key works
  16. 16. Confidential + Proprietary “I promise a user is here”, “the server challenge was: 529402”, “the origin was: goggle.com” https://www.goggle.com goggle.com Password Password Server Security key defeats phishing
  17. 17. Google’s Experience
  18. 18. ● Enterprise use case ○ Mandated for Google employees ○ Corporate SSO (Web) ○ SSH ○ Forms basis of all authentication ● Consumer use case ○ Available as opt-in for Google consumers ○ Adopted by other relying parties too: Dropbox, Github Deployment at Google
  19. 19. Use cases at Google ● Bootstrapping ○ Only used when an employee signs in on a new device the first time ○ This protects against phishing ○ Removable Security Key is carried as part of badge ● Hardware credential binding ○ Once I’ve signed in to a device, long lived tokens (cookies, etc) is usually issued ○ Every once in a while, a local security key touch is required which is presented in combination with this local token - this is done to ensure that the token is still presented from a machine we trust
  20. 20. Time to authenticate
  21. 21. Security Keys are faster to use than OTPs "If you've been reading your e-mail" takeaway: Time to authenticate
  22. 22. Second factor support incidents
  23. 23. Security Keys cause fewer support incidents than OTPs "If you've been reading your e-mail" takeaway: Second factor support incidents
  24. 24. We’re not quite done
  25. 25. Proprietary + Confidential Does this work with a mobile? How do we deploy this at scale? What if they lose their key? But what about other enterprises?
  26. 26. Proprietary + Confidential Making progress towards stronger authentication Productizing FIDO U2F
  27. 27. Proprietary + Confidential Bootstrapping account
  28. 28. How can you get started?
  29. 29. Proprietary + Confidential Resources ● To use with Google Enable 2-Step Verification on your account Go to: https://security.google.com Click: 2-Step Verification Click on the Security Keys tab ● Also use with GitHub, Dropbox, SalesForce ● And / or play with some code https://github.com/google/u2f-ref-code https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
  30. 30. Proprietary + Confidential Questions?

×