Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Google & FIDO Authentication

1,857 views

Published on

Google & FIDO Authentication

Published in: Technology
  • Be the first to comment

Google & FIDO Authentication

  1. 1. Google & FIDO Authentication Simpler, stronger authentication with U2F and FIDO2 Alexei Czeskis Securineer aczeskis@google.com
  2. 2. Key Threats Password Reuse Phishing Interception Social Media BANK
  3. 3. One Time Passwords Aren't Perfect SMS Usability Coverage Issues, Delay, User Cost Device Usability One Per Site, Expensive, Fragile User Experience Users find it hard Phishable OTPs are increasingly phished $ ?
  4. 4. Demo
  5. 5. Example Attack https://www.goggle.com
  6. 6. Introducing Security Key (U2F) Your Password Security Key Account Data
  7. 7. Based on Asymmetric Cryptography Core idea - Standard public key cryptography ● User's device mints new key pair, gives public key to server ● Server asks user's device to sign data to verify the user. ● One device, many services, "bring your own device" enabled
  8. 8. How Security Keys Work “I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com” https://www.google.com Password Server
  9. 9. “I promise a user is here”, “the server challenge was: 529402”, “the origin was: goggle.com” https://www.goggle.com goggle.com Password Password Server Phishing Defeated
  10. 10. Google’s Deployment Experience
  11. 11. Deployment at Google ● Enterprise use case ○ Mandated for Google employees ○ Corporate SSO (Web) ○ SSH ○ Forms basis of all authentication ● Consumer use case ○ Available as opt-in for Google consumers ○ Adopted by other relying parties too: Dropbox, Github, Facebook, Salesforce, ...
  12. 12. Time to Authenticate Security Keys: Practical Cryptographic Second Factors for the Modern Web Security Keys are faster to use than OTPs
  13. 13. Second Factor Support Incidents Security Keys: Practical Cryptographic Second Factors for the Modern Web Security Keys cause fewer support incidents than OTPs
  14. 14. Productionizing Enterprise FIDO Support
  15. 15. Other Enterprises Can Have This Too Does this work with a mobile? How do we deploy this at scale? What if they lose their key?
  16. 16. Productionizing FIDO Support
  17. 17. Using FIDO for Targeted Users
  18. 18. Recently Launched https://google.com/advancedprotection
  19. 19. Re-Authentication
  20. 20. Re-Authenticating on a Known Device Re-authenticating on a known device ● Happens often (i.e., transaction authorization) ● Needs to be fast ● Server has device reputation (cookies, profiling, etc)
  21. 21. Building Native FIDO https://developer.android.com/training/articles/security-key-attestation.html ● Android attestation of hardware backed cryptographic keys. ● New building block for strong FIDO support on Android
  22. 22. Android Infrastructure Fingerprint APIFIDO APIs Keystore Native Android appsChrome (WebAuthN)
  23. 23. Demo
  24. 24. How Can You Get Started?
  25. 25. Resources ● To use with Google ○ Use through 2-Step Verification OR ○ Enroll in the Advanced Protection Program (https://google.com/advancedprotection) ● Also use with GitHub, Dropbox, SalesForce, Facebook ● And / or play with some code https://github.com/google/u2f-ref-code https://developers.yubico.com/U2F/Libraries/List_of_libraries.html Maybe use Android Hardware Key Attestation. ● Check out W3C WebAuthn (https://www.w3.org/TR/webauthn/) ● We're always happy to answer questions Alexei Czeskis aczeskis@google.com

×