1. 1
WebAuthn and security
keys = unlocking the key
to authentication
Christiaan Brand
Product Manager, Google

2. 2
It’s no secret -
passwords aren't enough

3. 123456
Most popular
password in 2015
password
2nd most popular
password in 2015
*Verizon data breach report, 2015

4. 123456789
Most popular
password in 2018
qwerty
2nd most popular
password in 2018
*techviral.net

5. success rate for
a well designed
password phishing
page
of account vulnerabilities
were due to weak or
stolen passwords
*Verizon data breach report, 2017
43% 81%
*Google study

6. 3.3B+
credentials leaked
in dumps
67M
accounts proactively
re-secured
17%
minimum password
reuse rate
* * * *
Data breaches, phishing, or malware? Understanding the risks of stolen
credentials (Thomas et al.) https://ai.google/research/pubs/pub46437

7. 999.

8. SMS usability
Coverage issues,
delay, user cost
Device usability
One per site,
expensive, fragile
User experience
Users find it hard
Phishable
OTPs are increasingly phished
?
Any second factor improves user security,
but...

9. 9
Password
Server
https://www.google.com
Web authentication

10. 10
https://www.goggle.com
https://www.goggle.com
Phishing attack | Step 1

11. 11
https://www.goggle.com
Phishing attack | Step 2

12. 12
Password Password
google.comgoggle.com
https://www.goggle.com
Phishing attack | Step 3

13. 13
At Google,
on our journey to replacing
the password, we started by
making the password safer

14. 14
Introducing security key
Your password
Security key
Account data

15. 15
Based on
asymmetric
cryptography
● User’s device mints new key pair,
gives public key to server
● Server asks user’s device to sign
data to verify user
● One device, many services, “bring
your own device” enabled
Core idea - standard public key cryptography

16. 16
How security key works
“I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: google.com”
Server
Password
https://www.google.com

17. 17
Security key defeats phishing
Password
goggle.com
Password
“I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: goggle.com”
Server
https://www.goggle.com

18. 18
Google’s
experience

19. 19
Deployment at Google
Enterprise use case
● Mandated for Google employees
● Corporate SSO (web)
● SSH
● Forms basis of all authentication
Consumer use case
● Available as opt-in for Google consumers
● Adopted by other relying parties too:
Dropbox, Github

20. 20
Use cases at Google
Bootstrapping
● It’s only used when employee signs in on a new device the first time.
● It protects against phishing.
● Removable security key is carried as part of the badge.
Hardware credential binding
● Once signed into a device, long-lived tokens (cookies, etc) are usually issued.
● Occasionally, a local security key touch is required, which is presented in
combination with this local token.
● This is to ensure the token is still being presented from a machine we trust.

21. 21
Time to
authenticate
OTP via SMS
OTP via app
Security Keys
OTP
Security Keys
50
40
30
20
10
0
Timetoauthenticate(s)
50
40
30
20
10
0
Timetopresent2ndfactor(s)
Google employees Consumer users

22. 22
Time to
authenticate
OTP via SMS
OTP via app
Security Keys
OTP
Security Keys
50
40
30
20
10
0
Timetoauthenticate(s)
50
40
30
20
10
0
Timetopresent2ndfactor(s)
Google employees Consumer users
"If you've been reading your e-mail" takeaway:
Security keys are faster
to use than OTPs

23. 23
Second factor
support
incidents
Supportincidentsperuserpermonth
PercentofusersusingSecurityKeys
100
80
60
40
20
0Jul2014
Sep
2014
N
ov
2014
Jan
2014
M
ar2014
M
ay
2014
Jul2014
Sep
2014
N
ov
2014
OTP
Security Key
Active Security Key users

24. 24
Second factor
support
incidents
Supportincidentsperuserpermonth
PercentofusersusingSecurityKeys
100
80
60
40
20
0Jul2014
Sep
2014
N
ov
2014
Jan
2014
M
ar2014
M
ay
2014
Jul2014
Sep
2014
N
ov
2014
OTP
Security Key
Active Security Key users
"If you've been reading your e-mail" takeaway:
Security keys cause fewer
support incidents than OTPs

25. 25
We’re not
quite done

26. 26
We made the password a lot safer with U2F,
but we want to go one step further: we want
to remove the password from the equation
That’s where FIDO2 and WebAuthn come in

27. 27
What is WebAuthn? How does it relate to FIDO2?
W3C WebAuthnFIDO CTAP
FIDO2
Client
(Computer, phone)
Built-in authenticator
(fingerprint)
Remote server
(Website)
Removable authenticator
(Phone, security key)

28. 28
WebAuthn
enables user
journeys
that are:
Simple
Very intuitive and
easy for user
Secure
Resistant to phishing
WebAuthn / What is WebAuthn?

29. 29
Authentication has two core user journeys
WebAuthn / FIDO2 enables multiple use cases
BootstrapRe-authentication

30. 30
Meet
Elisa

31. 31
Elisa wants to sign in to her bank
She starts on her mobile browser and
enrolls in fingerprint after sign-in
Registering and using built-in authenticator for re-auth (mobile web)

32. 32
1. Registering built-in authenticator for re-auth (mobile web)
Request
UV=true
X-Plat=false
Result
credential
(internal,caBLE)
Elisa opens
launches her
mobile browser,
Chrome, and goes
to Tri-Bank

33. 33
1. Registering built-in authenticator for re-auth (mobile web)
She signs in with
her username and
password

34. 34
1. Registering built-in authenticator for re-auth (mobile web)
Tri-Bank shows a promo
asking Elisa if she wants
to opt in to fingerprint to
sign in
She opts in and
continues to her account

35. 35
Elisa comes back to
Tri-Bank in another session
2a. Using built-in authenticator for re-auth (mobile web)

36. 36
2a. Using built-in authenticator for re-auth (mobile web)
The next time Elisa
opens Tri-Bank on
mobile browser,
she gets a
fingerprint dialog
Request
credentialId
(internal)
Since the user already signed in on this device, the credential ID is encoded in the
cookie and the RP requests the “internal” transport only (since they don’t want the user
to see prompts about external authenticators).

37. 37
2a. Using built-in authenticator for re-auth (mobile web)
Using only her
fingerprint, she’s
able to sign in
without using her
username + password
on mobile web
Request
credentialId
(internal)

38. 38
Elisa downloads Tri-Bank
from the Play Store
She launches the app for the first time
to sign in to check her funds
2b. Using built-in authenticator for re-auth (native mobile app)

39. 39
Request
UV=true
X-Plat=false
Result
credential
(internal,caBLE)
Request
credentialId
(internal)
Request
(Alternative)
{empty
credentialId}
Will result in
prompt to insert
removable SK
2b. Using built-in authenticator for re-auth (native mobile app)
She installs
Tri-Bank from
Google Play Store
and opens the app

40. 40
2b. Using built-in authenticator for re-auth (native mobile app)
Elisa chooses
“Sign In” and also
chooses an
account
Request
credentialId
(internal)

41. 41
Elisa is now asked
to authenticate
with the
fingerprint dialog
2b. Using built-in authenticator for re-auth (native mobile app)

42. 42
Elisa wants to sign in to
her bank on her
desktop computer
3. Cross-platform bootstrap

43. 43
Elisa chooses to
sign in on her
desktop browser
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
3. Cross-platform bootstrap

44. 44
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Elisa enters her
account username
and chooses to
proceed “next”
3. Cross-platform bootstrap

45. 45
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
She’s asked to verify
the new device using
her Pixel 2 phone’s
fingerprint that she’s
been using to sign in
to Tri-Bank
3. Cross-platform bootstrap

46. 46
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Because Elisa has a
Macbook with Touch
ID, Tri-bank asks her
if she wants to use
local fingerprint on
the device
3. Cross-platform bootstrap

47. 47
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Elisa gets
prompted to
try using the
local fingerprint
on the device
3. Cross-platform bootstrap

48. 48
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
She opts-in and
continues to her
account
3. Cross-platform bootstrap

49. 49
When Elisa comes back to
Tri-Bank on the Macbook Pro

50. 50
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
4. Using built-in authenticator for re-auth
Elisa comes back
to sign in on her
desktop browser

51. 51
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
4. Using built-in authenticator for re-auth
A fingerprint
dialog appears
above the sign-in
page and Elisa
touches the sensor

52. 52
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
4. Using built-in authenticator for re-auth
Elisa’s identity is
accepted and
she’s signed in

53. 53
Note that we’re
inheriting the strength
of the credentials from
the initial bootstrap
If in Step 1 we only ask the
user for a username +
password, the strength of
all the derived credentials
are only as good as a
username + password.
If in Step 1 we ask for a
stronger credential (2nd
factor security key), all of
the derived credentials
would inherit those
stronger attributes too.

54. 54
Now let’s
meet Jim

55. 55
Jim has a
fingerprint-enabled
security key
and is signing into his
desktop computer
5. Typeless bootstrap flow

56. 56
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
5a. Typeless bootstrap flow (registration)
Jim comes to
sign in with his
desktop computer

57. 57
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Jim enters his
account username
and chooses to
proceed “next”
5a. Typeless bootstrap flow (registration)

58. 58
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Jim enters his
account password
5a. Typeless bootstrap flow (registration)

59. 59
Jim is asked to
verify with a 2nd
verification step
5a. Typeless bootstrap flow (registration)

60. 60
He gets a
promotion for
typeless
verification,
and enrolls
5a. Typeless bootstrap flow (registration)

61. 61
5a. Typeless bootstrap flow (registration)
Jim inserts
Security Key and
taps the sensor
on the key

62. 62
Jim’s Security Key
is enrolled and
ready to be used
5a. Typeless bootstrap flow (registration)

63. 63
Jim uses a new device with
his registered security key

64. 64
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Jim decides to
use his friend’s
Windows computer
to sign-in
5b. Typeless bootstrap flow (log in)

65. 65
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
Jim inserts
Security Key and
taps on the sensor
5b. Typeless bootstrap flow (log in)

66. 66
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
He chooses account
he wants amongst
the other accounts
that are registered
on the SK
5b. Typeless bootstrap flow (log in)

67. 67
Request
credentialId
(internal)
Request (Alternative)
{empty credentialId}
Will result in prompt to insert removable SK
He signed in
without username
or password
5b. Typeless bootstrap flow (log in)

68. 68
How can I
get started?
Desktop/laptop
● WebAuthn support was
launched in Chrome 67.
● The initial release
supports only
external tokens.
● Support for built-in
modalities is coming
later in the fall.
Android
● FIDO2 APIs on Android
are available in
pre-release mode.
● Support for FIDO2 on
the web (to built-in
fingerprint sensor) will
come later in the fall.
Visit webauthndemo.appspot.com to try it out

69. 69
Questions?

70. 70
That’s a wrap