
Web Authn & Security Keys: Unlocking the Key to Authentication


A look at Google's approach to strong authentication with FIDO, including an exploration of how security keys have been deployed within Google and how simple and secure user journeys are with Web Authn.


  1. WebAuthn and security keys: unlocking the key to authentication. Christiaan Brand, Product Manager, Google
  2. It’s no secret: passwords aren't enough
  3. "123456": most popular password in 2015. "password": 2nd most popular password in 2015. *Verizon data breach report, 2015
  4. "123456789": most popular password in 2018. "qwerty": 2nd most popular password in 2018. *techviral.net
  5. 43% success rate for a well designed password phishing page (*Google study). 81% of account vulnerabilities were due to weak or stolen passwords (*Verizon data breach report, 2017)
  6. 3.3B+ credentials leaked in dumps. 67M accounts proactively re-secured. 17% minimum password reuse rate. *Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.), https://ai.google/research/pubs/pub46437
  8. Any second factor improves user security, but... SMS usability: coverage issues, delay, user cost. Device usability: one per site, expensive, fragile. User experience: users find it hard. Phishable: OTPs are increasingly phished.
  9. Web authentication (diagram: the user sends a password to the server at https://www.google.com)
  10. Phishing attack, step 1 (diagram: the user lands on https://www.goggle.com)
  11. Phishing attack, step 2 (diagram: https://www.goggle.com)
  12. Phishing attack, step 3 (diagram: the password typed into goggle.com is passed on to google.com)
  13. At Google, on our journey to replacing the password, we started by making the password safer
  14. Introducing the security key (diagram: your password + security key → account data)
  15. Core idea: standard public key cryptography. Based on asymmetric cryptography. ● User’s device mints a new key pair and gives the public key to the server ● Server asks the user’s device to sign data to verify the user ● One device, many services; “bring your own device” enabled
  16. How a security key works (diagram: the password and the key’s signed assertion go to the server at https://www.google.com). The key signs: “I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com”
  17. Security key defeats phishing (diagram: the user is on https://www.goggle.com, which relays the password to the real server). The key signs: “I promise a user is here”, “the server challenge was: 337423”, “the origin was: goggle.com”, so the signed origin does not match the server’s own and the server rejects the sign-in
  18. Google’s experience
  19. Deployment at Google. Enterprise use case: ● Mandated for Google employees ● Corporate SSO (web) ● SSH ● Forms the basis of all authentication. Consumer use case: ● Available as opt-in for Google consumers ● Adopted by other relying parties too: Dropbox, GitHub
  20. Use cases at Google. Bootstrapping: ● It’s only used when an employee signs in on a new device for the first time. ● It protects against phishing. ● The removable security key is carried as part of the badge. Hardware credential binding: ● Once signed into a device, long-lived tokens (cookies, etc.) are usually issued. ● Occasionally, a local security key touch is required, which is presented in combination with this local token. ● This is to ensure the token is still being presented from a machine we trust.
  21. Time to authenticate (chart; left panel: time to authenticate (s) for Google employees, OTP via SMS vs OTP via app vs security keys; right panel: time to present 2nd factor (s) for consumer users, OTP vs security keys; y-axis 0–50 s)
  22. Time to authenticate (same chart). "If you've been reading your e-mail" takeaway: security keys are faster to use than OTPs
  23. Second factor support incidents (chart by month from Jul 2014; left axis: support incidents per user per month, OTP vs security key; right axis: percent of users using security keys, 0–100, shown as active security key users)
  24. Second factor support incidents (same chart). "If you've been reading your e-mail" takeaway: security keys cause fewer support incidents than OTPs
  25. We’re not quite done
  26. We made the password a lot safer with U2F, but we want to go one step further: we want to remove the password from the equation. That’s where FIDO2 and WebAuthn come in
  27. What is WebAuthn? How does it relate to FIDO2? (diagram) FIDO2 = W3C WebAuthn + FIDO CTAP. WebAuthn runs between the client (computer, phone) and the remote server (website); CTAP runs between the client and a removable authenticator (phone, security key); a built-in authenticator (fingerprint) lives inside the client
  28. WebAuthn / What is WebAuthn? WebAuthn enables user journeys that are: Simple (very intuitive and easy for the user) and Secure (resistant to phishing)
  29. WebAuthn / FIDO2 enables multiple use cases. Authentication has two core user journeys: bootstrap and re-authentication
  30. Meet Elisa
  31. Registering and using a built-in authenticator for re-auth (mobile web). Elisa wants to sign in to her bank. She starts on her mobile browser and enrolls in fingerprint after sign-in
  32. 1. Registering a built-in authenticator for re-auth (mobile web). Elisa launches her mobile browser, Chrome, and goes to Tri-Bank. Request: UV=true, X-Plat=false. Result: credential (internal, caBLE)
  33. 1. Registering a built-in authenticator for re-auth (mobile web). She signs in with her username and password
  34. 1. Registering a built-in authenticator for re-auth (mobile web). Tri-Bank shows a promo asking Elisa if she wants to opt in to fingerprint to sign in. She opts in and continues to her account
  35. 2a. Using the built-in authenticator for re-auth (mobile web). Elisa comes back to Tri-Bank in another session
  36. 2a. Using the built-in authenticator for re-auth (mobile web). The next time Elisa opens Tri-Bank in her mobile browser, she gets a fingerprint dialog. Request: credentialId (internal). Since the user already signed in on this device, the credential ID is encoded in the cookie and the RP requests the “internal” transport only (since they don’t want the user to see prompts about external authenticators).
  37. 2a. Using the built-in authenticator for re-auth (mobile web). Using only her fingerprint, she’s able to sign in without her username + password on mobile web. Request: credentialId (internal)
  38. 2b. Using the built-in authenticator for re-auth (native mobile app). Elisa downloads Tri-Bank from the Play Store. She launches the app for the first time to sign in and check her funds
  39. 2b. Using the built-in authenticator for re-auth (native mobile app). She installs Tri-Bank from the Google Play Store and opens the app. Requests shown: registration request UV=true, X-Plat=false, with result credential (internal, caBLE); re-auth request credentialId (internal); alternative request {empty credentialId}, which will result in a prompt to insert a removable SK
  40. 2b. Using the built-in authenticator for re-auth (native mobile app). Elisa chooses “Sign In” and also chooses an account. Request: credentialId (internal)
  41. 2b. Using the built-in authenticator for re-auth (native mobile app). Elisa is now asked to authenticate with the fingerprint dialog
  42. 3. Cross-platform bootstrap. Elisa wants to sign in to her bank on her desktop computer
  43. 3. Cross-platform bootstrap. Elisa chooses to sign in on her desktop browser. Requests shown: credentialId (internal); alternative {empty credentialId}, which will result in a prompt to insert a removable SK
  44. 3. Cross-platform bootstrap. Elisa enters her account username and chooses to proceed with “next”
  45. 3. Cross-platform bootstrap. She’s asked to verify the new device using her Pixel 2 phone’s fingerprint, which she’s been using to sign in to Tri-Bank
  46. 3. Cross-platform bootstrap. Because Elisa has a MacBook with Touch ID, Tri-Bank asks her if she wants to use the local fingerprint on the device
  47. 3. Cross-platform bootstrap. Elisa gets prompted to try using the local fingerprint on the device
  48. 3. Cross-platform bootstrap. She opts in and continues to her account
  49. When Elisa comes back to Tri-Bank on the MacBook Pro
  50. 4. Using the built-in authenticator for re-auth. Elisa comes back to sign in on her desktop browser. Requests shown: credentialId (internal); alternative {empty credentialId}, which will result in a prompt to insert a removable SK
  51. 4. Using the built-in authenticator for re-auth. A fingerprint dialog appears above the sign-in page and Elisa touches the sensor
  52. 4. Using the built-in authenticator for re-auth. Elisa’s identity is accepted and she’s signed in
  53. Note that we’re inheriting the strength of the credentials from the initial bootstrap. If in step 1 we only ask the user for a username + password, the strength of all the derived credentials is only as good as a username + password. If in step 1 we ask for a stronger credential (a 2nd-factor security key), all of the derived credentials inherit those stronger attributes too.
  54. Now let’s meet Jim
  55. 5. Typeless bootstrap flow. Jim has a fingerprint-enabled security key and is signing in to his desktop computer
  56. 5a. Typeless bootstrap flow (registration). Jim comes to sign in with his desktop computer. Requests shown: credentialId (internal); alternative {empty credentialId}, which will result in a prompt to insert a removable SK
  57. 5a. Typeless bootstrap flow (registration). Jim enters his account username and chooses to proceed with “next”
  58. 5a. Typeless bootstrap flow (registration). Jim enters his account password
  59. 5a. Typeless bootstrap flow (registration). Jim is asked to verify with a 2nd verification step
  60. 5a. Typeless bootstrap flow (registration). He gets a promo for typeless verification, and enrolls
  61. 5a. Typeless bootstrap flow (registration). Jim inserts the security key and taps the sensor on the key
  62. 5a. Typeless bootstrap flow (registration). Jim’s security key is enrolled and ready to be used
  63. Jim uses a new device with his registered security key
  64. 5b. Typeless bootstrap flow (log in). Jim decides to use his friend’s Windows computer to sign in. Requests shown: credentialId (internal); alternative {empty credentialId}, which will result in a prompt to insert a removable SK
  65. 5b. Typeless bootstrap flow (log in). Jim inserts the security key and taps on the sensor
  66. 5b. Typeless bootstrap flow (log in). He chooses the account he wants amongst the other accounts that are registered on the SK
  67. 5b. Typeless bootstrap flow (log in). He signed in without a username or password
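The request shorthand that runs through the Elisa and Jim flows (UV=true X-Plat=false, credentialId (internal), {empty credentialId}) maps onto a few fields of the WebAuthn options objects. The following is an added example, not code from the talk; the rp id and the Tri-Bank name are constructed placeholders, and the resident-key flag for Jim's typeless flow is this example's reading of what account selection on the key requires.

```javascript
// Constructed placeholder relying party; Tri-Bank is the slides' fictional bank.
const RP = { id: 'tri-bank.example', name: 'Tri-Bank' };

// "Request UV=true X-Plat=false" (flow 1): register a built-in (platform) authenticator and
// require user verification, i.e. the fingerprint. For Jim's typeless flow (5a) the key must
// also hold a discoverable (resident) credential, otherwise there is no account list to pick
// from on a new device.
function registrationOptions(challenge, user, { builtIn = true, discoverable = false } = {}) {
  return {
    publicKey: {
      rp: RP,
      user, // { id: Uint8Array, name, displayName }
      challenge, // fresh random bytes from the server, one per ceremony
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
      authenticatorSelection: {
        authenticatorAttachment: builtIn ? 'platform' : 'cross-platform', // X-Plat=false -> platform
        userVerification: 'required',                                     // UV=true
        requireResidentKey: discoverable,
      },
    },
  };
}

// "Request credentialId (internal)" vs "Request (Alternative) {empty credentialId}" (flows 2a to 5b).
// When the RP's cookie already names a credential on this device, it lists only that id with the
// 'internal' transport, so the user sees no prompts about external authenticators. On a new device
// there is no id to list; an empty allowCredentials lets the browser ask for a removable key and,
// with discoverable credentials, lets the user choose among the accounts stored on it.
function assertionOptions(challenge, knownCredentialId) {
  const allowCredentials = knownCredentialId
    ? [{ type: 'public-key', id: knownCredentialId, transports: ['internal'] }]
    : [];
  return { publicKey: { rpId: RP.id, challenge, allowCredentials, userVerification: 'required' } };
}
```

In a browser these objects are passed straight to navigator.credentials.create() and navigator.credentials.get().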
  68. How can I get started? Desktop/laptop: ● WebAuthn support was launched in Chrome 67. ● The initial release supports only external tokens. ● Support for built-in modalities is coming later in the fall. Android: ● FIDO2 APIs on Android are available in pre-release mode. ● Support for FIDO2 on the web (to the built-in fingerprint sensor) will come later in the fall. Visit webauthndemo.appspot.com to try it out
  69. Questions?
  70. That’s a wrap
