Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

WebAuthn and Security Keys

1,275 views

Published on

WebAuthn and Security Keys = Unlocking the key to authentication by John Fontana, Yubico on behalf of Christiaan Brand at Google
- Presented at FIDO Seoul Public Seminar on December 5th, 2018

Published in: Internet
  • DOWNLOAD FULL BOOKS, INTO AVAILABLE FORMAT ......................................................................................................................... ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. PDF EBOOK here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. EPUB Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... 1.DOWNLOAD FULL. doc Ebook here { https://tinyurl.com/y8nn3gmc } ......................................................................................................................... ......................................................................................................................... ......................................................................................................................... .............. Browse by Genre Available eBooks ......................................................................................................................... Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

WebAuthn and Security Keys

  1. 1. 1 WebAuthn and security keys = unlocking the key to authentication John Fontana at Yubico on Behalf of Christiaan Brand, Product Manager, Google
  2. 2. 2 It’s no secret - passwords aren't enough
  3. 3. 123456 Most popular password in 2015 password 2nd most popular password in 2015 *Verizon data breach report, 2015
  4. 4. 123456789 Most popular password in 2018 qwerty 2nd most popular password in 2018 *techviral.net
  5. 5. success rate for a well designed password phishing page of account vulnerabilities were due to weak or stolen passwords *Verizon data breach report, 2017 43% 81% *Google study
  6. 6. 3.3B+ credentials leaked in dumps 67M accounts proactively re-secured 17% minimum password reuse rate * * * * Source: Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) https://ai.google/research/pubs/pub46437
  7. 7. SMS usability Coverage issues, delay, user cost Device usability One per site, expensive, fragile User experience Users find it hard Phishable OTPs are increasingly phished ? Any second factor improves user security, but...
  8. 8. Sources of stolen passwords Data BreachesKeyloggersPhishing
  9. 9. Hijacking likelihood* Compared to a general active account, how much more likely it is that you will be a victim of hijacking if we know: *lower bound Had a keyloggerYou were in a breach Were phished >10x >40x >500x
  10. 10. Data breach market Keyloggers Phishing kits The wares on sale
  11. 11. Understanding victims Signup location % United States 50% South Africa 4% Canada 3% India 3% United Kingdom 3% Other 37% Sample of phished Google accounts:
  12. 12. Takeaway Billions of passwords available to hijackers. Account hijackers are professional
  13. 13. 15 At Google, on our journey to replacing the password, we started by making the password safer
  14. 14. Core issue: User is pointed to a phishing URL Solution: Security Key tells the server which URL the user is pointed to. Correct URL? Server allows login. Phishing URL? Server blocks login.
  15. 15. 17 Based on asymmetric cryptography ● User’s device mints new key pair, gives public key to server ● Server asks user’s device to sign data to verify user ● One device, many services, “bring your own device” enabled Core idea - standard public key cryptography
  16. 16. challenge, “google.com” Server How Security Keys work Who’s calling? sign: {challenge, “google.com”} {challenge, “google.com”}signed Alice’s Security Key Challenge was: 123456 Origin was: google.com Alice’s Key https://www.google.com USB/NFC/BLE 5 challenge 1 6 2 3 4
  17. 17. Created with open standards Server USB/NFC/BLEWho’s calling? https://www.google.com https://www.google.com
  18. 18. Created with open standards Server USB/NFC/BLEWho’s calling? https://www.google.com https://www.google.com WebAuthn API (JavaScript)
  19. 19. Created with open standards Server USB/NFC/BLEWho’s calling? https://www.google.com https://www.google.com WebAuthn API CTAP API
  20. 20. 22 We made the password a lot safer with U2F, but we want to go one step further: we want to remove the password from the equation That’s where FIDO2 and WebAuthn come in
  21. 21. 23 What is WebAuthn? How does it relate to FIDO2? W3C WebAuthnFIDO CTAP FIDO2 Client (Computer, phone) Built-in authenticator (fingerprint) Remote server (Website) Removable authenticator (Phone, security key)
  22. 22. 24 WebAuthn enables user journeys that are: Simple Very intuitive and easy for user Secure Resistant to phishing WebAuthn / What is WebAuthn?
  23. 23. 25 Authentication has two core user journeys WebAuthn / FIDO2 enables multiple use cases 01 Bootstrap User authenticates to a service for the first time The next slides will walk through these user journeys as a user might encounter them on the web 02 Re-authentication User does a repeat authentication to a service
  24. 24. 26 Note that we’re inheriting the strength of the credentials from the initial bootstrap If in Step 1 we only ask the user for a username + password, the strength of all the derived credentials are only as good as a username + password. If in Step 1 we ask for a stronger credential (2nd factor security key), all of the derived credentials would inherit those stronger attributes too.
  25. 25. 27 Meet Elisa
  26. 26. 28 Elisa wants to sign in to her bank She starts on her mobile browser and enrolls in fingerprint after sign-in Registering and using built-in authenticator for re-auth (mobile web)
  27. 27. 29 1. Registering built-in authenticator for re-auth (mobile web) Request UV=true X-Plat=false Result credential (internal,caBLE) Elisa opens launches her mobile browser, Chrome, and goes to Tri-Bank
  28. 28. 30 1. Registering built-in authenticator for re-auth (mobile web) She signs in with her username and password
  29. 29. 31 1. Registering built-in authenticator for re-auth (mobile web) Tri-Bank shows a promo asking Elisa if she wants to opt in to fingerprint to sign in She opts in and continues to her account
  30. 30. 32 Silently determined whether a platform authenticator was available: PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().then(response => { if (response === true) { //User verifying platform authenticator is available! } else { //User verifying platform authenticator is NOT available. } Created the credential on the platform authenticator navigator.credentials.create({ "publicKey": makeCredentialOptions }); With values for makeCredentialOptions ○ excludeCredentials = [// registered ids ] ○ authenticatorSelection.authenticatorAttachment = 'platform' ○ authenticatorSelection.userVerification = 'required' What happened behind the scenes? Object contains “transport” info
  31. 31. 33 ● Transports is a way to indicate how authenticators can be reached ● Allowed values include ○ USB ○ NFC ○ BLE ○ Internal (corresponds to attachment=platform request type) ○ caBLE ● Transports are both returned when credentials are created, and set when requesting signatures. ● This allows the RP to ○ which use-cases are supported by the created credential ○ select the particular use-case they’re interested in (by modifying the transports) More on transports
  32. 32. 34 Elisa comes back to Tri-Bank in another session 2a. Using built-in authenticator for re-auth (mobile web)
  33. 33. 35 2a. Using built-in authenticator for re-auth (mobile web) The next time Elisa opens Tri-Bank on mobile browser, she gets a fingerprint dialog Request credentialId (internal) Since the user already signed in on this device, the credential ID is encoded in the cookie and the RP requests the “internal” transport only (since they don’t want the user to see prompts about external authenticators).
  34. 34. 36 2a. Using built-in authenticator for re-auth (mobile web) Using only her fingerprint, she’s able to sign in without using her username + password on mobile web Request credentialId (internal)
  35. 35. 37 Created a signature using the platform authenticator navigator.credentials.get({ "publicKey": requestOptions }); With values for requestOptions ○ allowCredentials = [// credential associated with session and transport=internal ] ○ userVerification = true What happened behind the scenes?
  36. 36. 38 Elisa downloads Tri-Bank from the Play Store She launches the app for the first time to sign in to check her funds 2b. Using built-in authenticator for re-auth (native mobile app)
  37. 37. 39 Request UV=true X-Plat=false Result credential (internal,caBLE) Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK 2b. Using built-in authenticator for re-auth (native mobile app) She installs Tri-Bank from Google Play Store and opens the app
  38. 38. 40 2b. Using built-in authenticator for re-auth (native mobile app) Elisa chooses “Sign In” and also chooses an account Request credentialId (internal)
  39. 39. 41 Elisa is now asked to authenticate with the fingerprint dialog 2b. Using built-in authenticator for re-auth (native mobile app)
  40. 40. 42 Created a signature using the platform authenticator navigator.credentials.get({ "publicKey": requestOptions }); With values for requestOptions ○ allowCredentials = [// empty set ] ○ userVerification = true What happened behind the scenes?
  41. 41. 43 Elisa wants to sign in to her bank on her desktop computer and sign-in to Tri-Bank without a password 3. Cross-platform bootstrap This is the part that is not released yet
  42. 42. 44 Elisa chooses to sign in on her desktop browser Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK 3. Cross-platform bootstrap
  43. 43. 45 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK Elisa enters her account username and chooses to proceed “next” 3. Cross-platform bootstrap
  44. 44. 46 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK She’s asked to verify the new device using her Pixel 2 phone’s fingerprint that she’s been using to sign in to Tri-Bank 3. Cross-platform bootstrap
  45. 45. 47 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK Because Elisa has a Macbook with Touch ID, Tri-bank asks her if she wants to use local fingerprint on the device 3. Cross-platform bootstrap
  46. 46. 48 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK Elisa gets prompted to try using the local fingerprint on the device 3. Cross-platform bootstrap
  47. 47. 49 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK She opts-in and continues to her account 3. Cross-platform bootstrap
  48. 48. 50 When Elisa comes back to Tri-Bank on the Macbook Pro This is the part that is not released yet
  49. 49. 51 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK 4. Using built-in authenticator for re-auth Elisa comes back to sign in on her desktop browser
  50. 50. 52 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK 4. Using built-in authenticator for re-auth A fingerprint dialog appears above the sign-in page and Elisa touches the sensor
  51. 51. 53 Request credentialId (internal) Request (Alternative) {empty credentialId} Will result in prompt to insert removable SK 4. Using built-in authenticator for re-auth Elisa’s identity is accepted and she’s signed in
  52. 52. 54 How can I get started? Desktop/laptop ● WebAuthn support was launched in Chrome 67. ● Chrome 70 adds support for platform credentials on Mac OS X. Android ● FIDO2 APIs on Android are available in pre-release mode. ● Support for FIDO2 on the web (built-in fingerprint sensor) enabled in Chrome 70. Visit webauthndemo.appspot.com to try it out
  53. 53. 55 CTAP2 & WEB AUTHN UPDATE
  54. 54. 56 Questions?
  55. 55. 57 That’s a wrap

×