Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

2019 | Google Masterclass: Democratizing Phishing-Resistant FIDO Technology | Identiverse | Day 1, June 25

139 views

Published on

Phishing is the #1 security problem on the web. According to Verizon 2018 Data Breach Investigations Report, 41.6% of breaches occurred as a result of stolen passwords, phishing, and pretexting. The industry’s collective response to this problem has been multi-factor authentication, but implementations are fragmented and most still don’t adequately address phishing. Google has been working with the FIDO Alliance since 2013 and, more recently, with the W3C to implement a standardized phishing-resistant FIDO2 protocol that can be used by any web application. This session will demystify FIDO2 and run through new, exciting user journeys enabled by these protocols to make FIDO2 available to more people.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

2019 | Google Masterclass: Democratizing Phishing-Resistant FIDO Technology | Identiverse | Day 1, June 25

  1. 1. 1 Democratizing phishing- resistant FIDO technology Christiaan Brand Product Manager, Google Cloud
  2. 2. 2 Agenda 030201 Passwords aren’t enough MFA - a spectrum of assurance Enter WebAuthn
  3. 3. 3 Passwords aren’t enough
  4. 4. 3.3B+ Credentials leaked in dumps 67M Accounts proactively re-secured 17% Minimum password reuse rate Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) ai.google/research/pubs/pub46437
  5. 5. Source: Google
  6. 6. Sources of stolen passwords Phishing Keyloggers Data breach
  7. 7. Account hijacking likelihood Compared to a general active account, how much more likely it is that you will be a victim of account hijacking if we know: Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) ai.google/research/pubs/pub46437
  8. 8. Account hijacking likelihood If you were in a breach >10x Compared to a general active account, how much more likely it is that you will be a victim of account hijacking if we know: Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) ai.google/research/pubs/pub46437
  9. 9. Account hijacking likelihood If you had a keylogger If you were in a breach >10x >40x Compared to a general active account, how much more likely it is that you will be a victim of account hijacking if we know: Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) ai.google/research/pubs/pub46437
  10. 10. Account hijacking likelihood lower bound!! If you had a keylogger If you were in a breach If you were phished >10x >40x >500xCompared to a general active account, how much more likely it is that you will be a victim of account hijacking if we know: Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) ai.google/research/pubs/pub46437
  11. 11. 91 80 of attacks on businesses include phishing of information security attacks start with phishing Source: PhishMe study, cofense.com/enterprise-phishing-susceptibility-report/ Source: UK govt, The Cyber Security Breaches Survey 2019
  12. 12. Phishing overtook exploit- based malware in 2016 Source: Safe Browsing (Google Transparency Report) Exploit malware and phishing sites detected each week 80000 60000 40000 20000 0 2010 2012 2014 2016 2018 Malware Phishing
  13. 13. success rate for a well designed phishing page* of account vulnerabilities were due to weak or stolen passwords** *Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials, 2017 **Verizon 2015 Data Breach Investigations Report 43% 76%
  14. 14. 14 MFA - a spectrum of assurance
  15. 15. MFA It’s a spectrum of assurance SMS / Voice Backup codes Authenticator (TOTP) Mobile Push FIDO security keys Assurance Many different types of MFA exist, all providing different levels of assurance and convenience Phishing-resistant
  16. 16. Titan Security Key Enhanced account protection Phishing-resistant 2nd factor of authentication that verifies user’s identity and sign-in URL Trusted hardware Includes a secure element with firmware written by Google to verify the key’s integrity Open ecosystem Works with popular browsers and a growing ecosystem of services that support FIDO
  17. 17. Now, your Android phone is also a security key Enhanced account protection Strongest 2FA protection against phishing Easy to use Simple, one-time enrollment process, no app required Convenient for users Use the phone which is already in your pocket Today With phone’s built- in security key
  18. 18. 18 Enter WebAuthn
  19. 19. Introducing WebAuthn + A W3C specification* (Web API) that allows websites to interact with security keys * https://github.com/w3c/webauthn
  20. 20. What is WebAuthn? How does it relate to FIDO2? WebAuthnCTAP FIDO2 Client (Computer, phone) Built-in authenticator (fingerprint) Remote server (Website) Removable authenticator (Phone, security key)
  21. 21. WebAuthn: two use cases username password user@gmail.com ********* 1. “Bootstrapping” - security key as a 2nd factor 2. “Re-authentication” - biometrics as a way to simplify verifying a returning user +
  22. 22. Implemented on Android Keymaster Biometrics FIDO module Chrome myApp... www Red: Your app can directly talk to the key store to store and use cryptographic keys Green: Your app can directly talk to the biometric APIs OR Blue: Your app and website can talk to the FIDO/WebAuthn APIs that abstracts the keystore and biometric APIs FIDO server
  23. 23. Meet Elisa
  24. 24. Elisa wants to sign in to her bank She starts on her mobile browser and enrolls in fingerprint after sign-in Registering built-in authenticator for re-auth (mobile web)
  25. 25. Elisa opens launches her mobile browser, Chrome, and goes to Tri-Bank 1. Registering built-in authenticator for re-auth (mobile web)
  26. 26. She signs in with her username and password 1. Registering built-in authenticator for re-auth (mobile web)
  27. 27. 1. Registering built-in authenticator for re-auth (mobile web) Tri-Bank shows a promo asking Elisa if she wants to opt in to fingerprint to sign in She opts in and continues to her account
  28. 28. What happened behind the scenes Silently determined whether a platform authenticator was available: PublicKeyCredential.isUserVerifyingPlatformAu thenticatorAvailable().then(response => { if (response === true) { //User verifying platform authenticator is available! } else { //User verifying platform authenticator is NOT available. }
  29. 29. What happened behind the scenes Created the credential on the platform authenticator navigator.credentials.create({ "publicKey": makeCredentialOptions });
  30. 30. What happened behind the scenes With values for makeCredentialOptions ● excludeCredentials = [// add any already registered ids ] ● authenticatorSelection.authenticatorAttach ment = 'platform' // other options: ‘cross-platform’ ● authenticatorSelection.userVerification = 'required' // other options: ‘discouraged’ or ‘preferred’
  31. 31. Elisa comes back to Tri-Bank in another session
  32. 32. The next time Elisa opens Tri-Bank on mobile browser, she gets a fingerprint dialog Since the user already signed in on this device, the credential ID is encoded in the cookie and the RP requests the “internal” transport only (since they don’t want the user to see prompts about external authenticators).
  33. 33. Using only her fingerprint, she’s able to sign in without using her username + password on mobile web
  34. 34. What happened behind the scenes Created a signature using the platform authenticator navigator.credentials.get({ "publicKey": requestOptions }); With values for requestOptions ○ allowCredentials = [// credential associated with session] ○ userVerification = true
  35. 35. 2a. Using built-in authenticator for re-auth (mobile web) Elisa downloads Tri-Bank from the Play Store She launches the app for the first time to sign in to check her funds
  36. 36. She installs Tri-Bank from Google Play Store and opens the app
  37. 37. Elisa chooses “Sign In” and enters her username
  38. 38. Elisa is now asked to authenticate with the fingerprint dialog
  39. 39. What happened behind the scenes Created a signature using the platform authenticator Fido2ApiClient fido2ApiClient = Fido.getFido2ApiClient(this.getApplicationContext()); Task<Fido2PendingIntent> result = fido2ApiClient.getSignIntent(requestOptions); With values for requestOptions ○ allowCredentials = [// credential associated with session ] ○ userVerification = true
  40. 40. Case study: Yahoo! JAPAN Reauth using fingerprint reduced time to sign-in by ... comparing to that of using a password. 37.5%
  41. 41. Case study: Google 98% of biometric reauth users finish in 38s 98% of all users enter password in 150s VS Does not exist in biometric 10:00 Google Internal Data: 2018
  42. 42. Implement WebAuthn today! ●Get a FIDO server webauthndemo.appspot.com ●Implement WebAuthn Create and Get methods github.com/w3c/webauthn ●Optional: Link this with your Android app for a seamless login experience https://github.com/googlesamples/android-fido
  43. 43. 43
  44. 44. 44 Thank you

×