Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

U2F in Dashlane


Published on

Technical introduction to U2F and the Dashlane implementation

Published in: Software
  • The Scrambler Unlock Her Legs | 95% Off by Bobby Rio-Rob Judge? ▲▲▲
    Are you sure you want to  Yes  No
    Your message goes here
  • My special guest's 3-Step "No Product Funnel" can be duplicated to start earning a significant income online. ●●●
    Are you sure you want to  Yes  No
    Your message goes here

U2F in Dashlane

  1. 1. U2F Under the Hood 1
  2. 2. What is U2F ?  Universal 2nd Factor  Open standard  Physical device using USB, NFC or Bluetooth (depends on model)  Goal: Strong authentication and online privacy  Initially developed by Google and Yubico  Maintained by FIDO Alliance  Draft W3C standard (Web Authentication)  Support in Chrome (now), FF and Edge (soon) 2
  3. 3. Dashlane User Experience 3 Registering an U2F key  Request to add a key  Insert key in USB port  Push button on key (if present)  Done !
  4. 4. Dashlane User Experience Login with a registered U2F key 4  Enter 1st authentication factor  Insert key in USB port  Push button on key (if present)  Done !
  5. 5. How does it work ? 5
  6. 6. Base Challenge – Response protocol 6 FIDO Authenticator (USB key) FIDO Client (Browser or App) Relying Party (Website) challenge challenge Sign challenge with private key sig(challenge) sig(challenge)  Classic Public/Private key challenge-response  Uses ECC (Elliptic Curve Cryptography) Decrypt signature with public key Validate data Generate and store random challenge
  7. 7. Registration challenge 7 FIDO Authenticator (USB key) FIDO Client (Browser or App) Relying Party (Website) app id, challenge Sign challenge, public key, app id and key handle pub key, handle, sig(challenge, pub key, handle, app id) Decrypt signature Validate data  Authenticator generates new public/private key pair for each registration  Additional data during registration:  Application id (challenge)  Public key + key handle (response) app id, challenge Generate key pair and key handle pub key, handle, sig(challenge, pub key, handle, app id) Store pub key, handle in account Generate and store random challenge
  8. 8. Authentication challenge 8 FIDO Authenticator (USB key) FIDO Client (Browser or App) Relying Party (Website) Generate and store random challenge handle, app id, challenge Sign challenge and app id sig(challenge, app id) Decrypt signature Validate data  Additional data during authentication:  Application id + key handle Find private key for key handle Grant access handle, app id, challenge Find key handle in user account sig(challenge, app id)
  9. 9. 9 Advantages
  10. 10. Strong privacy  Only guarantee of successful authentication challenge :  Same U2F key used for auth and registration  No unique identifier for the key  New key pair generated at every registration  No reliance on shared secret with the website (contrary to OTP)  A single U2F key can be used:  By same user on 2 websites  By 2 users on 1 website  By 1 user creating 2 accounts on same website  website can’t track the user by U2F key usage  Tracking is still possible by other means, of course 10
  11. 11. Protection against website security breach  OTP is vulnerable to security breach  If attacker steals shared secret, he can generate passwords  If the attacker steals U2F public key and key handle  Public key cryptography makes them useless for attacker  He can’t compute the private key  So he can’t authenticate on legitimate site 11
  12. 12. Protection against MITM or Phishing  Attacker intercepts and forwards user’s requests  Phishing mail with link to hacker’s site mimicking legitimate site  DNS spoof to redirect to hacker’s server  …  OTP is vulnerable  One-Time Passwords are still passwords  If the attacker can use it before the user, he wins 12
  13. 13. Protection against MITM or Phishing  U2F challenge message contains legitimate site’s app id  If the attacker doesn’t change the app id (  Browser knows challenge comes from wrong site ( or using wrong protocol ( using DNS spoof)  Browser denies usage of U2F key  If the attacker changes the app id  U2F key signs attacker’s app id with its private key  Legitimate site can see the app id in response doesn’t match his own 13
  14. 14. Support for unlimited number of websites  OTP requires client and server sharing a secret  Not a problem for software clients (e.g. Google Authenticator)  Cheap hardware has very limited storage  Yubikeys using OTP support at most 2 sites  U2F private key is retrieved from key handle  Software clients use key handle as index in private key map  Hardware clients can encrypt part of private key in key handle  Uses no storage  very cheap device  Safe as long as nobody else can decrypt key handle 14
  15. 15. Support for unlimited number of websites  Yubico’s implementation 15
  16. 16. Questions ? 16
  17. 17. We’re changing the world… one password at a time Dashlane wants to make identity and payment simple and secure everywhere! 17 Want to be a part of life in the Dashlane? Visit for all the info! Dashlane is a premier, award-winning password manager and digital wallet, intrinsically designed to make identity and payments simple and secure on every website and every device. We’re a rapidly growing, tech startup using the world’s best security and privacy architecture to simplify the lives of more than 3 billion Internet users worldwide. Since our first product launch in 2013, our brilliant team of engineers and developers tirelessly work on new coding challenges, build code using the latest up-to-date frameworks for native development across desktop and mobile, use cutting-edge web service architecture, and are at the forefront of building applications that help millions of people every day! So far, all of our hard work has been paying off! Dashlane was recently recognized by Google as one of the “Best of 2015” apps! Google also recognized our Android password manager as an Editors’ Choice winner on the Google Play Store, and selected Dashlane to demo its adoption of Android M fingerprint technology at Google I/O!
  18. 18. We work with the latest technology! See our code in action! Check out some of our projects on Github! In addition, each member of the Dashlane team can take some time to share his insights in Tech Conferences and become a thought leader in the tech community. 18 Alexis Fogel @ Droid Con Emmanuel Schalit @ The Dublin Web Summit Emmanuel Schalit @ Le Wagon Desktop Mobile Web App/Server Security Dashlane is dedicated to building high-quality user experiences on Mobile, Desktop, and on the web using the latest up-to-date technologies and languages.
  19. 19. Ready to join #LifeInTheDashlane? We’re filling our ranks from top to bottom with some of the smartest and friendliest developers and engineers in the industry! Come join us! Visit to learn more about joining the Dashlane team! 19 Also visit us here: