FIDO Alliance, profile picture
Uploaded byFIDO Alliance
PDF, PPTX1,568 views

Becoming Unphishable

The document discusses the inadequacies of traditional passwords and the rise of phishing attacks, highlighting the introduction of security keys based on the FIDO U2F standard as a more secure, user-friendly authentication solution. It emphasizes Google's implementation and benefits of security keys, including faster authentication and fewer support incidents compared to one-time passwords. The document also outlines potential use cases and resources for adopting this technology.

Embed presentation

Download as PDF, PPTX
Confidential & Proprietary Becoming Unphishable Towards simpler, stronger authentication Grant Dasher CIS 2017
Confidential & Proprietary Introduction and Agenda Part of the team responsible for authentication at Google Agenda ● Passwords are broken ● Introducing Security Key ● Google’s Experience ○ Some numbers ○ We’re not quite done ● How can you get started?
Confidential & Proprietary Passwords are broken
Confidential & Proprietary Passwords are broken Phishing has become increasingly sophisticated ● More than ⅔ of incidents [in 2015] … involved phishing. With a 23% effectiveness rate* ● OTPs help against shared password, but it’s not safe to rely on them for phishing * http://www.verizonenterprise.com/DBIR/2015/ REUSED PHISHED KEYLOGGED
Confidential & Proprietary Is Phishing Effective?
Confidential & Proprietary Today’s solution: One Time Passwords SMS USABILITY Coverage Issues - Delay - User Cost DEVICE USABILITY One Per Site - Expensive - Fragile USER EXPERIENCE Users find it hard PHISHABLE German Police re: iTan: ".. we still lose money"
Confidential & Proprietary Introducing Security Key
Confidential & Proprietary Introducing Security Key Designed to solve authentication challenges ● For enterprises ● For consumers Based on FIDO U2F standard ● Safe: Unphishable / UnMITMable ● Easy: Insert and press button ● Compact: One device, many services
Confidential & Proprietary Simple operation 1 2 3 Userid & Password Insert, Press button Successful Sign in
Confidential & Proprietary Based on Asymmetric Cryptography Core idea - Standard public key cryptography ● User's device mints new key pair, gives public key to server ● Server asks user's device to sign data to verify the user. ● One device, many services, "bring your own device" enabled
Confidential & Proprietary Google’s experience
Confidential & Proprietary Deployment at Google ● Enterprise use case ○ Mandated for Google employees ○ Corporate SSO (Web) ○ SSH ○ Forms basis of all authentication ● Consumer use case ○ Available as opt-in for Google consumers ○ Adopted by other relying parties too: Dropbox, Github, Facebook
Confidential & Proprietary Time to authenticate
Confidential & Proprietary Time to authenticate Security Keys are faster to use than OTPs "If you've been reading your e-mail" takeaway:
Confidential & Proprietary Second Factor Support Incidents
Confidential & Proprietary Second Factor Support Incidents Security Keys cause fewer support incidents than OTPs "If you've been reading your e-mail" takeaway:
Confidential & Proprietary We're not quite done...
Confidential & Proprietary Ongoing work ● Wireless protocols ○ NFC, BLE ● More browsers ○ Firefox, Edge, more? ● More platforms ○ Android, Windows, OS X/iOS? ● V2 of the protocol ○ Device-centric authentication
Confidential & Proprietary How can you get started?
Confidential & Proprietary U2F use cases ● Internal enterprise authentication (B2B) Authenticate to your own web applications, mobile applications, etc ● Authenticate to your service providers (“token necklace”) U2F works well in a non-federated environment Complete isolation between various RPs ● External customer authentication Authenticate your high-value customers using U2F
Confidential & Proprietary Resources ● To use with Google Enable 2-Step Verification on your account Go to: https://security.google.com Click: 2-Step Verification Click on the Security Keys tab ● Also use with GitHub, Dropbox, Facebook ● And / or play with some code https://github.com/google/u2f-ref-code https://github.com/google/pyu2f https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
Confidential & Proprietary Q & A

More Related Content

PDF
FIDO Authentication & Blockchain
byFIDO Alliance
 
PPTX
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
byFIDO Alliance
 
PDF
FIDO Certified Program: Status & Futures
byFIDO Alliance
 
PDF
FIDO, Federation & Facebook Social Login
byFIDO Alliance
 
PDF
Javelin Research 2017 State of Authentication Report
byFIDO Alliance
 
PDF
Google Case Study: Strong Authentication for Employees and Consumers
byFIDO Alliance
 
PPTX
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
byFIDO Alliance
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
FIDO Authentication & Blockchain
byFIDO Alliance
 
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
byFIDO Alliance
 
FIDO Certified Program: Status & Futures
byFIDO Alliance
 
FIDO, Federation & Facebook Social Login
byFIDO Alliance
 
Javelin Research 2017 State of Authentication Report
byFIDO Alliance
 
Google Case Study: Strong Authentication for Employees and Consumers
byFIDO Alliance
 
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
byFIDO Alliance
 
FIDO Technical Specifications Overview
byFIDO Alliance
 

What's hot

PPTX
FIDO Authentication in Korea: Early Adoption & Rapid Innovation
byFIDO Alliance
 
PDF
Implementation Case Study by eWBM
byFIDO Alliance
 
PDF
Google Case Study - Towards simpler, stronger authentication
byFIDO Alliance
 
PPTX
Introduction to the FIDO Alliance: Vision & Status
byFIDO Alliance
 
PDF
Authentication and ID Proofing in Education
byFIDO Alliance
 
PDF
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
byFIDO Alliance
 
PPTX
FIDO Authentication: Unphishable MFA for All
byFIDO Alliance
 
PDF
Business Considerations for Deploying FIDO Authentication
byFIDO Alliance
 
PDF
Introduction to the FIDO Alliance
byFIDO Alliance
 
PDF
NIST 800-63 Guidance & FIDO Authentication
byFIDO Alliance
 
PPTX
Google Case Study: Becoming Unphishable
byFIDO Alliance
 
PDF
FIDO And the Future of User Authentication
byFIDO Alliance
 
PPTX
Getting to Know the FIDO Specifications - Technical Tutorial
byFIDO Alliance
 
PDF
Introduction to the FIDO Alliance
byFIDO Alliance
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PDF
NTT DOCOMO Deployment Case Study
byFIDO Alliance
 
PDF
Consumer Authentication Trends in APAC
byFIDO Alliance
 
PDF
The Value of FIDO Alliance Membership
byFIDO Alliance
 
PDF
Google FIDO Authentication Case Study
byFIDO Alliance
 
PPTX
U2F Tutorial - Authentication Tokens for Enterprise and Consumers
byFIDO Alliance
 
FIDO Authentication in Korea: Early Adoption & Rapid Innovation
byFIDO Alliance
 
Implementation Case Study by eWBM
byFIDO Alliance
 
Google Case Study - Towards simpler, stronger authentication
byFIDO Alliance
 
Introduction to the FIDO Alliance: Vision & Status
byFIDO Alliance
 
Authentication and ID Proofing in Education
byFIDO Alliance
 
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
byFIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
byFIDO Alliance
 
Business Considerations for Deploying FIDO Authentication
byFIDO Alliance
 
Introduction to the FIDO Alliance
byFIDO Alliance
 
NIST 800-63 Guidance & FIDO Authentication
byFIDO Alliance
 
Google Case Study: Becoming Unphishable
byFIDO Alliance
 
FIDO And the Future of User Authentication
byFIDO Alliance
 
Getting to Know the FIDO Specifications - Technical Tutorial
byFIDO Alliance
 
Introduction to the FIDO Alliance
byFIDO Alliance
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
NTT DOCOMO Deployment Case Study
byFIDO Alliance
 
Consumer Authentication Trends in APAC
byFIDO Alliance
 
The Value of FIDO Alliance Membership
byFIDO Alliance
 
Google FIDO Authentication Case Study
byFIDO Alliance
 
U2F Tutorial - Authentication Tokens for Enterprise and Consumers
byFIDO Alliance
 

Similar to Becoming Unphishable

PDF
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
byFIDO Alliance
 
PDF
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
byFIDO Alliance
 
PDF
Google & FIDO Authentication
byFIDO Alliance
 
PDF
Yubico case-study-google
byWJN
 
PPTX
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
byFIDO Alliance
 
PPTX
Passwords are passé. WebAuthn is simpler, stronger and ready to go
byMichael Furman
 
PPTX
Hardware Authentication
byCoder Tech
 
PPTX
Computer System Security User Authentication
bymhhgqqbmrk
 
PDF
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...
byConorGilsenan1
 
PDF
Web Authn & Security Keys: Unlocking the Key to Authentication
byFIDO Alliance
 
PDF
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
byQAFest
 
PDF
AuthN & AuthZ testing: it’s not only about the login form
byDiana Pinchuk
 
PPTX
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
byDakiry
 
PPTX
FIDO-U2F-Case-Study_Hanson.pptx
byVladVlad504281
 
PDF
2 Factor Authentication for Wordpress
byAskkiz - Security, Cloud & Social Media GRCS
 
PDF
Ouch 201211 en
byHai Nguyen
 
PDF
Passkeys are Here - Now What? - Introduction
bydtpentest
 
PPTX
FIDO Alliance: Year in Review Webinar slides from January 20 2016
byFIDO Alliance
 
PDF
U2F in Dashlane
byDashlane
 
PDF
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
byRob Dudley
 
Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton
byFIDO Alliance
 
Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authenticat...
byFIDO Alliance
 
Google & FIDO Authentication
byFIDO Alliance
 
Yubico case-study-google
byWJN
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
byFIDO Alliance
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
byMichael Furman
 
Hardware Authentication
byCoder Tech
 
Computer System Security User Authentication
bymhhgqqbmrk
 
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...
byConorGilsenan1
 
Web Authn & Security Keys: Unlocking the Key to Authentication
byFIDO Alliance
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
byQAFest
 
AuthN & AuthZ testing: it’s not only about the login form
byDiana Pinchuk
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
byDakiry
 
FIDO-U2F-Case-Study_Hanson.pptx
byVladVlad504281
 
2 Factor Authentication for Wordpress
byAskkiz - Security, Cloud & Social Media GRCS
 
Ouch 201211 en
byHai Nguyen
 
Passkeys are Here - Now What? - Introduction
bydtpentest
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
byFIDO Alliance
 
U2F in Dashlane
byDashlane
 
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
byRob Dudley
 

More from FIDO Alliance

PPTX
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
PPTX
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
PPTX
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
PPTX
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
PPTX
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 

Recently uploaded

PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
final.pdf
byomarbishtawi04
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
apidays New York 2025 | AI in Application Security
byapidays
 

Becoming Unphishable

  • 1.
    Confidential & Proprietary BecomingUnphishable Towards simpler, stronger authentication Grant Dasher CIS 2017
  • 2.
    Confidential & Proprietary Introductionand Agenda Part of the team responsible for authentication at Google Agenda ● Passwords are broken ● Introducing Security Key ● Google’s Experience ○ Some numbers ○ We’re not quite done ● How can you get started?
  • 3.
  • 4.
    Confidential & Proprietary Passwordsare broken Phishing has become increasingly sophisticated ● More than ⅔ of incidents [in 2015] … involved phishing. With a 23% effectiveness rate* ● OTPs help against shared password, but it’s not safe to rely on them for phishing * http://www.verizonenterprise.com/DBIR/2015/ REUSED PHISHED KEYLOGGED
  • 5.
    Confidential & Proprietary IsPhishing Effective?
  • 6.
    Confidential & Proprietary Today’ssolution: One Time Passwords SMS USABILITY Coverage Issues - Delay - User Cost DEVICE USABILITY One Per Site - Expensive - Fragile USER EXPERIENCE Users find it hard PHISHABLE German Police re: iTan: ".. we still lose money"
  • 7.
  • 8.
    Confidential & Proprietary IntroducingSecurity Key Designed to solve authentication challenges ● For enterprises ● For consumers Based on FIDO U2F standard ● Safe: Unphishable / UnMITMable ● Easy: Insert and press button ● Compact: One device, many services
  • 9.
    Confidential & Proprietary Simpleoperation 1 2 3 Userid & Password Insert, Press button Successful Sign in
  • 10.
    Confidential & Proprietary Basedon Asymmetric Cryptography Core idea - Standard public key cryptography ● User's device mints new key pair, gives public key to server ● Server asks user's device to sign data to verify the user. ● One device, many services, "bring your own device" enabled
  • 11.
  • 12.
    Confidential & Proprietary Deploymentat Google ● Enterprise use case ○ Mandated for Google employees ○ Corporate SSO (Web) ○ SSH ○ Forms basis of all authentication ● Consumer use case ○ Available as opt-in for Google consumers ○ Adopted by other relying parties too: Dropbox, Github, Facebook
  • 13.
  • 14.
    Confidential & Proprietary Timeto authenticate Security Keys are faster to use than OTPs "If you've been reading your e-mail" takeaway:
  • 15.
    Confidential & Proprietary SecondFactor Support Incidents
  • 16.
    Confidential & Proprietary SecondFactor Support Incidents Security Keys cause fewer support incidents than OTPs "If you've been reading your e-mail" takeaway:
  • 17.
  • 18.
    Confidential & Proprietary Ongoingwork ● Wireless protocols ○ NFC, BLE ● More browsers ○ Firefox, Edge, more? ● More platforms ○ Android, Windows, OS X/iOS? ● V2 of the protocol ○ Device-centric authentication
  • 19.
    Confidential & Proprietary Howcan you get started?
  • 20.
    Confidential & Proprietary U2Fuse cases ● Internal enterprise authentication (B2B) Authenticate to your own web applications, mobile applications, etc ● Authenticate to your service providers (“token necklace”) U2F works well in a non-federated environment Complete isolation between various RPs ● External customer authentication Authenticate your high-value customers using U2F
  • 21.
    Confidential & Proprietary Resources ●To use with Google Enable 2-Step Verification on your account Go to: https://security.google.com Click: 2-Step Verification Click on the Security Keys tab ● Also use with GitHub, Dropbox, Facebook ● And / or play with some code https://github.com/google/u2f-ref-code https://github.com/google/pyu2f https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
  • 22.