OTP code cards: Root of all evil
SMS: Coverage, delay, cost
OTP app (Google authenticator): Inconvenient, bad UX
OTP device: Cost, one per site, batteries, bad UX
Custom mobile app: Reach, cost, difficult to „get right“
Password alternatives/2nd factors
Too many choices
Meet U2F (universal second factor) security keys
Created by Google and Yubico
USB, NFC or Bluetooth
Communicates with browser using custom API
Phishing resistant (browser sends origin directly to token)
U2F Mandatory for all employees
Support of U2F for Google customers
U2F statistics from Google
U2F vs OTP
• >2x faster to authenticate
• Significant reduction in fraud cases
• Support reduced by 40%
Open alliance, similar to:
Defines standards and provides paid certification
allowing you to put FIDO sticker on your product
Essence of FIDO
(Diagram: Authenticator, FIDO authentication, User verification)
User verification: Ask user for verification; user provides gesture or biometrics
FIDO authentication: Challenge; Signed response
Set of standards for strong authentication
So, what is FIDO?
U2F
Universal second factor
UAF
Universal authentication framework
CTAP
Client to authenticator protocol
FIDO2 (WebAuthn + CTAP2)
Web authentication
Web Authentication: evolution of U2F
Official W3C standard: JavaScript API for communication with hardware authenticators
Supported by all major browsers (not yet Safari):
Driven by FIDO2 project (sub-spec of FIDO2)
Can be used as a second factor and as a first factor (password-less)
Multi-factor authenticators - protected by biometrics, PIN, etc.
Attestation: verifiable information about authenticator properties and manufacturer
Platform (built-in) authenticators + Bluetooth, NFC or USB external tokens
Open standard
Simple to use
Strong
Unphishable
Reusable hardware authenticators (tokens)
Built-in platform authenticators
Decoupling user verification from authentication (GDPR friendly)
WebAuthn goals for authentication
Decoupling user verification from authentication
FIDO authentication protocol
Verification: Local verification unlocks key on device
Authentication: Challenge signed by private key is used to authenticate to server
Not a silver bullet
Developers are still responsible for designing
smooth enrollment and account recovery flows
: the new gold standard for authentication
Protects against phishing
and credential theft
Allows hassle-free login
Already supported by major platforms
FIDO2 = WebAuthn + CTAP2
WebAuthn = Security keys or built-in authenticators
State of FIDO in .NET world
https://github.com/abergs/fido2-net-lib - pre-release nuget package
Crypto methods required by FIDO are not readily available in .NET
No announced built-in support in .NET Core 3.0