FIDO U2F in 10 Minutes
Dirk Balfanz
(Google)
The U2F solution: How it works
●  One device, many services
●  Easy: Insert and press button
●  Safe: Un-phishable Security
U2F Protocol
Core idea: Standard public key cryptography:
●  User's device mints new key pair, gives public key to server
●  Server asks user's device to sign data to verify the user.
●  One device, many services, "bring your own device" enabled
Lots of refinement for this to be consumer facing:
●  Privacy: Site Specific Keys, No unique ID per device
●  Security: No phishing, no man-in-the-middle attacks
●  Trust: Verify who made the device
●  Pragmatics: Affordable today, ride hardware cost curve down
●  Speed for user: Fast crypto in device (Elliptic Curve)
Think "Smartcard re-designed for modern consumer web"
[Diagram slides: the user's device sends proofThatUserIsThere to the server; in the phishing case a phisher sits between the user and the server and relays the message. Labels: "this is where the key is" (the device), "this guy knows the key" (the server).]
proofThatUserIsThere, signed by the device:
“I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: accounts.google.com”,
“the TLS connection state was: 342384”
[Diagram: Relying Party and FIDO Client, with the steps 1. Setup, 2. Processing, 3. Verification.]
User Presence API
// callback must exist before the API call that receives it
var callback = function(response) {
  sendToServer(
    response['clientData'],
    response['tokenData']);
};
u2f.register({
  'challenge': 'KSDJsdASAS-AIS_AsS',
  'app_id': 'https://www.google.com/facets.json'
}, callback);
var callback = function(response) {
  sendToServer(
    response['clientData'],
    response['tokenData']);
};
u2f.handleRegistrationRequest({
  'challenge': 'KSDJsdASAS-AIS_AsS',
  'app_id': 'https://www.google.com/facets.json'
}, callback);
User Presence API
clientData (registration):
{
  "typ":"register",
  "challenge":"KSDJsdASAS-AIS_AsS",
  "cid_pubkey": {
    "kty":"EC",
    "crv":"P-256",
    "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
    "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
  },
  "origin":"https://accounts.google.com"
}
User Presence API
var callback = function(response) {
  sendToServer(
    response['clientData'],
    response['tokenData']);
};
u2f.sign({
  'challenge': 'KSDJsdASAS-AIS_AsS',
  'app_id': 'https://www.google.com/facets.json',
  'key_handle': 'JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD'
}, callback);
clientData (authentication):
{
"typ":"authenticate",
"challenge":"KSDJsdASAS-AIS_AsS",
"cid_pubkey": {
"kty":"EC",
"crv":"P-256",
"x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
"y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
},
"origin":"https://accounts.google.com"
}
Thanks!
Registration (U2F Token / FIDO Client/Browser / Relying Party)
1. Relying Party -> Client: app id, challenge
2. Client forms a = app id and c = client data (challenge, origin, channel id, etc.) and passes a, c to the token
3. Token: check app id; generate key pair kpub, kpriv and key handle h
4. Token -> Client: kpub, h, attestation cert, s = signature(a, c, kpub, h)
5. Client -> Relying Party: c, kpub, h, attestation cert, s
6. Relying Party: store key kpub and handle h for the cookie-identified user
Authentication (same parties)
1. Relying Party -> Client: key handle h, app id, challenge
2. Client forms a = app id and c = client data (challenge, origin, channel id, etc.) and passes h, a, c to the token
3. Token: check app id; retrieve key kpriv from handle h; counter++
4. Token -> Client: counter, s = signature(a, c, counter)
5. Client -> Relying Party: counter, c, s
6. Relying Party: retrieve key kpub from handle h; check signature s using key kpub; set cookie
What if…
...I want to accept U2F logins?
●  Browser: Call JS APIs
o  available in Google Chrome, others need extensions
●  Server: Implement registration flow
o  decide how to handle attestation certificates
o  verify registration response
o  store public key, key handle with user account
●  Server: Implement login flow
o  check username/password, look up key handle
o  verify authentication response (origin, signature, counter, …)
●  Check your account recovery flow
What if…
...I want to offer a USB U2F token?
●  Implement ECDSA P-256
●  Implement counter
●  Decide on key handle strategy
o  must recover private key, app id
●  Implement USB framing spec
●  No responses without user presence!
o  (with one exception)
o  check that app id matches
Coming Soon
●  Other platforms: browsers on Android, etc.
●  Other platforms: native apps on Android, etc.
●  Other message framing: BLE, NFC, etc.
●  Other plugin mechanisms: ASM
FIDO U2F in 10 Minutes (CIS 2015)

  • 1. FIDO U2F in 10 Minutes Dirk Balfanz (Google)
  • 2. The U2F solution: How it works
      ●  One device, many services
      ●  Easy: Insert and press button
      ●  Safe: Un-phishable Security
  • 3. U2F Protocol
      Core idea: Standard public key cryptography:
      ●  User's device mints new key pair, gives public key to server
      ●  Server asks user's device to sign data to verify the user.
      ●  One device, many services, "bring your own device" enabled
      Lots of refinement for this to be consumer facing:
      ●  Privacy: Site Specific Keys, No unique ID per device
      ●  Security: No phishing, man-in-the-middles
      ●  Trust: Verify who made the device
      ●  Pragmatics: Affordable today, ride hardware cost curve down
      ●  Speed for user: Fast crypto in device (Elliptic Curve)
      Think "Smartcard re-designed for modern consumer web"
  • 4. (diagram only, no slide text)
  • 5. (diagram only, no slide text)
  • 8. proofThatUserIsThere, signed:
      “I promise a user is here”,
      “the server challenge was: 337423”,
      “the origin was: accounts.google.com”,
      “the TLS connection state was: 342384”
  • 9. proofThatUserIsThere, signed (same content as slide 8), with diagram labels:
      “this is where the key is”, “this guy knows the key”
  • 10. Relying Party / FIDO Client: 1. Setup, 2. Processing, 3. Verification
  • 11. User Presence API
      // Registration: the RP supplies the challenge and the app id (facet list URL);
      // the callback forwards the client data and token response to the server.
      var callback = function(response) {
        sendToServer(
          response['clientData'],
          response['tokenData']);
      };

      u2f.register({
        'challenge': 'KSDJsdASAS-AIS_AsS',
        'app_id': 'https://www.google.com/facets.json'
      }, callback);
  • 12. User Presence API
      var callback = function(response) {
        sendToServer(
          response['clientData'],
          response['tokenData']);
      };

      u2f.handleRegistrationRequest({
        'challenge': 'KSDJsdASAS-AIS_AsS',
        'app_id': 'https://www.google.com/facets.json'
      }, callback);

      clientData (built by the FIDO client, signed by the token):
      {
        "typ":"register",
        "challenge":"KSDJsdASAS-AIS_AsS",
        "cid_pubkey": {
          "kty":"EC",
          "crv":"P-256",
          "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
          "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
        },
        "origin":"https://accounts.google.com"
      }
  • 13. User Presence API
      // Authentication: the RP additionally supplies the key handle it stored at registration.
      var callback = function(response) {
        sendToServer(
          response['clientData'],
          response['tokenData']);
      };

      u2f.sign({
        'challenge': 'KSDJsdASAS-AIS_AsS',
        'app_id': 'https://www.google.com/facets.json',
        'key_handle': 'JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD'
      }, callback);
  • 14. User Presence API
      var callback = function(response) {
        sendToServer(
          response['clientData'],
          response['tokenData']);
      };

      u2f.sign({
        'challenge': 'KSDJsdASAS-AIS_AsS',
        'app_id': 'https://www.google.com/facets.json',
        'key_handle': 'JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD'
      }, callback);

      clientData (built by the FIDO client, signed by the token):
      {
        "typ":"authenticate",
        "challenge":"KSDJsdASAS-AIS_AsS",
        "cid_pubkey": {
          "kty":"EC",
          "crv":"P-256",
          "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
          "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
        },
        "origin":"https://accounts.google.com"
      }
  • 16. Registration (U2F Token / FIDO Client or Browser / Relying Party)
      Relying Party → Client: app id a, challenge
      Client: check app id; build client data c (challenge, origin, channel id, etc.)
      Client → Token: a, c
      Token: generate key pair (kpub, kpriv) and key handle h
      Token → Client: kpub, h, attestation cert, signature s over (a, c, kpub, h)
      Client → Relying Party: c, kpub, h, attestation cert, s
      Relying Party: store key kpub and handle h; set cookie
  • 17. Authentication (U2F Token / FIDO Client or Browser / Relying Party)
      Relying Party → Client: key handle h, app id a, challenge
      Client: check app id; build client data c (challenge, origin, channel id, etc.)
      Client → Token: h, a, c
      Token: retrieve key kpriv from handle h; counter++
      Token → Client: counter, signature s over (a, c, counter)
      Client → Relying Party: counter, c, s
      Relying Party: retrieve key kpub from handle h; check signature s using kpub; set cookie
  • 18. What if… ...I want to accept U2F logins?
      ●  Browser: Call JS APIs
          o  available in Google Chrome, others need extensions
      ●  Server: Implement registration flow
          o  decide how to handle attestation certificates
          o  verify registration response
          o  store public key, key handle with user account
      ●  Server: Implement login flow
          o  check username/password, look up key handle
          o  verify authentication response (origin, signature, counter, …)
      ●  Check your account recovery flow
  • 19. What if… ...I want to offer a USB U2F token?
      ●  Implement ECDSA P-256
      ●  Implement counter
      ●  Decide on key handle strategy
          o  must recover private key, app id
      ●  Implement USB framing spec
      ●  No responses without user presence!
          o  (with one exception)
          o  check that app id matches
  • 20. Coming Soon
      ●  Other platforms: browsers on Android, etc.
      ●  Other platforms: native apps on Android, etc.
      ●  Other message framing: BLE, NFC, etc.
      ●  Other plugin mechanisms: ASM