FIDO U2F Specifications: Overview & Tutorial
•
1 like•2,911 views
FIDO U2F (Universal Authentication Framework) Specifications: Overview & Tutorial by Jerrod Chong, Yubico Explore how FIDO U2F works and how it is used in the world today. The FIDO Alliance invites you to learn how simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to FIDO U2F Specifications: Overview & Tutorial
Similar to FIDO U2F Specifications: Overview & Tutorial (20)
More from FIDO Alliance
More from FIDO Alliance (20)
Recently uploaded
Recently uploaded (20)
FIDO U2F Specifications: Overview & Tutorial
- 1. FIDO UNIVERSAL SECOND FACTOR (U2F) SPECIFICATIONS OVERVIEW
- 2. 2 What is FIDO U2F?
- 3. 3 Simple, Secure, Scalable 2FA
- 4. FIDO U2F Core Benefits • Simple, one touch 2FA • One device works across an unlimited number of sites • Secures against phishing and man-in-the-middle attacks • No secrets shared between sites, protects user privacy Notable Services/Apps 4
- 5. Easy Two-Step Process • Cross-platform support • Across multiple device types • Contactless and tokenless options 5
- 6. Why not just the phone? • Security • Accessibility • Speed • Reliability • Durability • Backup • Privacy 6
- 7. Stats from Google Deployment • Mandatory for all Google staff and contractors • Support for Google end-users All Rights Reserved. FIDO Alliance. Copyright 2016. 7 U2F vs Google Authenticator • 4x faster to login • Significant fraud reduction • Support reduced by 40%
- 8. 8 Server sends challenge1 Server receives and verifies device signature using attestation cert5 Key handle and public key are stored in database6 Device generates key pair2 Device creates key handle3 Device signs challenge + client info4 Registration Server sends challenge + key handle1 Server receives and verifies using stored public key4 Device unwraps/derives private key from key handle2 Device signs challenge + client info3 Authentication IndividualwithU2FDevice RelyingParty
- 9. Relying Party User Side U2F Code USB (HID) API U2F JS API Secure U2F Element Transport USB (HID) Web Application U2F Library Public Keys + KeyHandles + Certificates User Action FIDO Client Browser U2F Authenticator U2F Entities
- 11. U2F Device Client Relying Party challenge challenge Sign with kpriv signature(challenge) s Check signature (s) using kpub s Lookup kpub Authentication
- 12. U2F Device Client Relying Party challenge challenge, origin, channel id Sign with kpriv signature(c) c, s Check s using kpub Verify origin & channel id s Lookup kpub Phishing/MitM Protection
- 13. U2F Device Client Relying Party handle, app id, challenge h, a; challenge, origin, channel id, etc. c a Check app id Lookup the kpriv associated with h Sign with kpriv signature(a,c) c, s Check s using kpub Verify origin & channel id s h Lookup the kpub associated with h Application-Specific Keys
- 14. U2F Device Client Relying Party handle, app id, challenge h, a; challenge, origin, channel id, etc. c a Check app id Lookup the kpriv associated with h Sign with kpriv counter++ counter, signature(a,c, counter) counter, c, s Check s using kpub Verify origin, channel id & counter s h Lookup the kpub associated with h Device Cloning
- 15. U2F Device Client Relying Party app id, challenge a; challenge, origin, channel id, etc. c a Check app id Generate: kpub kpriv handle h kpub, h, attestation cert, signature(a,c,kpub,h) c, kpub, h, attestation cert, s Associate kpub with handle h for user s Registration + Device Attestation
- 16. Adding U2F Support Original DB Original Database user_id Password# JohnDoe 4^hfd;`gpo U2F Database U2F DB Relation Relying Party user_id Meta U2F Data JohnDoe Yubico, Security Key, USB key handle, public key, certificate JohnDoe Yubico, YubiKey NEO, USB + NFC key handle, public key, certificate
- 17. Mobile FIDO U2F/FIDO 2.0 • NFC (today) Tap U2F device on NFC phone • Bluetooth (Q4, 2016) Touch button on Bluetooth U2F device • Mobile client (in development) SDK for app developers (passwordless, tokenless, using device biometrics to unlock) • Future: FIDO 2 Device-to-device 17
- 18. U2F Ecosystem Beyond Chrome ● Mozilla Firefox (in development) ● Microsoft Edge (in development) ○ seamless upgrade path to FIDO 2.0 ● Native client ○ Dashlane password manager client ○ Windows credential provider with U2F ○ Opensource host libraries available 18