With 50,000 employees and more than a billion users, security and privacy are of critical importance to the Internet giant, Google. Two years ago, they set out with the goal of improving authentication through stronger security, increasing user satisfaction and lowering support costs. In that time, Google deployed FIDO Certified ® security keys. A detailed analysis by this data-driven company has demonstrated clear confirmation of how well FIDO’s approach is suited to making stronger, simpler authentication for employees and consumers.

1. A Google Case Study
Strong authentication for employees and consumers
Christiaan Brand, Google

2. Largest and most
secure infrastructure

3. Proprietary + Confidential
Mobile UI
Application
Network
Software
Hardware
Google Security Stack

4. Today we tackle authentication

5. Proprietary + Confidential
Protect Yourself And Your Users
It's easier than you think for someone to steal a password
Password Reuse Phishing Interception
Social Media
BANK

6. Proprietary + Confidential
123456
Most popular password in 2015
Source: SplashData:
https://www.teamsid.com/wor
st-passwords-2015/
password
2nd most popular password in 2015

7. Proprietary + Confidential
76%
of account
vulnerabilities were due
to weak or stolen
passwords
43%
success rate
for a well designed
phishing page
goo.gl/YYDM79

8. Proprietary + Confidential
SMS Usability
Coverage Issues,
Delay, User Cost
Device Usability
One Per Site,
Expensive, Fragile
User Experience
Users find it hard
Phishable
OTPs are increasingly
phished
$
?
Today: The reality of One Time Passwords

9. Proprietary + Confidential
Introducing FIDO U2F
Your Password
Security Key
Account Data

10. Core idea - Standard public key cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user.
● One device, many services, "bring your own device" enabled
Based on Asymmetric Cryptography

11. https://www.google.com

12. https://www.goggle.com

13. https://www.goggle.com

14. https://www.goggle.com

15. https://www.goggle.com
Passw
ord
goggle.com
google.com
Passw
ord

16. https://www.google.com “I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: google.com”

17. https://www.goggle.com
Passw
ord
goggle.com
google.com
Passw
ord
“I promise a user is here”,
“the server challenge was: 529402”,
“the origin was: goggle.com”

18. Google’s Experience

19. ● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
○ Adopted by other relying parties too: Dropbox, Github
Deployment at Google

20. Time to authenticate

21. Security Keys are faster to use than OTPs
"If you've been reading your e-mail" takeaway:
Time to authenticate

22. Second factor support incidents

23. Security Keys cause fewer support incidents
than OTPs
"If you've been reading your e-mail" takeaway:
Second factor support incidents

24. We’re not quite done

25. Proprietary + Confidential
Does this work
with a mobile?
How do we deploy
this at scale?
What if they
lose their key?
But what about other enterprises?

26. Proprietary + Confidential
Making progress towards stronger authentication
Productizing FIDO U2F

27. Proprietary + Confidential
Demo: Bootstrapping account

28. How can you get started?

29. Proprietary + Confidential
Resources
● To use with Google
Enable 2-Step Verification on your account
Go to: https://security.google.com
Click: 2-Step Verification
Click on the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code
https://github.com/google/u2f-ref-code
https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

30. Proprietary + Confidential
Questions?