The document discusses the vulnerabilities of traditional password-based authentication and the need for stronger, more secure alternatives like security keys. It outlines how security keys operate using public key cryptography, significantly reducing phishing risks and support incidents. Additionally, it provides guidance for deploying security keys at scale and using them with various platforms, including Google and others.

1. Proprietary + Confidential
Becoming Unphishable
Towards Simpler, Stronger Authentication
Christiaan Brand, Google

2. Largest and most
secure infrastructure

3. Proprietary + Confidential
Mobile UI
Application
Network
Software
Hardware
Google Security Stack

4. Today we tackle authentication

5. Proprietary + Confidential
Protect Yourself And Your Users
It's easier than you think for someone to steal a password
Password Reuse Phishing Interception
Social Media
BANK

6. Proprietary + Confidential
123456
Most popular password in 2015
Source: SplashData:
https://www.teamsid.com/wor
st-passwords-2015/
password
2nd most popular password in 2015

7. Proprietary + Confidential
76%
of account
vulnerabilities were due
to weak or stolen
passwords
43%
success rate
for a well designed
phishing page
goo.gl/YYDM79

8. Proprietary + Confidential
SMS Usability
Coverage Issues,
Delay, User Cost
Device Usability
One Per Site,
Expensive, Fragile
User Experience
Users find it hard
Phishable
OTPs are increasingly
phished
$
?
Today: The reality of One Time Passwords

9. Confidential + Proprietary
Web authentication
Password
Server
https://www.google.com

10. Confidential + Proprietary
https://www.goggle.com
https://www.goggle.com

11. Confidential + Proprietary
https://www.goggle.com
Password
google.com
Password
Phishing attack

12. Confidential + Proprietary
https://www.goggle.com

13. Introducing the Security Key
Your Password
Security Key
Account Data

14. Core idea - Standard public key cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user.
● One device, many services, "bring your own device" enabled
Based on Asymmetric Cryptography

15. Confidential + Proprietary
“I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: google.com”
https://www.google.com
Password
Server
How security key works

16. Confidential + Proprietary
“I promise a user is here”,
“the server challenge was: 529402”,
“the origin was: goggle.com”
https://www.goggle.com
Password Password
Server
Security key defeats phishing

17. Google’s Experience

18. ● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
Deployment at Google

19. Use cases at Google
● Bootstrapping
○ Only used when an employee signs in on a new device the first time
○ This protects against phishing
○ Removable Security Key is carried as part of badge
● Hardware credential binding
○ Once I’ve signed in to a device, long lived tokens (cookies, etc) is usually
issued
○ Every once in a while, a local security key touch is required which is
presented in combination with this local token - this is done to ensure that
the token is still presented from a machine we trust

20. Time to authenticate

21. Security Keys are faster to use than OTPs
"If you've been reading your e-mail" takeaway:
Time to authenticate

22. Second factor support incidents

23. Security Keys cause fewer support incidents
than OTPs
"If you've been reading your e-mail" takeaway:
Second factor support incidents

24. We’re not quite done

25. Proprietary + Confidential
Does this work
with a mobile?
How do we deploy
this at scale?
What if they
lose their key?
But what about other enterprises?

26. Proprietary + Confidential
Making progress towards stronger authentication
Productizing FIDO U2F

27. Proprietary + Confidential
Demo: Bootstrapping account

28. How can you get started?

29. Proprietary + Confidential
Resources
● To use with Google
Enable 2-Step Verification on your account
Go to: https://security.google.com
Click: 2-Step Verification
Click on the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code
https://github.com/google/u2f-ref-code
https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

30. Proprietary + Confidential
Questions?