A behind the scenes look at how Google deployed FIDO Authentication for employees and customers in their efforts towards simpler, stronger authentication.
Introduction to FIDO: A New Model for Authentication (FIDO Alliance)
An overview of FIDO authentication with a special section on government and policy. This was presented at the European Policy Forum by Jeremy Grant, managing director of The Chertoff Group.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
FIDO U2F (Universal Authentication Framework) Specifications: Overview & Tutorial
by Jerrod Chong, Yubico
Explore how FIDO U2F works and how it is used in the world today.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
Learn how FIDO standards complement federation protocols. These guidelines detail how to integrate the two in order to add support for FIDO-based multi-factor authentication and replace or supplement traditional authentication methods in federation environments.
Developer Tutorial: WebAuthn for Web & FIDO2 for Android (FIDO Alliance)
This tutorial walks through how to build a website with simple re-authentication functionality using a fingerprint sensor. Re-authentication is a concept where a user signs in to a website once, then authenticates again when they try to enter important sections of the website, or come back after a certain interval, in order to protect the account. It also covers how to build an Android app with simple re-authentication functionality using a fingerprint sensor. There, re-authentication means a user signs in to an app once, then authenticates again when they come back to the app or try to access an important section of it.
WebAuthn and Security Keys = Unlocking the key to authentication by John Fontana, Yubico on behalf of Christiaan Brand at Google
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
This presentation details the FIDO Alliance Certification Program - including an overview of the programs, process and the value of certification for both vendors and relying parties.
Draft: building secure applications with keycloak (oidc/jwt) (Abhishek Koserwal)
Building an enterprise-level single sign-on application with the help of Keycloak (open source identity and access management), understanding how to secure your application's frontend and backend APIs, and managing user federation with minimum configuration.
Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication (FIDO Alliance)
Brand is part of the team responsible for authentication at Google. Overview of how today's solution to phishing is one time passwords. Introduces and explains Google's experience with security keys. Describes Google's ongoing work and explains how to get started with FIDO Authentication.
Google Case Study: Strong Authentication for Employees and Consumers (FIDO Alliance)
With 50,000 employees and more than a billion users, security and privacy are of critical importance to the Internet giant, Google. Two years ago, they set out with the goal of improving authentication through stronger security, increasing user satisfaction and lowering support costs. In that time, Google deployed FIDO Certified® security keys. A detailed analysis by this data-driven company has demonstrated clear confirmation of how well FIDO’s approach is suited to making stronger, simpler authentication for employees and consumers.
Google Case Study: Becoming Unphishable (FIDO Alliance)
Brand is part of the team responsible for authentication at Google. Overview of how today's solution to phishing is one time passwords. Introduces and explains Google's experience with security keys. Describes Google's ongoing work and explains how to get started with FIDO Authentication.
5. Proprietary + Confidential
Protect Yourself And Your Users
It's easier than you think for someone to steal a password
● Password Reuse
● Phishing
● Interception
(Diagram labels: Social Media, BANK)
6. 123456
Most popular password in 2015
password
2nd most popular password in 2015
Source: SplashData: https://www.teamsid.com/worst-passwords-2015/
7. 76% of account vulnerabilities were due to weak or stolen passwords
43% success rate for a well designed phishing page
goo.gl/YYDM79
8. Today: The reality of One Time Passwords
● SMS Usability: Coverage Issues, Delay, User Cost
● Device Usability: One Per Site, Expensive, Fragile
● User Experience: Users find it hard
● Phishable: OTPs are increasingly phished
14. Core idea - Standard public key cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user.
● One device, many services, "bring your own device" enabled
Based on Asymmetric Cryptography
15. How security key works
https://www.google.com
“I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: google.com”
(Diagram labels: Password, Server)
16. Security key defeats phishing
https://www.goggle.com
“I promise a user is here”,
“the server challenge was: 529402”,
“the origin was: goggle.com”
(Diagram labels: Password, Password, Server)
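The exchange on slides 15 and 16, as an added example that is not code from the deck, Google or the FIDO Alliance: a key signs a statement containing the server challenge and the origin the browser saw, and the server rejects a statement relayed through the look-alike origin. `mintSecurityKey`, `makeServer` and the JSON statement layout are hypothetical simplifications; real U2F/WebAuthn messages are binary and carry more fields.

```javascript
// Added illustration: simplified model of the signed statement shown on the slides.
const nodeCrypto = require('crypto');

// Hypothetical security key: mints a key pair and gives the public key to the server.
function mintSecurityKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // `origin` is supplied by the browser from the address bar, not by the page.
    sign(challenge, origin) {
      const statement = JSON.stringify({ userPresent: true, challenge, origin });
      return { statement, signature: nodeCrypto.sign('sha256', Buffer.from(statement), privateKey) };
    },
  };
}

// Hypothetical server: issues single-use challenges and checks the signed statement.
function makeServer(expectedOrigin, publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = nodeCrypto.randomInt(100000, 1000000).toString();
      pending.add(c);
      return c;
    },
    verify({ statement, signature }) {
      // Check the signature before trusting any field of the statement.
      if (!nodeCrypto.verify('sha256', Buffer.from(statement), publicKey, signature)) return 'bad signature';
      const { userPresent, challenge, origin } = JSON.parse(statement);
      if (!pending.delete(challenge)) return 'unknown or replayed challenge';
      if (origin !== expectedOrigin) return 'origin mismatch';
      if (!userPresent) return 'no user presence';
      return 'ok';
    },
  };
}

// First the user is on the real site; then on the look-alike site, which relays
// the real server's challenge and forwards the key's answer.
function demo() {
  const key = mintSecurityKey();
  const server = makeServer('https://www.google.com', key.publicKey);
  const genuine = server.verify(key.sign(server.newChallenge(), 'https://www.google.com'));
  const relayed = key.sign(server.newChallenge(), 'https://www.goggle.com');
  const phished = server.verify(relayed);
  const replayed = server.verify(relayed); // the same answer sent a second time
  return { genuine, phished, replayed };
}
```

Editing the origin inside a relayed statement does not help the look-alike site, because the signature no longer matches the changed text.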
18. Deployment at Google
● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
19. Use cases at Google
● Bootstrapping
○ Only used when an employee signs in on a new device the first time
○ This protects against phishing
○ Removable Security Key is carried as part of badge
● Hardware credential binding
○ Once I’ve signed in to a device, long lived tokens (cookies, etc) are usually issued
○ Every once in a while, a local security key touch is required which is presented in combination with this local token - this is done to ensure that the token is still presented from a machine we trust
25. Does this work with a mobile?
How do we deploy this at scale?
What if they lose their key?
But what about other enterprises?
29. Resources
● To use with Google
Enable 2-Step Verification on your account
Go to: https://security.google.com
Click: 2-Step Verification
Click on the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code
https://github.com/google/u2f-ref-code
https://developers.yubico.com/U2F/Libraries/List_of_libraries.html