Security keys provide stronger authentication than text or call-based two-factor authentication by requiring a physical device to log in. They use standards like FIDO U2F and FIDO2 to generate unique keys for each service, preventing stolen credentials from being used across sites. While not hackproof, security keys like YubiKey are currently the most secure option for two-factor authentication. Suppliers offer various options that support different device types and protocols.
Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication (FIDO Alliance)
Brand is part of the team responsible for authentication at Google. Overview of how today's solution to phishing is one time passwords. Introduces and explains Google's experience with security keys. Describes Google's ongoing work and explains how to get started with FIDO Authentication.
Google Case Study: Becoming Unphishable (FIDO Alliance)
Brand is part of the team responsible for authentication at Google. Overview of how today's solution to phishing is one time passwords. Introduces and explains Google's experience with security keys. Describes Google's ongoing work and explains how to get started with FIDO Authentication.
[CB16] BLE authentication design challenges on smartphone controlled IoT devi... (CODE BLUE)
Smartphones are commonly used as the controller and Internet gateway for BLE-enabled IoT devices. Designing a strong authentication protocol between them is a key part of IoT security. However, mobile app design faces many challenges, such as limited input and output interfaces as well as user privacy protection features. Due to these restrictions, many vendors have given up on BLE's built-in Security Manager protocol and chosen to build their own authentication protocols.
This study focused on a generalized method to analyze these BLE authentication protocols, discovering and solving the challenges mentioned above. We applied this method to commercial products, including the popular Gogoro Smart Scooter from Taiwan. We will demo that under certain circumstances it is possible to dump the key used to unlock your Gogoro Scooter and send fake BLE authentication protocol packets to steal the scooter.
--- Chen-yu Dai [GD]
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence Program and Platforms, consulting enterprise cyber defenses.
He is studying at the graduate school of Department of Information Management in the National Taiwan University of Science and Technology.
He also volunteered as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan.
He has received many prizes from domestic and international CTFs, as well as bug bounty programs.
--- Shi-Cho Cha [CSC]
Professor Shi-Cho Cha [CSC]
Shi-Cho Cha (CSC) is currently an associate professor at the Department of Information Management in the National Taiwan University of Science and Technology, where he has been a faculty member since 2006. He received his B.S. and Ph.D. in Information Management from the National Taiwan University in 1996 and 2003. He is a certified PMP, CISSP, CCFP and CISM.
From 2000 to 2003, he was a senior consultant at eLand Technologies and served as project leader developing several e-marketing systems. From 2003 to 2006, he was a manager at PricewaterhouseCoopers, Taiwan, and helped several major government agencies develop their information security management systems.
Recently, he helped NTUST establish a security analysis workforce and helped several organizations evaluate their system security. His current research interests are in the areas of information security management, identity management, smartphone security, and IoT security.
Hello guys, my name is Punit Pandey. I am pursuing an MCA, and I am also a security expert in securing networks and computers, so I am going to publish some PPTs for understanding how to create a layer of security.
In this section, you can learn an introduction to hardware authentication in technology.
It will cover all the hardware security-related things. I think it is very helpful for your learning process and makes it easy to understand how the hardware works.
COMPUTEX TAIPEI 2013 - Cloud Industry Forum
Topic: Securing the Cloud for a Connected Society
Speaker: Michael Poitner
Global Segment Marketing Director, Authentication, NXP Semiconductors
PKI in DevOps: How to Deploy Certificate Automation within CI/CD (DevOps.com)
DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments.
Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss:
How applications in the DevOps toolchain use PKI (e.g. Jenkins, Kubernetes, Istio)
The risks of unmanaged or untracked certificates in DevOps environments
Best practices to support visibility, compliance and automation of certificates in CI/CD
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server (Yenlo)
Hackers and crackers are exposing the password as the Internet’s weakest security link. To combat these attacks, organizations need to ensure that access to online information is protected and restricted to authorized users, and diminish the reliance on passwords.
Join us as we detail a new security feature in WSO2 Identity Server (5.1.0) by enhancing account security with the FIDO Alliance’s U2F public key cryptography specification for strong authentication.
In this webinar, WSO2, Yubico (co-creator of U2F), and WSO2’s premier integrator Yenlo explain the technology, discuss the use cases for strong authentication, and demonstrate the power and ease of use of the U2F security key. WSO2 will present the authentication framework of WSO2 Identity Server, multi-factor and multi-step authentication configuration, and more.
See the recording of the WSO2 Identity Server webinar here: http://www.yenlo.com/en/web-wso2-identity-server-fido
The Challenge of Integrating Security Solutions with CI.pdf (Savinder Puri)
Informational article that discusses the issues with code signing solutions as they relate to CI/CD workflows (including DIY and HSM solutions).
Targeted Persona: mostly technical decision makers and operational champions (devops/devsecops).
Software security, secure software development in the age of IoT, smart thing... (LabSharegroup)
How to design secure software products for IoT, embedded application, smart metering, smart lighting, medical application with the help of Common Criteria
A behind the scenes look at how Google deployed FIDO Authentication for employees and customers in their efforts towards simpler, stronger authentication.
Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication (FIDO Alliance)
Brand is part of the team responsible for authentication at Google. Overview of how today's solution to phishing is one time passwords. Introduces and explains Google's experience with security keys. Describes Google's ongoing work and explains how to get started with FIDO Authentication.
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
This presentation discusses IoT, the challenges associated with it, and common threats to IoT. It also briefly covers how OWASP presents vulnerabilities in IoT.
FIDO® for Government & Enterprise - Presentation (FIDO Alliance)
With FIDO 1.0 standards published in December, 2015, mainstream product adoption and service deployment has begun, with more announcements planned for the RSA Security Conference 2015. This webinar will feature FIDO highlights from the conference and a discussion of how governments and enterprises are engaging with the FIDO Alliance and the new wave of innovative authentication solutions FIDO standards enable, with a special focus on how the US Government is positioning FIDO within the context of NSTIC (National Strategy for Trusted Identities in Cyberspace).
Beyond username and password: it's continuous authorization webinar (ForgeRock)
Legacy access management using simple usernames and passwords at the 'digital front door' is not enough in today's connected-everywhere mobile environment. Wouldn't it be better if access decisions were made at the moment each access attempt is made for every resource? And wouldn't it be even better if policies considered real-time and historical user and session data to assess risk, and reacted accordingly by scaling authentication requirements up or down dynamically? In this webinar, learn how the ForgeRock Identity Platform can do this and much more, to keep your users happy and your data secure.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I have already got working for real.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Security Keys Presentation.pptx
1. SECURITY KEYS – ARE THEY SECURE?
By: Dale Shelinbarger, CISSP
MTSI Cybersecurity Engineering Analyst
E-mail: dale.shelinbarger@gmail.com
2. SECURITY KEY
A security key is an authentication device that strengthens account security when used in addition to a password when signing in. Using a security key is better than receiving codes via phone call or text message because these codes can be phished or intercepted.
3. WHY USE A SECURITY KEY
• Security keys are one of the most secure and efficient ways to use Two-Factor Authentication (2FA). When prompted to provide your 2FA credentials, instead of typing in a code, you simply insert your security key and physically tap it when prompted during login.
• Google and Yubico created a 2FA called Universal Two-Factor Authentication (U2F).
• A U2F Security Key generates a new pair of keys for every service, and only the service stores the public key. With this approach, no secrets are shared between service providers, and an affordable U2F Security Key can support any number of services.
4. SUPPLIERS OF SECURITY KEYS
Yubico YubiKey
5 NFC
Good – uses USB-A & NFC, durable, waterproof, and crush resistant
5C/5C NANO
Good – uses USB-C, water-resistant
Bad – tiny, so can be misplaced
5 NANO
Good – portable USB-A device, tiny hole for keychain
Bad – not crush resistant, not compatible with mobile devices, connector fully exposed
5. SUPPLIERS OF SECURITY KEYS (CONT’D)
Thetis
FIDO (Fast IDentity Online) U2F
Good – aluminum alloy casing rotates 360 degrees, less expensive
Bad – no connectivity to mobile devices, bulkier than other devices
BLE (Bluetooth Low Energy) U2F
Good – Bluetooth Low Energy support for use with mobile devices
Bad – bulkier than other devices, requires an app to work with mobile devices
6. SUPPLIERS OF SECURITY KEYS (CONT’D)
Google Titan
Good – comes with 2 keys (USB-A, Bluetooth), supports Google Advanced Protection
Bad – Bluetooth takes some setting up, white paint easily chips off the Bluetooth module, requires you to use the included dongle for USB-C ports
Kensington VeriMark Fingerprint Key
Good – has a fingerprint scanner for use with Windows Hello login, conveniently small
Bad – cheap, dinky plastic cover; requires a driver/system restart to get working fully; can’t be used with mobile devices
7. SECURITY KEY PROTOCOLS
• FIDO U2F
• An open authentication standard enabling strong two-factor authentication to any number of web-based applications, such as Gmail, Salesforce, Twitter and hundreds more services. Works via the browser, Chrome today, and Firefox under development, and does not require any client software or drivers.
• FIDO2
• The latest open authentication standard enabling expanded authentication options including two-factor, multi-factor and now passwordless authentication. With YubiKey support for FIDO2, organizations can accelerate to the passwordless future without the need for any client software or drivers.
• OATH – TOTP (Time)
• The YubiKey generates a six or eight character, time-based one-time password (OTP) (in conjunction with a helper application) for logging into any service (such as Microsoft Cloud accounts, Google Apps, Dropbox, EverNote) that supports OATH-TOTP, a strong authentication standard. A new password is generated at a set time interval, typically every 30 seconds.
• PIV-Compatible Smart Card
• Smart cards contain a computer chip that brokers data exchanges. These same features are contained in the YubiKey 5 Series, based on the industry standard Personal Identity and Verification Card (PIV) interface over the CCID protocol, which supports PIV on a USB interface.
• OpenPGP
• In the physical world, documents and data are often validated with a signature. In the virtual world, OpenPGP is a standards-based public key cryptography for signing, encrypting, and decrypting texts, e-mails, files, etc.
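The OATH-TOTP entry above describes a six- or eight-digit code that changes every 30 seconds. As an added example (not code from the slides or from Yubico), this is the RFC 6238 computation the helper application performs, plus the verifier-side check with the usual one-step tolerance for clock drift; the secret is the RFC 6238 test-vector secret, not a real credential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP is RFC 4226: HMAC-SHA1(secret, counter), dynamically truncated to `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks a 4-byte window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod) // keep leading zeros
}

// TOTP is RFC 6238: the HOTP counter is the number of `step`-second intervals since the Unix
// epoch, so the key's helper app and the server agree on the code while their clocks roughly agree.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts the code for the current step or up to `skew` steps either side, which is
// how servers tolerate clock drift; the comparison is constant-time. Each accepted code should
// also be recorded and refused on reuse, which is left to the caller's storage.
func VerifyTOTP(secret []byte, unixTime, step int64, digits, skew int, code string) bool {
	for d := -int64(skew); d <= int64(skew); d++ {
		t := unixTime + d*step
		if t < 0 {
			continue
		}
		if hmac.Equal([]byte(TOTP(secret, t, step, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret, not a real credential
	fmt.Println(TOTP(secret, 59, 30, 8))                       // RFC 6238 vector: 94287082
	fmt.Println(TOTP(secret, 59, 30, 6))                       // same code at six digits: 287082
	fmt.Println(VerifyTOTP(secret, 89, 30, 8, 1, "94287082"))  // true: one step late, within skew
	fmt.Println(VerifyTOTP(secret, 119, 30, 8, 1, "94287082")) // false: two steps late
}
```

The same code is what a phishing page can capture and relay within the 30-second window, which is the weakness the later slides contrast with U2F.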
8. WHERE CAN SECURITY KEYS BE USED?
Catalog for hundreds of services that work with the Yubikey
https://www.yubico.com/works-with-yubikey/catalog/
10. ARE SECURITY KEYS HACKABLE?
• Not yet, but just because it hasn’t or didn’t (not sure how you ultimately prove that, of course) get hacked doesn’t mean it can’t be hacked.
• Google has told the world that none of its 85,000 employees had been successfully hacked since they started implementing Security Keys in early 2017.
11. ARE SECURITY KEYS HACKABLE? (CON’T)
• Security Keys are susceptible to 8 out of the 10 most popular attacks:
• Man-in-the-Endpoint
• Fake Web Sites and Fake Authentication Experiences
• Downgrade/Not Required Attacks
• Tech Support Social Engineering Attacks
• Hijacking Shared Authentication Attacks
• Subject Hijacking
• Buggy Code
• Physical Attacks
• A hack found a specific design flaw in the U2F design when using WebUSB, but it was reported and corrected.
• Many times, it isn’t a design issue, it’s a human issue.
• E-BOOK – 12+ Ways to Hack Multi-Factor Authentication by Roger Grimes
12. SUMMARY
• Adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a YubiKey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the YubiKey instead performs an authentication handshake with a website that not only proves to a website that it's your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.
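Slide 3 says a U2F key mints a fresh key pair per service and the service stores only the public key, and the summary says the handshake also makes the website prove its identity. The following is an added model of that exchange, not code from the presentation or from Yubico: the key signs SHA-256 of the origin the browser reports together with a use counter and the challenge, so an assertion produced while the browser sits on a lookalike origin fails at the real site. The origins, the fixed challenge and the `RelayedLogin` driver are constructed for the demo, and real U2F client data also carries the origin and request type, which is simplified here to the raw challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

type Assertion struct {
	Counter   uint32 // monotonic use counter; lets the server spot replays and cloned keys
	Signature []byte // DER-encoded ECDSA signature over signedData(...)
}

// signedData builds the U2F authentication message (client data simplified to the raw challenge):
// SHA-256(appID) || user-presence byte || counter (big-endian) || SHA-256(client data).
// appID is the origin the browser reports, so the signature is bound to the site the user is really on.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	msg := append(app[:], 0x01) // 0x01: the user physically touched the key
	msg = binary.BigEndian.AppendUint32(msg, counter)
	return append(msg, cd[:]...)
}

// Authenticator models the key: a fresh P-256 pair per registration, and private keys never leave it.
// (Real keys also tie each handle to its app ID; that check is omitted so the origin binding in the signature does the work.)
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	counter uint32
}

// Register mints a new key pair and returns an opaque handle plus the public key, the only two values a service stores.
func (a *Authenticator) Register() (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", priv.PublicKey.X.Bytes()) // any unique, non-secret label will do
	a.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// Sign signs over the app ID the browser supplies, never over what a remote page claims to be.
func (a *Authenticator) Sign(handle, appID string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[handle]
	if !ok {
		return Assertion{}, errors.New("unknown key handle")
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{Counter: a.counter, Signature: sig}, err
}

// RelyingParty is the service: it keeps only public keys and the last counter seen per handle.
type RelyingParty struct {
	AppID    string
	PubKeys  map[string]*ecdsa.PublicKey
	Counters map[string]uint32
}

// Verify rebuilds the message with the service's own app ID, so an assertion made while the
// browser sat on a lookalike origin can never validate here.
func (rp *RelyingParty) Verify(handle string, challenge []byte, as Assertion) error {
	pub, ok := rp.PubKeys[handle]
	if !ok {
		return errors.New("unknown key handle")
	}
	if as.Counter <= rp.Counters[handle] {
		return errors.New("counter did not increase: replay or cloned key")
	}
	digest := sha256.Sum256(signedData(rp.AppID, as.Counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature: not made for this origin")
	}
	rp.Counters[handle] = as.Counter
	return nil
}

// RelayedLogin plays the lookalike-site case from the summary slide: the fake page forwards the real
// site's challenge, the key signs it under the origin the browser is actually on, and the real site
// checks the result. It returns whether the genuine login and the relayed one were accepted.
func RelayedLogin(realOrigin, fakeOrigin string) (bool, bool, error) {
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	handle, pub, err := key.Register()
	if err != nil {
		return false, false, err
	}
	site := &RelyingParty{AppID: realOrigin, Counters: map[string]uint32{},
		PubKeys: map[string]*ecdsa.PublicKey{handle: pub}}
	challenge := []byte("constructed-challenge-1") // a real server draws this at random per login
	login := func(browserOrigin string) bool {
		as, err := key.Sign(handle, browserOrigin, challenge)
		return err == nil && site.Verify(handle, challenge, as) == nil
	}
	return login(realOrigin), login(fakeOrigin), nil
}
```

Because the counter is part of the signed message and must increase on every login, resending a captured assertion is also rejected, which is the server-side check that flags a cloned key.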