Talk given in May 2016

1. @thisNatasha
Web Authentication:
a Future Without Passwords?
Natasha Rooney, @thisNatasha

2. @thisNatasha
Passwords are kinda
crud.

3. @thisNatasha
Hard to Remember
Causes users to
reuse passwords

4. @thisNatasha
Phishable
Tell me your
password and get
a free pen!

5. @thisNatasha
Rely on trust
No guarantee the
website won’t
get hacked...

6. @thisNatasha@thisNatasha
781 data breaches
in 2015
170m records stolen
Average $3.8m per breach
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
@thisNatasha

7. @thisNatasha
"95% incidents involve
harvesting credentials stolen
from customer devices, then
logging into web applications
with them."
2015 Data Breach Investigations Report

8. @thisNatasha
Ha I know your passwordz
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
15. 1qaz2wsx
25. starwars (new!)
SplashData, compiled from more than 3.3 million leaked passwords during the 2015

9. @thisNatasha@thisNatasha
Some ways to help
We tried...
One time passcodes
Password aggregators
2 factor auth

10. @thisNatasha
All those methods are nice
but...

11. @thisNatasha
Still Phisable
and / or...

12. @thisNatasha
Security or
usability?
Make your choice.

13. @thisNatasha@thisNatasha
FIDO Alliance
Authentication Standards
Do not Sacrifice Usability
Privacy by Design

14. @thisNatasha
Bodies
Standards
Bodies

15. @thisNatasha
FIDO 2 step process
- User proves they have something
- Online using Public Key Cryptography
ONLINELOCAL
Authenticator

16. @thisNatasha
Quick intro to
Public Key Cryptography

17. @thisNatasha
Let’s get that Pikachu!
Jessie James

18. @thisNatasha@thisNatasha
Symmetric Crypto
(Caesar Cipher)

19. @thisNatasha
Key = 3
Let’s get that Pikachu!
=
Ohw’v jhw wkdw Slndfkx!
Jessie James

20. @thisNatasha
Key = 3
Let’s get that Pikachu!
=
Ohw’v jhw wkdw Slndfkx!
Jessie James

21. @thisNatasha
Key = 3
Let’s get that Pikachu!
=
Ohw’v jhw wkdw Slndfkx!
Jessie James
Ohw’v jhw wkdw Slndfkx!
=
Let’s get that Pikachu!

22. @thisNatasha@thisNatasha
Asymmetric Crypto
2 Keys
1 Secret Key
(keep it to yourself!)
1 Public Key
(share with others)

23. @thisNatasha
Jessie James
PUBLIC

24. @thisNatasha
Jessie James
Let’s get that Pikachu!
1cd87b63a2a933ca2...
PUBLIC
PUBLIC

25. @thisNatasha
Jessie James
Let’s get that Pikachu!
1cd87b63a2a933ca2...
Let’s get that Pikachu!
PUBLIC
PUBLIC

26. @thisNatasha
Jessie James
Let’s get that Pikachu!
1cd87b63a2a933ca2...
Let’s get that Pikachu!
PUBLIC
PUBLIC
PUBLIC

27. @thisNatasha

28. @thisNatasha
Does this key really
belong to james?
PUBLIC

29. @thisNatasha@thisNatasha
Certs
Certificate Authority (CA)
issues a Certificate
CA checks James’s identity
Digicert, Versign
(but anyone can be a CA)

30. @thisNatasha@thisNatasha
Certs
Certificate Authority (CA)
issues a Certificate
X.509
Version Number
Serial Number
Algorithm ID
Issuer
Validity period
Subject name
Subject Public Key Info
Certificate Signature Algorithm
Certificate Signature
...

31. @thisNatasha
Jessie James
Let’s get that Pikachu!
1cd87b63a2a933ca2...
Let’s get that Pikachu!
Giant Meowth
Certificate
Authority
PUBLIC
PUBLIC

32. @thisNatasha

33. @thisNatasha
Jessie James
Let’s get that Pikachu!
1cd87b63a2a933ca2...
Let’s get that Pikachu!
Giant Meowth
Certificate
Authority
PUBLIC
PUBLIC

34. @thisNatasha@thisNatasha
SSL / TLS
Also use
Public Key Cryptography
HTTPS

35. @thisNatasha
Back to FIDO...

36. @thisNatasha
FIDO 2 step process
- User proves they have something
- Online using Public Key Cryptography
ONLINELOCAL
Authenticator

37. @thisNatasha@thisNatasha
FIDO Frameworks UAF
U2F
2 Frameworks for your
convenience.

38. @thisNatasha
UAF: Universal Authentication Framework
- Same user as before?
- Biometric or otherwise
Challenge
1 2
?
3

39. @thisNatasha
U2F: Universal Second Factor
- Is a user present? Same as before?
- Prove you have something
1 2 3
Dongle / buttonVERIFICATION
AUTHENTICATION

40. @thisNatasha@thisNatasha
Registration
Creates Keys
Local:
- User does a normal login
- Invitation to use FIDO
- Keys created
Server:
- Public Key goes to Server

41. @thisNatasha@thisNatasha
Fido is kinda cool
because...
Deploy once for all
“authenticators”
No server has your
fingerprint (or other
biometric)
Usability
PKI stronger than user/pw

42. @thisNatasha
EXACTLY WHAT DOES THIS
HAVE TO DO WITH THE WEB?

43. @thisNatasha

44. @thisNatasha
Fido frameworks
Are coming to the web!

45. @thisNatasha

46. @thisNatasha@thisNatasha
WebAuth WG
3 Specs
Web Authentication API
Data Formats
Signature Formats

47. @thisNatasha
ONLINELOCAL
Authenticator
Web Authentication API
- Requesting asymmetric key pair
- Proving the browser has the private key
Setup User
Data
Send Public
Key
Local Browser

48. @thisNatasha
ONLINELOCAL
Authenticator
Web Authentication API
- Requesting asymmetric key pair
- Proving the browser has the private key
Ask for
Identity
Assertion
Prove we
have private
key
Local Browser

49. @thisNatasha

50. @thisNatasha
Registration
First Factor Auth
Device with own display
User is logged in.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
var userAccountInformation = {
rpDisplayName: "Acme", displayName: "John P. Smith",
name: "johnpsmith@example.com", id: "1098237235409872",
imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// This Relying Party will accept any credential, but prefers an ES256 credential.
var cryptoParams = [
{
type: "ScopedCred", algorithm: "ES256"
},
{
type: "ScopedCred", algorithm: "RS256"
}
];
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No blacklist
var extensions = {"webauthn.location": true}; // Include location information
// in attestation
// Note: The following call will cause the authenticator to display UI.
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
timeoutSeconds, blacklist, extensions)
.then(function (newCredentialInfo) {
// Send new credential info to server for verification and registration.
}).catch(function (err) {
// No acceptable authenticator or user refused consent. Handle appropriately.
});

51. @thisNatasha
Registration
First Factor Auth
Device with own display
User is logged in.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
var userAccountInformation = {
rpDisplayName: "Acme", displayName: "John P. Smith",
name: "johnpsmith@example.com", id: "1098237235409872",
imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// This Relying Party will accept any credential, but prefers an ES256 credential.
var cryptoParams = [
{
type: "ScopedCred", algorithm: "ES256"
},
{
type: "ScopedCred", algorithm: "RS256"
}
];
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No blacklist
var extensions = {"webauthn.location": true}; // Include location information
// in attestation
// Note: The following call will cause the authenticator to display UI.
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
timeoutSeconds, blacklist, extensions)
.then(function (newCredentialInfo) {
// Send new credential info to server for verification and registration.
}).catch(function (err) {
// No acceptable authenticator or user refused consent. Handle appropriately.
});
Credential Setup

52. @thisNatasha
Registration
First Factor Auth
Device with own display
User is logged in.
var webauthnAPI = window.webauthn;
if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
var userAccountInformation = {
rpDisplayName: "Acme", displayName: "John P. Smith",
name: "johnpsmith@example.com", id: "1098237235409872",
imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// This Relying Party will accept any credential, but prefers an ES256 credential.
var cryptoParams = [
{
type: "ScopedCred", algorithm: "ES256"
},
{
type: "ScopedCred", algorithm: "RS256"
}
];
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No blacklist
var extensions = {"webauthn.location": true}; // Include location information
// in attestation
// Note: The following call will cause the authenticator to display UI.
webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
timeoutSeconds, blacklist, extensions)
.then(function (newCredentialInfo) {
// Send new credential info to server for verification and registration.
}).catch(function (err) {
// No acceptable authenticator or user refused consent. Handle appropriately.
});
Credential is created.
Client finds the authenticator.
Authenticator shows UI
Authenticator returns response.
Send public key to sever.

53. @thisNatasha
Authentication
User visit site...
var webauthnAPI = window.webauthn;
if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var whitelist = [{ type: "ScopedCred" }];
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist)
.then(function (assertion) {
// Send assertion to server for verification
}).catch(function (err) {
// No acceptable credential or user refused consent. Handle appropriately.
});
Ask for identity assertion
Client finds authenticator

54. @thisNatasha
Authentication
User visit site...
var webauthnAPI = window.webauthn;
if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var whitelist = [{ type: "ScopedCred" }];
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist)
.then(function (assertion) {
// Send assertion to server for verification
}).catch(function (err) {
// No acceptable credential or user refused consent. Handle appropriately.
});
Ask for identity assertion
Client finds authenticator

55. @thisNatasha
Authentication
User visit site…
(no locally stored data)
var webauthnAPI = window.webauthn;
if (!webauthnAPI) { /* Platform not capable. Handle error. */ }
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var whitelist = [{ type: "ScopedCred" }];
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist)
.then(function (assertion) {
// Send assertion to server for verification
}).catch(function (err) {
// No acceptable credential or user refused consent. Handle appropriately.
});
Authenticator returns response
Script sends assertion to server
Server validates
Onwards!

56. @thisNatasha
Must Use HTTPS
Security, yo.
Tips

57. @thisNatasha
Localstorage
Can be used for storing Credential ID.
Tips

58. @thisNatasha@thisNatasha
Warning!
Spec is being edited now!
All this could change...

59. @thisNatasha@thisNatasha
Recap
WebAuth (not now, but soon!)
Passwords are crud
Super Phisable
FIDO made some standards
UAF and U2F
Public Key Crypto
Symmetric and Asymmetric
W3C WebAuth Working Group
WebAuth API: Registration and
Authentication

60. @thisNatasha
Thank-you
People: Vijay Bharadwaj (Microsoft), Hubert Le Van Gong (PayPal),
Dirk Balfanz (Google), Alexei Czeskis (Google), Arnar Birgisson
(Google), Jeff Hodges (PayPal), Michael B. Jones (Microsoft), Rolf
Lindemann (Nok Nok Labs), Richard Barnes (Mozilla), Wendy Seltzer
(W3C), Anthony Nadalin, (Microsoft)

61. @thisNatasha
Extra for funsies.

62. @thisNatasha
Authentication
Same as before but with
locally stored data
& transaction
authorization extension
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var acceptableCredential1 = {
type: "ScopedCred",
id: "ISEhISEhIWhpIHRoZXJlISEhISEhIQo="
};
var acceptableCredential2 = {
type: "ScopedCred",
id: "cm9zZXMgYXJlIHJlZCwgdmlvbGV0cyBhcmUgYmx1ZQo="
};
var whitelist = [acceptableCredential1, acceptableCredential2];
var extensions = { 'webauthn.txauth.simple':
"Wave your hands in the air like you just don’t care" };
webauthnAPI.getAssertion(challenge, timeoutSeconds, whitelist, extensions)
.then(function (assertion) {
// Send assertion to server for verification
}).catch(function (err) {
// No acceptable credential or user refused consent. Handle appropriately.
});