A look at Google's approach to strong authentication with FIDO, including an exploration of how security keys have been deployed within Google and how simple and secure user journeys are with Web Authn.
FIDO UAF (Universal Authentication Framework) Specifications: Overview & Tutorial
by Todd Thiemann, Nok Nok Labs
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
A tutorial on the process of writing an application using a browser's WebAuthn API, plus how to install a server, how to generate authentication challenges & responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
WebAuthn and Security Keys = Unlocking the key to authentication by John Fontana, Yubico on behalf of Christiaan Brand at Google
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
FIDO U2F (Universal Second Factor) Specifications: Overview & Tutorial
by Jerrod Chong, Yubico
Explore how FIDO U2F works and how it is used in the world today.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
Authentication is a sneaky problem - the most secure options don't usually have widespread adoption, especially among consumer applications. But what if we could fix that? Narrator: we can. WebAuthn is a somewhat new authentication standard that uses our everyday devices like phones and computers and turns them into phishing-resistant security keys. It almost sounds too good to be true. This talk will dig into how the technology works, when you can and should use it, and how to get started. We'll dig into why this isn't widely adopted yet and if or when we can expect it to be. You'll walk away with a better understanding of a new authentication channel and possibly some hope for a more secure future.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
Developer Tutorial: WebAuthn for Web & FIDO2 for Android by FIDO Alliance
This tutorial walks through how to build a website with simple re-authentication functionality using a fingerprint sensor. Re-authentication is a concept where a user signs into a website once, then authenticates again when they try to enter important sections of the website, come back after a certain interval, etc., in order to protect the account. It also covers how to build an Android app with simple re-authentication functionality using a fingerprint sensor. "Re-authentication" is a concept where a user signs into an app once, then authenticates again when they come back to your app or try to access an important section of your app.
Micheal Green - JustTech
Mary O'Shaughnessy - Her Justice
Sart Rowe - LSNTAP
In this webinar we look at what phishing is, how it impacts legal aid organizations, and how to take steps to reduce the likelihood and impact of getting hit with an attack.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
Here are the discussions that are mentioned in P19 of "Fend Off Cyberattack with Episodic Memory"
https://www.slideshare.net/HitoshiKokumai/fend-off-cyberattack-with-episodic-memory-24feb2023
With advanced technologies such as biometric verification and cryptographic keys, IT around the world is moving towards passwordless authentication for its apps.
Subscribe for more insightful reports at: https://kms-solutions.asia/
If you think you're safe because you have two-factor authentication protecting your applications and data, you might want to rethink your security strategy. While certain two-factor methods can be secure, others can be easily defeated, leaving you vulnerable to attacks.
Learn why simple two-factor authentication is not enough and what you can do to make sure you are protected. We'll present a new approach to authentication, which continuously analyzes risk factors, including geo-location, behavioural biometrics and threat intelligence, to ensure your users are who they say they are.
Secure Code Generation for Multi-level Mutual Authentication by TELKOMNIKA JOURNAL
Any secured system requires one or more logging policies to make that system safe. Static passwords alone are no longer enough to secure systems: even with strong passwords, illegal intrusions occur, and passwords risk being forgotten. Authentication using many levels (factors) complicates the steps an intruder must take to reach system resources. Any person to be authorized to log in to a secured system must provide some predefined data or present some entities that identify his/her authority. Predefined information shared between the client and the system helps achieve a more secure level of logging in. In this paper, the user that aims to log in to a secured system must provide a recognized RFID card with a mobile number that is available in the secured system's database; the secured system then uses a simple algorithm to generate a One-time Password that is sent via a GSM Arduino-compatible shield to the user, announcing him/her as an authorized person.
Secure3 authentication for sensitive data on cloud using textual, chessboard ... by eSAT Journals
Abstract: Existing systems of authentication are plagued by many weaknesses. As high-speed cloud infrastructure is developed and people become informationized, sensitive data is also moving into the cloud field. However, existing sensitive file upload and download on the cloud is exposed to the danger of hacking. Recently, personal information has been leaked by sophisticated methods such as phishing or pharming, beyond the snatching of a user ID and password. Seeing that most incidents in file uploading and downloading were caused by the appropriation of someone else's ID or password, a safe user confirmation system becomes much more essential. In this paper, we propose a new authentication system for file uploading and downloading on the cloud using the HADOOP technique; of the three HADOOP techniques, we use HDFS (Hadoop Distributed File System). This authentication system is a combination of three authentication systems, i.e. Secure3: 1) Textual, 2) Chessboard, 3) QR-code authentication. In textual authentication, normal login authentication is required, i.e. username and password. In chessboard authentication, the user plays a sequence of chessboard moves and selects those moves as the authentication secret. QR-code authentication uses a mobile OTP combined with a QR code, a variant of the 2D barcode. We also assign a priority to sensitive data: low-priority sensitive data requires only textual authentication; medium-priority sensitive data requires textual + chessboard authentication; high-priority sensitive data requires textual + chessboard + QR-code authentication. Keywords: OTP (One-Time Password), QR (Quick Response), CBS (Chess Board System), HDFS (Hadoop Distributed File System), IMEI (International Mobile Equipment Identity), AES (Advanced Encryption Standard).
Apache Milagro Presentation at ApacheCon Europe 2016 by Brian Spector
Apache Milagro (incubating) establishes a new internet security framework purpose-built for cloud-connected app-centric software and IoT devices that require Internet scale. Milagro's purpose is to provide a secure, free, and positive open source alternative to centralised and proprietary monolithic trust providers such as commercial certificate authorities and the certificate backed cryptosystems that rely on them.
Milagro is an open source, pairing-based cryptographic platform that delivers solutions for device and end user authentication, secure communications and fintech / blockchain security; issues challenging Cloud Providers and their customers. It does this without the need for certificate authorities, putting into place a new category of service providers called Distributed Trust Authorities (D-TA®).
Milagro's M-Pin® protocol, and its existing open-source MIRACL® implementation on which MILAGRO is built, is already in use by Experian, NTT, Ingram Micro, and Gov.UK and rolled out to perform at Internet scale for Zero Password® multi-factor authentication and certificate-less HTTPS / secure channel.
A secure communication in smart phones using two factor authentication by eSAT Journals
Abstract: Most secure systems face security attacks mainly at the client side. Two Factor Authentication (TFA) provides improved protection to the system at the client side by prompting users to provide something they know and something they have. This system uses a one-time password (OTP) generation method which doesn't require client-server communication, which frees the system from the cost of sending a dynamic password each time the client wants to log in. The OTP generation uses factors that are unique to the user and is installed on an Android smart phone owned by the user. An OTP is valid for one minute, after which it is useless. The system thus provides better client-level security: a simple, low-cost method which protects the system from hacking techniques like key logging, phishing, shoulder surfing, etc. Keywords: Authentication, OTP, key logging, phishing
A secure communication in smart phones using two factor authentications by eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Similar to Web Authn & Security Keys: Unlocking the Key to Authentication (20)
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
1. Wireless Communication System_Wireless communication is a broad term that i... by JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024, by APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx by Brad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
5. 43% success rate for a well designed password phishing page (*Google study)
81% of account vulnerabilities were due to weak or stolen passwords (*Verizon data breach report, 2017)
6. 3.3B+ credentials leaked in dumps*
67M accounts proactively re-secured*
17% minimum password reuse rate*
*Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) https://ai.google/research/pubs/pub46437
8. Any second factor improves user security, but...
SMS usability: coverage issues, delay, user cost
Device usability: one per site, expensive, fragile
User experience: users find it hard
Phishable: OTPs are increasingly phished
15. Core idea - standard public key cryptography
Based on asymmetric cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify user
● One device, many services, "bring your own device" enabled
16. How security key works
Diagram: the user enters the Password at https://www.google.com; the security key then signs a statement for the Server: "I promise a user is here", "the server challenge was: 337423", "the origin was: google.com"
17. Security key defeats phishing
Diagram: the user enters the Password at https://www.goggle.com (the phishing site); the security key signs: "I promise a user is here", "the server challenge was: 337423", "the origin was: goggle.com". The origin in the signed statement received by the Server is goggle.com, not google.com.
19. Deployment at Google
Enterprise use case
● Mandated for Google employees
● Corporate SSO (web)
● SSH
● Forms basis of all authentication
Consumer use case
● Available as opt-in for Google consumers
● Adopted by other relying parties too: Dropbox, Github
20. Use cases at Google
Bootstrapping
● It's only used when employee signs in on a new device the first time.
● It protects against phishing.
● Removable security key is carried as part of the badge.
Hardware credential binding
● Once signed into a device, long-lived tokens (cookies, etc) are usually issued.
● Occasionally, a local security key touch is required, which is presented in combination with this local token.
● This is to ensure the token is still being presented from a machine we trust.
21. Time to authenticate
Chart: Time to authenticate (s), y-axis 0 to 50, for Google employees comparing OTP via SMS, OTP via app and Security Keys; and Time to present 2nd factor (s), y-axis 0 to 50, for consumer users comparing OTP and Security Keys.
22. Time to authenticate
Chart (same as slide 21): Time to authenticate (s), y-axis 0 to 50, for Google employees comparing OTP via SMS, OTP via app and Security Keys; and Time to present 2nd factor (s), y-axis 0 to 50, for consumer users comparing OTP and Security Keys.
"If you've been reading your e-mail" takeaway: Security keys are faster to use than OTPs
26. We made the password a lot safer with U2F, but we want to go one step further: we want to remove the password from the equation. That's where FIDO2 and WebAuthn come in.
27. What is WebAuthn? How does it relate to FIDO2?
Diagram: FIDO2 = W3C WebAuthn + FIDO CTAP. WebAuthn sits between the client (computer, phone) and the remote server (website); CTAP sits between the client and a removable authenticator (phone, security key). The client may also contain a built-in authenticator (fingerprint).
31. Registering and using built-in authenticator for re-auth (mobile web)
Elisa wants to sign in to her bank. She starts on her mobile browser and enrolls in fingerprint after sign-in.
32. 1. Registering built-in authenticator for re-auth (mobile web)
Elisa launches her mobile browser, Chrome, and goes to Tri-Bank.
Request: UV=true, X-Plat=false
Result: credential (internal, caBLE)
33. 1. Registering built-in authenticator for re-auth (mobile web)
She signs in with her username and password.
34. 1. Registering built-in authenticator for re-auth (mobile web)
Tri-Bank shows a promo asking Elisa if she wants to opt in to fingerprint to sign in. She opts in and continues to her account.
35. 2a. Using built-in authenticator for re-auth (mobile web)
Elisa comes back to Tri-Bank in another session.
36. 2a. Using built-in authenticator for re-auth (mobile web)
The next time Elisa opens Tri-Bank on her mobile browser, she gets a fingerprint dialog.
Request: credentialId (internal)
Since the user already signed in on this device, the credential ID is encoded in the cookie and the RP requests the "internal" transport only (since they don't want the user to see prompts about external authenticators).
37. 2a. Using built-in authenticator for re-auth (mobile web)
Using only her fingerprint, she's able to sign in without using her username + password on mobile web.
Request: credentialId (internal)
38. 2b. Using built-in authenticator for re-auth (native mobile app)
Elisa downloads Tri-Bank from the Play Store. She launches the app for the first time to sign in to check her funds.
40. 2b. Using built-in authenticator for re-auth (native mobile app)
Elisa chooses "Sign In" and also chooses an account.
Request: credentialId (internal)
41. 2b. Using built-in authenticator for re-auth (native mobile app)
Elisa is now asked to authenticate with the fingerprint dialog.
42. 3. Cross-platform bootstrap
Elisa wants to sign in to her bank on her desktop computer.
43. 3. Cross-platform bootstrap
Elisa chooses to sign in on her desktop browser.
Request: credentialId (internal)
Request (alternative): {empty credentialId}; will result in a prompt to insert a removable SK
53. Note that we're inheriting the strength of the credentials from the initial bootstrap.
If in Step 1 we only ask the user for a username + password, the strength of all the derived credentials is only as good as a username + password.
If in Step 1 we ask for a stronger credential (2nd factor security key), all of the derived credentials would inherit those stronger attributes too.
68. How can I get started?
Desktop/laptop
● WebAuthn support was launched in Chrome 67.
● The initial release supports only external tokens.
● Support for built-in modalities is coming later in the fall.
Android
● FIDO2 APIs on Android are available in pre-release mode.
● Support for FIDO2 on the web (to built-in fingerprint sensor) will come later in the fall.
Visit webauthndemo.appspot.com to try it out