
Passwords are passé. WebAuthn is simpler, stronger and ready to go


The presentation shows what’s wrong with passwords.
Then it elaborates on what Two-Factor Authentication is.

Finally, it demonstrates the standard web API WebAuthn (Web Authentication).
The presentation was given at OWASP AppSec IL 2018:

https://appsecisrael2018.sched.com/event/FvfG/passwords-are-passe-webauthn-is-simpler-stronger-and-ready-to-go



  1. Passwords are passé. WebAuthn is simpler, stronger and ready to go
     Michael Furman, Security Architect
  2. What will we see today?
     • What’s wrong with passwords?
     • What is 2FA?
     • Why is 2FA better?
     • WebAuthn drilldown
     • WebAuthn benefits
     • What is my next step?
  3. About Me
     • 20+ years in software engineering
     • 10+ years in application security
     • 4+ years Lead Security Architect at Tufin
     • www.linkedin.com/in/furmanmichael/
     • ultimatesecpro@gmail.com
     • Read my blog https://ultimatesecurity.pro/
     • Follow me on twitter @ultimatesecpro
     • I like to travel, read books and listen to music.
  4. About Tufin
     • Market Leader in Security Policy Orchestration for firewalls and cloud
       – New Tufin products integrate security into the DevOps pipeline
     • Established in 2005
     • Used in over 2,000 enterprises, including 40 Fortune 100 companies
     • We are constantly growing! www.tufin.com/careers/
  5. What’s wrong with passwords?
     • Subject to brute force attacks
     • Can be stolen via phishing attacks
  6. What is a brute force attack?
     “A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.”
     https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
  7. How to prevent a brute force attack?
     • Enforce brute force protection
       – Lock user after consecutive login failures
     • Enforce complex passwords
       – Passphrases
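The “lock user after consecutive login failures” control from slide 7, as an added JavaScript example that is not part of the deck. The threshold of 5 failures, the 15-minute lock and the in-memory `Map` are assumptions for this example. A locked account rejects even a correct password, so the lock response cannot be used to confirm a guess.

```javascript
// Added example (not from the slides): per-account lockout after repeated login failures.
// Assumptions (constructed for this example): 5 failures trigger a 15-minute lock, state is
// kept in an in-memory Map; a real deployment would use a shared store and also limit by source.
const MAX_FAILURES = 5;
const LOCK_MS = 15 * 60 * 1000;

// username -> { failures, lockedUntil }  (lockedUntil is ms since epoch, 0 = not locked)
const accountState = new Map();

function getState(username) {
  if (!accountState.has(username)) {
    accountState.set(username, { failures: 0, lockedUntil: 0 });
  }
  return accountState.get(username);
}

// True if the account is locked at time `now`.
function isLocked(username, now = Date.now()) {
  return getState(username).lockedUntil > now;
}

// Record one login attempt. `passwordOk` is the outcome of the credential check, which the
// caller performs regardless of lock state so that timing does not leak it.
// Returns "locked", "ok" or "failed".
function recordAttempt(username, passwordOk, now = Date.now()) {
  const state = getState(username);
  if (state.lockedUntil > now) return 'locked';   // still locked: even a correct password is refused
  if (state.lockedUntil !== 0) {
    // lock has expired: start a fresh counting window
    state.failures = 0;
    state.lockedUntil = 0;
  }
  if (passwordOk) {
    state.failures = 0;
    return 'ok';
  }
  state.failures += 1;
  if (state.failures >= MAX_FAILURES) {
    state.lockedUntil = now + LOCK_MS;
    return 'locked';
  }
  return 'failed';
}
```

A per-account lock also lets anyone who knows a username lock that user out, so in practice it is paired with per-source rate limiting and audit logging of lock events rather than used alone.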
  8. Complex passwords. Really?
     • Do users really use complex passwords?
     • List of common passwords https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
       – First place: ‘123456’
       – Second place: ‘password’
  9. How to enforce complex passwords?
     • Password policies
     • What is a password policy? A Password Policy is the set of restrictions and/or requirements that a user must follow to ensure that their password is strong.
  10. Sample password policy
      • Minimum 12 characters
      • Must include:
        – uppercase letters
        – lowercase letters
        – digits
        – non-alphanumeric (special) characters
      • Must be different from username
  11. Sample password policy (continued)
      • Change every 60 days
      • Password cannot be reused
      • Prevent incremental changes (e.g. Passw0rd, Passw1rd, Passw2rd)
      My “favorite” password policy
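The sample policy from slides 10 and 11, implemented as an added JavaScript example that is not part of the deck. The thresholds (12 characters, four character classes, 60 days) come from the slides; the definition of an “incremental change” used here (same length, at most two positions differ) and the `history` array of earlier passwords are my assumptions.

```javascript
// Added example (not from the slides): a checker for the sample password policy.
// Assumptions: "incremental change" means same length and at most `maxDiff` differing
// positions; `history` holds earlier passwords in plaintext for illustration only (a real
// system compares against stored password hashes).
const MIN_LENGTH = 12;
const MAX_AGE_DAYS = 60;

// Returns the list of violated rules; an empty list means the password is accepted.
function checkPassword(password, username, history = []) {
  const violations = [];
  if (password.length < MIN_LENGTH) violations.push('min-length');
  if (!/[A-Z]/.test(password)) violations.push('uppercase');
  if (!/[a-z]/.test(password)) violations.push('lowercase');
  if (!/[0-9]/.test(password)) violations.push('digit');
  if (!/[^A-Za-z0-9]/.test(password)) violations.push('special');
  if (password.toLowerCase() === username.toLowerCase()) violations.push('equals-username');
  if (history.includes(password)) violations.push('reused');
  if (history.some((old) => isIncrementalChange(old, password))) violations.push('incremental');
  return violations;
}

// The slide's Passw0rd -> Passw1rd -> Passw2rd pattern: same length, a few positions changed.
function isIncrementalChange(oldPw, newPw, maxDiff = 2) {
  if (oldPw.length !== newPw.length) return false;
  let diff = 0;
  for (let i = 0; i < oldPw.length; i++) {
    if (oldPw[i] !== newPw[i]) diff++;
  }
  return diff > 0 && diff <= maxDiff;
}

// "Change every 60 days": true when a password set at `setAt` must be rotated at `now`.
function isExpired(setAt, now = new Date()) {
  const ageDays = (now.getTime() - setAt.getTime()) / (24 * 60 * 60 * 1000);
  return ageDays >= MAX_AGE_DAYS;
}
```

Running the checker against the common passwords on slide 8 shows why policies are introduced; running it against a user's "Winter-2018!!" followed by "Winter-2019!!" shows the incremental-change rule that the next slide says users resent.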
  12. Do password policies work?
      • Technically? Yes. But ...
      • Frustrates users
      • Users evade policies
        – Write the passwords down
        – Forget the replaced password
      • Potentially increase administrative costs
  13. What is a phishing attack?
      • Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
      • It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
      https://www.incapsula.com/web-application-security/phishing-attack-scam.html
  14. Can I prevent phishing attacks?
      • Complex
      • Multi-million$ industry of its own
      • E.g. https://www.owasp.org/index.php/Phishing
  15. Best password advice
      • Passwords are like underwear
      Picture is from https://it.ie/keep-passwords-secure/
  16. What is Two-Factor Authentication?
      Two-factor authentication (2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different factors:
      1. Something they know
      2. Something they have or something they are
      https://en.wikipedia.org/wiki/Two-step_verification
  17. Why is 2FA more secure?
      • The attacker should not know the 2nd factor!
      • Weaker passwords are still crackable, but who cares!
  18. Types of 2FA
      • Text Message (SMS)
      • OTP
      • WebAuthn
  19. 2FA using Text Messages (SMS)
      • SMS contains authentication code
  20. Is 2FA using SMS secure?
      • “NIST is no longer recommending Two-Factor authentication using SMS” (Bruce Schneier blog, 2016) https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html (NIST stands for National Institute of Standards and Technology)
      • SMS can be intercepted: Signaling System No. 7 (SS7) protocols vulnerability
  21. 2FA using one-time password (OTP)
      • Authentication using OTP generated by:
        – Mobile device applications
          • Google Authenticator
          • FreeOTP
        – Dedicated device
          • RSA SecurID
      Picture is from https://en.wikipedia.org/wiki/RSA_SecurID
  22. 2FA using OTP, mobile device: Registration
      • Scan QR code (shared secret) provided by server on mobile device
  23. 2FA using OTP, mobile device: Authentication
      • Provide OTP generated by mobile device to server to complete authentication
  24. Is 2FA using OTP secure?
      • No currently known vulnerabilities
      • Possible attack vector:
        – OTP relies on a shared secret key (QR code)
        – An attacker may gain access to these keys
        – High complexity
  25. 2FA Migration from SMS to OTP
      • Instagram https://techcrunch.com/2018/07/17/instagram-2-factor/
      • Facebook https://www.theverge.com/2018/5/23/17385654/facebook-two-factor-authentication-process-app-phone-number
  26. Ideal 2FA?
      • Biometric scan
        – Fingerprint
        – Retina
  27. Fingerprint Scan Example
      Picture is from the “Back to the Future Part II” movie
  28. Retina Scan Example
      Picture is from the “Despicable Me” movie
  29. Is biometric scan secure?
      Picture is from the “Demolition Man” movie
  30. What is WebAuthn?
      • WebAuthn (Web Authentication)
        – standard web API (Credential Management API)
        – is incorporated into browsers
        – allows very secure 2FA
        – based on the FIDO specification
      https://www.w3.org/TR/webauthn/
  31. What is FIDO?
      • FIDO = Fast Identity Online
      • FIDO Alliance started from a conversation in 2009
        – Ramesh Kesanupalli (CTO of Validity Sensors) asked Michael Barrett (PayPal’s CISO) if he was interested in fingerprint-enabling paypal.com
        – Michael replied that he was, but only if it could be achieved via open standards
      • FIDO Alliance launched in 2013 with six member companies
        – over 250 members worldwide today
      https://fidoalliance.org/about/history/
  32. How WebAuthn Works
      • Registration
      • Authentication
  33. WebAuthn Components
      Diagram is from https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
  34. WebAuthn Components
      • Server (Relying Party): the server-side component of the application; uses WebAuthn to register and authenticate users
      • JavaScript Application: the client-side component of the application; uses WebAuthn to register and authenticate users
  35. WebAuthn Components
      • Browser: a WebAuthn-compatible browser
      • Authenticator: creates and stores credentials
        – embedded into an operating system
        – USB or Bluetooth Security Key
  36. Demo
  37. WebAuthn Registration
      Diagram is from https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
  38. WebAuthn Registration
      • Step 0: Application requests registration
      • Step 1: Server sends challenge, user info, and Relying Party info
  39. WebAuthn Registration
      • Step 2: Browser calls authenticatorMakeCredential() on Authenticator
      • Step 3: Authenticator creates new PKI key pair and attestation
      • Step 4: Authenticator returns public key and other data to browser
  40. WebAuthn Registration
      • Step 5: Browser creates final data (including public key) and JavaScript application sends response to server
      • Step 6: Server validates and finalizes registration
        – store the new public key associated with the user's account for future use
  41. WebAuthn Authentication
      Diagram is from https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
  42. WebAuthn Authentication
      • Authentication flow is similar to the registration flow
      • Primary differences:
        – authentication doesn't require user or relying party information
        – authentication creates an assertion using the previously generated key pair
  43. WebAuthn Authentication
      • Step 0: Application requests authentication
      • Step 1: Server sends challenge
      • Step 2: Browser calls authenticatorGetCredential() on Authenticator
      • Step 3: Authenticator creates an assertion
      • Step 4: Authenticator returns data to browser
  44. WebAuthn Authentication
      • Step 5: Browser creates final data (including Public Key) and JavaScript application sends response to server
      • Step 6: Server validates and finalizes authentication
  45. Demo
  46. WebAuthn Benefits
      • Fingerprint or facial biometrics authenticators
      • Based on PKI
      • User credentials and biometric templates:
        – never leave the user’s device
        – never stored on backend servers
      Very secure 2FA
  47. WebAuthn Adoption
      • Google Chrome version 67
      • Mozilla Firefox version 60
      • Microsoft Edge build 17723
      • Use services that adopted WebAuthn https://www.yubico.com/setup/#security-key
      • Google employees use Titan Security Keys https://thehackernews.com/2018/07/google-titan-security-key-fido.html
  48. What is my next step?
      • Implement it yourself
        https://developers.google.com/web/updates/2018/05/webauthn
        https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
        https://www.yubico.com/why-yubico/for-developers/
      • Wait for someone else to do it for you! e.g. Keycloak https://ultimatesecurity.pro/post/oidc-presentation/
  49. Summary
      • Bad 2FA is better than no 2FA
      • WebAuthn is a better, more secure 2FA
      • Prepare for WebAuthn
  50. Thank you!
      • Contact me
        – www.linkedin.com/in/furmanmichael/
        – ultimatesecpro@gmail.com
        – https://ultimatesecurity.pro/
        – @ultimatesecpro
