Universal Second Factor authentication
- or why 2FA today is wubalubadubdub

Yuriy Ackermann, Sr. Certification Engineer @FIDOAlliance
twitter/github: @herrjemand
Agenda:
Why passwords are not enough
Why 2FA has not succeeded
Introduction to U2F
Demo
Q&A
Typical password life cycle: weak, phished, pwned, reused
(see haveibeenpwned.com)

Two Factor Authentication - aka 2FA
Passwords - verify
Three main types (TOTP and HOTP; PKI and OTP)

Problems across the three types: phishing, UX, shared key, synced time, cost, drivers, centralised, fragile, still phishable, privacy, security, SIM reissue, SIM spoof, coverage, NIST ban
Step one: Challenge-Response
Step two: Phishing protection
Step three: Application-specific key-pair (one per Relying Party)
Step four: Replay Attack Protection
Step five: Device attestation (Metadata service)
Step five and a half: Key exercise protection
The user must confirm their decision to perform 2FA by performing a user gesture, e.g. pressing a button, fingerprint, retina scan, pincode, remembering your wife's birthday, solving a Rubik's cube... anything you want.
GMail facets: Web (mail.google.com), Android (apk-key-hash:FD18FA...), iOS (com.google.SecurityKey.dogfood)

{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}

MUST be served over VALID HTTPS! ...no self-signed certs.
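The protection steps listed above (challenge-response, phishing protection via the facet list, a key pair bound to one application, a monotonic counter against replay, and the user-presence gesture) can be watched working together in the following Go program. It is an added example, not code from the slides or from any FIDO, Yubico or Google project: a toy U2F-style device and relying party whose names (Authenticator, RelyingParty, Sign, Verify) and .example origins are constructed for the illustration. The byte string that gets signed mirrors the shape of the U2F authentication message (H(appID) || user-presence || counter || H(clientData)), but this is a teaching model, not a spec-conformant implementation; device attestation (step five) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// One sentinel error per protection step on the slides.
var (
	ErrUntrustedFacet = errors.New("origin not in trusted facets (step two)")
	ErrUnknownKey     = errors.New("device has no key for this appID (step three)")
	ErrBadSignature   = errors.New("signature does not verify (step one)")
	ErrCounterReplay  = errors.New("counter did not increase: replay or cloned device (step four)")
	ErrNoPresence     = errors.New("user presence not confirmed (step five and a half)")
)

// Assertion is the device's answer to one sign request.
type Assertion struct {
	UP      byte   // user-presence flag, 1 = button pressed
	Counter uint32 // monotonic signature counter
	Sig     []byte // ASN.1 ECDSA signature over signedData
}

// signedData is what the device signs: H(appID) || UP || counter || H(clientData), where clientData is the browser's record of challenge and origin.
func signedData(appID string, up byte, counter uint32, challenge []byte, origin string) []byte {
	cd := fmt.Sprintf(`{"challenge":"%x","origin":"%s"}`, challenge, origin)
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256([]byte(cd))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(append(app[:], up), ctr[:]...), cdh[:]...)
}

// Authenticator keeps a separate P-256 key pair per appID and one global counter (hypothetical model).
type Authenticator struct {
	Keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register mints a fresh key pair bound to appID and hands back only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.Keys[appID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with the key bound to appID; any other appID gets nothing.
func (a *Authenticator) Sign(appID string, challenge []byte, origin string, up byte) (*Assertion, error) {
	priv, ok := a.Keys[appID]
	if !ok {
		return nil, ErrUnknownKey
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, up, a.counter, challenge, origin))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{up, a.counter, sig}, nil
}

// RelyingParty is the server side for one registered user: appID, trusted facets, the user's public key, last accepted counter.
type RelyingParty struct {
	AppID  string
	Facets map[string]bool
	Key    *ecdsa.PublicKey
	last   uint32
}

// Verify checks facet, signature, counter and user presence, in that order.
func (rp *RelyingParty) Verify(origin string, challenge []byte, as *Assertion) error {
	if !rp.Facets[origin] {
		return ErrUntrustedFacet
	}
	digest := sha256.Sum256(signedData(rp.AppID, as.UP, as.Counter, challenge, origin))
	if rp.Key == nil || !ecdsa.VerifyASN1(rp.Key, digest[:], as.Sig) {
		return ErrBadSignature
	}
	if as.Counter <= rp.last {
		return ErrCounterReplay
	}
	if as.UP&1 == 0 {
		return ErrNoPresence
	}
	rp.last = as.Counter
	return nil
}

func main() {
	rp := &RelyingParty{AppID: "https://accounts.example", Facets: map[string]bool{"https://accounts.example": true, "https://mail.example": true}}
	auth := &Authenticator{Keys: map[string]*ecdsa.PrivateKey{}}
	rp.Key, _ = auth.Register(rp.AppID)
	c := make([]byte, 32) // step one: a fresh random challenge for every login
	rand.Read(c)
	as, _ := auth.Sign(rp.AppID, c, "https://mail.example", 1)
	fmt.Println("honest login:", rp.Verify("https://mail.example", c, as))
	fmt.Println("same assertion replayed:", rp.Verify("https://mail.example", c, as))
	fmt.Println("unlisted origin:", rp.Verify("https://mail.example.evil", c, as))
}
```

The order of checks in Verify is the point: an origin outside the facet list is rejected before any cryptography runs, a signature from an old challenge fails because the challenge is hashed into clientData, a verbatim replay of a valid assertion fails on the counter, and an assertion produced without the user gesture is refused even though its signature is good. On the device side, a site using a different appID cannot exercise the key at all.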
dongleauth.info

Support status: Yes, Yes* (Nightly), No* (Soon...), Maybe?, Yes
A W3C standard for PublicKey credential authentication
https://www.w3.org/Webauthn/
Passwords are hard.
2FA is wubalubadubdub, and we need to do something about it.
FIDO U2F is sweet.
The protocol is cute.
You can have multiple identities.
There are existing solutions... and people do use them.
You must use HTTPS.
Start using TLS Channel IDs.
U2F is just 2FA. Don't use it as a primary factor.
Specs and data; things to play with:
https://github.com/Yubico/pam-u2f
https://github.com/Yubico/python-u2flib-server
https://github.com/Yubico/python-u2flib-host
https://github.com/herrjemand/flask-fido-u2f
https://github.com/gavinwahl/django-u2f
https://github.com/google/u2f-ref-code
https://github.com/conorpp/u2f-zero
https://developers.yubico.com/U2F/
https://fidoalliance.org/specifications/download/
https://github.com/LedgerHQ <- JavaCard
FIDO Dev (fido-dev) mailing list