Web Authn & Security Keys: Unlocking the Key to Authentication

A look at Google's approach to strong authentication with FIDO, including an exploration of how security keys have been deployed within Google and how simple and secure user journeys are with Web Authn.

  1. WebAuthn and security keys = unlocking the key to authentication. Christiaan Brand, Product Manager, Google
  2. It's no secret - passwords aren't enough
  3. 123456: most popular password in 2015. password: 2nd most popular password in 2015. *Verizon data breach report, 2015
  4. 123456789: most popular password in 2018. qwerty: 2nd most popular password in 2018. *techviral.net
  5. 43%: success rate for a well designed password phishing page (*Google study). 81%: of account vulnerabilities were due to weak or stolen passwords (*Verizon data breach report, 2017)
  6. 3.3B+ credentials leaked in dumps. 67M accounts proactively re-secured. 17% minimum password reuse rate. *Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.) https://ai.google/research/pubs/pub46437
  7. 999.
  8. Any second factor improves user security, but... SMS usability: coverage issues, delay, user cost. Device usability: one per site, expensive, fragile. User experience: users find it hard. Phishable: OTPs are increasingly phished.
  9. Web authentication: the user sends their password to the server at https://www.google.com.
  10. Phishing attack, step 1: the user is lured to https://www.goggle.com, a look-alike of google.com.
  11. Phishing attack, step 2: the page at https://www.goggle.com presents a copy of the real sign-in page.
  12. Phishing attack, step 3: the password the user types into goggle.com is relayed by the attacker to google.com, and the attacker is signed in as the user.
  13. At Google, on our journey to replacing the password, we started by making the password safer
  14. Introducing security key: your password + security key → account data
  15. Based on asymmetric cryptography. ● User's device mints a new key pair, gives the public key to the server ● Server asks the user's device to sign data to verify the user ● One device, many services, "bring your own device" enabled. Core idea - standard public key cryptography
  16. How security key works: the key signs the statement "I promise a user is here", "the server challenge was: 337423", "the origin was: google.com", and the browser sends that signed statement together with the password to the server at https://www.google.com
  17. Security key defeats phishing: on the phishing site the key signs "I promise a user is here", "the server challenge was: 337423", "the origin was: goggle.com". The origin in the signed statement is goggle.com, not google.com, so the server at google.com rejects the relayed assertion even though the password was captured. The browser, not the page, supplies the origin, so the phisher cannot make the key sign google.com.
  18. Google's experience
  19. Deployment at Google. Enterprise use case: ● Mandated for Google employees ● Corporate SSO (web) ● SSH ● Forms basis of all authentication. Consumer use case: ● Available as opt-in for Google consumers ● Adopted by other relying parties too: Dropbox, Github
  20. Use cases at Google. Bootstrapping: ● It's only used when an employee signs in on a new device for the first time. ● It protects against phishing. ● The removable security key is carried as part of the badge. Hardware credential binding: ● Once signed into a device, long-lived tokens (cookies, etc.) are usually issued. ● Occasionally, a local security key touch is required, which is presented in combination with this local token. ● This is to ensure the token is still being presented from a machine we trust.
  21. Time to authenticate [chart: time to authenticate (s) for Google employees, and time to present 2nd factor (s) for consumer users; OTP via SMS, OTP via app and Security Keys compared]
  22. Time to authenticate [same chart]. "If you've been reading your e-mail" takeaway: security keys are faster to use than OTPs
  23. Second factor support incidents [chart: support incidents per user per month for OTP vs. Security Key, plotted against the percent of users using Security Keys (active Security Key users), monthly from Jul 2014]
  24. Second factor support incidents [same chart]. "If you've been reading your e-mail" takeaway: security keys cause fewer support incidents than OTPs
  25. We're not quite done
  26. We made the password a lot safer with U2F, but we want to go one step further: we want to remove the password from the equation. That's where FIDO2 and WebAuthn come in
  27. What is WebAuthn? How does it relate to FIDO2? FIDO2 = W3C WebAuthn + FIDO CTAP. WebAuthn is the interface between the remote server (website) and the client (computer, phone); CTAP is the protocol between the client and a removable authenticator (phone, security key). The client may also have a built-in authenticator (fingerprint).
  28. What is WebAuthn? WebAuthn enables user journeys that are: Simple - very intuitive and easy for the user. Secure - resistant to phishing.
  29. Authentication has two core user journeys: bootstrap and re-authentication. WebAuthn / FIDO2 enables multiple use cases
  30. Meet Elisa
  31. Elisa wants to sign in to her bank. She starts on her mobile browser and enrolls in fingerprint after sign-in. Registering and using a built-in authenticator for re-auth (mobile web)
  32. 1. Registering built-in authenticator for re-auth (mobile web). Request: UV=true, X-Plat=false. Result: credential (internal, caBLE). Elisa launches her mobile browser, Chrome, and goes to Tri-Bank
  33. She signs in with her username and password
  34. Tri-Bank shows a promo asking Elisa if she wants to opt in to fingerprint to sign in. She opts in and continues to her account
  35. 2a. Using built-in authenticator for re-auth (mobile web). Elisa comes back to Tri-Bank in another session
  36. The next time Elisa opens Tri-Bank on her mobile browser, she gets a fingerprint dialog. Request: credentialId (internal). Since the user already signed in on this device, the credential ID is encoded in the cookie and the RP requests the "internal" transport only (since they don't want the user to see prompts about external authenticators).
  37. Using only her fingerprint, she's able to sign in without using her username + password on mobile web. Request: credentialId (internal)
  38. 2b. Using built-in authenticator for re-auth (native mobile app). Elisa downloads Tri-Bank from the Play Store. She launches the app for the first time to sign in to check her funds
  39. Request legend for the remaining flows: "Request UV=true, X-Plat=false → Result: credential (internal, caBLE)" is a registration of a built-in authenticator with user verification; "Request credentialId (internal)" is re-authentication with a known credential ID over the internal transport only; "Request (alternative) {empty credentialId}" sends no credential ID and will result in a prompt to insert a removable SK. She installs Tri-Bank from the Google Play Store and opens the app
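How the request shorthand on slides 32, 36 and 39 (UV=true, X-Plat=false, "credentialId (internal)", "{empty credentialId}") maps onto the WebAuthn API options a relying party hands to `navigator.credentials.create()` and `navigator.credentials.get()`, as an added example that is not part of the deck and not Tri-Bank's or Google's code. The RP ID `tri-bank.example`, the cookie name `reauth_cred` and the constructed cookie string are assumptions; the option names and values are those of the WebAuthn Level 1/2 API.

```javascript
// Added example (not from the slides): building WebAuthn request options for the
// three request shapes the deck uses. RP ID, cookie name and sample cookie are assumed.
const RP_ID = 'tri-bank.example';

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, c => c.charCodeAt(0));
}

// Slide 32: "UV=true, X-Plat=false" = register a built-in (platform) authenticator and
// require user verification (fingerprint). For Jim's typeless flow (slides 60-66) pass
// roaming: true, which asks for a cross-platform key and a discoverable (resident)
// credential so the key can later offer an account chooser without a username.
function registrationOptions({ challenge, user, roaming = false }) {
  return {
    rp: { id: RP_ID, name: 'Tri-Bank' },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }], // ES256, RS256
    authenticatorSelection: {
      authenticatorAttachment: roaming ? 'cross-platform' : 'platform', // X-Plat
      userVerification: 'required',                                    // UV=true
      residentKey: roaming ? 'required' : 'discouraged',
      requireResidentKey: roaming,
    },
    timeout: 60000,
  };
}

// Slide 36: "credentialId (internal)" = re-auth with the credential ID the RP stored
// in a cookie after the first sign-in, restricted to the internal transport so the
// browser never shows prompts about external authenticators.
function reauthOptions({ challenge, credentialIdB64url }) {
  return {
    rpId: RP_ID,
    challenge,
    userVerification: 'required',
    allowCredentials: [{
      type: 'public-key',
      id: base64urlToBytes(credentialIdB64url),
      transports: ['internal'],
    }],
  };
}

// Slide 39: "{empty credentialId}" = no allowCredentials. The browser prompts for a
// removable security key; a key holding discoverable credentials shows the account
// chooser of slide 66, so no username or password is typed.
function typelessOptions({ challenge }) {
  return { rpId: RP_ID, challenge, userVerification: 'required', allowCredentials: [] };
}

// Pull the credential ID out of a Cookie header (cookie name is an assumption).
function credentialIdFromCookie(cookieHeader, name = 'reauth_cred') {
  for (const part of cookieHeader.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k === name && v) return decodeURIComponent(v);
  }
  return null;
}

// What the sign-in page decides before calling navigator.credentials.get({ publicKey }):
// known device -> fingerprint re-auth; unknown device -> typeless security-key prompt.
function chooseRequest(cookieHeader, challenge) {
  const id = credentialIdFromCookie(cookieHeader);
  return id ? reauthOptions({ challenge, credentialIdB64url: id }) : typelessOptions({ challenge });
}
```

In the browser the call is `navigator.credentials.get({ publicKey: chooseRequest(document.cookie, challengeFromServer) })` with `challengeFromServer` a fresh random `Uint8Array` the RP generated for this sign-in; the credential ID cookie only selects which credential to ask for and carries no secret, so it can be readable by script. Note that the strength inheritance on slide 53 applies here: the credential registered by `registrationOptions` is only as strong as whatever authenticated the session in which it was registered.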
  40. Elisa chooses "Sign In" and also chooses an account. Request: credentialId (internal)
  41. Elisa is now asked to authenticate with the fingerprint dialog
  42. 3. Cross-platform bootstrap. Elisa wants to sign in to her bank on her desktop computer
  43. Elisa chooses to sign in on her desktop browser
  44. Elisa enters her account username and chooses to proceed "next"
  45. She's asked to verify the new device using her Pixel 2 phone's fingerprint that she's been using to sign in to Tri-Bank
  46. Because Elisa has a Macbook with Touch ID, Tri-Bank asks her if she wants to use the local fingerprint on the device
  47. Elisa gets prompted to try using the local fingerprint on the device
  48. She opts in and continues to her account
  49. When Elisa comes back to Tri-Bank on the Macbook Pro
  50. 4. Using built-in authenticator for re-auth. Elisa comes back to sign in on her desktop browser
  51. A fingerprint dialog appears above the sign-in page and Elisa touches the sensor
  52. Elisa's identity is accepted and she's signed in
  53. Note that we're inheriting the strength of the credentials from the initial bootstrap. If in step 1 we only ask the user for a username + password, the strength of all the derived credentials is only as good as a username + password. If in step 1 we ask for a stronger credential (2nd factor security key), all of the derived credentials would inherit those stronger attributes too.
  54. Now let's meet Jim
  55. 5. Typeless bootstrap flow. Jim has a fingerprint-enabled security key and is signing in to his desktop computer
  56. 5a. Typeless bootstrap flow (registration). Jim comes to sign in with his desktop computer
  57. Jim enters his account username and chooses to proceed "next"
  58. Jim enters his account password
  59. Jim is asked to verify with a 2nd verification step
  60. He gets a promotion for typeless verification, and enrolls
  61. Jim inserts the Security Key and taps the sensor on the key
  62. Jim's Security Key is enrolled and ready to be used
  63. Jim uses a new device with his registered security key
  64. 5b. Typeless bootstrap flow (log in). Jim decides to use his friend's Windows computer to sign in
  65. Jim inserts the Security Key and taps on the sensor
  66. He chooses the account he wants amongst the other accounts that are registered on the SK
  67. He signed in without username or password
  68. How can I get started? Desktop/laptop: ● WebAuthn support was launched in Chrome 67. ● The initial release supports only external tokens. ● Support for built-in modalities is coming later in the fall. Android: ● FIDO2 APIs on Android are available in pre-release mode. ● Support for FIDO2 on the web (to the built-in fingerprint sensor) will come later in the fall. Visit webauthndemo.appspot.com to try it out
  69. Questions?
  70. That's a wrap
