Hackers and crackers are exposing the password as the Internet’s weakest security link. To combat these attacks, organizations need to ensure that access to online information is protected and restricted to authorized users, and diminish the reliance on passwords. Join us as we detail a new security feature in WSO2 Identity Server (5.1.0) by enhancing account security with the FIDO Alliance’s U2F public key cryptography specification for strong authentication. In this webinar, WSO2, Yubico co-creator of U2F, and WSO2’s premier integrator Yenlo explain the technology, discuss the use cases for strong authentication, and demonstrate the power and ease-of-use of the U2F security key. WSO2 will present the Authentication framework of WSO2 Identity server, Multi factor and Multi step authentication configuration and more. See the recording of the WSO2 Identity Server webinar here: http://www.yenlo.com/en/web-wso2-identity-server-fido

1. FIDO
Universal
Second
Factor
(U2F)
for
WSO2
Identity
Server
Ishara Karunarathna, Senior Software Engineer, WSO2
Jerrod Chong, Solutions Team leader, Yubico
Rob Blaauboer, Integration Consultant Yenlo
December
8th 2015

2. About
the
presenters
2
Ishara
Karunarathna
Senior
Software
Engineer,
WSO2
Ishara
is
a
Senior
Software
Engineer
at
WSO2
and
a
key
member
of
WSO2
Identity
server
team,
contributing
towards
the
Identity
Server
and
WSO2's
platform
security.
He
has
participated
in
several
customer
engagements
helping
them
to
realize
enterprise
use
cases
and
to
build
solutions
On
top
of
WSO2
platform.
Jerrod
Chong
Solutions
Team
leader,
Yubico
Jerrod
leads
the
Solutions
team
at
Yubico
with
over
fifteen
years
of
experience
specializing
in
enterprise
security
solutions.
He
works
with
small,
medium
and
enterprise
customers
to
consult
and
build
open
scalable
security
solutions.
Jerrod
is
also
an
active
contributor
in
the
FIDO
Alliance
U2F
technical
working
group
and
security
certification
development
committee.
Rob
Blaauboer
Senior
Consultant,
Yenlo
Rob
is
a
Senior
Business
Consultant
and
Solution
Architect
with
more
than
twenty
years
experience.
In
addition
to
his
work
he
is
an
active
blogger
working
on
a
number
of
articles
on
the
'Internet
of
Things'
and
a
WSO2
'Getting
Started
with
...'
series
in
which
he
talks
about
WSO2
components
and
their
purpose
especially
aimed
at
non
technical
readers.

3. 3
• Global
enterprise,
founded
in
2007
with
an
international
focus
on
delivering
integration
solutions
based
on
Java
open
source
• #1
in
the
field
of
Integration
Solutions
• #1
in
Managed
Services
for
middleware
environments
• #1
Global
Strategic
Alliance
partner
of
WSO2
• WSO2
Product
Support
• WSO2
Development
• WSO2
QuickStarts
• WSO2
Training
&
Certifications
• WSO2
24/7
Managed
Services
• WSO2
Events
About Yenlo

4. What
Yenlo
delivers
4
Enterprise
Architecture Software
Development Managed
Services
WSO2
Product
Support WSO2
Development
Support WSO2
QuickStart
WSO2
Training
&
Certifications WSO2
Managed
Services WSO2
Events

5. Agenda
5
Making
WSO2
Identity
Server
more
secure
with
FIDO
UAF
&
U2F
• Our security is at risk
• introduction to FIDO and Why FIDO U2F
•Introduction WSO2 IS
• Demo
• Benefits of the solution
• Q&A

6. Our security is at risk

7. Making it more secure
Starts at the basis!
Access to a mail service enables a hacker to
access many more systems
Gmail supports Fido and other 2nd factors
Sensitive information should be secured

8. What is a factor?
o Something you know is for instance as password
or even a username
o Something you have is a smartcard, token or
smartphone
o Something you are is your face, voice and
fingerprint (and many more, even the way you
type)
o The more factors the better

9. Depending on the use case the level of security
needs to be higher
o Logging in to a news website: userId and
password
o Logging in to an eCommerce website like
Amazon: userId and password and the option to
increase the level of security
o Logging into your internet banking or
government services: userId and password and
a challenge / response

10. 10
FIDO Universal 2nd Factor
Simple, secure, open and scalable 2FA

11. 11
Benefits of U2F Over Other 2FA
One device, many sites,
with no shared secrets
Open standard, platform/
browser support
(no client, no driver)
Protection against
phishing and MitM

12. 12
Stats from Google Deployment
U2F vs Google Authenticator
● 4x faster to login
● Support reduced by 40%
● Significant fraud reduction

13. 13
Online services
Chip providers
Device providers
Biometrics technology
Enterprise servers
Open source sw/servers
Mobile apps & clients
Browsers
FIDO U2F Ecosystem
250+ Members

14. 1414
Server
sends
challenge1
Server
receives
and
verifies
device
signature
using
attestation
cert5
Key
handle
and
public
key
are
stored
in
database6
Device
generates
key
pair2
Device
creates
key
handle3
Device
signs
challenge
+
client
info4
Server
sends
challenge
+
key
handle
1
Server
receives
and
verifies
using
stored
public
key
4
Device
unwraps/derives
private
key
from
key
handle
2
Device
signs
challenge
+
client
info
3
Authentication
Individual with U2F Device
Relying
Party
Registration

15. 15
Relying Party
User Side
U2F Code
USB (HID) API
U2F JS APISecure U2F
Element (optional)
Transport
USB (HID)
Web Application
U2F Library
Public Keys +
Key Handles +
Certificates
User Action
FIDO Client
Browser
U2F Authenticator
U2F Entities
NFC API
Bluetooth API
NFC
Bluetooth

16. 16
Protocol Design
Step-­By-­Step

17. 17
U2F
Device Client
Relying
Party
challenge
challenge
Sign
with
kpriv signature(challenge)
s
Check
signature (s)
using kpub
s
Lookup
kpub
Authentication

18. 18
U2F
Device Client
Relying
Party
challenge
challenge, origin, channel id
Sign
with kpriv
signature(c)
c, s
Check s
using kpub
Verify origin &
channel id
s
Lookup
kpub
Phishing/MitM Protection

19. 19
U2F
Device Client
Relying
Party
handle, app id, challenge
h, a;; challenge, origin, channel id, etc.
c
a
Check
app id
Lookup
the kpriv
associated
with h
Sign
with kpriv
signature(a,c)
c, s
Check s
using kpub
Verify origin &
channel id
s
h
Lookup
the kpub
associate
d with h
Application-­Specific Keys

20. 20
U2F
Device Client
Relying
Party
app id, challenge
a;; challenge, origin, channel id, etc.
c
a
Check
app id
Generate:
kpub
kpriv
handle h kpub, h, attestation cert, signature(a,c,kpub,h)
c, kpub, h, attestation cert, s
Associate
kpub with
handle h
for user
s
Registration + Device Attestation

21. 21
Original DB
Original Database
user_id Password#
JohnDoe
4^hfd;;`gpo
U2F Database
U2F DB
Relation
Relying Party
user_id Meta U2F Data
JohnDoe
Yubico, Security
Key, USB
Key handle, public
key, certificate
JohnDoe
Yubico, YubiKey
NEO, USB + NFC
Key handle, public
key, certificate
Adding U2F Support

22. Yubico -­ inventors of the YubiKey
Find out more at yubi.co

23. Introduction
WSO2
Identity
Server

24. What is WSO2 Identity Server
An open source Identity & Entitlement management
server
o 100% free and open source with commercial
support
o Lightweight and high performance
o Highly modular and extensible
o User friendly with minimal learning curve
o Based on open standards

25. Authentication framework
o No more federation silos or spaghetti identity
anti-­patterns
o Multi-­option and multi-­step authentication
o Authentication Bridge
o Provisioning Bridge

26. Authentication framework

27. Local and federated authentication

28. FIDO U2F implementation in Identity server
o Implements the U2F authentication via local
authenticator

29. FIDO U2F implementation in Identity server
oImplements the U2F registration via user
dashboard

30. ADDING
FIDO
TO
A
LOGIN
SEQUENCE

31. Demo scenario
o Prerequisites for the demo
o Start WSO2 Identity Server 5.1.0
o Log in on User Dashboard
o Add U2F device (Yubico)

32. Secure Single Sign-On solution

33. Demo …….

34. FIDO
AND
WSO2
IDENTITY
SERVER:
WHAT
ARE
THE
BENEFITS?

35. Making it more secure
Fido is an open standard
One key can be used for multiple applications
+
WSO2 is an open platform
Integration is easy
=
Level of security increases
Cost is relatively low

36. Questions
&
Answers

37. http://www.slideshare.net/YenloBV
Download
the
webinar
presentation
on
slideshare:
30

38. Contact us !