Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to WebAuthn is simpler, stronger and ready to go
Similar to WebAuthn is simpler, stronger and ready to go (20)
More from Michael Furman
Recently uploaded
Recently uploaded (20)
WebAuthn is simpler, stronger and ready to go
- 1. Passwords are passé. WebAuthn is simpler, stronger and ready to go Michael Furman Security Architect
- 2. What will we see today? • What’s wrong with passwords? • What is 2FA? • Why is 2FA better? • WebAuthn drilldown • WebAuthn benefits • What is my next step?
- 3. About Me • 20+ years in software engineering • 10+ years in application security • 4+ years Lead Security Architect at Tufin • www.linkedin.com/in/furmanmichael/ • ultimatesecpro@gmail.com • Read my blog https://ultimatesecurity.pro/ • Follow me on twitter @ultimatesecpro • I like to travel, read books and listen to music.
- 4. About Tufin • Market Leader in Security Policy Orchestration for firewalls and cloud – New Tufin products integrate security into DevOps pipeline • Established in 2005 • Used in over 2,000 enterprises, including 40 Fortune 100 companies • We are constantly growing! www.tufin.com/careers/
- 5. What’s wrong with passwords? • Subject to brute force attacks • Can be stolen via phishing attacks
- 6. What is a brute force attack? “A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.” https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
- 7. How to prevent a brute force attack? • Enforce brute force protection – Lock user after subsequent login failures • Enforce complex passwords – Passphrases
- 8. Complex passwords. Really? • Do users really use complex passwords? • List of common passwords https://en.wikipedia.org/wiki/List_of_the_most_common_passwords – First place: ‘123456’ – Second place: ‘password’
- 9. How to enforce complex passwords? • Password policies • What is a password policy? A Password Policy is the set of restrictions and/or requirements that a user must follow to ensure that their password is strong.
- 10. Sample password policy • Minimum 12 characters • Must include: – uppercase letters – lowercase letters – digits – non-alphanumeric (special) characters • Must be different from username
- 11. Sample password policy • Change every 60 days • Password cannot be reused • Prevent incremental changes (e.g. Passw0rd, Passw1rd, Passw2rd) My “favorite” password policy
- 12. Do password policies work? • Technically? Yes. But ... • Frustrates users • Users evade policies – Write the passwords down – Forget the replaced password • Potentially increase administrative costs
- 13. What is a phishing attack? • Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. • It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. https://www.incapsula.com/web-application- security/phishing-attack-scam.html
- 14. Can I prevent phishing attacks? • Complex • Multi-million$ industry of its own • E.g. https://www.owasp.org/index.php/Phishing
- 15. Best password advice • Passwords are like underwear Picture is from https://it.ie/keep-passwords-secure/
- 16. What is Two-Factor Authentication? Two-factor authentication (2FA) is a method of confirming a user's claimed identity by utilizing a combination of two different factors: 1. Something they know 2. Something they have or something they are https://en.wikipedia.org/wiki/Two-step_verification
- 17. Why 2FA is more secure? • The attacker should not know the 2nd factor! • Weaker passwords are still crackable, but who cares!
- 18. Types of 2FA • Text Message (SMS) • OTP • WebAuthn
- 19. 2FA using Text Messages (SMS) • SMS contains authentication code
- 20. Is 2FA using SMS secure? • “NIST is no longer recommending Two-Factor authentication using SMS” Bruce Schneier blog (2016) https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html NIST stands for National Institute of Standards and Technology • SMS can be intercepted Signaling System No. 7 (SS7) protocols vulnerability
- 21. 2FA using one-time password (OTP) • Authentication using OTP generated by: – Mobile device applications • Google Authenticator • FreeOTP – Dedicated device • RSA SecurID Picture is from https://en.wikipedia.org/wiki/RSA_SecurID
- 22. 2FA using OTP Mobile device: Registration • Scan QR code (shared secret) provided by server on mobile device
- 23. 2FA using OTP Mobile device: Authentication • Provide OTP generated by mobile device to server to complete authentication
- 24. Is 2FA using OTP secure? • No currently known vulnerabilities • Possible attack vector: – OTP relies on a shared secret key (QR code) – An attacker may gain access to these keys – High complexity
- 25. 2FA Migration from SMS to OTP • Instagram https://techcrunch.com/2018/07/17/instagram-2-factor/ • Facebook https://www.theverge.com/2018/5/23/17385654/facebook- two-factor-authentication-process-app-phone-number
- 26. Ideal 2FA? • Biometric scan – Fingerprint – Retina
- 27. Fingerprint Scan Example Picture is from the “Back to the Future Part II” movie
- 28. Retina Scan Example Picture is from the “Despicable Me” movie
- 29. Is biometric scan secure? Picture is from the “Demolition Man” movie
- 30. What is WebAuthn? • WebAuthn (Web Authentication) – standard web API (Credential Management API) – is incorporated into browsers – allows very secure 2FA – based on the FIDO specification https://www.w3.org/TR/webauthn/
- 31. What is FIDO? • FIDO = Fast Identity Online • FIDO Alliance started from a conversation in 2009 – Ramesh Kesanupalli (CTO of Validity Sensors) asked Michael Barrett (PayPal’s CISO) if he was interested in fingerprint- enabling paypal.com – Michael replied that he was, but only if it could be achieved via open standards • FIDO Alliance launched in 2013 with six member companies – over 250 members worldwide today https://fidoalliance.org/about/history/
- 32. How WebAuthn Works • Registration • Authentication
- 33. WebAuthn Components Diagram is from https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
- 34. WebAuthn Components • Server (Relying Party) - server side component of application uses WebAuthn to register and authenticate users • JavaScript Application - client side component of application uses WebAuthn to register and authenticate users
- 35. WebAuthn Components • Browser – a WebAuthn-compatible browser • Authenticator – creates and stores credentials – embedded into an operating system – USB or Bluetooth Security Key
- 36. Demo
- 37. WebAuthn Registration Diagram is from https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
- 38. WebAuthn Registration • Step 0: Application requests registration • Step 1: Server sends challenge, user Info, and Relying Party info
- 39. WebAuthn Registration • Step 2: Browser calls authenticatorMakeCredential() on Authenticator • Step 3: Authenticator creates new PKI Key Pair and attestation • Step 4: Authenticator returns Public Key and other data to browser
- 40. WebAuthn Registration • Step 5: Browser creates final data (including Public Key) and JavaScript application sends response to server • Step 6: Server validates and finalizes registration – store the new Public Key associated with the user's account for future use
- 41. WebAuthn Authentication Diagram is from https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
- 42. WebAuthn Authentication • Authentication flow similar to registration flow • Primary differences: – authentication doesn't require user or relying party information – authentication creates an assertion using previously generated key pair
- 43. WebAuthn Authentication • Step 0: Application requests authentication • Step 1: Server sends challenge • Step 2: Browser calls authenticatorGetCredential() on Authenticator • Step 3: Authenticator creates an assertion • Step 4: Authenticator returns data to browser
- 44. WebAuthn Authentication • Step 5: Browser creates final data (including Public Key) and JavaScript application sends response to server • Step 6: Server validates and finalizes authentication
- 45. Demo
- 46. WebAuthn Benefits • Fingerprint or facial biometrics authenticators • Based on PKI • User credentials and biometric templates: – never leave the user’s device – never stored on backend servers Very secure 2FA
- 47. WebAuthn Adoption • Google Chrome version 67 • Mozilla Firefox version 60 • Microsoft Edge build 17723 • Use services that adopted WebAuthn https://www.yubico.com/setup/#security-key • Google employees use Titan Security Keys https://thehackernews.com/2018/07/google-titan- security-key-fido.html
- 48. What is my next step? • Implement it yourself https://developers.google.com/web/updates/2018/05/webauthn https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with- the-webauthn-api/ https://www.yubico.com/why-yubico/for-developers/ • Wait for someone else to do it for you! e.g. Keycloak https://ultimatesecurity.pro/post/oidc-presentation/
- 49. Summary • Bad 2FA is better than no 2FA • WebAuthn is a better, more secure 2FA • Prepare for WebAuthn
- 50. Thank you! • Contact me – www.linkedin.com/in/furmanmichael/ – ultimatesecpro@gmail.com – https://ultimatesecurity.pro/ – @ultimatesecpro
Editor's Notes
- Hi everyone, Thank you for joining the last lecture for today. What will we see today? First, we will understand what is wrong with passwords. Then, we will learn what is two factor authentication and why it is better. I will elaborate WebAuthn and we will know its benefits. Finally, we will see our next step.
- Before we begin, a couple of words about me and the company I work for - Tufin. I have many years of experience in software development. Like most of you here today, I particularly like application security. I started to work in this area more than 10 years ago, and enjoy each day I work on it. For the last few years, I am responsible for the application security of all Tufin products. Recently I have started to write a blog – you are more then welcomed to read it. Something personal: I like traveling, reading books and listening to music. I particularly enjoy listen to jazz.
- And now, a couple of words about Tufin. Tufin is a great company. It is already over 13 years old. We have a lot of customers. Our customers are all around the world: in Israel, USA, Europe, Asia. Some are huge companies, others are much smaller. We have customers in many industries. For example: AT&T, BMW and Visa. Recently we have started to develop products that integrate security into DevOps pipeline. You are more then welcomed to visit our booth. Tufin is always growing. When I joined the company about 5 years ago, it took up only one and half floors. Now it takes up almost 4 floors and that is only in Israel. We have also expanded abroad. We recently opened up a new main office in Boston. We are always looking for good people. We are looking for Java, C++, DevOps people. We are looking for Docker and Kubernetes gurus. You can visit our site to see our open positions in RnD, Sales, Marketing and additional areas.
- What’s wrong with passwords? Passwords are subject to brute force attacks. Passwords can be stolen via phishing attacks.
- You may configure your authentication service to lock a user after more than 5 failed logins. Or you may enforce complex passwords.
- Raise your hand if you use complex password. ‘123456’ and ‘password’ on the first places.
- We may use password policies to enforce complex passwords.
- Lets see the sample password policy.
- Prevent incremental changes is my “favorite” one.
- It is not simple to follow password policies. You need to remember complex passwords, replace them on time … In addition, somebody need to manage policies. Do we have a way to prevent successful authentication even the password is cracked? We will see later…
- What is a phishing attack? Phishing is a type of attack used to steal user confidential data. Couple of phishing attacks were recently in Israel.
- can we prevent phishing attacks? Of course we can, but 1. It is the complex task. 2. It is subject to human failure 3. If it succeeds, then user is in trouble I will not elaborate it today since possible to talk about it couple of hours. What we will see from this presentation that there is a better authentication schema that prevent accessing the account with a stolen password!
- Before we will start our two factor authentication journey I want to give you the best password advice: passwords are like underwear. Do not think someone use underwear more than one month? So, remember to change your passwords. Can you imagine the situation when you share underwear with someone else? Or you use underwear of someone else? Same with passwords *do not share it with other people One more question: have you seen even once someone pin an underwear to a display? Or leave an underwear under a keyboard? It is not a smart or safe idea. Therefore, do not do the same for your passwords.
- Lets start to talk about Two-Factor Authentication.
- Attacker will not be able to access your account – only you know the second factor. It is good way to prevent phishing attacks.
- Stages of implementing a 2FA authentication: 1) Registration – you need to register the two factor authentication with your account. 2) Generation – a second factor is generated. 3) Delivery – the second factor should be delivered to a user. 4) Authentication – the user authenticates using the second factor.
- Lets start with the SMS example. First, you need to register – you need to configure your phone number in your account. Then, during the authentication an authentication service generates a long number. The number is delivered via SMS to your phone.
- Is it secure?
- Another example is the authentication using one-time password.
- Similar: First, you need to register. Usually you need to scan a QR cone on your mobile device.
- The device generates OTP. You need to provide the OTP code to your authentication server to complete authentication. ============== There are two different algorithms to choose from for your OTP generators. Time Based (TOTP) Counter Based (HOTP). For TOTP, your token generator will hash the current time and a shared secret. For HOTP a shared counter is used instead of the current time.
- Is this OTP secure? We do not have known vulnerabilities. The theoretical attack may use the shared secrets.
- Social network providers (e.g. Instagram, Facebook) understand the weakness of the 2FA via SMS. Therefore they are migrating from SMS to OTP. Note that SMS was formally declared as unsecure in 2016 – what took them so long?!?!
- What would be ideal 2FA? The ideal 2FA should use the biometric data. The fingerprint or retina scan are good examples.
- Once again, movies lead the way in technology The fingerprint scan of Jennifer Parker works even in the future. Jennifer can easily enter into her home by using her finger as the “key”.
- Even animated movies ... The Retina Scan allows Gru to enter the bank using the most secure technological advances.
- Is biometric scan secure? Yes, but there is a way to brute force the biometric scan, at least in movies. The criminal Simon escapes from the prison using the retina scan of a stolen eyeball. In reality, though, we can trust biometric scans: US and Israel immigration trusts biometric scans to let people enter their borders without human intervention.
- WebAuthn (Web Authentication) is Credential Management API that allows very secure 2FA. WebAuthn is based on the FIDO specification.
- What is FIDO? FIDO stands for Fast Identity Online. The story of the FIDO Alliance is very interesting. It started from a conversation in 2009 between CTO of Validity Sensors and CISO of PayPal. Ramesh asked Michael if he was interested in fingerprint-enabling paypal.com. Michael replied positively, but he wanted to achieve it via open standards because Michael did not want to bind PayPal to a specific vendor. You should read the history of FIDO –it’s really exciting. ---------------------------- U2F Universal 2nd Factor UAF Universal Authentication Framework protocol
- Remember the 4 stages: Registration Generation Delivery Authentication WebAuthn requires only registration and authentication. WebAuthn does not require Generation, since your biometric data is already with you. By the same logic, Delivery of biometric data is not needed. so WebAuthn cut out 2 of the 4 stages!
- https://demo.yubico.com/webauthn/ The fact that a browser can access a physical authenticator is amazing!
- The slide shows the WebAuthn Registration flow. Very important that Steps 2, 3 and 4 part of the protocol already implemented by browsers and authenticators. The application related steps are 1,5 and 6. You may implement these steps and to use with any compatible browser and authenticators.
- Lets elaborate these steps. I do not expect you will remember these steps after the presentation, but it will be great you will see the big picture.
- WebAuthn is – finally - being adopted quite rapidly. For example: All the major browser have adopted WebAuthn. Google employees use WebAuthn to access Google’s services. you can also adopt WebAuthn
- How can I adopt WebAuthn in my application? Do it yourself - open guidelines and implement it. remember that the application related steps include only 1, 5 and 6. Or 2. Wait for someone else to do it for you! For example, Keycloak! Tufin has already adopted Keycloak, and we are just waiting when it will implement WebAuthn. The Keycloak RFE already been opened.
- The takeaways: First of all, better to use any 2FA than to be without 2FA. Second, WebAuthn is a very secure 2FA. And, last but not least, you should prepare for using WebAuthn.
- Thank you for participating in my lecture! Please contact me if you need any additional information, or if you want to send me your resume.