Passwords are insecure: they can be guessed by brute force or stolen by phishing. Two-factor authentication (2FA) is stronger, but the common second factors (SMS codes, one-time passwords) have weaknesses of their own. WebAuthn is a web authentication standard that gives simpler and more secure 2FA using public-key cryptography. With WebAuthn the private key never leaves the user's device, the server stores only a public key, and the signed response is bound to the site's origin, so neither a stolen password nor a phishing page is enough to log in. WebAuthn is gaining adoption in browsers and services and offers a more secure path forward for authentication.
2. What will we see today?
• What’s wrong with passwords?
• What is 2FA?
• Why is 2FA better?
• WebAuthn drilldown
• WebAuthn benefits
• What is my next step?
3. About Me
• 20+ years in software engineering
• 10+ years in application security
• 4+ years Lead Security Architect at Tufin
• www.linkedin.com/in/furmanmichael/
• ultimatesecpro@gmail.com
• Read my blog https://ultimatesecurity.pro/
• Follow me on twitter @ultimatesecpro
• I like to travel, read books and listen to music.
4. About Tufin
• Market Leader in Security Policy Orchestration for
firewalls and cloud
– New Tufin products integrate security into DevOps
pipeline
• Established in 2005
• Used in over 2,000 enterprises, including 40
Fortune 100 companies
• We are constantly growing!
www.tufin.com/careers/
5. What’s wrong with passwords?
• Subject to brute force attacks
• Can be stolen via phishing attacks
6. What is a brute force attack?
“A brute-force attack is an attempt to discover a
password by systematically trying every possible
combination of letters, numbers, and symbols
until you discover the one correct combination
that works.”
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
7. How to prevent a brute force attack?
• Enforce brute force protection
– Lock the user after N consecutive login failures
– Make the lock time-limited (and growing), otherwise an
attacker can lock legitimate users out on purpose
• Enforce complex passwords
– Passphrases
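The lockout described above, as an added example (not code from the original slides): consecutive failures are counted per account, the lock starts after a threshold and doubles on every further failure up to a cap, and a successful login clears the counter. The threshold and durations are assumed policy values; the password check is a stand-in for a real hash comparison.

```javascript
// Added example: consecutive-failure lockout with exponential backoff.
// A permanent per-account lock lets an attacker lock real users out on purpose,
// so the lock is time-limited and grows with each further failure.
const FREE_ATTEMPTS = 5;              // failures tolerated before the first lock (assumed)
const BASE_LOCK_MS = 30 * 1000;       // first lock: 30 s (assumed)
const MAX_LOCK_MS = 60 * 60 * 1000;   // never lock longer than 1 h (assumed)

class LoginGuard {
  // `now` is injectable so the behaviour can be tested with a fake clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // username -> { failures, lockedUntil }
  }

  // Milliseconds of lock left for this account, 0 if a login attempt is allowed.
  lockRemaining(user) {
    const s = this.state.get(user);
    return s ? Math.max(0, s.lockedUntil - this.now()) : 0;
  }

  // Record a failed password check. Returns the lock duration applied (0 if none yet).
  recordFailure(user) {
    const s = this.state.get(user) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    let lock = 0;
    if (s.failures >= FREE_ATTEMPTS) {
      // 5th failure -> 30 s, 6th -> 60 s, 7th -> 120 s ... capped at MAX_LOCK_MS
      lock = Math.min(MAX_LOCK_MS, BASE_LOCK_MS * 2 ** (s.failures - FREE_ATTEMPTS));
      s.lockedUntil = this.now() + lock;
    }
    this.state.set(user, s);
    return lock;
  }

  // A successful login resets the account's history.
  recordSuccess(user) {
    this.state.delete(user);
  }
}

// The lock check runs BEFORE the password is verified, so a locked account
// costs the attacker nothing but also yields no information.
function attemptLogin(guard, users, user, password) {
  if (guard.lockRemaining(user) > 0) return { ok: false, reason: 'locked' };
  const ok = users.get(user) === password; // stand-in for a real password-hash check
  if (!ok) {
    guard.recordFailure(user);
    return { ok: false, reason: 'bad-credentials' };
  }
  guard.recordSuccess(user);
  return { ok: true };
}
```

Rate-limiting by source IP should sit in front of this as a second layer; on its own, per-account lockout still lets an attacker who spreads guesses over many accounts keep trying.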
8. Complex passwords. Really?
• Do users really use complex passwords?
• List of common passwords
https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
– First place: ‘123456’
– Second place: ‘password’
9. How to enforce complex passwords?
• Password policies
• What is a password policy?
A Password Policy is the set of restrictions
and/or requirements that a user must follow
to ensure that their password is strong.
10. Sample password policy
• Minimum 12 characters
• Must include:
– uppercase letters
– lowercase letters
– digits
– non-alphanumeric (special) characters
• Must be different from username
11. Sample password policy
• Change every 60 days
• Password cannot be reused
• Prevent incremental changes
(e.g. Passw0rd, Passw1rd, Passw2rd)
My “favorite” password policy
12. Do password policies work?
• Technically? Yes. But ...
• Frustrates users
• Users evade policies
– Write the passwords down
– Forget the replaced password
• Potentially increase administrative costs
• NIST SP 800-63B (2017) now advises against forced
periodic changes and composition rules, in favour of
length and checking against lists of known-breached passwords
13. What is a phishing attack?
• Phishing is a type of social engineering attack
often used to steal user data, including login
credentials and credit card numbers.
• It occurs when an attacker, masquerading as a
trusted entity, dupes a victim into opening an
email, instant message, or text message.
https://www.incapsula.com/web-application-security/phishing-attack-scam.html
14. Can I prevent phishing attacks?
• A complex problem
• Multi-million$ industry of its own
• E.g. https://www.owasp.org/index.php/Phishing
15. Best password advice
• Passwords are like underwear
Picture is from https://it.ie/keep-passwords-secure/
16. What is Two-Factor Authentication?
Two-factor authentication (2FA) is a method of
confirming a user's claimed identity by utilizing a
combination of two different factors:
1. Something they know
2. Something they have or something they are
https://en.wikipedia.org/wiki/Two-step_verification
17. Why is 2FA more secure?
• The attacker does not have the 2nd factor!
• Weaker passwords are still crackable,
but a cracked password alone no longer opens the account
19. 2FA using Text Messages (SMS)
• SMS contains authentication code
20. Is 2FA using SMS secure?
• “NIST is no longer recommending Two-Factor
authentication using SMS”
Bruce Schneier blog (2016)
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html
NIST stands for National Institute of Standards and Technology
• SMS can be intercepted
– Signaling System No. 7 (SS7) protocol vulnerabilities
– SIM swap: the attacker talks the carrier into moving
the number to a SIM he controls
21. 2FA using one-time password (OTP)
• Authentication using OTP generated by:
– Mobile device applications
• Google Authenticator
• FreeOTP
– Dedicated device
• RSA SecurID
Picture is from https://en.wikipedia.org/wiki/RSA_SecurID
22. 2FA using OTP Mobile device:
Registration
• Scan QR code (shared secret) provided by
server on mobile device
23. 2FA using OTP Mobile device:
Authentication
• Provide OTP generated by mobile device to
server to complete authentication
24. Is 2FA using OTP secure?
• No known weakness in the HOTP/TOTP algorithms themselves
• Possible attack vectors:
– OTP relies on a shared secret key (the QR code)
– An attacker who gains access to these keys can
generate valid codes (high complexity)
– The code is not bound to the site: a phishing page
can ask for it and relay it within the validity window
(low complexity)
25. 2FA Migration from SMS to OTP
• Instagram
https://techcrunch.com/2018/07/17/instagram-2-factor/
• Facebook
https://www.theverge.com/2018/5/23/17385654/facebook-two-factor-authentication-process-app-phone-number
29. Is biometric scan secure?
Picture is from the “Demolition Man” movie
30. What is WebAuthn?
• WebAuthn (Web Authentication)
– standard web API, an extension of the Credential
Management API (navigator.credentials)
– is incorporated into browsers
– allows very secure 2FA
– based on the FIDO2 specifications (FIDO Alliance and W3C)
https://www.w3.org/TR/webauthn/
31. What is FIDO?
• FIDO = Fast Identity Online
• FIDO Alliance started from a conversation in 2009
– Ramesh Kesanupalli (CTO of Validity Sensors) asked Michael
Barrett (PayPal’s CISO) if he was interested in fingerprint-
enabling paypal.com
– Michael replied that he was, but only if it could be achieved via
open standards
• FIDO Alliance launched in 2013 with six member companies
– over 250 members worldwide today
https://fidoalliance.org/about/history/
34. WebAuthn Components
• Server (Relying Party) - server side component
of application uses WebAuthn to register and
authenticate users
• JavaScript Application - client side component
of application uses WebAuthn to register and
authenticate users
35. WebAuthn Components
• Browser – a WebAuthn-compatible browser
• Authenticator – creates and stores credentials
– platform authenticator embedded into the device or
operating system (e.g. fingerprint reader, TPM)
– roaming authenticator: USB, NFC or Bluetooth Security Key
38. WebAuthn Registration
• Step 0: Application requests registration
• Step 1: Server sends challenge, user Info, and
Relying Party info
39. WebAuthn Registration
• Step 2: Browser calls
authenticatorMakeCredential() on
Authenticator
• Step 3: Authenticator creates new PKI Key
Pair and attestation
• Step 4: Authenticator returns Public Key and
other data to browser
40. WebAuthn Registration
• Step 5: Browser creates final data (clientDataJSON
and the attestation object containing the Public Key)
and JavaScript application sends response to server
• Step 6: Server validates and finalizes
registration
– check that the challenge, origin and RP ID hash are
the ones the server expects
– store the new Public Key and credential ID associated
with the user's account for future use
42. WebAuthn Authentication
• Authentication flow similar to registration
flow
• Primary differences:
– authentication doesn't require user or relying
party information
– authentication creates an assertion (a signature)
using the previously generated key pair
43. WebAuthn Authentication
• Step 0: Application requests authentication
• Step 1: Server sends a fresh random challenge
(and, optionally, the allowed credential IDs)
• Step 2: Browser calls
authenticatorGetAssertion() on Authenticator
• Step 3: Authenticator checks user presence and
creates an assertion: it signs the authenticator
data plus the hash of the client data with the
private key
• Step 4: Authenticator returns the assertion to browser
44. WebAuthn Authentication
• Step 5: Browser creates final data (credential ID,
clientDataJSON, authenticatorData, signature) and
JavaScript application sends response to server
• Step 6: Server validates and finalizes
authentication
– type, challenge and origin in clientDataJSON
must be the expected ones
– RP ID hash and user-presence flag in
authenticatorData must check out
– signature must verify with the stored Public Key
and the signature counter must have increased
46. WebAuthn Benefits
• Fingerprint or facial biometrics authenticators,
or a simple touch of a security key
• Based on public-key cryptography
• Private keys and biometric templates:
– never leave the user’s device
– are never stored on backend servers (the server
keeps only the Public Key)
• The signed response includes the site origin, so a
phishing site cannot replay it
Very secure 2FA
47. WebAuthn Adoption
• Google Chrome version 67
• Mozilla Firefox version 60
• Microsoft Edge build 17723
• Use services that adopted WebAuthn
https://www.yubico.com/setup/#security-key
• Google employees use Titan Security Keys
https://thehackernews.com/2018/07/google-titan-security-key-fido.html
48. What is my next step?
• Implement it yourself
https://developers.google.com/web/updates/2018/05/webauthn
https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
https://www.yubico.com/why-yubico/for-developers/
• Wait for someone else to do it for you!
e.g. Keycloak
https://ultimatesecurity.pro/post/oidc-presentation/
49. Summary
• Bad 2FA is better than no 2FA
• WebAuthn is a better, more secure 2FA
• Prepare for WebAuthn
Hi everyone, thank you for joining the last lecture for today.
What will we see today? First, we will understand what is wrong with passwords.
Then, we will learn what is two factor authentication and why it is better.
I will elaborate WebAuthn and we will know its benefits.
Finally, we will see our next step.
Before we begin, a couple of words about me and the company I work for - Tufin.
I have many years of experience in software development.
Like most of you here today, I particularly like application security.
I started to work in this area more than 10 years ago, and enjoy each day I work on it.
For the last few years, I am responsible for the application security of all Tufin products.
Recently I have started to write a blog – you are more than welcome to read it.
Something personal: I like traveling, reading books and listening to music. I particularly enjoy listening to jazz.
And now, a couple of words about Tufin.
Tufin is a great company.
It is already over 13 years old.
We have a lot of customers.
Our customers are all around the world: in Israel, USA, Europe, Asia.
Some are huge companies, others are much smaller.
We have customers in many industries. For example: AT&T, BMW and Visa.
Recently we have started to develop products that integrate security into the DevOps pipeline. You are more than welcome to visit our booth.
Tufin is always growing.
When I joined the company about 5 years ago, it took up only one and half floors.
Now it takes up almost 4 floors and that is only in Israel. We have also expanded abroad. We recently opened up a new main office in Boston.
We are always looking for good people.
We are looking for Java, C++ and DevOps people. We are looking for Docker and Kubernetes gurus.
You can visit our site to see our open positions in RnD, Sales, Marketing and additional areas.
What’s wrong with passwords?
Passwords are subject to brute force attacks.
Passwords can be stolen via phishing attacks.
You may configure your authentication service to lock a user after more than 5 failed logins. Or you may enforce complex passwords.
Raise your hand if you use a complex password. ‘123456’ and ‘password’ take the first two places.
We may use password policies to enforce complex passwords.
Let's see the sample password policy.
Prevent incremental changes is my “favorite” one.
It is not simple to follow password policies. You need to remember complex passwords, replace them on time …
In addition, somebody needs to manage the policies.
Do we have a way to prevent successful authentication even if the password is cracked?
We will see later…
What is a phishing attack?
Phishing is a type of attack used to steal confidential user data. A couple of phishing attacks took place recently in Israel.
Can we prevent phishing attacks? Of course we can, but:
1. It is a complex task.
2. It is subject to human failure.
3. If it succeeds, then the user is in trouble.
I will not elaborate on it today, since it is possible to talk about it for a couple of hours.
What we will see in this presentation is that there is a better authentication scheme that prevents access to the account with a stolen password!
Before we will start our two factor authentication journey I want to give you the best password advice: passwords are like underwear.
Do you think someone uses underwear for more than one month? So, remember to change your passwords.
Can you imagine the situation when you share underwear with someone else?
Or you use underwear of someone else?
Same with passwords
*do not share it with other people
One more question: have you seen even once someone pin an underwear to a display?
Or leave an underwear under a keyboard?
It is not a smart or safe idea. Therefore, do not do the same for your passwords.
Let's start to talk about Two-Factor Authentication.
An attacker will not be able to access your account – only you have the second factor.
It is a good way to limit the damage of phishing: a stolen password alone is no longer enough. Note that a code typed into a phishing page can still be relayed by the attacker within its validity window; only an origin-bound factor such as WebAuthn closes that hole.
Stages of implementing a 2FA authentication:
1) Registration – you need to register the two factor authentication with your account.
2) Generation – a second factor is generated.
3) Delivery – the second factor should be delivered to a user.
4) Authentication – the user authenticates using the second factor.
Let's start with the SMS example. First, you need to register – you need to configure your phone number in your account.
Then, during the authentication an authentication service generates a long number.
The number is delivered via SMS to your phone.
Is it secure?
Another example is the authentication using one-time password.
Similar: first, you need to register. Usually you need to scan a QR code on your mobile device.
The device generates OTP.
You need to provide the OTP code to your authentication server to complete authentication.
==============
There are two different algorithms to choose from for your OTP generators.
Time Based (TOTP)
Counter Based (HOTP).
For TOTP, your token generator computes an HMAC of the current time step (for example 30-second intervals) with the shared secret and truncates the result to 6 digits.
For HOTP a shared counter, incremented on every code, is used instead of the current time.
Is this OTP secure?
There are no known weaknesses in the algorithm itself.
The practical attacks target the shared secret (stolen from the server or the device) or the user, who can be tricked into typing the code into a phishing page that relays it.
Social network providers (e.g. Instagram, Facebook) understand the weakness of the 2FA via SMS.
Therefore they are migrating from SMS to OTP.
Note that SMS was formally declared insecure in 2016 – what took them so long?!?!
What would be ideal 2FA?
The ideal 2FA should use biometric data. A fingerprint or retina scan are good examples.
Once again, movies lead the way in technology
The fingerprint scan of Jennifer Parker works even in the future.
Jennifer can easily enter into her home by using her finger as the “key”.
Even animated movies ...
The Retina Scan allows Gru to enter the bank using the most secure technological advances.
Is biometric scan secure?
Yes, but there is a way to brute force the biometric scan, at least in movies.
The criminal Simon escapes from the prison using the retina scan of a stolen eyeball. In reality, though, we can trust biometric scans: US and Israel immigration trust biometric scans to let people cross their borders without human intervention.
WebAuthn (Web Authentication) is an extension of the Credential Management API that allows very secure 2FA.
WebAuthn is based on the FIDO specification.
What is FIDO?
FIDO stands for Fast Identity Online.
The story of the FIDO Alliance is very interesting.
It started from a conversation in 2009 between the CTO of Validity Sensors and the CISO of PayPal. Ramesh asked Michael if he was interested in fingerprint-enabling paypal.com.
Michael replied positively, but he wanted to achieve it via open standards, because Michael did not want to bind PayPal to a specific vendor.
You should read the history of FIDO –it’s really exciting.
----------------------------
U2F – Universal 2nd Factor
UAF – Universal Authentication Framework protocol
Remember the 4 stages:
Registration
Generation
Delivery
Authentication
WebAuthn requires only registration and authentication.
Nothing is generated and delivered to the user at every login: the authenticator already holds the private key (and your biometric data stays on the device), and the server only sends a challenge for it to sign.
So WebAuthn cuts out 2 of the 4 stages!
https://demo.yubico.com/webauthn/
The fact that a browser can access a physical authenticator is amazing!
The slide shows the WebAuthn Registration flow.
It is very important that steps 2, 3 and 4 are part of the protocol already implemented by browsers and authenticators.
The application-related steps are 1, 5 and 6.
You may implement these steps and use them with any compatible browser and authenticator.
Let's elaborate on these steps.
I do not expect you to remember these steps after the presentation, but it would be great if you see the big picture.
WebAuthn is – finally - being adopted quite rapidly.
For example:
All the major browsers have adopted WebAuthn.
Google employees use WebAuthn to access Google’s services.
You can also adopt WebAuthn.
How can I adopt WebAuthn in my application?
1. Do it yourself – open the guidelines and implement it.
Remember that the application-related steps include only 1, 5 and 6.
Or
2. Wait for someone else to do it for you!
For example, Keycloak!
Tufin has already adopted Keycloak, and we are just waiting for it to implement WebAuthn. The Keycloak RFE has already been opened.
The takeaways:
First of all, it is better to use any 2FA than to be without 2FA.
Second, WebAuthn is a very secure 2FA.
And, last but not least, you should prepare for using WebAuthn.
Thank you for participating in my lecture!
Please contact me if you need any additional information, or if you want to send me your resume.