Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication (FIDO Alliance Tokyo Seminar, Brand)
TRANSCRIPT
Proprietary + Confidential
Becoming Unphishable: Towards Simpler, Stronger Authentication
Christiaan Brand, Google
Largest and most secure infrastructure
Google Security Stack
(Diagram: layers from top to bottom)
● Mobile UI
● Application
● Network
● Software
● Hardware
● Tomorrow: we work on quantum resistant encryption
● Abuse & Spam: used machine learning to solve; today less than 0.001% spam in your Gmail inbox
● Security Supply Chain: built from the ground up; manufactured our own components
Today we tackle authentication
Protect Yourself And Your Users
It's easier than you think for someone to steal a password:
● Password Reuse
● Phishing
● Interception
(Diagram labels: Social Media, BANK)
123456: most popular password in 2015
password: 2nd most popular password in 2015
Source: SplashData, https://www.teamsid.com/worst-passwords-2015/
76% of account vulnerabilities were due to weak or stolen passwords
43% success rate for a well designed phishing page
goo.gl/YYDM79
Today: The reality of One Time Passwords
● SMS Usability: coverage issues, delay, user cost
● Device Usability: one per site, expensive, fragile
● User Experience: users find it hard
● Phishable: OTPs are increasingly phished
Introducing FIDO U2F
Based on the FIDO U2F standard
● Safe: protects against phishing
● Easy: insert and press button
● Compact: one device, many services
(Diagram: Your Password + Security Key → Account Data)
Core idea: standard public key cryptography
● User's device mints a new key pair and gives the public key to the server
● Server asks the user's device to sign data to verify the user
● One device, many services; "bring your own device" enabled
Based on Asymmetric Cryptography
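The three bullets above, worked through as an added example (this is not code from the deck, from Google or from the FIDO reference implementation): a toy security key and a toy relying party in Go, using the standard library's P-256 ECDSA. The key mints one key pair per service and signs a message modelled on the U2F authentication format (application parameter, user-presence byte, challenge), with the signature counter, key-handle wrapping and attestation left out. The origins, the user name and the "kh-N" key-handle format are constructed for illustration. The point it makes beyond the slides is why this is phishing resistant where an OTP is not: the application parameter is the hash of the origin the browser is really connected to, so a look-alike site relaying a genuine challenge gets no usable signature, while the same key still serves several services with independent keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AppParam is the U2F application parameter: SHA-256 of the origin the browser is really on.
func AppParam(origin string) [32]byte { return sha256.Sum256([]byte(origin)) }

// signedMessage is what the key signs: appParam || user-presence byte || challenge (counter omitted).
func signedMessage(appParam, challenge [32]byte) [32]byte {
	return sha256.Sum256(append(append(appParam[:], 0x01), challenge[:]...))
}

// Authenticator is a toy security key: private keys never leave it, each bound to one application.
type Authenticator struct {
	keys  map[string]*ecdsa.PrivateKey // key handle -> private key
	appOf map[string][32]byte          // key handle -> application parameter it was minted for
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, appOf: map[string][32]byte{}}
}

// Register mints a fresh P-256 key pair for appParam; the handle is a toy index, attestation is omitted.
func (a *Authenticator) Register(appParam [32]byte) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("kh-%d", len(a.keys))
	a.keys[handle], a.appOf[handle] = priv, appParam
	return handle, &priv.PublicKey, nil
}

// Sign refuses when the handle was not minted for appParam: a look-alike origin gets no signature.
func (a *Authenticator) Sign(appParam, challenge [32]byte, handle string) ([]byte, error) {
	priv, ok := a.keys[handle]
	if !ok || a.appOf[handle] != appParam {
		return nil, errors.New("unknown key handle or wrong application")
	}
	msg := signedMessage(appParam, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, msg[:])
}

// RelyingParty is one service; it stores only key handles and public keys, never a secret.
type RelyingParty struct {
	origin  string
	handles map[string]string           // user -> key handle
	pubs    map[string]*ecdsa.PublicKey // user -> public key
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, handles: map[string]string{}, pubs: map[string]*ecdsa.PublicKey{}}
}

// Enroll registers the key for user under this RP's own origin.
func (rp *RelyingParty) Enroll(user string, key *Authenticator) error {
	handle, pub, err := key.Register(AppParam(rp.origin))
	if err == nil {
		rp.handles[user], rp.pubs[user] = handle, pub
	}
	return err
}

// Verify checks the signature against the RP's OWN origin, not whatever page the user saw.
func (rp *RelyingParty) Verify(user string, challenge [32]byte, sig []byte) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return errors.New("unknown user")
	}
	msg := signedMessage(AppParam(rp.origin), challenge)
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Login plays the browser: it relays a fresh challenge from rp to the key, but the
// application parameter comes from browserOrigin, the site the user is actually on.
func Login(rp *RelyingParty, user, browserOrigin string, key *Authenticator) error {
	var challenge [32]byte
	if _, err := rand.Read(challenge[:]); err != nil {
		return err
	}
	// An unenrolled user has no handle, which the key rejects.
	sig, err := key.Sign(AppParam(browserOrigin), challenge, rp.handles[user])
	if err != nil {
		return err
	}
	return rp.Verify(user, challenge, sig)
}

func main() {
	key, bank := NewAuthenticator(), NewRelyingParty("https://bank.example") // constructed origin
	_ = bank.Enroll("alice", key)
	fmt.Println("real origin:      ", Login(bank, "alice", "https://bank.example", key))
	fmt.Println("look-alike origin:", Login(bank, "alice", "https://bank-login.example", key))
}
```

Two design points carry over to a real deployment: the relying party never holds a secret, only public keys, so a server breach yields nothing to replay elsewhere; and the origin check happens on the key itself from a value the browser computes, which is why no amount of convincing a user to "enter their code" on the wrong site helps an attacker.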
Google’s Experience
Deployment at Google
● Enterprise use case
  ○ Mandated for Google employees
  ○ Corporate SSO (Web)
  ○ SSH
  ○ Forms the basis of all authentication
● Consumer use case
  ○ Available as opt-in for Google consumers
  ○ Adopted by other relying parties too: Dropbox, GitHub
Time to authenticate (chart)
Second factor support incidents (chart)
We’re not quite done
We are not there yet for the Enterprise
● Does this work with a mobile?
● How do we deploy this at scale?
● What if they lose their key?
Making progress towards stronger authentication: productizing FIDO U2F
Demo: Bootstrapping account
How can you get started?
FIDO U2F use cases
● Internal enterprise authentication (B2B): authenticate to your own web applications, mobile applications, etc.
● Authenticate to your service providers ("token necklace"): U2F works well in a non-federated environment, with complete isolation between the various RPs
● External customer authentication: authenticate your high-value customers using U2F
Resources
● To use with Google, enable 2-Step Verification on your account: go to https://security.google.com, click 2-Step Verification, then click the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code: https://github.com/google/u2f-ref-code and https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
Questions?