Passwordless authentication: Balancing Security and Usability. John Gilbert, GM & Regional VP, Yubico

Posted on 26-May-2020

Page 1: Passwordless authentication: Balancing Security and Usability. Find a method that provides the highest levels of security required by PCI compliance, while ensuring that the use of strong

Passwordless authentication: Balancing Security and Usability

John Gilbert, GM & Regional VP, Yubico

Page 2

© 2019 Yubico

Who is Yubico? Making secure access ubiquitous

• Founded in 2007

• 280 people in 8 countries

• 6 years of profitability

• Backed by top investors

• Principal Author of U2F

• Principal Author of FIDO 2.0 / WebAuthn authentication

• Board Member of FIDO Alliance

Page 3

The Need for Security

Diagram labels: Trust New Device; Log Into End Point; Log Into Service (Multi Factor Auth); (Passwordless); High Value/High Risk Approvals (Multi Factor Auth)

Page 4

Passwords are broken ... A shift is underway ...

Page 5

The Cost of Easy

Page 6

Phishing, Credential Theft and Online Fraud

• High costs for victim remediation

• Lost employee or consumer productivity

• Non-compliance legal complications

Page 7

The Secure vs Easy Dilemma

Chart: horizontal axis "Easy to Use & Deploy"; vertical axis from "Weak Security" through "Moderate Security" to "Strong Unphishable Security".

Page 8

Authentication via Mobile SMS is Vulnerable

1. Attacker to cell phone provider: "Hello, I had an issue with my phone. Can you port my phone # to a new phone?" Cell phone provider: "Confirming your phone # is now ported to a new device." The victim's number (123-456-7890) now rings on the attacker's phone.

2. Attacker requests a password reset at the online service using the victim's email ([email protected]). The service sends the security passcode by SMS text message: "Your Online Service security passcode is 978322." The text arrives on the attacker's phone. Attacker has the reset code, uses it with the victim's email and resets the account.

The weakness is structural: the passcode is a bearer secret delivered over a channel the service does not control, so a number port-out, a SIM swap or a real-time phishing relay each hands the attacker a valid code, and the service cannot tell the attacker's phone from the victim's.

Page 9

What is a YubiKey?

● Small Multi-Factor Authentication (MFA) security devices

● Provide secure login for computers, phones, online services, and servers

● Protect individuals and companies against phishing, MITM attacks and credential theft

● Easy to use with minimal training required

● Quick and easy to deploy and roll out

● Do not require specialist software to support them

● Reduce risk

● Deliver significant cost savings in reduced support costs

Page 10

Stronger Security: Stops Phishing. Modern authentication based on open standards

1. Hardware with strong crypto

2. Origin-bound keys

3. User presence

4. Native browser/OS support

5. Secure backup

6. Many apps, no shared secrets

Items 2 and 6 are what stop phishing: a credential is scoped to the origin it was registered at, so a look-alike site cannot obtain a valid assertion for the real one, and the relying party stores only a public key, so a breach of its database yields nothing an attacker can log in with.

Page 11

The Secure vs Easy Dilemma

Chart: same axes as Page 7 ("Easy to Use & Deploy" against "Weak Security", "Moderate Security" and "Strong Unphishable Security"), with "Root of Trust" added.

Page 12

Easier to Use: Touch to Authenticate

1. Enter username/pwd

2. Insert key

3. Touch/tap device

Page 13

A Simplified Account Lifecycle Experience

1. Registration & Provisioning: users register for a web service before they are provisioned an account of their own.

2. Credential Issuance: when the user registers, a unique credential is created and stored on the authenticator.

3. Authentication: the user is verified before being given access to the web service account.

4. Authorization: the user is granted access to authorized resources or functionality within the web service.

Also shown: user requests access for a new device.
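The SMS port-out of Page 8, the origin-bound keys of Page 10 and the registration, credential issuance and authentication steps of this lifecycle, modelled together in one added example. This is illustrative Python written for this page, not code from the deck, from Yubico or from any browser or FIDO implementation: HMAC over a per-credential random key stands in for the authenticator's ECDSA key pair, and the origins bank.example and bank-example.evil, the user alice and every class and function name are constructed. The same relay that hands the attacker a usable SMS code yields nothing against a security key, because the browser writes its own origin into clientDataJSON and only permits an rpId that fits that origin, and the credential refuses to sign for any other rpId.

```python
"""Why a relayed SMS code lets an attacker in while a relayed WebAuthn assertion does
not. Constructed example, not Yubico, browser or FIDO reference code. HMAC over a
per-credential random key stands in for the ECDSA key pair (assumption, stdlib only)."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

REAL_ORIGIN = "https://bank.example"        # constructed relying party
PHISH_ORIGIN = "https://bank-example.evil"  # constructed look-alike site

class SmsOtp:  # SMS one-time code: a bearer secret bound to neither site nor session
    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        self.pending[user] = "%06d" % secrets.randbelow(10 ** 6)
        return self.pending[user]  # "texted" to whoever currently holds the number

    def verify(self, user, code):
        return self.pending.pop(user, None) == code

class Authenticator:  # one fresh key per registration, scoped to one rpId; no shared secret
    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, key)
        return cred_id, key  # key doubles as the RP's verification key in this model

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        scoped_rp, key = self.creds[cred_id]
        if scoped_rp != rp_id:  # a credential never signs for another rpId
            raise PermissionError("credential scoped to %s, not %s" % (scoped_rp, rp_id))
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || UP flag
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, origin):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self.users, self.pending = {}, {}

    def register(self, user, authenticator):  # lifecycle steps 1-2
        self.users[user] = authenticator.make_credential(self.rp_id)

    def begin_login(self, user):  # lifecycle step 3, server side: issue a challenge
        self.pending[user] = secrets.token_hex(32)
        return {"challenge": self.pending[user], "rpId": self.rp_id,
                "allowCredentials": [self.users[user][0].hex()]}

    def finish_login(self, user, client_data, auth_data, sig):
        cred_id, key = self.users[user]
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.pending.pop(user, None):
            return False  # replayed or unsolicited assertion
        if cd.get("origin") != self.origin:
            return False  # signed for a different site
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # wrong rpIdHash
        cd_hash = hashlib.sha256(client_data.encode()).digest()
        return hmac.compare_digest(sig, hmac.new(key, auth_data + cd_hash, hashlib.sha256).digest())

def browser_get(origin, options, authenticator):
    """navigator.credentials.get() as the browser enforces it: the page cannot choose the
    origin written into clientDataJSON, and rpId must fit the origin (host match here)."""
    if options["rpId"] != urlparse(origin).hostname:
        raise PermissionError("rpId %s not allowed for %s" % (options["rpId"], origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": options["challenge"],
                              "origin": origin}, separators=(",", ":"))
    auth_data, sig = authenticator.get_assertion(
        options["rpId"], bytes.fromhex(options["allowCredentials"][0]),
        hashlib.sha256(client_data.encode()).digest())
    return client_data, auth_data, sig

def relay_sms_otp():
    """Phishing page relays the victim's code; a ported number (slide) delivers it directly."""
    svc = SmsOtp()
    code_on_victim_phone = svc.send_code("alice")
    return svc.verify("alice", code_on_victim_phone)  # victim typed it into the phishing page

def relay_webauthn(attacker_rewrites_rp_id):
    rp, key = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.register("alice", key)
    options = rp.begin_login("alice")  # attacker forwards these to the phishing page
    if attacker_rewrites_rp_id:  # try an rpId the phishing origin is allowed to use
        options["rpId"] = urlparse(PHISH_ORIGIN).hostname
    try:
        client_data, auth_data, sig = browser_get(PHISH_ORIGIN, options, key)
    except PermissionError:
        return False  # browser (rpId check) or authenticator (credential scope) refused
    return rp.finish_login("alice", client_data, auth_data, sig)

def legitimate_webauthn():
    rp, key = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.register("alice", key)
    return rp.finish_login("alice", *browser_get(REAL_ORIGIN, rp.begin_login("alice"), key))
```

relay_sms_otp() returns True (the attacker is in), both relay_webauthn variants return False, and legitimate_webauthn() returns True. In the security-key case the phishing relay never produces an assertion at all, so the relying party's checks on challenge freshness, origin, rpIdHash and signature in finish_login are defense in depth; in a real deployment those four checks are what a server-side WebAuthn library performs on every login.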

Page 14

A Simplified Account Lifecycle Experience

Diagram: the same four steps as Page 13 (1. Registration & Provisioning, 2. Credential Issuance, 3. Authentication, 4. Authorization) with "Root of Trust" added.

Page 15

Portable Root of Trust strengthens the account lifecycle experience

• Faster and more secure registration

• Easy and fast account recovery

• Escalation of privileges

(Root of Trust)

Page 16

YubiKeys are Proven Unphishable. YubiKeys at Google have eliminated account takeovers

• OTP through mobile apps and SMS didn't stop account takeovers

• Security keys made mandatory for Google employees and contractors

• Stopped account takeovers

85,000+ employees in over 70 countries

Page 17

Goodbye to Passwords. FIDO2 makes MS passwords a thing of the past!

Page 18

Case Study: multinational engineering group

The challenge

● Become passwordless to improve security and user experience

● Finding a solution for physical access, application security attestation, and strong administration capacity across its IT map was mandatory

The solution

● The YubiKey was chosen for its capacity to address a large variety of use cases: Windows login via the smartcard functionalities, Office 365 using native FIDO2, and other web applications, as well as physical access to buildings and lockers.

Key benefits

● Supports open industry security standards

● More cost-effective than other solutions to deploy and maintain

● Multi-purpose solution compatible with existing infrastructure

● 25% reduction in support tickets for password management

Page 19

Case Study: retail point of sale provider

The challenge

● Find a method that provides the highest levels of security required by PCI compliance, while ensuring that the use of strong authentication does not become a bottleneck for the desired customer experience

The solution

● YubiKeys to streamline authentication to their Duo implementation

● Convenient and secure MFA managed across 2500+ identities, powering over 11,000 authentications every day

Key benefits

● Enables PCI compliance

● Easy and convenient user experience

● More cost-effective than other solutions to deploy and maintain

● Highly secure pass-through solution for clients

● Easy to manage and administer

Page 20

Thank you!