Universal Second Factorauthentication

or why 2FA today is

wubalubadubdub1

Yuriy AckermannYuriy AckermannSr. Certification EngineerSr. Certification Engineer

@FIDOAlliance@FIDOAlliancetwitter/github: @herrjemandtwitter/github: @herrjemand

2

3

Today we will learnToday we will learn

Why passwords not enoughWhy 2FA has not succeededIntroduction to U2FDEMOQ&A

4

Why not just passwords?

Weak Phishing pwnedReuse

Typical passwords life cycle

SOLUTION!SOLUTION!Two Factor Authentication - aka 2FATwo Factor Authentication - aka 2FA

haveibeenpwned.com

5

What is 2FA?

Passwords verifyverify

2FA authenticateauthenticate

6

Do you use 2FA?

7

What does 2FA looks like?

Three main types

Apps Tokens SMS(TOTP and HOTP) (PKI and OTP)

8

So we solved it?

Right?

9

Why 2FA has not succeeded?

Apps Tokens SMSPhishing!!UXShared keySynced time

CostDRIVERSPhishingUXCentralisedFragile

Still phishableUXPrivacySecurity

SIM reissueSIM spoof

CoverageNIST Ban

10

11

12

Current state of 2FACurrent state of 2FA

I am in the deep pain,I am in the deep pain,please help!please help! 13

So how do we solve it?

We need:Easy to useOpenSecureStandardized

protocol.14

Introducing

Universal Second Factoraka FIDO U2F

15

How does U2F works?

16

User layerUser layer

17

Browser layer

18

Protocol Layer

19

Step one: Challenge-ResponseChallenge-Response

20

Step two: Phishing protectionPhishing protection

21

Step three: Application-specific key-pairApplication-specific key-pairRelying

Party

22

To Wrap, or not to Wrap?

23

Step four: Replay Attack ProtectionReplay Attack Protection

24

Step five: Device attestationDevice attestation

25

Metadata serviceMetadata service

26

Step five and a half: Key exercise protectionKey exercise protection

User must confirm theirdecision to perform 2FA, by

performing user gesture

e.g.e.g.

Fingerprint Retina scan PincodeRemembering your wife's birthday.Solving Rubikscube

...anything you want.

Pressing button

27

Multiple identifiers

Web Android iOS

How do we deal with it?How do we deal with it?

mail.google.com apk-key-hash:FD18FA

com.google.SecurityKey.dogfood

GMailGMail

28

Application Facets{ "trustedFacets": [{ "version": { "major": 1, "minor" : 0 }, "ids": [ "https://accounts.google.com", "https://myaccount.google.com", "https://security.google.com",

"android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...", "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",

"ios:bundle-id:com.google.SecurityKey.dogfood" ] }]}

MUSTMUST be served over VALIDVALID HTTPS!...no self signed certs....no self signed certs.

29

Implementations

30

31

Current users

dongleauth.infodongleauth.info32

Browser support

Yes Yes*(NightlyNightly)

No*(Soon...Soon...)

Maybe?Yes

33

WebAuthN

A W3C standard for PublicKey credentialauthentication

https://www.w3.org/Webauthn/

34

Today we learnedToday we learnedPasswords are hard2FA is wubalubadubdub, and we need to dosomething about it.FIDO U2F is sweet.Protocol is cuteYou can have multiple identitiesThere are existing solutions......and people do use it

35

DEMO

36

You must use HTTPSYou must use HTTPSStart using TLS Channel ID'sU2F is just 2FA. Don't use as primary factor.

Security Security considerationsconsiderations

37

https://github.com/Yubico/pam-u2fhttps://github.com/Yubico/python-u2flib-serverhttps://github.com/Yubico/python-u2flib-hosthttps://github.com/herrjemand/flask-fido-u2fhttps://github.com/gavinwahl/django-u2fhttps://github.com/google/u2f-ref-codehttps://github.com/conorpp/u2f-zero

https://developers.yubico.com/U2F/https://fidoalliance.org/specifications/download/https://github.com/LedgerHQ <- JavaCardFIDO Dev (fido-dev) mailing list

Specs and dataSpecs and data

Things to play withThings to play with

38

What's next?

WE NEED

39

Questions?Questions?twitter/github: @herrjemandtwitter/github: @herrjemand

40

Quick thanks toQuick thanks toFeitian and YubicoFeitian and Yubico

for swag!for swag!

41

Thank you Thank you OWASP!OWASP!

42