Universal Second Factor authentication, or why 2FA today is … (slides, 2018-02-22)

Post on 16-Aug-2020

Transcript

Universal Second Factor authentication

or why 2FA today is

wubalubadubdub

Yuriy Ackermann, Sr. Certification Engineer, FIDO Alliance (@FIDOAlliance)
twitter/github: @herrjemand


Today we will learn

Why passwords are not enough
Why 2FA has not succeeded
Introduction to U2F
Demo
Q&A


Why not just passwords?

Typical password life cycle: weak -> phished -> pwned -> reused (see haveibeenpwned.com)

SOLUTION! Two Factor Authentication, aka 2FA


What is 2FA?

Passwords: verify

2FA: authenticate


Do you use 2FA?


What does 2FA look like?

Three main types

Apps (TOTP and HOTP), Tokens (PKI and OTP), SMS


So we solved it?

Right?


Why 2FA has not succeeded?

Apps: Phishing!!, UX, shared key, synced time

Tokens: cost, drivers, phishing, UX, centralised, fragile

SMS: still phishable, UX, privacy, security, SIM reissue, SIM spoof, coverage, NIST ban


Current state of 2FA

I am in deep pain, please help!

So how do we solve it?

We need an easy to use, open, secure, standardized protocol.

Introducing

Universal Second Factor, aka FIDO U2F

How does U2F work?

User layer

Browser layer


Protocol Layer


Step one: Challenge-Response

Step two: Phishing protection

Step three: Application-specific key-pair (one per Relying Party)

To Wrap, or not to Wrap?


Step four: Replay attack protection

Step five: Device attestation

Metadata service
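Step five and the metadata lookup in code, as an added example that is not from the talk or from any FIDO implementation. Real tokens return an X.509 attestation certificate and the relying party chains it to vendor roots published by the FIDO Metadata Service; this example substitutes raw attestation public keys for the certificate and a map for the metadata service, so the relying party's decision logic is visible without the certificate plumbing. The appId, the client data, the batch name "ExampleCo Key v1" and the metadata entry are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Metadata is the relying party's stand-in for the FIDO Metadata Service: attestation public
// key (hex, uncompressed point) -> device description. Constructed example, not FIDO reference
// code; a real metadata entry carries the vendor's attestation root certificate instead.
type Metadata map[string]string

// Batch is one production batch of tokens sharing a vendor attestation key. Sharing the key
// across a large batch is what keeps attestation from becoming a per-device tracking id.
type Batch struct{ attest *ecdsa.PrivateKey }

// Registration is the token's enrolment response.
type Registration struct {
	UserPub   []byte           // 0x04 || X || Y of the new per-site key
	KeyHandle []byte           // opaque handle the site sends back at login
	AttestPub *ecdsa.PublicKey // stands in for the attestation certificate
	Signature []byte           // by the batch key, over registrationData
}

// registrationData is the U2F registration signature input:
// 0x00 || SHA256(appId) || SHA256(clientData) || keyHandle || userPublicKey
func registrationData(appID string, clientDataJSON, keyHandle, userPub []byte) []byte {
	a, c := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	d := append(append([]byte{0x00}, a[:]...), c[:]...)
	return append(append(d, keyHandle...), userPub...)
}

// pointBytes encodes a P-256 public key as the uncompressed point U2F uses.
func pointBytes(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 65)
	out[0] = 0x04
	pub.X.FillBytes(out[1:33])
	pub.Y.FillBytes(out[33:])
	return out
}

// Register mints the per-site key pair and attests it with the batch key.
func (b *Batch) Register(appID string, clientDataJSON []byte) *Registration {
	user, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	kh := make([]byte, 32)
	rand.Read(kh)
	userPub := pointBytes(&user.PublicKey)
	digest := sha256.Sum256(registrationData(appID, clientDataJSON, kh, userPub))
	sig, _ := ecdsa.SignASN1(rand.Reader, b.attest, digest[:])
	return &Registration{userPub, kh, &b.attest.PublicKey, sig}
}

// VerifyRegistration is the relying-party side. The signature proves the response came from
// a holder of the attestation key; the metadata lookup says whose key that is. A valid
// signature from a key nobody vouches for is an unknown device, which a site with a device
// policy refuses rather than enrols.
func VerifyRegistration(md Metadata, appID string, clientDataJSON []byte, r *Registration) (string, error) {
	digest := sha256.Sum256(registrationData(appID, clientDataJSON, r.KeyHandle, r.UserPub))
	if !ecdsa.VerifyASN1(r.AttestPub, digest[:], r.Signature) {
		return "", fmt.Errorf("attestation signature does not cover this key handle and public key")
	}
	model, ok := md[fmt.Sprintf("%x", pointBytes(r.AttestPub))]
	if !ok {
		return "", fmt.Errorf("attestation key unknown to metadata: device not vetted")
	}
	return model, nil
}

// Demo enrols a token from a vetted batch, one from an unknown batch, and a vetted response
// whose user public key was swapped in transit. appId, client data and names are made up.
func Demo() (string, map[string]error) {
	vetted, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	unknown, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	md := Metadata{fmt.Sprintf("%x", pointBytes(&vetted.PublicKey)): "ExampleCo Key v1 (constructed entry)"}
	appID := "https://example.test"
	cd := []byte(`{"typ":"navigator.id.finishEnrollment","challenge":"c0ffee","origin":"https://example.test"}`)
	errs := map[string]error{}
	good := (&Batch{vetted}).Register(appID, cd)
	model, err := VerifyRegistration(md, appID, cd, good)
	errs["vetted"] = err
	_, errs["unknown"] = VerifyRegistration(md, appID, cd, (&Batch{unknown}).Register(appID, cd))
	good.UserPub[1] ^= 0x01 // an attacker in the path substitutes a key they control
	_, errs["tampered"] = VerifyRegistration(md, appID, cd, good)
	return model, errs
}

func main() {
	fmt.Println(Demo())
}
```

The order of the two checks matters: the signature is verified before the metadata lookup, so a response that merely names a vetted key without holding it fails first. Whether an unknown device is an error or just "unattested" is a relying-party policy decision; the protocol only makes the distinction visible.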


Step five and a half: Key exercise protection

The user must confirm their decision to perform 2FA by performing a user gesture, e.g.:

Pressing a button
Fingerprint
Retina scan
Pincode
Remembering your wife's birthday
Solving a Rubik's cube

...anything you want.
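Steps one to four and five and a half together, as an added Go example that is not the talk's demo and not code from any FIDO library. Both sides are in one file: the token signs SHA256(appId) || userPresence || counter || SHA256(clientData) and refuses without a button press; the relying party then checks, one step at a time, that the response answers its own challenge, that the origin the browser recorded is a trusted facet of the appId, that the counter moved forward, and that the signature verifies under the key registered for this appId. Key handles and key wrapping are left out, and the appId https://example.test, the facet https://login.example.test, the look-alike https://examp1e.test and the clientData layout are constructed for the example. The browser's own facet check, which would stop the look-alike page before it ever reached the token, is a separate layer not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Token models an authenticator with one registered P-256 key and a signature counter.
// Constructed example, not FIDO reference code: key handles and key wrapping are left out.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedData is what both sides hash: SHA256(appId) || presence || counter || SHA256(clientData).
func signedData(appID string, presence byte, counter, clientDataJSON []byte) []byte {
	a, c := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	return append(append(append(append([]byte{}, a[:]...), presence), counter...), c[:]...)
}

// Sign returns presence(1) || counter(4, big-endian) || DER signature; no button press, no signature.
func (t *Token) Sign(appID string, clientDataJSON []byte, touched bool) ([]byte, error) {
	if !touched {
		return nil, fmt.Errorf("user did not press the button")
	}
	t.counter++
	resp := []byte{0x01, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(resp[1:5], t.counter)
	digest := sha256.Sum256(signedData(appID, resp[0], resp[1:5], clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	return append(resp, sig...), err
}

// RelyingParty holds one registration: the token's public key and the last counter seen.
type RelyingParty struct {
	AppID   string
	Facets  map[string]bool // origins allowed to use AppID
	pub     *ecdsa.PublicKey
	counter uint32
}

func NewChallenge() string { // step one: fresh randomness the response has to echo back
	b := make([]byte, 32)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Verify runs the server-side checks, one per protocol step, for the challenge it issued.
func (rp *RelyingParty) Verify(challenge string, clientDataJSON, resp []byte) error {
	cd := map[string]string{} // {"challenge": ..., "origin": ...}; the browser, not the page, sets origin
	if json.Unmarshal(clientDataJSON, &cd) != nil || len(resp) < 5 || resp[0]&1 == 0 {
		return fmt.Errorf("malformed response or user presence not asserted") // step five and a half
	}
	counter := binary.BigEndian.Uint32(resp[1:5])
	digest := sha256.Sum256(signedData(rp.AppID, resp[0], resp[1:5], clientDataJSON))
	switch {
	case cd["challenge"] != challenge: // step one: must answer this request, not an old one
		return fmt.Errorf("response does not answer the outstanding challenge")
	case !rp.Facets[cd["origin"]]: // step two: a look-alike origin never matches
		return fmt.Errorf("origin %s is not a facet of %s", cd["origin"], rp.AppID)
	case counter <= rp.counter: // step four: replayed response or cloned token
		return fmt.Errorf("counter %d not above last seen %d", counter, rp.counter)
	case !ecdsa.VerifyASN1(rp.pub, digest[:], resp[5:]): // step three: key bound to this appId
		return fmt.Errorf("signature does not verify under the registered key")
	}
	rp.counter = counter
	return nil
}

// RunScenario plays a genuine login, a phishing relay and a cloned token against one RP.
func RunScenario() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration for the appId below
	rp := &RelyingParty{AppID: "https://example.test", Facets: map[string]bool{"https://login.example.test": true}, pub: &priv.PublicKey}
	tok, out := &Token{priv: priv}, map[string]error{}
	c := NewChallenge()
	cd, _ := json.Marshal(map[string]string{"challenge": c, "origin": "https://login.example.test"})
	resp, _ := tok.Sign(rp.AppID, cd, true)
	out["genuine"] = rp.Verify(c, cd, resp)
	// a look-alike page relays the real challenge, but the browser records its own origin
	c = NewChallenge()
	cd, _ = json.Marshal(map[string]string{"challenge": c, "origin": "https://examp1e.test"})
	resp, _ = tok.Sign(rp.AppID, cd, true)
	out["phished"] = rp.Verify(c, cd, resp)
	// a clone of the token's secret starts its own counter from zero
	c = NewChallenge()
	cd, _ = json.Marshal(map[string]string{"challenge": c, "origin": "https://login.example.test"})
	resp, _ = (&Token{priv: priv}).Sign(rp.AppID, cd, true)
	out["cloned"] = rp.Verify(c, cd, resp)
	return out
}

func main() {
	fmt.Println(RunScenario())
}
```

The appId is hashed into the signed data, which is why a key registered at one site is useless at another (step three) even before the origin check fires. The counter check is what makes the signature counter worth storing: a replayed response fails on the challenge, but a cloned token, which holds the same key and signs a fresh challenge correctly, is caught only because its counter has fallen behind the one the real token advanced. Needs Go 1.15 or later for ecdsa.SignASN1 and ecdsa.VerifyASN1.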


Multiple identifiers

How do we deal with it?

Web: mail.google.com
Android: apk-key-hash:FD18FA
iOS: com.google.SecurityKey.dogfood

All of them are GMail.

Application Facets

{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}

MUST be served over VALID HTTPS! ...no self-signed certs.
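The facet check as an added Go example, using the slide's own trustedFacets document as sample input (the truncated hashes are kept exactly as shown). This is not the FIDO client code: the real client also requires that the document was fetched over valid TLS, as the slide says, and applies same-site rules between the appId URL and each web facet, both of which are skipped here. The http and wrong-version documents in the usage are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// trustedFacets mirrors the document's layout. Constructed example, not FIDO client code:
// the TLS requirement on the fetch and the same-site rules of the spec are not modelled.
type trustedFacets struct {
	TrustedFacets []struct {
		Version struct {
			Major int `json:"major"`
			Minor int `json:"minor"`
		} `json:"version"`
		IDs []string `json:"ids"`
	} `json:"trustedFacets"`
}

// ParseFacets returns the ids of the version 1.0 entry. Web facets must be bare https origins:
// an http facet would let a plaintext page assert the appId, and a path would let one page on
// an origin claim something its neighbours on the same origin cannot be kept from claiming.
func ParseFacets(doc []byte) ([]string, error) {
	var tf trustedFacets
	if err := json.Unmarshal(doc, &tf); err != nil {
		return nil, err
	}
	for _, entry := range tf.TrustedFacets {
		if entry.Version.Major != 1 || entry.Version.Minor != 0 {
			continue
		}
		for _, id := range entry.IDs {
			if err := checkFacet(id); err != nil {
				return nil, err
			}
		}
		return entry.IDs, nil
	}
	return nil, fmt.Errorf("no trustedFacets entry with version 1.0")
}

func checkFacet(id string) error {
	if strings.HasPrefix(id, "android:apk-key-hash:") || strings.HasPrefix(id, "ios:bundle-id:") {
		return nil
	}
	u, err := url.Parse(id)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("facet %q is not an https origin or an app identifier", id)
	}
	return nil
}

// Allowed is the client-side decision: the caller's facet (browser origin, APK signing key
// hash or bundle id) must appear in the list fetched from the appId, byte for byte.
func Allowed(facets []string, facet string) bool {
	for _, f := range facets {
		if f == facet {
			return true
		}
	}
	return false
}

// sampleDoc is the document from the slide, with the truncated hashes kept as shown there.
const sampleDoc = `{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}`

func main() {
	facets, err := ParseFacets([]byte(sampleDoc))
	fmt.Println(len(facets), err, Allowed(facets, "https://accounts.google.com"), Allowed(facets, "https://accounts.google.com.evil.test"))
}
```

Exact string comparison is deliberate: "https://accounts.google.com.evil.test" shares a prefix with a listed facet and must not match, and neither must the same host over http or with a trailing path.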


Implementations


Current users

dongleauth.info

Browser support

Yes / Yes* (Nightly) / No* (Soon...) / Maybe? / Yes

WebAuthn

A W3C standard for public key credential authentication

https://www.w3.org/Webauthn/

Today we learned

Passwords are hard.
2FA is wubalubadubdub, and we need to do something about it.
FIDO U2F is sweet.
The protocol is cute.
You can have multiple identities.
There are existing solutions...
...and people do use them.

DEMO


Security considerations

You must use HTTPS.
Start using TLS Channel IDs.
U2F is just 2FA. Don't use it as the primary factor.

Things to play with

https://github.com/Yubico/pam-u2f
https://github.com/Yubico/python-u2flib-server
https://github.com/Yubico/python-u2flib-host
https://github.com/herrjemand/flask-fido-u2f
https://github.com/gavinwahl/django-u2f
https://github.com/google/u2f-ref-code
https://github.com/conorpp/u2f-zero

Specs and data

https://developers.yubico.com/U2F/
https://fidoalliance.org/specifications/download/
https://github.com/LedgerHQ <- JavaCard
FIDO Dev (fido-dev) mailing list

What's next?

WE NEED


Questions?

twitter/github: @herrjemand

Quick thanks to Feitian and Yubico for swag!

Thank you OWASP!