Transcript of the presentation:
Passwordless authentication: Balancing Security and Usability
John Gilbert
GM & Regional VP
Yubico
© 2019 Yubico
Who is Yubico? Making secure access ubiquitous
• Founded in 2007
• 280 people in 8 countries
• 6 years of profitability
• Backed by top investors
• Principal Author of U2F
• Principal Author of FIDO 2.0 / WebAuthn authentication
• Board Member of FIDO Alliance
The Need for Security
• Trust new device
• Log into endpoint
• Log into service (multi-factor auth, passwordless)
• High value/high risk approvals (multi-factor auth)
Passwords are broken … A shift is underway...
The Cost of Easy
Phishing, Credential Theft and Online Fraud
• High costs for victim remediation
• Lost employee or consumer productivity
• Non-compliance legal complications
The Secure vs Easy Dilemma
(Chart: "Easy to Use & Deploy" plotted against three security levels: Weak Security, Moderate Security, and Strong Unphishable Security)
Authentication via Mobile SMS is Vulnerable
(Diagram: a number-porting attack against SMS passcodes. The victim's phone number 123-456-7890 becomes the attacker's phone number 123-456-7890.)
1. Attacker to the cell phone provider: "Hello, I had an issue with my phone. Can you port my phone # to a new phone?" Cell phone provider: "Confirming your phone # is now ported to a new device."
2. Attacker to the online service: reset password, using the victim's email. The online service sends the text message "Your Online Service security passcode is 978322." via SMS to 123-456-7890, which now arrives on the attacker's phone.
3. Attacker has the reset code to use the victim's email and reset the account.
What is a YubiKey?
● Small Multi-Factor Authentication (MFA) security devices
● Provide secure login for computers, phones, online services, and servers
● Protect individuals and companies against phishing, MITM attacks and credential theft
● Easy to use, with minimal training required
● Quick and easy to deploy and roll out
● Do not require specialist software to support them
● Reduce risk
● Deliver significant cost savings through reduced support costs
Stronger Security: Stops Phishing. Modern authentication based on open standards
1. Hardware with strong crypto
2. Origin-bound keys
3. User presence
4. Native browser/OS support
5. Secure backup
6. Many apps, no shared secrets
The Secure vs Easy Dilemma
(Chart repeated: "Easy to Use & Deploy" against Weak, Moderate, and Strong Unphishable Security, now with "Root of Trust" added)
Easier to Use: Touch to Authenticate
1. Enter username/password
2. Insert key
3. Touch/tap device
A Simplified Account Lifecycle Experience
1. Registration & Provisioning: users register for a web service before they are provisioned an account of their own
2. Credential Issuance: when the user registers, a unique credential is created and stored on the authenticator
3. Authentication: the user is verified before being given access to the web service account
4. Authorization: the user is granted access to authorized resources or functionality within the web service
(The cycle restarts when the user requests access for a new device.)
A Simplified Account Lifecycle Experience
(Diagram repeated: the same four stages, Registration & Provisioning, Credential Issuance, Authentication, Authorization, now with "Root of Trust" added)
Portable Root of Trust Strengthens the account lifecycle experience
• Faster and more secure registration
• Easy and fast account recovery
• Escalation of privileges
YubiKeys are Proven Unphishable: YubiKeys at Google have eliminated account takeovers
• OTP through mobile apps and SMS didn't stop account takeovers
• Security keys made mandatory for Google employees and contractors
• Stopped account takeovers
• 85,000+ employees in over 70 countries
Goodbye to Passwords: FIDO2 makes MS passwords a thing of the past!
Case Study: multinational engineering group
The challenge
● Become passwordless to improve security and user experience
● Finding a solution for physical access, application security attestation, and strong administration capacity across its IT map was mandatory
The Solution
● The YubiKey was chosen for its capacity to address a large variety of use cases: Windows login via the smartcard functionalities, Office 365 using native FIDO2, and other web applications, as well as physical access to buildings and lockers
Key Benefits
● Supports open industry security standards
● More cost-effective than other solutions to deploy and maintain
● Multi-purpose solution compatible with existing infrastructure
● 25% reduction in support tickets for password management
Case Study: retail point of sale provider
The challenge
● Find a method that provides the highest levels of security required by PCI compliance, while ensuring that the use of strong authentication does not become a bottleneck for the desired customer experience
The Solution
● YubiKeys to streamline authentication to their Duo implementation
● Convenient and secure MFA managed across 2500+ identities, powering over 11,000 authentications every day
Key Benefits
● Enables PCI compliance
● Easy and convenient user experience
● More cost-effective than other solutions to deploy and maintain
● Highly secure pass-through solution for clients
● Easy to manage and administer
Thank you!