Universal Second Factor authentication
or why 2FA today is
wubalubadubdub
Yuriy Ackermann
Sr. Certification Engineer @FIDOAlliance
twitter/github: @herrjemand
Today we will learn
- Why passwords are not enough
- Why 2FA has not succeeded
- Introduction to U2F
- DEMO
- Q&A
Why not just passwords?
Weak
Phishing
Reuse
Typical password life cycle
SOLUTION!
Two Factor Authentication - aka 2FA
pwned
haveibeenpwned.com
What is 2FA?
Passwords verify
2FA authenticates
Do you use 2FA?
What does 2FA look like?
Three main types
- Apps (TOTP and HOTP)
- Tokens (PKI and OTP)
- SMS
So we solved it?
Right?
Why 2FA has not succeeded?
Apps:
- Phishing!!
- UX
- Shared key
- Synced time
Tokens:
- Cost
- DRIVERS
- Phishing
- UX
- Centralised
- Fragile
SMS:
- Still phishable
- UX
- Privacy
- Security
- SIM reissue
- SIM spoof
- Coverage
- NIST Ban
Current state of 2FA
I am in deep pain,
please help!
So how do we solve it?
We need:
- Easy to use
- Open
- Secure
- Standardized
protocol.
Introducing
Universal Second Factor
aka FIDO U2F
How does U2F work?
User layer
Browser layer
Protocol Layer
Step one: Challenge-Response
Step two: Phishing protection
Step three: Application-specific key-pair
Relying Party
To Wrap, or not to Wrap?
Step four: Replay Attack Protection
Step five: Device attestation
Metadata service
Step five and a half: Key exercise protection
The user must confirm their decision to perform 2FA by performing a user gesture,
e.g.
- Fingerprint
- Retina scan
- Pincode
- Remembering your wife's birthday
- Solving a Rubik's cube
- ...anything you want.
- Pressing a button
Multiple identifiers
The same application, GMail, has a different identifier on each platform:
- Web: mail.google.com
- Android: apk-key-hash:FD18FA
- iOS: com.google.SecurityKey.dogfood
How do we deal with it?
Application Facets
    {
      "trustedFacets": [{
        "version": { "major": 1, "minor": 0 },
        "ids": [
          "https://accounts.google.com",
          "https://myaccount.google.com",
          "https://security.google.com",
          "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
          "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
          "ios:bundle-id:com.google.SecurityKey.dogfood"
        ]
      }]
    }
The facet list MUST be served over VALID HTTPS!
...no self-signed certs.
Implementations
Current users
dongleauth.info
Browser support
Yes
Yes* (Nightly)
No* (Soon...)
Maybe?
Yes
WebAuthN
A W3C standard for PublicKey credential authentication
https://www.w3.org/Webauthn/
Today we learned
- Passwords are hard
- 2FA is wubalubadubdub, and we need to do something about it.
- FIDO U2F is sweet.
- Protocol is cute
- You can have multiple identities
- There are existing solutions...
- ...and people do use it
DEMO
Security considerations
- You must use HTTPS
- Start using TLS Channel IDs
- U2F is just 2FA. Don't use it as a primary factor.
Things to play with
Specs and data
- https://github.com/Yubico/pam-u2f
- https://github.com/Yubico/python-u2flib-server
- https://github.com/Yubico/python-u2flib-host
- https://github.com/herrjemand/flask-fido-u2f
- https://github.com/gavinwahl/django-u2f
- https://github.com/google/u2f-ref-code
- https://github.com/conorpp/u2f-zero
- https://developers.yubico.com/U2F/
- https://fidoalliance.org/specifications/download/
- https://github.com/LedgerHQ <- JavaCard
- FIDO Dev (fido-dev) mailing list
What's next?
WE NEED
Questions?
twitter/github: @herrjemand
Quick thanks to
Feitian and Yubico
for swag!
Thank you OWASP!
Universal Second Factor authentication, or why 2FA today is wubalubadubdub? - OWASP LONDON FEB 2018
By FIDO Alliance
OWASP London presentation on FIDO Universal Second Factor Authentication.