Universal Second Factor authentication
or why 2FA today is wubalubadubdub
Yuriy Ackermann
Sr. Certification Engineer @FIDOAlliance
twitter/github: @herrjemand
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4518978/FIDO_Alliance_tagline_Black.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2956744/CC-BY_icon.svg.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477598/300px-American_Express_logo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477599/aetna-300x127.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477600/Amazon-logo-RGB.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477601/arm-logo-limited-use.gif)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477602/bac_lo1_293_186_h_300_37.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477603/bc-card.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477604/daon-logo_300x100-300x100.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477605/Feitian_Sponsor.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477606/fingerprint.jpeg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477607/Gemalto_Sponsor.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477608/googlelogo_color_272x92dp.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477609/infineon-logo-300.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477610/intel-logo-300x198.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477611/LenovoLockup-POS-Color_300_126-300x126.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477612/LINE_Logo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477613/library_logos_alibabaev_large_300_127.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477614/logo.gif)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477615/mcsig_pos_ppt_png_300_215.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477616/microsoft-logo_300_110.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477617/Nok-Nok-Labs-2018-Board.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477618/ntt-docomo.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477625/NXP_logo_RGB_web_00_300_160.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477626/paypal-fido.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477627/Qualcomm_Logo-fido.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477628/Raonsecure-CI.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477629/RSA-logo.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477630/Samsung_Logo_for_TV__Internet_300_100.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477631/synaptics-logo_300_65.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477632/usaalogo2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477633/vasco-logo-300.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477634/vbm_blugrad01_300_97.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4477635/yubico-logo2.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633035/FIDO_Alliance_logo_black_RGB.png)
Today we will learn
- Why passwords are not enough
- Why 2FA has not succeeded
- Introduction to U2F
- DEMO
- Q&A
Why not just passwords?
Weak
Phishing
Reuse
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2952801/10561-200.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2952805/font-awesome_4-6-3_recycle_256_0_000000_none.png)
Typical password life cycle
SOLUTION!
Two Factor Authentication - aka 2FA
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4635044/eulz0TdB_400x400.png)
pwned
haveibeenpwned.com
What is 2FA?
Passwords verify
2FA authenticates
Do you use 2FA?
What does 2FA look like?
Three main types
- Apps (TOTP and HOTP)
- Tokens (PKI and OTP)
- SMS
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2952908/screen568x568.jpeg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2952947/SID800.gif)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2559299/2fa_0.png)
So we solved it?
Right?
Why has 2FA not succeeded?
Apps
- Phishing!!
- UX
- Shared key
- Synced time
Tokens
- Cost
- DRIVERS
- Phishing
- UX
- Centralised
- Fragile
SMS
- Still phishable
- UX
- Privacy
- Security
- SIM reissue
- SIM spoof
- Coverage
- NIST Ban
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2953008/bank-token-automation1.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2953007/camera.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2953006/bank-token-automation.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2953024/otp_viewer.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2955750/Photo-juin-09-7-30-15-300x225.jpg)
Current state of 2FA
I am in deep pain, please help!
So how do we solve it?
We need a protocol that is:
- Easy to use
- Open
- Secure
- Standardized
Introducing
Universal Second Factor
aka FIDO U2F
How does U2F work?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3916466/green-tick-in-circle_21335495.jpg)
User layer
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4634604/Security-Key-In-Use-2_1024x1024.jpg)
Browser layer
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633382/U2FDeviceAuthr.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633383/U2FDeviceUser.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633385/U2FDevice.png)
Protocol layer
Step one: Challenge-Response
Step two: Phishing protection
Step three: Application-specific key-pair
Relying Party
To Wrap, or not to Wrap?
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2979364/wrapping_example_against_nowrapping.jpg)
Step four: Replay attack protection
Step five: Device attestation
Metadata service
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4634744/fido-metadata-service-arch-detail.png)
Step five and a half: Key exercise protection
The user must confirm their decision to perform 2FA by performing a user gesture.
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2573094/neonano.jpg)
e.g.
- Fingerprint
- Retina scan
- Pincode
- Pressing a button
- Remembering your wife's birthday
- Solving a Rubik's cube
- ...anything you want.
Multiple identifiers
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578157/gmail_iphone_6_hero.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578161/mobile-phone.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578158/gmail-new.png)
Web
Android
iOS
How do we deal with it?
mail.google.com
apk-key-hash:FD18FA
com.google.SecurityKey.dogfood
GMail
Application Facets
```json
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}
```
MUST be served over VALID HTTPS!
...no self-signed certs.
Implementations
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958642/ledger-nano-solo-large.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958644/ledger-unplugged-solo-large.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958649/u2f_hyperfido.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958650/usb-security-key-on-keychain-fido-u2f-510px.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958651/41bDYzmtXUL._SX425_.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958654/YubiKey-NEO-1000-2016.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958653/31fzyjYkBtL._SX300_.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2958657/hypr_biometric_token_home_1.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959281/68747470733a2f2f692e696d6775722e636f6d2f4865725a6857512e6a7067.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4634729/71ob_sZtgLL._SY355_.jpg)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4634733/27756243-cf523e90-5daa-11e7-9981-ef0ff26e2c89.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4634738/unnamed.png)
Current users
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959316/GitHub-Mark.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959317/glyph-vflK-Wlfk.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959318/KN-NzuRl.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959322/uk-gov-final-logo200px.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2897100/GitLab_Logo.svg.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959346/duo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959345/mobile-app-icon_2x.png)
dongleauth.info
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/3436909/fb_icon_325x325.png)
Browser support
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578031/Google_Chrome_icon__2011_.svg.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578030/Microsoft_Edge_logo.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2578029/firefox-512.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2959392/safari_icon_large.png)
Yes
Yes*
(Nightly)
No*
(Soon...)
Maybe?
Yes
WebAuthN
A W3C standard for PublicKey credential authentication
https://www.w3.org/Webauthn/
Today we learned
- Passwords are hard
- 2FA is wubalubadubdub, and we need to do something about it.
- FIDO U2F is sweet.
- Protocol is cute
- You can have multiple identities
- There are existing solutions...
- ...and people do use it
DEMO
Security considerations
- You must use HTTPS
- Start using TLS Channel IDs
- U2F is just 2FA. Don't use it as a primary factor.
Things to play with
- https://github.com/Yubico/pam-u2f
- https://github.com/Yubico/python-u2flib-server
- https://github.com/Yubico/python-u2flib-host
- https://github.com/herrjemand/flask-fido-u2f
- https://github.com/gavinwahl/django-u2f
- https://github.com/google/u2f-ref-code
- https://github.com/conorpp/u2f-zero
- https://github.com/LedgerHQ <- JavaCard
Specs and data
- https://developers.yubico.com/U2F/
- https://fidoalliance.org/specifications/download/
- FIDO Dev (fido-dev) mailing list
What's next?
WE NEED
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/2573598/giphy.gif)
Questions?
twitter/github: @herrjemand
Quick thanks to
Feitian and Yubico
for swag!
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633438/Feitian_Board_1-copy-600x600.png)
![](https://s3.amazonaws.com/media-p.slid.es/uploads/490263/images/4633440/Yubico-logo-website.png)
Thank you OWASP!
Universal Second Factor authentication, or why 2FA today is wubalubadubdub? - OWASP LONDON FEB 2018
By FIDO Alliance
OWASP London presentation on FIDO Universal Second Factor Authentication.