Universal Second Factor authentication
or why 2FA today is
wubalubadubdub
Yuriy Ackermann
Sr. Certification Engineer @FIDOAlliance
twitter/github: @herrjemand

Today we will learn
- Why passwords are not enough
- Why 2FA has not succeeded
- Introduction to U2F
- DEMO
- Q&A

Why not just passwords?
Weak
Phishing
Reuse


Typical password life cycle
SOLUTION!
Two Factor Authentication - aka 2FA


pwned
haveibeenpwned.com
What is 2FA?
Passwords verify, 2FA authenticates.

Do you use 2FA?

What does 2FA look like?
Three main types:
- Apps (TOTP and HOTP)
- Tokens (PKI and OTP)
- SMS




So we solved it?
Right?

Why has 2FA not succeeded?

Apps (TOTP and HOTP):
- Phishing!!
- UX
- Shared key
- Synced time

Tokens (PKI and OTP):
- Cost
- DRIVERS
- Phishing
- UX
- Centralised
- Fragile

SMS:
- Still phishable
- UX
- Privacy
- Security
- SIM reissue
- SIM spoof
- Coverage
- NIST Ban








Current state of 2FA
"I am in deep pain, please help!"

So how do we solve it?
We need a protocol that is:
- Easy to use
- Open
- Secure
- Standardized

Introducing
Universal Second Factor
aka FIDO U2F

How does U2F work?

User layer
Browser layer
Protocol layer

Step one: Challenge-Response

Step two: Phishing protection

Step three: Application-specific key-pair

Relying Party
To Wrap, or not to Wrap?

Step four: Replay Attack Protection

Step five: Device attestation

Metadata service


Step five and a half: Key exercise protection
The user must confirm the 2FA operation by performing a user gesture, e.g.:
- Pressing a button
- Fingerprint
- Retina scan
- PIN code
- Remembering your wife's birthday
- Solving a Rubik's cube
- ...anything you want.

Multiple identifiers
One service, three platforms, e.g. GMail:
- Web: mail.google.com
- Android: apk-key-hash:FD18FA
- iOS: com.google.SecurityKey.dogfood
How do we deal with it?

Application Facets
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}
MUST be served over VALID HTTPS!
...no self signed certs.
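The decision a U2F client (browser or platform) takes from a facet list like the one above, as an added example that is not part of the talk: the caller's facet ID (its web origin, or an android:/ios: identifier) may use an appId only if the appId is https, is the caller's own origin, or names a list that was fetched over valid HTTPS and contains the facet ID. The function names originAllowedForAppId, originOf and offlineFetch and the example.com facet list are constructed for this illustration; the injected fetch function stands in for a real HTTPS GET with certificate validation, and returns null where a self-signed certificate would make that fetch fail.

```javascript
// Constructed facet list for a fictional relying party (not a real deployment).
const SAMPLE_FACETS = {
  'https://example.com/u2f/facets.json': JSON.stringify({
    trustedFacets: [{
      version: { major: 1, minor: 0 },
      ids: [
        'https://example.com',
        'https://accounts.example.com',
        'android:apk-key-hash:EXAMPLEKEYHASH',   // placeholder, not a real signing-key hash
        'ios:bundle-id:com.example.SecurityKey',
      ],
    }],
  }),
};

// Scheme + host (+ port) of a URL, which is what a web facet ID is; null if unparsable.
function originOf(url) {
  try { const u = new URL(url); return `${u.protocol}//${u.host}`; } catch { return null; }
}

// Stand-in for the HTTPS fetch a real client performs. null means the list could not be
// retrieved over valid TLS (self-signed certificate, plain http, unknown host).
function offlineFetch(appId) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_FACETS, appId) ? SAMPLE_FACETS[appId] : null;
}

// May the caller identified by facetId use appId? fetchFacets(appId) returns JSON text or null.
function originAllowedForAppId(appId, facetId, fetchFacets) {
  if (!appId) appId = facetId;                       // no appId given: it defaults to the caller's origin
  const appOrigin = originOf(appId);
  if (appOrigin === null || !appOrigin.startsWith('https://')) return false; // only https appIds
  if (appOrigin === facetId) return true;            // appId is the caller's own origin: no list needed
  const body = fetchFacets(appId);
  if (body === null) return false;                   // not served over valid HTTPS
  let facets;
  try { facets = JSON.parse(body).trustedFacets; } catch { return false; }
  const entry = (Array.isArray(facets) ? facets : []).find(
    (f) => f.version && f.version.major === 1 && f.version.minor === 0);
  if (!entry || !Array.isArray(entry.ids)) return false;
  const eligible = entry.ids.filter((id) =>
    id.startsWith('android:apk-key-hash:') || id.startsWith('ios:bundle-id:') ||
    (id.startsWith('https://') && originOf(id) === id)); // web facets must be bare https origins
  return eligible.includes(facetId);
}

console.log(originAllowedForAppId('https://example.com/u2f/facets.json', 'https://accounts.example.com', offlineFetch));
```

Production clients additionally refuse to follow redirects when fetching the list and apply the FIDO AppID and Facet specification's domain-eligibility rules for web facets; both are omitted here so the function runs offline.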

Implementations

Current users
dongleauth.info


Browser support (Feb 2018; the browsers were shown as logos on the slide): Yes / Yes* (Nightly) / No* (Soon...) / Maybe? / Yes
WebAuthN
A W3C standard for PublicKey credential authentication
https://www.w3.org/Webauthn/

Today we learned
- Passwords are hard
- 2FA is wubalubadubdub, and we need to do something about it.
- FIDO U2F is sweet.
- Protocol is cute
- You can have multiple identities
- There are existing solutions...
- ...and people do use it

DEMO

Security considerations
- You must use HTTPS
- Start using TLS Channel IDs
- U2F is just 2FA. Don't use it as the primary factor.

Things to play with
- https://github.com/Yubico/pam-u2f
- https://github.com/Yubico/python-u2flib-server
- https://github.com/Yubico/python-u2flib-host
- https://github.com/herrjemand/flask-fido-u2f
- https://github.com/gavinwahl/django-u2f
- https://github.com/google/u2f-ref-code
- https://github.com/conorpp/u2f-zero
- https://github.com/LedgerHQ <- JavaCard

Specs and data
- https://developers.yubico.com/U2F/
- https://fidoalliance.org/specifications/download/
- FIDO Dev (fido-dev) mailing list

What's next?
WE NEED

Questions?
twitter/github: @herrjemand

Quick thanks to
Feitian and Yubico
for swag!



Thank you OWASP!

Universal Second Factor authentication, or why 2FA today is wubalubadubdub? - OWASP LONDON FEB 2018
By FIDO Alliance
OWASP London presentation on FIDO Universal Second Factor Authentication.