Universal Second Factor authentication
or why 2FA today is
wubalubadubdub
Ackermann Yuriy
keybase.io/herrjemand
jeman.de
Student @VUW
A developer from
Sunny Wellington
DISCLAIMER
NOT a security expert
Today we will learn
- Why passwords are not enough
- Why 2FA has not succeeded
- Introduction to U2F
- DEMO
- Q&A
Why not just passwords?
Weak
Phishing
Reuse
Typical passwords life cycle
SOLUTION!
Second Factor Authentication - aka 2FA
What is 2FA?
Passwords verify
2FA authenticates
Do you use 2FA?
What does 2FA look like?
Three main types
- Apps (TOTP and HOTP)
- Tokens (PKI and OTP)
- SMS
So we solved it?
Right!
Right?
Why has 2FA not succeeded?
Apps
- Phishing!!
- UX
- Shared key
- Synced time
Tokens
- Cost
- DRIVERS
- Phishing
- UX
- Centralised
- Fragile
SMS
- Still phishable
- UX
- Privacy
- Security
- SIM reissue
- SIM spoof
- Coverage
- NIST Ban
Current state of 2FA
I am in deep pain,
please help!
So how do we solve it?
We need:
- Easy to use
- Open
- Secure
- Standardized
protocol.
Introducing
Universal Second Factor
aka U2F
made by FIDO
How does U2F work?
User layer
Browser layer
We need to go deeper...
Cooking secure 2FA
in five and half steps
Step one: Challenge-Response
Step two: Phishing protection
Step three: Application-specific key-pair
Step four: Device cloning protection
Step five: Device attestation
Step five and a half: Key exercise protection
The user must confirm their decision to perform 2FA by performing a user gesture,
e.g.
- Fingerprint
- Retina scan
- Pincode
- Remembering your wife's birthday
- Solving a Rubik's cube
- ...anything you want.
- Pressing a button
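The five and a half steps above, played out end to end as a software token talking to a relying party. This is an added example written for this page, not code from the talk or from any FIDO implementation. It assumes the U2F authentication signature layout, sha256(appId) || user-presence byte || 4-byte big-endian counter || sha256(clientData), signed with ECDSA P-256 (the layout the specs linked below describe); the names Token, RelyingParty, Demo, the origins and the challenge strings are constructed. Step five, device attestation, is left out because it needs a vendor attestation certificate chain that a self-contained example cannot carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, not by the page's JavaScript
}

// Token stands in for a U2F device: one key pair per appId (step three), one counter (step four).
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register mints a P-256 key pair bound to appID; the RP stores only the public half.
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[appID] = k
	return &k.PublicKey
}

// sigBase is what a U2F token signs: sha256(appId) || userPresence || counter (u32 BE) || sha256(clientData).
func sigBase(appID string, presence byte, counter uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	b := append(app[:], presence, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(b, cdh[:]...)
}

func (t *Token) Authenticate(appID string, cd []byte, userPresent bool) (byte, uint32, []byte, error) {
	k := t.keys[appID]
	if k == nil || !userPresent { // step five and a half: no gesture, no signature
		return 0, 0, nil, errors.New("unknown appId or no user gesture")
	}
	t.counter++
	h := sha256.Sum256(sigBase(appID, 1, t.counter, cd)) // ECDSA signs the SHA-256 of the base
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return 1, t.counter, sig, err
}

type RelyingParty struct {
	appID   string
	facets  map[string]bool // origins allowed to use this appId
	pub     *ecdsa.PublicKey
	counter uint32 // last counter value accepted
}

// Verify runs the server-side checks, one per step of the recipe.
func (rp *RelyingParty) Verify(challenge string, cd []byte, presence byte, counter uint32, sig []byte) error {
	var c ClientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Challenge != challenge {
		return errors.New("step one: challenge mismatch or unparseable client data")
	}
	if !rp.facets[c.Origin] {
		return errors.New("step two: browser-reported origin is not a trusted facet")
	}
	h := sha256.Sum256(sigBase(rp.appID, presence, counter, cd))
	if !ecdsa.VerifyASN1(rp.pub, h[:], sig) {
		return errors.New("step three: not signed by this app's key")
	}
	if presence&1 == 0 || counter <= rp.counter {
		return errors.New("step four / five and a half: stale counter (clone?) or no user gesture")
	}
	rp.counter = counter
	return nil
}

// Demo plays an honest login, one relayed via a look-alike origin and one from a cloned token.
func Demo() (honest, phished, cloned error) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{appID: "https://example.com", facets: map[string]bool{"https://example.com": true}}
	rp.pub = tok.Register(rp.appID)
	login := func(t *Token, origin, chal string) error {
		cd, _ := json.Marshal(ClientData{Challenge: chal, Origin: origin})
		p, ctr, sig, _ := t.Authenticate(rp.appID, cd, true) // constructed: gesture always given
		return rp.Verify(chal, cd, p, ctr, sig)
	}
	honest = login(tok, "https://example.com", "challenge-1")
	phished = login(tok, "https://examp1e.com", "challenge-2") // constructed look-alike origin
	clone := &Token{keys: tok.keys}                              // same keys, counter reset to zero
	cloned = login(clone, "https://example.com", "challenge-3")
	return honest, phished, cloned
}

func main() {
	h, p, c := Demo()
	fmt.Println("honest:", h, "| phished:", p, "| cloned:", c)
}
```

Running it with `go run` prints a nil error for the honest login and an error for each of the other two: the relayed login fails at step two because the browser, not the page, fills in the origin, and the clone fails at step four because its counter has fallen behind the one the server last accepted. Note that Verify checks the signature before it trusts the counter, since the counter is only meaningful once it is known to come from the registered key.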
Multiple identifiers
- Web
- Android
- iOS
How do we deal with it?
GMail
- Web: mail.google.com
- Android: apk-key-hash:FD18FA
- iOS: com.google.SecurityKey.dogfood
Application Facets
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}
MUST be served over VALID HTTPS!
...no self signed certs.
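Checking a browser-reported origin against a facet list of the shape shown above, as an added Go example; it is not code from the talk or from any FIDO library. The document is constructed (the Android hash is a placeholder), and ParseFacets and IsTrustedOrigin are names chosen here. It enforces the https rule on the web facet IDs; fetching the list itself over valid HTTPS, which the slide requires, is the caller's job.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SampleFacets is a constructed TrustedFacets document in the shape shown on the
// slide; the Android app-key hash is a placeholder, not a real value.
const SampleFacets = `{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "android:apk-key-hash:PLACEHOLDER_APK_KEY_HASH",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}`

type facetList struct {
	TrustedFacets []struct {
		Version struct {
			Major int `json:"major"`
			Minor int `json:"minor"`
		} `json:"version"`
		IDs []string `json:"ids"`
	} `json:"trustedFacets"`
}

// ParseFacets returns the set of facet IDs from a version-1.0 TrustedFacets list.
// Web facets must be https origins; a single http entry fails the whole document,
// because a non-TLS origin would let anyone on the network path claim the appId.
func ParseFacets(doc []byte) (map[string]bool, error) {
	var fl facetList
	if err := json.Unmarshal(doc, &fl); err != nil {
		return nil, err
	}
	ids := map[string]bool{}
	for _, f := range fl.TrustedFacets {
		if f.Version.Major != 1 || f.Version.Minor != 0 {
			continue // only the version we understand
		}
		for _, id := range f.IDs {
			if strings.HasPrefix(id, "android:apk-key-hash:") || strings.HasPrefix(id, "ios:bundle-id:") {
				ids[id] = true // app facets are opaque identifiers, matched verbatim
				continue
			}
			u, err := url.Parse(id)
			if err != nil || u.Scheme != "https" || u.Host == "" {
				return nil, fmt.Errorf("facet %q is not an https origin", id)
			}
			ids[u.Scheme+"://"+u.Host] = true // normalise to scheme://host origin form
		}
	}
	if len(ids) == 0 {
		return nil, errors.New("no usable facets in document")
	}
	return ids, nil
}

// IsTrustedOrigin answers whether the origin a browser reported may use this appId.
func IsTrustedOrigin(facets map[string]bool, origin string) bool {
	return facets[origin]
}

func main() {
	facets, err := ParseFacets([]byte(SampleFacets))
	fmt.Println(facets, err, IsTrustedOrigin(facets, "https://accounts.google.com"))
}
```

The lookup is an exact match on the normalised origin, so "http://accounts.google.com" and any unlisted host are rejected even though the host name is familiar; that exact match is what makes the facet list a phishing control rather than a convenience.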
U2F is just a protocol
So we can have different implementations
In hardware and software
Current users
dongleauth.info
Browser support
- Yes (need JS polyfill)
- Plugin (In active dev)
- No* (Not yet...)
...what's all this U2F is about?
WebAuthN
New standard for credential access, management, and authentication
https://www.w3.org/Webauthn/
FIRST!!!!!!!!!!!1111111!
Today we learned
- Passwords are hard
- 2FA is wubalubadubdub, and we need to do something about it.
- U2F is sweet.
- Protocol is cute
- You can have multiple identities
- There are existing solutions...
- ...and people do use it
Security considerations
- You must use HTTPS
- Start using TLS Channel IDs
- U2F is just 2FA. Don't use it as a primary factor.
Specs and data
Things to play with
- https://github.com/Yubico/pam-u2f
- https://github.com/Yubico/python-u2flib-server
- https://github.com/Yubico/python-u2flib-host
- https://github.com/herrjemand/flask-fido-u2f
- https://github.com/gavinwahl/django-u2f
- https://github.com/google/u2f-ref-code
- https://github.com/conorpp/u2f-zero
- https://u2f.jeman.de/
- https://developers.yubico.com/U2F/
- https://fidoalliance.org/specifications/download/
- https://github.com/LedgerHQ <- JavaCard
- FIDO Dev (fido-dev) mailing list
What's next?
WE NEED
Special thanks to
@tvestman
@mytch444
@SummerOfTech
@johnclegg
@ruthmcdavitt
Organisers
Sponsors
Thank you all for coming
Questions?
Poke me at keybase.io/herrjemand
jeman.de
Universal Second Factor authentication, or why 2FA today is wubalubadubdub? - Kiwi PyCon 2016
By Ackermann Yuriy
KiwiPyCon 2016 presentation on FIDO Universal Second Factor Authentication.