keybase.io/herrjemand
Ackermann Yuriy
Sunny Wellington
A developer from
Student @VUW
...Previously worked @MMC & @SLSNZ
Recently fell in love with
♥ Security and Crypto ♥
authentication
Universal Second Factor
or why 2FA today is wubalubadubdub
DISCLAIMER
NOT security expert!
Todays menu:
- Issues with passwords
- Issues with 2FA
- What is U2F?
- How does it work?
- Five steps to secure 2FA
- Implementations?
- Who uses it?
- How does it work?
- Demo
Why passwords don't exactly work?
People use weak passwords
People reuse passwords
Passwords are easy phished and keylogged
Passwords are hard to remember
Second Factor Authentication
aka 2FA
Solution?
Do you use 2FA?
Current 2FA solutions
OTP
Tokens
SMS
(TOTP and HOTP)
(RSA and OTP tokens)
Google Authenticator
Yubikey
Bank tokens
So what's the problem?
OTP
Tokens
SMS
(TOTP and HOTP)
(RSA and OTP tokens)
- Phishable
- Require shared key
- Require synced time
- Bad UX
- Expensive
- Require drivers
- Bad UX
- Fragile
- One per site
- Phishable
- Expensive
- Requires coverage
- AUS Govt eg
- Privacy
- SIM can be reissued
- Telegram. Russia
- Not standardised
- NIST Bans SMS
- Bad UX
Current state of 2FA
Solution
FIDO U2F
What is FIDO?
Fast IDentity Online
Currently two standards
UAF and U2F
Passwordless authentication
Biometrics
Universal second factor authentication
Currently 2 standards
UAF and U2F
Passwordless authentication
Biometrics
Universal second factor authentication
...talk to me about UAF after the talk.
Universifying the 2nd
out of your factor
What is U2F?
Open protocol, for secure 2FA
What U2F's goal?
Strong authentication + Privacy
How does it work?
User level
Browser level
Secure 2FA in five steps
1: Challenge-response
2: Fishing protection
3: Application-specific keys
4. Device cloning detection
5. Key Attestation
Defence against dark arts
key exercise
User must confirm his decision to perform 2FA, by performing user gesture
(i.e. pressing the button)
Multiple identities for a single relying party
Gmail
Webapp
iOS app
Android app
How do we deal with it?
(identity 1)
(identity 2)
(identity 3)
Application Facets
{
"trustedFacets": [{
"version": { "major": 1, "minor" : 0 },
"ids": [
"https://accounts.google.com",
"https://myaccount.google.com",
"https://security.google.com",
"android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D495E5CBA830F43A9AD232E0D1F2566F7F95B",
"android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9Dqa0jLg0fJWb3+Vs",
"ios:bundle-id:com.google.SecurityKey.dogfood"
]
}]
}Must be server over HTTPS!
So, what do we get from it?
Transport types
Currently ready specs for
USB
NFC
BLE
But, since U2F is just protocol
It can have different implementations
In hardware
and software
U2F keys
Hardware
Software
Current users
http://www.dongleauth.info/
Current users
http://www.dongleauth.info/
Browser support
Yes
(need JS polyfill)
Plugin required
(Work in progress)
Yes*(Insider build)
(As part of FIDO2.0)
Browser support
Yes
(need JS polyfill)
Plugin
(In active dev)
Yes
*(Insider build)
What we have covered
- Passwords don't exactly work
- Current 2FA solutions
- ...and their problems
- U2F
- Protocol
- Implementations
- Current market state
DEMO
Security conciderations
- You must use HTTPS
- Start using TLS Channel ID's
- U2F is just 2FA. Don't use as primary factor.
Things to play with
- https://github.com/Yubico/pam-u2f
- https://github.com/Yubico/python-u2flib-server
- https://github.com/Yubico/python-u2flib-host
- https://github.com/gavinwahl/django-u2f
- https://github.com/google/u2f-ref-code
- https://u2f.jeman.de/
Specs and data
- https://developers.yubico.com/U2F/
- https://fidoalliance.org/specifications/download/
- https://github.com/yubico
- https://github.com/LedgerHQ <- JavaCard
- FIDO Dev (fido-dev) mailing list
So, what next?
We need
Special thanks
@tveastman
@johnclegg
@ruthmcdavitt
@mytch444
Questions?
...and you can poke me online as well keybase.io/herrjemand