keybase.io/herrjemand

Ackermann Yuriy

Sunny Wellington

A developer from

Student @VUW

...Previously worked @MMC & @SLSNZ

Recently fell in love with

Security and Crypto

authentication

Universal Second Factor

or why 2FA today is wubalubadubdub

DISCLAIMER

NOT security expert!

Today's menu:

  • Issues with passwords
  • Issues with 2FA
  • What is U2F?
    • How does it work?
      • Five steps to secure 2FA
    • Implementations?
    • Who uses it?
  • Demo

Why don't passwords exactly work?

People use weak passwords

People reuse passwords

Passwords are easily phished and keylogged

Passwords are hard to remember

Second Factor Authentication

aka 2FA

Solution?

Do you use 2FA?

Current 2FA solutions

  • OTP (TOTP and HOTP): Google Authenticator
  • Tokens (RSA and OTP tokens): Yubikey
  • SMS: bank tokens

So what's the problem?

  • OTP (TOTP and HOTP)
    • Phishable
    • Require shared key
    • Require synced time
    • Bad UX
  • Tokens (RSA and OTP tokens)
    • Expensive
    • Require drivers
    • Bad UX
    • Fragile
    • One per site
  • SMS
    • Phishable
    • Expensive
    • Requires coverage
      • e.g. AUS Govt
    • Privacy
    • SIM can be reissued
      • e.g. Telegram (Russia)
    • Not standardised
    • NIST bans SMS
    • Bad UX

Current state of 2FA

Solution

FIDO U2F

What is FIDO?

Fast IDentity Online

Currently two standards: UAF and U2F

  • UAF: passwordless authentication, biometrics
  • U2F: universal second factor authentication

...talk to me about UAF after the talk.

Universifying the 2nd

out of your factor

What is U2F?

Open protocol, for secure 2FA

What is U2F's goal?

Strong authentication + Privacy

How does it work?

User level

Browser level

Secure 2FA in five steps

1: Challenge-response

2: Phishing protection

3: Application-specific keys

4: Device cloning detection

5: Key Attestation

Defence against dark arts

key exercise

The user must confirm their decision to perform 2FA by performing a user gesture

(i.e. pressing the button)

Multiple identities for a single relying party

Gmail:
  • Webapp (identity 1)
  • iOS app (identity 2)
  • Android app (identity 3)

How do we deal with it?

Application Facets

{
  "trustedFacets": [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",

      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D495E5CBA830F43A9AD232E0D1F2566F7F95B",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9Dqa0jLg0fJWb3+Vs",

      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}

Must be served over HTTPS
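To make the five steps and the facet list concrete, here is an added example (not code from the talk or from any FIDO/Yubico library) of what a relying party checks on each U2F authentication: single-use challenge (step 1), origin against the trusted facets from the JSON above (step 2), key handle scoped to this app ID (step 3), and a counter that must move forward (step 4). Assumptions are labelled in the code: the app ID URL and the lookalike phishing origin are constructed, and the token is simulated with an HMAC secret standing in for the per-registration ECDSA P-256 key a real device uses, so the signature check here is HMAC verification over the same byte layout a real token signs.

```python
import copy
import hashlib
import hmac
import json
import os
import struct
from base64 import urlsafe_b64encode

# Facet list exactly as shown on the slide (Google's published trusted facets).
TRUSTED_FACETS = json.loads("""{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D495E5CBA830F43A9AD232E0D1F2566F7F95B",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9Dqa0jLg0fJWb3+Vs",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}""")
APP_ID = "https://example.test/u2f/facets.json"  # constructed app ID (URL the facet list is served from)
ASSERTION_TYPE = "navigator.id.getAssertion"       # clientData "typ" for a U2F authentication


def facet_allowed(origin: str, facets: dict) -> bool:
    """Step 2: the origin the browser wrote into clientData must be a trusted facet; web facets are https only."""
    return origin in facets["trustedFacets"][0]["ids"] and not origin.startswith("http://")


def client_data(challenge: str, origin: str) -> bytes:
    """clientData as the browser builds it: server challenge plus the origin of the page asking."""
    return json.dumps({"typ": ASSERTION_TYPE, "challenge": challenge, "origin": origin}).encode()


def signed_message(app_id: str, user_presence: int, counter: int, cdata: bytes) -> bytes:
    """Bytes a U2F token signs: sha256(appId) || user-presence byte || 4-byte BE counter || sha256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest() + bytes([user_presence])
            + struct.pack(">I", counter) + hashlib.sha256(cdata).digest())


class SimulatedToken:
    """Stand-in for a U2F device (assumption): HMAC secret instead of an ECDSA key pair, so it runs offline.
    With a real token only the public key would leave the device at registration."""
    def __init__(self):
        self.keys = {}     # key handle -> (app ID it was issued for, secret)
        self.counter = 0   # step 4: monotonically increasing use counter

    def register(self, app_id):
        # Step 3: a fresh key per registration, bound to one app ID; the handle is opaque to the server
        key_handle = urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
        secret = os.urandom(32)
        self.keys[key_handle] = (app_id, secret)
        return key_handle, secret

    def authenticate(self, key_handle, app_id, cdata):
        bound_app, secret = self.keys[key_handle]
        if bound_app != app_id:
            raise ValueError("key handle was not issued for this app ID")
        self.counter += 1
        up = 1  # key exercise: the user pressed the button
        sig = hmac.new(secret, signed_message(app_id, up, self.counter, cdata), hashlib.sha256).digest()
        return up, self.counter, sig


class RelyingParty:
    def __init__(self, app_id, facets):
        self.app_id, self.facets = app_id, facets
        self.pending = set()      # outstanding challenges, each single use
        self.registrations = {}   # key handle -> [verification key, last counter seen]

    def new_challenge(self):
        challenge = urlsafe_b64encode(os.urandom(32)).decode().rstrip("=")
        self.pending.add(challenge)
        return challenge

    def add_registration(self, key_handle, key):
        self.registrations[key_handle] = [key, 0]

    def verify(self, key_handle, cdata, user_presence, counter, signature):
        cd = json.loads(cdata)
        # Step 1: challenge-response; a challenge answers once, so a captured response cannot be replayed
        if cd.get("typ") != ASSERTION_TYPE or cd.get("challenge") not in self.pending:
            return "rejected: unknown or reused challenge"
        self.pending.discard(cd["challenge"])
        # Step 2: the origin the browser signed must be one of our facets
        if not facet_allowed(cd.get("origin", ""), self.facets):
            return "rejected: origin is not a trusted facet"
        # Step 3: only handles registered with us are known; the signature also covers OUR app ID hash
        reg = self.registrations.get(key_handle)
        if reg is None:
            return "rejected: unknown key handle"
        key, last_counter = reg
        if user_presence != 1:
            return "rejected: user presence not asserted"
        expected = hmac.new(key, signed_message(self.app_id, user_presence, counter, cdata), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        # Step 4: a counter that did not advance means another copy of this key has been used
        if counter <= last_counter:
            return "rejected: counter did not increase (cloned device?)"
        reg[1] = counter
        return "ok"


def demo():
    """Genuine login, phishing origin, replayed challenge and a cloned device; returns the verdicts."""
    rp, token = RelyingParty(APP_ID, TRUSTED_FACETS), SimulatedToken()
    key_handle, key = token.register(APP_ID)
    rp.add_registration(key_handle, key)
    clone = copy.deepcopy(token)  # a copy of the device taken right after registration
    results = {}
    good = client_data(rp.new_challenge(), "https://accounts.google.com")
    results["genuine"] = rp.verify(key_handle, good, *token.authenticate(key_handle, APP_ID, good))
    phish = client_data(rp.new_challenge(), "https://accounts.google.com.evil.example")  # constructed lookalike
    results["phishing"] = rp.verify(key_handle, phish, *token.authenticate(key_handle, APP_ID, phish))
    results["replay"] = rp.verify(key_handle, good, *token.authenticate(key_handle, APP_ID, good))
    later = client_data(rp.new_challenge(), "https://accounts.google.com")
    results["clone"] = rp.verify(key_handle, later, *clone.authenticate(key_handle, APP_ID, later))
    return results
```

Running `demo()` gives `ok` for the genuine login and a `rejected: ...` reason for the other three; note that the phishing case fails even though the token produced a perfectly valid signature, because the origin is inside the signed data, and the clone is caught only because its counter is behind the genuine device's, which is why step 4 is detection rather than prevention.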

So, what do we get from it?

Transport types

Specs currently ready for:

  • USB
  • NFC
  • BLE

But, since U2F is just a protocol, it can have different implementations, in hardware and in software.

U2F keys

Hardware

Software

Current users

http://www.dongleauth.info/


Browser support

  • Yes (needs JS polyfill)
  • Plugin required (work in progress)
  • Yes* (Insider build, as part of FIDO 2.0)


What we have covered

  • Passwords don't exactly work
  • Current 2FA solutions
    • ...and their problems
  • U2F
    • Protocol
    • Implementations
    • Current market state

DEMO

Security considerations

  • You must use HTTPS
  • Start using TLS Channel IDs
  • U2F is just 2FA. Don't use it as the primary factor.

Things to play with

  • https://github.com/Yubico/pam-u2f
  • https://github.com/Yubico/python-u2flib-server
  • https://github.com/Yubico/python-u2flib-host
  • https://github.com/gavinwahl/django-u2f
  • https://github.com/google/u2f-ref-code
  • https://u2f.jeman.de/

Specs and data

  • https://developers.yubico.com/U2F/
  • https://fidoalliance.org/specifications/download/
  • https://github.com/yubico
  • https://github.com/LedgerHQ (JavaCard)
  • FIDO Dev (fido-dev) mailing list

So, what next?

We need

Special thanks

@tveastman

@johnclegg

@ruthmcdavitt

@mytch444

Questions?

...and you can poke me online as well keybase.io/herrjemand
