Ackermann Yuriy
Sunny Wellington
A developer from
Student @VUW
...Previously worked @MMC & @SLSNZ
Recently fell in love with
♥ Security and Crypto ♥
DISCLAIMER
NOT security expert!
Today's menu:
Why passwords don't exactly work?
People use weak passwords
People reuse passwords
Passwords are easily phished and keylogged
Passwords are hard to remember
Second Factor Authentication
aka 2FA
Solution?
Do you use 2FA?
Current 2FA solutions
OTP
Tokens
SMS
(TOTP and HOTP)
(RSA and OTP tokens)
Google Authenticator
Yubikey
Bank tokens
So what's the problem?
OTP
Tokens
SMS
(TOTP and HOTP)
(RSA and OTP tokens)
Current state of 2FA
Solution
FIDO U2F
What is FIDO?
Fast IDentity Online
Currently two standards
UAF and U2F
Passwordless authentication
Biometrics
Universal second factor authentication
...talk to me about UAF after the talk.
What is U2F?
Open protocol, for secure 2FA
What is U2F's goal?
Strong authentication + Privacy
How does it work?
User level
Browser level
Secure 2FA in five steps
1: Challenge-response
2: Phishing protection
3: Application-specific keys
4: Device cloning detection
5: Key Attestation
Defence against dark arts
key exercise
User must confirm their decision to perform 2FA by performing a user gesture
(i.e. pressing the button)
Multiple identities for a single relying party
Gmail
Webapp
iOS app
Android app
How do we deal with it?
(identity 1)
(identity 2)
(identity 3)
Application Facets
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D495E5CBA830F43A9AD232E0D1F2566F7F95B",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9Dqa0jLg0fJWb3+Vs",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}
Must be served over HTTPS!
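The relying-party side of the five steps above (challenge-response, phishing protection, application-specific keys, cloning detection) together with the trusted-facets origin check, as an added Python example that is not code from the talk or from any U2F library. APP_ID, the facet set, the sample response and its placeholder signature bytes are constructed for illustration; the ECDSA P-256 verification over the returned signed message is left to the caller.

```python
import base64
import hashlib
import json
import struct

# Constructed relying-party configuration for this example (not the talk's demo).
APP_ID = "https://accounts.google.com"
TRUSTED_FACETS = {"https://accounts.google.com", "https://myaccount.google.com"}
GET_ASSERTION = "navigator.id.getAssertion"


def b64url_decode(s):
    """U2F carries unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sample_response(challenge, origin, counter, presence=0x01):
    """Build a constructed sign response as the browser would hand it to the server.
    The 'signature' is placeholder bytes; a real token emits an ECDSA P-256 signature."""
    client_data = json.dumps({"typ": GET_ASSERTION, "challenge": challenge, "origin": origin})
    sig_data = struct.pack(">BI", presence, counter) + b"\x30\x00placeholder-signature"
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return {"clientData": enc(client_data.encode()), "signatureData": enc(sig_data)}


def check_sign_response(resp, issued_challenge, stored_counter):
    """Relying-party checks for steps 1-4. Returns (signed_message, signature, counter);
    the caller still verifies signature over signed_message with the public key
    registered for this key handle. Raises ValueError when any check fails."""
    client_data_raw = b64url_decode(resp["clientData"])
    client_data = json.loads(client_data_raw)
    # 1: challenge-response. The signed clientData must echo the challenge we issued.
    if client_data.get("typ") != GET_ASSERTION or client_data.get("challenge") != issued_challenge:
        raise ValueError("challenge mismatch (stale or replayed response)")
    # 2: phishing protection. The browser records the origin it really loaded; a lookalike
    #    domain is not in the trustedFacets list, so its response is rejected.
    if client_data.get("origin") not in TRUSTED_FACETS:
        raise ValueError("origin %r is not a trusted facet" % client_data.get("origin"))
    # signatureData = user-presence byte || 4-byte big-endian counter || signature
    sig_data = b64url_decode(resp["signatureData"])
    if len(sig_data) < 5:
        raise ValueError("signatureData too short")
    presence, counter = struct.unpack(">BI", sig_data[:5])
    if not presence & 0x01:
        raise ValueError("user presence flag not set (no button press)")
    # 4: device cloning detection. A clone replays an old count, which we refuse.
    if counter <= stored_counter:
        raise ValueError("counter did not increase: %d <= %d" % (counter, stored_counter))
    # 3: application-specific keys. The token signs over sha256(appId), so a key
    #    registered for one relying party is useless to any other.
    signed_message = (hashlib.sha256(APP_ID.encode()).digest() + sig_data[:5]
                      + hashlib.sha256(client_data_raw).digest())
    return signed_message, sig_data[5:], counter
```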
So, what do we get from it?
Transport types
Specs are currently ready for
USB
NFC
BLE
But, since U2F is just a protocol
It can have different implementations
In hardware
and software
U2F keys
Hardware
Software
Current users
http://www.dongleauth.info/
Browser support
Yes
(need JS polyfill)
Plugin required
(Work in progress)
Yes*(Insider build)
(As part of FIDO2.0)
Browser support
Yes
(need JS polyfill)
Plugin
(In active dev)
Yes
*(Insider build)
What we have covered
DEMO
Security considerations
Things to play with
Specs and data
So, what next?
We need
Special thanks
@tveastman
@johnclegg
@ruthmcdavitt
@mytch444
Questions?
...and you can poke me online as well: keybase.io/herrjemand