Universal Second Factor authentication

or why 2FA today is

wubalubadubdub

Ackermann Yuriy

keybase.io/herrjemand

jeman.de

Student @VUW

A developer from

Sunny Wellington

DISCLAIMER

NOT a security expert

Today we will learn

  • Why passwords are not enough
  • Why 2FA has not succeeded
  • Introduction to U2F
  • DEMO
  • Q&A

Why not just passwords?

Weak

Phishing

Reuse

Typical password life cycle

SOLUTION!

Second Factor Authentication - aka 2FA

What is 2FA?

Passwords verify

2FA authenticate

Do you use 2FA?

What does 2FA look like?

Three main types

  • Apps (TOTP and HOTP)
  • Tokens (PKI and OTP)
  • SMS

So we solved it?

Right!

Right?

Why has 2FA not succeeded?

Apps

  • Phishing!!
  • UX
  • Shared key
  • Synced time

Tokens

  • Cost
  • Drivers
  • Phishing
  • UX
  • Centralised
  • Fragile

SMS

  • Still phishable
  • UX
  • Privacy
  • Security
    • SIM reissue
    • SIM spoof
  • Coverage
  • NIST ban (the SP 800-63B draft deprecates SMS OTP)

Current state of 2FA

I am in deep pain,

please help!

So how do we solve it?

We need:

  • Easy to use

  • Open

  • Secure

  • Standardized

protocol.

Introducing

Universal Second Factor

aka U2F

made by FIDO

How does U2F work?

User layer

Browser layer

We need to go deeper...

Cooking secure 2FA

in five and half steps

Step one: Challenge-Response

Step two: Phishing protection

Step three: Application-specific key-pair

Step four: Device cloning protection

Step five: Device attestation

Step five and a half: Key exercise protection

The user must confirm their decision to perform 2FA by performing a user gesture,

e.g.

Pressing a button

Fingerprint

Retina scan

Pincode

Remembering your wife's birthday

Solving a Rubik's cube

...anything you want.
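The five and a half steps above, carried through on the relying-party side for one U2F authentication. This is an added example, not code from the talk, from FIDO or from any of the libraries linked later: the appId `https://u2f.example.test`, the key, the counter values and the clientData are all constructed here. The P-256 ECDSA is a minimal pure-Python stand-in so the block runs with the standard library only; a real server would use a vetted library (Yubico's python-u2flib-server is linked below). Step five, attestation, is deliberately left out because verifying it means parsing the attestation X.509 certificate, which does not fit here; everything else (challenge, origin check, per-app key through appParam, counter, user presence) is checked exactly as the U2F raw message format lays it out.

```python
import base64, hashlib, json, secrets, struct

# NIST P-256 domain parameters. The ECDSA below is a tiny pure-Python stand-in
# written for this example, not production crypto.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):                      # affine point addition, None = point at infinity
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p == q
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):                      # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _der_int(v):                     # DER INTEGER, as used inside the U2F signature
    b = v.to_bytes(32, "big").lstrip(b"\0") or b"\0"
    if b[0] & 0x80: b = b"\0" + b
    return b"\x02" + bytes([len(b)]) + b

def ecdsa_sign(d, msg):              # DER-encoded ECDSA over SHA-256, what a token emits
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: break
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body

def ecdsa_verify(pub, msg, sig):     # pub = 0x04||X||Y, the format of the registration response
    if len(pub) != 65 or pub[0] != 4 or sig[:1] != b"\x30": return False
    q = (int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:65], "big"))
    i, vals = 2, []
    for _ in range(2):
        if sig[i:i + 1] != b"\x02" or i + 1 >= len(sig): return False
        ln = sig[i + 1]; vals.append(int.from_bytes(sig[i + 2:i + 2 + ln], "big")); i += 2 + ln
    r, s = vals
    if not (0 < r < N and 0 < s < N): return False
    z, w = int.from_bytes(hashlib.sha256(msg).digest(), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

APP_ID = "https://u2f.example.test"  # hypothetical appId; also the origin the browser reports

def new_challenge():                 # step one: fresh, unpredictable, single-use
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def token_sign(priv, app_id, client_data, counter):
    """Authenticator side: sign with the key-pair it holds for this appId (step three)."""
    header = b"\x01" + struct.pack(">I", counter)   # user-presence byte + 32-bit counter
    signed = hashlib.sha256(app_id.encode()).digest() + header + hashlib.sha256(client_data).digest()
    return header + ecdsa_sign(priv, signed)

def verify_authentication(app_id, challenge, client_data, response, pub_key, stored_counter):
    """Relying-party side. Returns the new counter to store, or raises ValueError."""
    cd = json.loads(client_data)
    if cd.get("typ") != "navigator.id.getAssertion": raise ValueError("wrong clientData typ")
    if cd.get("challenge") != challenge: raise ValueError("challenge mismatch")        # step one
    if cd.get("origin") != app_id: raise ValueError("origin mismatch (phishing?)")    # step two
    presence, counter = response[0], struct.unpack(">I", response[1:5])[0]
    if not presence & 1: raise ValueError("user presence not asserted")               # step five and a half
    if counter <= stored_counter: raise ValueError("counter did not increase (cloned token?)")  # step four
    signed = (hashlib.sha256(app_id.encode()).digest() + response[:5]
              + hashlib.sha256(client_data).digest())  # appParam ties the key to this app (step three)
    if not ecdsa_verify(pub_key, signed, response[5:]): raise ValueError("bad signature")
    return counter

def demo():
    """Constructed run: one genuine login, then a replay, a phished origin and a missing touch."""
    priv = secrets.randbelow(N - 1) + 1
    x, y = _mul(priv, G)
    pub = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")  # what registration stored
    ch = new_challenge()
    cd = json.dumps({"typ": "navigator.id.getAssertion", "challenge": ch, "origin": APP_ID}).encode()
    resp = token_sign(priv, APP_ID, cd, counter=7)
    out = {"valid": verify_authentication(APP_ID, ch, cd, resp, pub, stored_counter=6)}
    cases = {"replay": (APP_ID, ch, cd, resp, pub, 7),      # same response presented again
             "phished": (APP_ID, ch, cd.replace(APP_ID.encode(), b"https://u2f-example.evil"), resp, pub, 6),
             "no_presence": (APP_ID, ch, cd, b"\x00" + resp[1:], pub, 6)}
    for name, args in cases.items():
        try:
            verify_authentication(*args); out[name] = "accepted"
        except ValueError as e:
            out[name] = str(e)
    return out
```

The order of the checks matters in practice: everything cheap and deterministic (typ, challenge, origin, presence bit, counter) is rejected before the signature is verified, and the counter is only written back once the signature holds. In the phished case the origin check fires first, but the signature would also fail, because the browser on another origin would have computed appParam over a different appId.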

Multiple identifiers

One application, GMail, has several:

  • Web: mail.google.com
  • Android: apk-key-hash:FD18FA
  • iOS: com.google.SecurityKey.dogfood

How do we deal with it?

Application Facets

{
  "trustedFacets": [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",

      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",

      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}

MUST be served over VALID HTTPS!

...no self-signed certs.
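What a FIDO client does with a facet list like the one above, as an added example (not the talk's code and not a FIDO implementation). The appId `https://rp.example.test/u2f/facets.json` and the facet list are constructed here in the same shape as the slide; the Android hash is made up. Two filtering rules from the FIDO AppID and Facet specification are applied: the appId itself must be an https URL, and web facets that are not https origins on the appId's registrable domain are dropped. The registrable-domain check uses the last two DNS labels as a stand-in for the public-suffix-list eTLD+1 the spec asks for, which is a simplification.

```python
import json
from urllib.parse import urlsplit

APP_ID = "https://rp.example.test/u2f/facets.json"  # hypothetical appId: the URL of the facet list

# Constructed facet list, the document that would be served at APP_ID
FACET_LIST = json.dumps({"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": [
        "https://rp.example.test",
        "https://login.example.test",
        "https://cdn.example-assets.test",   # other registrable domain: must be ignored
        "http://legacy.example.test",        # not https: must be ignored
        "android:apk-key-hash:Zm9vYmFy",     # made-up hash for the example
        "ios:bundle-id:test.example.rp",
    ]}]})

def _registrable_domain(host):
    # Simplification: last two labels stand in for the public-suffix eTLD+1 (assumption)
    return ".".join(host.lower().split(".")[-2:])

def allowed_facets(app_id, facet_list_json):
    """Facet IDs a client may trust for app_id after filtering the fetched list."""
    app = urlsplit(app_id)
    if app.scheme != "https" or not app.hostname:
        raise ValueError("appId must be an https URL")
    entries = json.loads(facet_list_json)["trustedFacets"]
    ids = next((e["ids"] for e in entries if e.get("version") == {"major": 1, "minor": 0}), None)
    if ids is None:
        raise ValueError("no version 1.0 trusted facet list")
    keep = []
    for fid in ids:
        u = urlsplit(fid)
        if u.scheme == "https":
            bare_origin = u.hostname and not (u.path or u.query or u.fragment)
            if bare_origin and _registrable_domain(u.hostname) == _registrable_domain(app.hostname):
                keep.append(fid)
        elif fid.startswith(("android:apk-key-hash:", "ios:bundle-id:")):
            keep.append(fid)
        # anything else (http://, unknown schemes, origins with a path) is dropped
    return keep

def facet_is_trusted(app_id, facet_id, facet_list_json):
    """Client-side decision: may the caller identified by facet_id use app_id?"""
    app, facet = urlsplit(app_id), urlsplit(facet_id)
    if facet.scheme == "https" and facet.hostname == app.hostname:
        return True   # same https host as the appId: no fetch needed
    return facet_id in allowed_facets(app_id, facet_list_json)
```

The fetch itself is where the "valid HTTPS, no self-signed certs" rule bites: the client must dereference the appId with full certificate validation, and the spec also requires the list to be served with the `application/fido.trusted-apps+json` media type. A facet list reachable over a certificate the client would not otherwise trust is not a facet list at all, since anyone who can present that certificate can add their own origin to it.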

U2F is just a protocol

So we can have different implementations

In hardware

software

and

Current users

dongleauth.info

Browser support

Yes

(need JS polyfill)

Plugin

(In active dev)

No*

(Not yet...)

...so what is all this U2F about?

WebAuthN

New standard for credential access, management, and authentication

https://www.w3.org/Webauthn/

FIRST!!!!!!!!!!!1111111!

Today we learned

  • Passwords are hard
  • 2FA is wubalubadubdub, and we need to do something about it.
  • U2F is sweet.
    • Protocol is cute
    • You can have multiple identities
    • There are existing solutions...
    • ...and people do use it

Security considerations

  • You must use HTTPS
  • Start using TLS Channel IDs
  • U2F is just 2FA. Don't use it as the primary factor.

Specs and data

  • https://developers.yubico.com/U2F/
  • https://fidoalliance.org/specifications/download/
  • FIDO Dev (fido-dev) mailing list

Things to play with

  • https://github.com/Yubico/pam-u2f
  • https://github.com/Yubico/python-u2flib-server
  • https://github.com/Yubico/python-u2flib-host
  • https://github.com/herrjemand/flask-fido-u2f
  • https://github.com/gavinwahl/django-u2f
  • https://github.com/google/u2f-ref-code
  • https://github.com/conorpp/u2f-zero
  • https://u2f.jeman.de/
  • https://github.com/LedgerHQ  <-  JavaCard

What's next?

WE NEED

Special thanks to

@tvestman

@mytch444

@SummerOfTech

@johnclegg

@ruthmcdavitt

Organisers

Sponsors

Thank you all for coming

Questions?

Poke me at  keybase.io/herrjemand

jeman.de

To Wrap, or not to Wrap?
