keybase.io/herrjemand
jeman.de
A developer from
Sunny Wellington
DISCLAIMER
NOT a security expert
Today we will learn about password problems:
Weak passwords
Phishing
Password reuse
Typical password life cycle
SOLUTION!
Second Factor Authentication - aka 2FA
Passwords verify
2FA authenticate
Three main types
Apps (TOTP and HOTP)
Tokens (PKI and OTP)
SMS
Current state of 2FA
I am in deep pain,
please help!
Step one: Challenge-Response
Step two: Phishing protection
Step three: Application-specific key-pair
Step four: Device cloning protection
Step five: Device attestation
Step five and a half: Key exercise protection
The user must confirm their decision to perform 2FA by performing a user gesture,
e.g.
Fingerprint
Retina scan
PIN code
Remembering your wife's birthday
Solving a Rubik's cube
...anything you want.
Pressing a button
Web, Android, iOS: how do we deal with it?
One application (GMail) has several facets:
  mail.google.com (web origin)
  apk-key-hash:FD18FA (Android APK key hash)
  com.google.SecurityKey.dogfood (iOS bundle ID)
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://accounts.google.com",
      "https://myaccount.google.com",
      "https://security.google.com",
      "android:apk-key-hash:FD18FA800DD00C0D9D7724328B6D...",
      "android:apk-key-hash:/Rj6gA3QDA2ddyQyi21JXly6gw9D...",
      "ios:bundle-id:com.google.SecurityKey.dogfood"
    ]
  }]
}
MUST be served over VALID HTTPS!
...no self-signed certs.
So we can have different implementations: in hardware, in software, and...
dongleauth.info
Yes (need JS polyfill)
Plugin (in active dev)
No* (not yet...)
...what's all this U2F about?
New standard for credential access, management, and authentication
https://www.w3.org/Webauthn/
FIRST!!!!!!!!!!!1111111!
Today we learned
Security considerations
Specs and data
Things to play with
Special thanks to
@tvestman
@mytch444
@SummerOfTech
@johnclegg
@ruthmcdavitt
Organisers
Sponsors
Thank you all for coming
Questions?
Poke me at keybase.io/herrjemand
jeman.de
To Wrap, or not to Wrap?