FIDO U2F
Universal Second Factor
keybase.io/herrjemand
Ackermann Yuriy
Student @VUW
...Previously worked @MMC & @SLSNZ
Recently fell in love with
♥ Security and Crypto ♥
DISCLAIMER
NOT a security expert!
Today's menu:
- Issues with passwords
- Issues with 2FA
- What is U2F?
- How does it work?
- Five steps to secure 2FA
- Implementations?
- Who uses it?
- How does it work?
- Demo
Why don't passwords exactly work?
People use weak passwords
People reuse passwords
Passwords are easily phished and keylogged
Passwords are hard to remember
Second Factor Authentication
aka 2FA
Solution?
Do you use 2FA?
Current 2FA solutions
- OTP (TOTP and HOTP)
- Tokens (RSA and OTP tokens)
- SMS
Examples: Google Authenticator, Yubikey, bank tokens
So what's the problem?
OTP (TOTP and HOTP):
- Phishable
- Require shared key
- Require synced time
- User experience
Tokens (RSA and OTP tokens):
- Expensive
- Require drivers
- User experience
- Fragile
- One per site
SMS:
- Expensive ($ per SMS)
- Requires coverage
- e.g. the AUS Govt
- Privacy
- SIM can be reissued
- Snowden and Telegram, Russia
- No standard
- User experience
Current state of 2FA
Solution
FIDO U2F
What is FIDO?
Fast IDentity Online
Currently two standards: UAF and U2F
- UAF: passwordless authentication, biometrics
- U2F: universal second factor authentication
Universifying the 2nd out of your factor
1 minute history of FIDO Alliance
2007: Yubico was established by Stina and Jacob Ehrensvärd
2008: After multiple tries and fails, the Yubikey was developed
2012: Yubico opened an office in Palo Alto
2012: Google was like:
Google: - Hey Yubico! Cool cryptokeys you make. Wanna Alliance?
Yubico: - FUCK YEA!!!
2013: FIDO Alliance was established
Three FIDO core goals
- Usability
- Security & Privacy
- Standardization
What is U2F?
Open protocol, for secure 2FA
What is U2F's goal?
Strong authentication + Privacy
How does it work?
User level
Browser level
Secure 2FA in five steps
1: Challenge-response
2: Phishing protection
3: Application-specific keys
4: Device cloning detection
5: Key attestation
Defence against dark arts
key exercise
The user must confirm the decision to perform 2FA with a user action
(i.e. pressing the button)
Multiple identities for a single relying party
Gmail:
- Webapp (identity 1)
- iOS app (identity 2)
- Android app (identity 3)
How do we deal with it?
Application Facets
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://login.example.com",
      "https://secure.example.com",
      "android:apk-key-hash:585215fd5153209a7e246f53286035838a0be227"
    ]
  }]
}
Must be served over HTTPS!
So, what do we get from it?
Transport types
Currently ready specs for:
- USB
- NFC
- BLE
But, since U2F is just a protocol, it can have different implementations, in hardware and in software.
U2F keys
- Hardware
- Software
Current users
http://www.dongleauth.info/
Browser support
- Yes (need JS polyfill)
- Plugin required (work in progress)
- Yes* (Insider build, as part of FIDO 2.0)
Quick disclaimer
Linux needs a udev fix, but only if you are using a Yubikey NEO/NEO-N:
https://www.yubico.com/faq/enable-u2f-linux/
What we have covered
- Passwords don't exactly work
- Current 2FA solutions
- ...and their problems
- U2F
- Protocol
- Implementations
- Current market state
DEMO
Security considerations
- You must* use HTTPS
- Mozilla: U2F is HTTPS only
- Start using TLS Channel ID
- U2F is just 2FA
Things to play with
- https://github.com/Yubico/pam-u2f
- https://github.com/Yubico/python-u2flib-server
- https://github.com/Yubico/python-u2flib-host
- https://github.com/gavinwahl/django-u2f
- https://github.com/google/u2f-ref-code
- https://github.com/mplatt/virtual-u2f
Specs and data
- https://developers.yubico.com/U2F/
- https://fidoalliance.org/specifications/download/
- https://github.com/yubico
- https://github.com/LedgerHQ <- JavaCard
- FIDO Dev (fido-dev) mailing list
So, what next?
We need
Quick thanks to all these people
@tveastman
@dannywadair
@ruthmcdavitt
@0x_a6
Questions?
...and you can poke me online as well: keybase.io/niemand