FIDO U2F

Universal Second Factor

keybase.io/herrjemand

Ackermann Yuriy

Student @VUW

...Previously worked @MMC & @SLSNZ

Recently fell in love with

♥ Security and Crypto 

DISCLAIMER

NOT security expert!

Today's menu:

  • Issues with passwords
  • Issues with 2FA
  • What is U2F?
    • How does it work?
      • Five steps to secure 2FA
    • Implementations?
    • Who uses it?
  • Demo

Why don't passwords exactly work?

People use weak passwords

People reuse passwords

Passwords are easily phished and keylogged

Passwords are hard to remember

Second Factor Authentication

aka 2FA

Solution?

Do you use 2FA?

Current 2FA solutions

  • OTP (TOTP and HOTP)
  • Tokens (RSA and OTP tokens)
  • SMS

Examples: Google Authenticator, Yubikey, bank tokens

So what's the problem?

OTP (TOTP and HOTP)

  • Phishable
  • Require shared key
  • Require synced time
  • User experience

Tokens (RSA and OTP tokens)

  • Expensive
  • Require drivers
  • User experience
  • Fragile
  • One per site

SMS

  • Expensive ($ per SMS)
  • Requires coverage
    • e.g. AUS Govt
  • Privacy
  • SIM can be reissued
    • e.g. Snowden and Telegram, Russia
  • No standard
  • User experience

Current state of 2FA

Solution

FIDO U2F

What is FIDO?

Fast IDentity Online

Currently two standards: UAF and U2F

  • UAF: passwordless authentication, biometrics
  • U2F: universal second factor authentication

Universifying the 2nd

out of your factor

1 minute history of FIDO Alliance

  • 2007: Yubico was established by Stina and Jacob Ehrensvärd
  • 2008: After multiple tries and fails, the Yubikey was developed
  • 2012: Yubico opened an office in Palo Alto
  • 2012: Google was like: "Hey Yubico! Cool cryptokeys you make. Wanna Alliance?"
    Yubico: "FUCK YEA!!!"
  • 2013: FIDO Alliance was established

Three FIDO core goals

  1. Usability
  2. Security & Privacy
  3. Standardization

What is U2F?

Open protocol for secure 2FA

What is U2F's goal?

Strong authentication + Privacy

How does it work?

User level

Browser level

Secure 2FA in five steps

  1. Challenge-response
  2. Phishing protection
  3. Application-specific keys
  4. Device cloning detection
  5. Key attestation

Defence against dark arts

key exercise

The user must confirm the decision to perform 2FA by performing a user action (i.e. pressing the button)

Multiple identities for a single relying party

Gmail:

  • Webapp (identity 1)
  • iOS app (identity 2)
  • Android app (identity 3)

How do we deal with it?

Application Facets

{
  "trustedFacets" : [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
        "https://login.example.com",
        "https://secure.example.com",
        "android:apk-key-hash:585215fd5153209a7e246f53286035838a0be227"
    ]
  }]
}

Must be served over HTTPS
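As an added example (not code from the talk or from any FIDO/Yubico project), here is what a relying party checks when it receives a U2F authentication response, tying together the five steps above and the trusted-facet list from the slide: the browser-reported origin must be a trusted facet, the user-presence bit must be set, the counter must be strictly greater than the last one stored (cloning detection), and the signature must cover the exact 69-byte message the token signed. The appId URL is a hypothetical value, and ECDSA P-256 verification is delegated to a caller-supplied function.

```python
import hashlib
import json
import struct

# Constructed sample values (not from the talk): the trusted-facet list from the
# slide above, plus a hypothetical appId URL that this facet list is served from.
TRUSTED_FACETS = {
    "https://login.example.com",
    "https://secure.example.com",
    "android:apk-key-hash:585215fd5153209a7e246f53286035838a0be227",
}
APP_ID = "https://example.com/u2f/trusted-facets.json"  # hypothetical

def client_data(challenge, origin):
    """clientData JSON as the browser builds it for a U2F sign request."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin})

def signed_message(app_id, user_presence, counter, client_data_json):
    """The 69 bytes the token signs: appParam || UP byte || counter || challengeParam.
    appParam = SHA-256(appId) is what makes the key application-specific (step 3)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data_json.encode()).digest()
    return app_param + bytes([user_presence]) + struct.pack(">I", counter) + challenge_param

def check_authentication(client_data_json, raw_response, last_counter, verify_sig):
    """Relying-party checks on a raw U2F authentication response.
    raw_response: byte 0 = user presence, bytes 1-4 = big-endian counter, rest = signature.
    verify_sig(msg, sig) -> bool is the caller's ECDSA P-256 verifier using the public
    key stored for this key handle at registration. Returns (ok, reason, counter_to_store)."""
    data = json.loads(client_data_json)
    if data.get("typ") != "navigator.id.getAssertion":
        return False, "unexpected clientData type", last_counter
    # Step 2, phishing protection: the origin the browser saw must be a trusted facet.
    if data.get("origin") not in TRUSTED_FACETS:
        return False, "origin is not a trusted facet", last_counter
    user_presence = raw_response[0]
    if not user_presence & 0x01:
        return False, "user presence not confirmed", last_counter
    # Step 4, cloning detection: the counter must be strictly greater than the last seen.
    counter = struct.unpack(">I", raw_response[1:5])[0]
    if counter <= last_counter:
        return False, "counter did not increase: possible cloned device", last_counter
    # Step 1, challenge-response: the signature must cover this exact challenge and origin.
    msg = signed_message(APP_ID, user_presence, counter, client_data_json)
    if not verify_sig(msg, raw_response[5:]):
        return False, "bad signature", last_counter
    return True, "ok", counter
```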

So, what do we get from it?

Transport types

Currently ready specs for

USB

NFC

BLE

But, since U2F is just a protocol

It can have different implementations

In hardware and software

U2F keys

Hardware

Software

Current users

http://www.dongleauth.info/

Browser support

  • Yes (need JS polyfill)
  • Plugin required (work in progress)
  • Yes* (Insider build, as part of FIDO 2.0)

Linux needs a udev fix, but only if you are using a Yubikey NEO/NEO-N

Quick disclaimer

https://www.yubico.com/faq/enable-u2f-linux/

What we have covered

  • Passwords don't exactly work
  • Current 2FA solutions
    • ...and their problems
  • U2F
    • Protocol
    • Implementations
    • Current market state

DEMO

Security considerations

  • You must* use HTTPS
    • Mozilla U2F is HTTPS only
  • Start using TLS Channel ID
  • U2F is just 2FA

Things to play with

  • https://github.com/Yubico/pam-u2f
  • https://github.com/Yubico/python-u2flib-server
  • https://github.com/Yubico/python-u2flib-host
  • https://github.com/gavinwahl/django-u2f
  • https://github.com/google/u2f-ref-code
  • https://github.com/mplatt/virtual-u2f

Specs and data

  • https://developers.yubico.com/U2F/
  • https://fidoalliance.org/specifications/download/
  • https://github.com/yubico
  • https://github.com/LedgerHQ (JavaCard)
  • FIDO Dev (fido-dev) mailing list

So, what next?

We need

Quick thanks to all these people

@tveastman

@dannywadair

@ruthmcdavitt

@0x_a6

Questions?

...and you can poke me online as well keybase.io/niemand
