google & fido authentication

Post on 22-Jan-2018


Google & FIDO Authentication

Simpler, stronger authentication with U2F and FIDO2

Alexei Czeskis, Securineer
aczeskis@google.com

Key Threats

● Password Reuse
● Phishing
● Interception

[Diagram labels: Social Media, BANK]

One Time Passwords Aren't Perfect

● SMS Usability: coverage issues, delay, user cost
● Device Usability: one per site, expensive, fragile
● User Experience: users find it hard
● Phishable: OTPs are increasingly phished

Security Supply Chain: build from the ground up, manufacture our own components

Abuse & Spam: used machine learning to solve; today less than 0.001% spam in your Gmail inbox

Demo

Example Attack: https://www.goggle.com

Introducing Security Key (U2F)

[Diagram labels: Your Password, Security Key, Account Data]

Based on Asymmetric Cryptography

Core idea: standard public key cryptography

● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user
● One device, many services, "bring your own device" enabled

How Security Keys Work

Legitimate login at https://www.google.com: the user enters their password, and the Security Key signs “I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com”. The server checks the signature and the origin, and the login succeeds.

Phishing attempt at https://www.goggle.com: the user enters their password on goggle.com, which relays it to the real server, but the Security Key signs “I promise a user is here”, “the server challenge was: 529402”, “the origin was: goggle.com”. The signed origin does not match google.com, so the relayed response is useless to the attacker.

Phishing Defeated
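As an added illustration (not code from the talk, nor from Google's U2F reference implementation), the origin-binding check the two flows above describe, written in Go with a simplified signed message rather than the real U2F wire format; the origins and the challenge value 337423 are the ones on the slides, and the user-presence byte is a stand-in for the real flag.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Register models enrolment: the key mints a fresh P-256 pair and the server keeps only the public key.
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &priv.PublicKey
}

// signedData is what the key commits to: the hash of the origin the browser reports, a
// user-presence byte ("I promise a user is here") and the hash of the server's challenge.
func signedData(origin string, challenge []byte) []byte {
	originHash, chalHash := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	msg := append(originHash[:], 0x01)
	return append(msg, chalHash[:]...)
}

// Sign runs on the key at touch time; the origin comes from the browser, never from the page.
func Sign(priv *ecdsa.PrivateKey, browserOrigin string, challenge []byte) []byte {
	digest := sha256.Sum256(signedData(browserOrigin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify rebuilds the message with the server's OWN origin, so a response signed on goggle.com never verifies for google.com.
func Verify(pub *ecdsa.PublicKey, serverOrigin string, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedData(serverOrigin, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// PhishingDefeated replays the two slides: a genuine login, then the same challenge relayed via goggle.com.
func PhishingDefeated() (genuineOK bool, phishedOK bool) {
	priv, pub := Register()
	challenge := []byte("337423") // constructed; the challenge value shown on the slide
	genuineOK = Verify(pub, "https://www.google.com", challenge, Sign(priv, "https://www.google.com", challenge))
	phishedOK = Verify(pub, "https://www.google.com", challenge, Sign(priv, "https://www.goggle.com", challenge))
	return genuineOK, phishedOK
}
```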

Google’s Deployment Experience

Deployment at Google

● Enterprise use case
  ○ Mandated for Google employees
  ○ Corporate SSO (Web)
  ○ SSH
  ○ Forms basis of all authentication
● Consumer use case
  ○ Available as opt-in for Google consumers
  ○ Adopted by other relying parties too: Dropbox, GitHub, Facebook, Salesforce, ...

Time to Authenticate

[Chart from “Security Keys: Practical Cryptographic Second Factors for the Modern Web”]

Security Keys are faster to use than OTPs

Second Factor Support Incidents

[Chart from “Security Keys: Practical Cryptographic Second Factors for the Modern Web”]

Security Keys cause fewer support incidents than OTPs


Productionizing Enterprise FIDO Support

Other Enterprises Can Have This Too

Does this work with a mobile?

How do we deploy this at scale?

What if they lose their key?

Productionizing FIDO Support


Using FIDO for Targeted Users

Recently Launched

https://google.com/advancedprotection


Re-Authentication

Re-Authenticating on a Known Device

● Happens often (i.e., transaction authorization)
● Needs to be fast
● Server has device reputation (cookies, profiling, etc.)

Building Native FIDO

https://developer.android.com/training/articles/security-key-attestation.html

● Android attestation of hardware-backed cryptographic keys
● New building block for strong FIDO support on Android

Android Infrastructure

[Diagram: Fingerprint API, FIDO APIs, Keystore; Native Android apps, Chrome (WebAuthn)]


How Can You Get Started?

Resources

● To use with Google
  ○ Use through 2-Step Verification, OR
  ○ Enroll in the Advanced Protection Program (https://google.com/advancedprotection)
● Also use with GitHub, Dropbox, Salesforce, Facebook
● And / or play with some code:
  ○ https://github.com/google/u2f-ref-code
  ○ https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
  ○ Maybe use Android Hardware Key Attestation
● Check out W3C WebAuthn (https://www.w3.org/TR/webauthn/)
● We're always happy to answer questions

Alexei Czeskis
aczeskis@google.com
