FIDO2: The Future of Strong Authentication

Post on 02-Jun-2020


© 2020 Yubico

FIDO2: The Future of Strong Authentication

Jeffery Frederick
Sr. Solutions Engineer, Yubico
Jeff.Frederick@Yubico.com


Cryptography


Cryptography Methods

● Symmetric key encryption
● Asymmetric key encryption

Authentication typically uses a combination of cryptographic methods to meet the CIANA objectives.


Symmetric key encryption (shared secret)

Sender → Encrypt → Ciphertext → Decrypt → Recipient

“Shared secret” key: both the Sender and Recipient use the same key to encrypt/decrypt.


“Shared secret” problem

● We have a lock and 2 keys shared with 2 different people that can lock and unlock it

● Can we guarantee that there are only 2 copies floating around?

● What’s stopping people from copying the key and sharing with others?


Asymmetric key encryption (public key crypto)

Sender → Encrypt (Recipient’s public key) → Ciphertext → Decrypt (Recipient’s private key) → Recipient

Different keys are used to encrypt/decrypt. Only the Recipient has the “secret” private key, thus only they can decrypt.


The Password Problem


The Password way: Registration

User → Website (over SSL/TLS): Create new account
Website → User: Sure! Enter username & password
Website → Server (Database): Store username & password


The Password way: Authentication

User → Website (over SSL/TLS): Hi, I’m back! Login please
Website → User: Sure! Enter username & password
Website → Server (Database): Fetch username & password
Website → User: Great, it is really you. Welcome back!


Password Problems

● Password could be stolen from the server
● Too many passwords to remember
● Malware
● MitM
● Code Injection
● Inconvenient to type password on device


Public Key Crypto = No Secret on Server

Basic Auth: authentication secrets (passwords) are stored on the server.
Public Key Crypto: no authentication secrets on the server; stolen public keys are of no use.

Only Public Keys are stored on the server, not private ones.


Multi-factor Authentication

Two-factor authentication method where the user provides two types of identification…

1. Something you know - a PIN or a password
2. Something you have - a physical device such as a YubiKey
3. Something you are - such as biometrics


FIDO2 Overview


Evolving strong authentication standards

1960s: Passwords
1970s: Smart Card
1990s: RSA Keyfob
2010s: Soft Token
2014: FIDO U2F
2018: FIDO2/WebAuthn
2019+


FIDO2 overview: New open authentication standard offering new authentication choices

Single Factor: Passwordless
Replaces weak passwords with strong authentication for single factor authentication. Touch/tap and go! Good for time-critical login (e.g. retail kiosks)

Multi-Factor: Passwordless + PIN or Biometric
Multi-factor with combination of a hardware authenticator with touch and a PIN (e.g. financial transactions, submitting a prescription, standard Windows login flow)

Two Factor: Password + Authenticator
Second factor in a two factor authentication solution


Passwords vs PIN

Passwords: Shared secret between a user and a server
PIN: No shared secret, uses asymmetric/public key cryptography

Passwords: Stored on server; susceptible to breach
PIN: Stored local on device; not susceptible to remote attack (PIN unlocks authenticator)

Passwords: Policy may demand frequent change
PIN: May never need to change

Passwords: May require complexity; difficult to remember
PIN: May be short, simple, with no complexity requirement; easy to remember

*With FIDO2, may use biometric alternative to PIN


FIDO2’s protection at scale

● Origin bound keys
● User presence
● Hardware w/strong crypto
● Native Browser/OS support
● Secure backup
● Many apps, no shared secrets


FIDO2 keys are Proven Unphishable

YubiKeys at Google have eliminated account takeovers.

OTP through Mobile Apps and SMS didn’t stop account takeovers

YubiKeys made mandatory for Google Employees and Contractors

Stopped account takeovers.

85,000+ Employees in over 70 Countries


Cross Platform Support: One Authenticator → Many Devices


FIDO2 Use Cases

● Logon to Web Services / Web Sites
● OS Logon
● Log on to “fat client” applications
● Token as a carrier of a validated identity
● Authorization of transactions
● Passwordless experience
● Multi factor authentication


FIDO2/WebAuthn


Building Blocks of FIDO

Authenticator (security key, fingerprint reader, etc.)
Client (application, browser, platform)
Relying Party (web service, site)


How FIDO2 authentication works

● FIDO2 = CTAP + WebAuthn
● A set of open standards utilizing public-key cryptography to enable strong first factor, second and multi-factor authentication
● CTAP is built into the platform thus developers only need to understand the WebAuthn standard as CTAP is integrated into the platform and browsers

Authenticator ←CTAP→ Client/Platform (Platform, Browser, Application) ←WebAuthn→ Relying Party


What is CTAP?

● Application layer protocol used to communicate between an external authenticator (i.e. security key) and a client (desktop) or a platform (OS)
● Authenticator generates and securely stores credentials
● Private keys, PINs, and biometric information never leave the authenticator
● Communicates over USB, NFC, and Bluetooth

Authenticator ←CTAP (Client to Authenticator Protocol, CTAP1 and/or CTAP2)→ Client/Platform (Platform, Browser, Application)


What is WebAuthn?

● Specification that enables the creation and use of strong public key-based credentials by web applications
● Strongly authenticate users
● Built into widely adopted platforms (e.g. Windows), standardized by W3C, with support by all major browsers (e.g. Google, Mozilla, Edge, Safari, etc.)
● Includes FIDO2 and U2F, allowing backwards compatibility of U2F with capable authenticators

Client/Platform (Platform, Browser, Application) ←WebAuthn (W3C Web Authentication API)→ Relying Party


How FIDO Registration Works

Parties: Relying Party (web service/site), Client (app, web browser, platform), Authenticator (YubiKey). The Authenticator holds a private key per service/site and an attestation key per device.

1. Client → Relying Party: Registration Request
2. Relying Party → Client: Challenge, User Info
3. Client → Authenticator: Challenge, Origin, Token Binding, User Info
4. Authenticator: Generate private key, public key, key handle / Credential
5. Authenticator → Client: Public key, Key handle, Credential ID, Attestation Signature (Challenge, Origin, Token Binding)
6. Client → Relying Party: Public key, Key handle, Credential ID, Attestation Signature (Challenge, Origin, Token Binding)
7. Relying Party: Verify Challenge, Origin, Token Binding; Verify Attestation Signature; Store Public key and Key handle or Credential ID
8. Relying Party → Client: Successful registration


How FIDO Authentication Works

Parties: Relying Party (web service/site), Client (app, web browser, platform), Authenticator (YubiKey). The Authenticator holds the private key (per service/site); the Relying Party holds the matching public key.

1. Client → Relying Party: Login Request
2. Relying Party → Client: Challenge
3. Client → Authenticator: Challenge, Origin, Token Binding
4. Authenticator: Require test of user presence before private key can be used; sign the response
5. Authenticator → Client: Credential ID, Signed Response
6. Client → Relying Party: Credential ID, Signed response
7. Relying Party: Check signature using public key to verify Origin and Token Binding
8. Relying Party → Client: Successful login


FIDO Credential Phishing Protection

Parties: Relying Party (web service/site), Client (app, web browser, platform), Authenticator (YubiKey). The Authenticator holds the private key (per service/site); the Relying Party holds the matching public key.

1. Client → Relying Party: Login Request
2. Relying Party → Client: Challenge
3. Client → Authenticator: Challenge, Origin, Token Binding
4. Authenticator: Require test of user presence before private key can be used; sign the response
5. Authenticator → Client: Signed response includes Origin
6. Client → Relying Party: Signed response includes Origin
7. Relying Party: Check signature using public key to verify Origin and Token Binding
8. Relying Party → Client: Successful login


FIDO MitM Protection

Parties: Relying Party (web service/site), Client (app, web browser, platform), Authenticator (YubiKey). The Authenticator holds the private key (per service/site); the Relying Party holds the matching public key.

1. Client → Relying Party: Login Request
2. Relying Party → Client: Challenge
3. Client → Authenticator: Challenge, Origin, Token Binding
4. Authenticator: Require test of user presence before private key can be used; sign the response
5. Authenticator → Client: Signed response includes Token Binding
6. Client → Relying Party: Signed response includes Token Binding
7. Relying Party: Check signature using public key to verify origin and Token Binding
8. Relying Party → Client: Successful login


How it works: Registration (1), Authentication (2)


FIDO2 Solution Summary

● Allows secure login without a password
  ○ Strong layered security supporting strong single, second, and multi-factor authentication
  ○ Strong defense against phishing and MitM
  ○ High usability with rapid login
● Built into widely adopted platforms (e.g. Windows) standardized by W3C, with support by all major browsers (e.g. Google, Mozilla, Edge, etc.)
● IAM/other vendors are adding support, encourage yours to do the same!
● FIDO2 is here!


FIDO Alliance


Board Members


FIDO Alliance - Overview

The FIDO Alliance is working to change the nature of authentication with open standards that are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.

The FIDO Alliance works to fulfill its mission by:

● Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users
● Operating industry certification programs to help ensure successful worldwide adoption of the specifications
● Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization


Terminology

● RP - Relying Party, for example a Web application.
● Authenticators - An Authenticator is a device with a TPM. There are two different Authenticators: platform (internal) and cross-platform (roaming).
● userHandle - Mapping of the user, a pseudo random byte sequence not identifying the user.
● User Presence - Used to ensure that a user is physically present and in control of the Authenticator.
● User Verification - Serves to ensure that the person authenticating to a service is in fact who they say they are for the purposes of that service.
● Attestation - The attestation is how authenticators prove to the relying party that the keys they generate originate from a genuine device with certified characteristics. There is an option to do attestation when creating the key pair.
● Resident Keys - The private key and a userHandle are stored in persistent memory on the authenticator, instead of encrypted and stored on the relying party server.


The YubiKey Product Line

Waterproof. Crush Resistant. Made in the USA to precise standards.


YubiKey Multiple Protocol Support

● FIDO2
● FIDO U2F
● Smart Card (PIV)
● OATH (TOTP/HOTP)
● OpenPGP
● Config Slot 1 and 2


Resources


FIDO U2F - learn more

Get Started
● Read the specifications: fidoalliance.org/specifications/overview/
● Yubico U2F Dev site: dev.yubico.com

Implement
● Google reference code: github.com/google/u2f-ref-code
● Build your own U2F server: dev.yubico.com/U2F/libraries
● Use Yubico standalone U2F server: dev.yubi.co/u2fval

Test
● Yubico U2F demo server: demo.yubico.com/u2f
● Google U2F demo server: u2fdemo.appspot.com


FIDO2 - learn more

Get Started
● Read the specifications: fidoalliance.org/specifications/overview/
● Read about: Microsoft about FIDO2, CTAP and WebAuthn
● WebAuthn Resources: https://github.com/herrjemand/
● Yubico about FIDO2: What is FIDO2?
● Brighttalk FIDO2 Demystified: FIDO2 Authentication Demystified

Implement
● Yubico WebAuthn Libraries: developers.yubico.com/WebAuthn/Libraries/
● Yubico WebAuthn Developer Guide: https://dev.yubico.com/WebAuthn

Test
● Yubico FIDO2 demo server: demo.yubico.com/playground


Learn More About FIDO2

Developer Program

Press Release: Yubico Launches Developer Program

developers.yubico.com

The Yubico Developer Program provides resources to enable rapid implementation of strong authentication for web and mobile applications.

Technical Webinars

FIDO2 Authentication Demystified

FIDO2 WebAuthn Data Flows, Attestation

FIDO2 WebAuthn Server Validation

Blogs

Yubico at RSA 2018: Passwordless Logins, Developer Programs, and More

Yubico Launches Passwordless Login with new Security Key and FIDO2

Yubico and Microsoft Introduce Passwordless Login

What is FIDO2?

Microsoft Blog: All about FIDO2, CTAP2 and WebAuthn