U2F Case Study: Examining the U2F Paradox

Transcript of U2F Case Study: Examining the U2F Paradox

Slide 1: U2F Case Study: Examining the U2F Paradox

Slide 3: What is Universal 2nd Factor (U2F)?

Slide 4: Simple, Secure, Scalable 2FA

Slide 5: Didn't We Solve This Already?

Drawbacks of the existing second factors:

SMS: coverage, delay, cost, battery, policy
OTP Devices: one per site, provisioning costs, battery
Smart Cards: readers/drivers, middleware, cost

Slide 6:

Bad user experience: users find it hard to use
Still phishable: successful attacks carried out today
MitM: successful attacks carried out today

And...

Slide 7: Why U2F?

• Simple
  – To register and authenticate: a simple touch!
  – No drivers or client software to install
• Secure
  – Public key cryptography
  – Protects against phishing and man-in-the-middle
• Scalable
  – One U2F device, many services
• Protects Privacy
  – No secrets shared between service providers

Slide 8: Google Login With U2F
1. Enter username/password 2. Insert U2F key 3. Touch device

Slide 9: Dropbox Login With U2F
1. Enter username/password 2. Insert U2F key 3. Touch device

Slide 10: GitHub Login With U2F
1. Enter username/password 2. Insert U2F key 3. Touch device

Slides 11 to 13: Your Login With U2F
1. Enter username/password 2. Insert U2F key 3. Touch device

Slide 14: Protocol Overview

Parties: the individual with a U2F device, and the Relying Party.

Registration
1. Server sends challenge
2. Device generates key pair
3. Device creates key handle
4. Device signs challenge + client info
5. Server receives and verifies device signature using attestation cert
6. Key handle and public key are stored in database

Authentication
1. Server sends challenge + key handle
2. Device unwraps/derives private key from key handle
3. Device signs challenge + client info
4. Server receives and verifies using stored public key

Slide 16: Protocol Design Step-By-Step

Slide 17: Authentication

Parties: U2F Device, Client, Relying Party.

1. Relying Party -> Client: challenge
2. Client -> U2F Device: challenge
3. U2F Device: sign with kpriv, s = signature(challenge)
4. U2F Device -> Client: s
5. Client -> Relying Party: s
6. Relying Party: look up kpub; check signature s using kpub

Slide 18: Phishing/MitM Protection

1. Relying Party -> Client: challenge
2. Client -> U2F Device: c = (challenge, origin, channel id)
3. U2F Device: sign with kpriv, s = signature(c)
4. U2F Device -> Client: s
5. Client -> Relying Party: c, s
6. Relying Party: look up kpub; check s using kpub; verify origin & channel id

Slide 19: Application-Specific Keys

1. Relying Party -> Client: handle h, app id a, challenge
2. Client -> U2F Device: h, a; c = (challenge, origin, channel id, etc.)
3. U2F Device: check app id a; look up the kpriv associated with h; sign with kpriv, s = signature(a, c)
4. U2F Device -> Client: s
5. Client -> Relying Party: h, c, s
6. Relying Party: look up the kpub associated with h; check s using kpub; verify origin & channel id

Slide 20: Device Cloning

1. Relying Party -> Client: handle h, app id a, challenge
2. Client -> U2F Device: h, a; c = (challenge, origin, channel id, etc.)
3. U2F Device: check app id a; look up the kpriv associated with h; counter++; sign with kpriv, s = signature(a, c, counter)
4. U2F Device -> Client: counter, s
5. Client -> Relying Party: h, counter, c, s
6. Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter

Slide 21: Registration + Device Attestation

1. Relying Party -> Client: app id a, challenge
2. Client -> U2F Device: a; c = (challenge, origin, channel id, etc.)
3. U2F Device: check app id a; generate kpub, kpriv and handle h; s = signature(a, c, kpub, h)
4. U2F Device -> Client: kpub, h, attestation cert, s
5. Client -> Relying Party: c, kpub, h, attestation cert, s
6. Relying Party: associate kpub with handle h for the user

Slide 22: So How Did We Do?

x Bad User Experience
x Still Phishable
x MitM

Slide 23: Resources

Strengthen 2 step verification with Security Key (Google security blog)
Yubico Security Key: yubico.com/security-key
Yubico Libraries, Plugins, Sample Code, Documentation: developers.yubico.com
FIDO U2F Protocol Specification: fidoalliance.org/specifications
Yubico Demo Server - Test U2F: demo.yubico.com/u2f
Yubico Demo Server - Test Yubico OTP: demo.yubico.com

Slide 24: Questions, Comments

Derek [email protected]
@derekhanson, @yubico