Fido U2F PROTOCOL

U2F - Universal 2nd Factor

By Ather Ali

1. The FIDO (Fast IDentity Online) Alliance is a non-profit organization nominally formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords.

2. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services.

3. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.

The FIDO Alliance has two specifications: UAF and U2F.

Agenda

1. Introduction
2. Threats
3. Today's Solutions
4. U2F Solution
5. Fido Ready Device
6. Demo
7. Behind the Scene
8. How to implement

POSSIBLE THREATS

REUSED - PHISHED - KEYLOGGED

Today's solution: One-time codes: SMS or Device

SMS USABILITY: Coverage issues - Delay - User cost

DEVICE USABILITY: One per site - Expensive - Fragile

USER EXPERIENCE: Users find it hard

The U2F solution: How it works

● One device, many services
● Easy: Insert and press button
● Safe: Un-phishable security

Core idea: Standard public key cryptography:
● User's device mints a new key pair and gives the public key to the server
● Server asks the user's device to sign data to verify the user
● One device, many services; "bring your own device" enabled

Lots of refinement for this to be consumer facing:

Privacy: Site-specific keys, no unique ID per device

Security: No phishing, no man-in-the-middle attacks

Trust: Verify who made the device (Attestation Certificate)

Pragmatics: Affordable today, ride the hardware cost curve down

Speed for user: Fast crypto in the device (Elliptic Curve)

Think "Smartcard re-designed for modern consumer web"

U2F PROTOCOL

FIDO READY SECURITY KEY

http://www.amazon.in/gp/offer-listing/B00NLKA0D8/ref=sr_1_1_olp?ie=UTF8&qid=1434738887&sr=8-1&keywords=fido+key&condition=new

DEMO

https://demo.yubico.com/u2f?tab=login

[Diagram: Server, Phisher and the user's device. The device signs a "Proof that User is there":]

“I promise a user is here”, “the server challenge was: 337423”, “the origin was: accounts.google.com”, “the TLS connection state was: 342384”

→ signedProofThatUserIsThere

[Diagram: PROCESS FLOW between the Relying Party and the FIDO Client: 1. Setup, 2. Processing, 3. Verification]
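The flow on the slides above (device mints a site-specific key pair, server stores the public key, device later signs a challenge together with the origin the browser saw and a channel id, server verifies) as an added Go simulation. This is example code written for this page, not the FIDO Alliance's or Yubico's code. It assumes the appID is simply the server's origin, uses a random hex key handle kept inside the simulated device, and lays out the signed bytes as sha256(appID) || user-presence byte || counter || sha256(clientData), modelled on the U2F authentication signature input. The challenge and channel values are the constructed samples from the slide.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser assembles: the server's challenge, the origin the
// browser actually loaded, and a TLS channel identifier. The device signs over its hash.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
	ChannelID string `json:"cid_pubkey"`
}

// Authenticator simulates a U2F device: a fresh key pair per registration, each bound
// to the appID it was minted for, plus one signature counter (no unique device ID).
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> site-specific private key
	appIDs  map[string]string           // key handle -> appID the key belongs to
	counter uint32
}

// Register mints a P-256 key pair for appID and hands back a key handle and the public key.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	kh := hex.EncodeToString(raw) // assumption: random handle; real devices may wrap the key in it
	a.keys[kh], a.appIDs[kh] = priv, appID
	return kh, &priv.PublicKey, nil
}

// signedData builds sha256(appID) || 0x01 (user present) || counter (4 bytes BE) || sha256(clientDataJSON).
func signedData(appID string, counter uint32, clientDataJSON []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	var buf bytes.Buffer
	buf.Write(appHash[:])
	buf.WriteByte(0x01) // the button was pressed
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(cdHash[:])
	return buf.Bytes()
}

// Authenticate signs a "user is here" proof, but only for the appID the key handle was
// registered under: a key minted for one site never signs for another site's appID.
func (a *Authenticator) Authenticate(kh, appID string, clientDataJSON []byte) (uint32, []byte, error) {
	priv, ok := a.keys[kh]
	if !ok || a.appIDs[kh] != appID {
		return 0, nil, errors.New("key handle not registered for this appID")
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}

// RelyingParty is the server: public key and last-seen counter per key handle.
// Assumption for this demo: the appID is the server's origin.
type RelyingParty struct {
	Origin   string
	pubKeys  map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

// Verify checks challenge, reported origin, counter and signature, in that order.
func (rp *RelyingParty) Verify(kh, challenge string, clientDataJSON []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: relayed through another site", cd.Origin, rp.Origin)
	}
	if counter <= rp.counters[kh] {
		return errors.New("counter did not increase: replay or cloned device")
	}
	digest := sha256.Sum256(signedData(rp.Origin, counter, clientDataJSON))
	if pub := rp.pubKeys[kh]; pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	rp.counters[kh] = counter
	return nil
}

// Outcome records what happened in RunScenario so it can be checked.
type Outcome struct{ HonestOK, PhishRefused, ReplayRejected bool }

// RunScenario registers a device, logs in honestly, then tries a phishing relay (the browser
// reports the phisher's origin, so the appID differs) and a straight replay of the honest assertion.
func RunScenario() (Outcome, error) {
	rp := &RelyingParty{Origin: "https://accounts.google.com", pubKeys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
	dev := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, appIDs: map[string]string{}}
	kh, pub, err := dev.Register(rp.Origin)
	if err != nil {
		return Outcome{}, err
	}
	rp.pubKeys[kh] = pub

	challenge := "337423" // constructed sample values from the slide
	honest, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: rp.Origin, ChannelID: "342384"})
	ctr, sig, err := dev.Authenticate(kh, rp.Origin, honest)
	if err != nil {
		return Outcome{}, err
	}
	out := Outcome{HonestOK: rp.Verify(kh, challenge, honest, ctr, sig) == nil}

	phishOrigin := "https://accounts-google.example" // constructed phishing origin
	phished, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: phishOrigin, ChannelID: "999999"})
	_, _, err = dev.Authenticate(kh, phishOrigin, phished) // device refuses: key is bound to another appID
	out.PhishRefused = err != nil

	out.ReplayRejected = rp.Verify(kh, challenge, honest, ctr, sig) != nil // counter already seen
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Println(out, err)
}
```

The phishing relay is stopped twice over: the device will not sign for an appID it did not mint the key for, and even if the phisher could obtain a signature, the origin inside the signed client data would not match the server's, so the server rejects it. The counter check catches replays and cloned devices.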

If you want to cover the topics below in detail, follow the link:

1. How it works
2. How the handle is generated
3. How it is secured against MITM, phishing, malware, etc.
4. Device is genuine
5. Etc.

https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-overview-ps-20141009.html#goal-strong-authentication-and-privacy-for-the-web

For Developers: https://developers.yubico.com/Software_Projects/FIDO_U2F/

Thanks!

E-mail: [email protected]