Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication - FIDO Alliance...


Transcript of Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication - FIDO Alliance...

Page 1: Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication - FIDO Alliance - Tokyo Seminar - Brand

Proprietary + Confidential

Becoming Unphishable: Towards Simpler, Stronger Authentication

Christiaan Brand, Google

Page 2: Largest and most secure infrastructure

Page 3: Google Security Stack

Layers shown in the stack diagram: Mobile, UI, Application, Network, Software, Hardware

Page 4

● Tomorrow: we work on quantum resistant encryption
● Abuse & Spam: used machine learning to solve; today less than 0.001% spam in your Gmail inbox
● Security Supply Chain: built from the ground up; manufactured our own components

Page 5: Today we tackle authentication

Page 6: Protect Yourself And Your Users

It's easier than you think for someone to steal a password.

● Password Reuse
● Phishing
● Interception

(Diagram labels: Social Media, Bank)

Page 7

● 123456: most popular password in 2015
● password: 2nd most popular password in 2015

Source: SplashData, https://www.teamsid.com/worst-passwords-2015/

Page 8

● 76% of account vulnerabilities were due to weak or stolen passwords
● 43% success rate for a well designed phishing page

goo.gl/YYDM79

Page 9: Today: The reality of One Time Passwords

● SMS Usability: coverage issues, delay, user cost
● Device Usability: one per site, expensive, fragile
● User Experience: users find it hard
● Phishable: OTPs are increasingly phished

Page 10: Introducing FIDO U2F

● Based on FIDO U2F standard
● Safe: protects against phishing
● Easy: insert and press button
● Compact: one device, many services

(Diagram: Your Password + Security Key gives access to Account Data)

Page 11: Core idea - Standard public key cryptography

● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user
● One device, many services, "bring your own device" enabled

Based on Asymmetric Cryptography
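The registration and challenge-signing exchange these bullets describe, as an added Go example that is not part of the talk or of Google's U2F code: a simulated security key mints a P-256 key pair per relying party, the server verifies a signed challenge, and because the hash of the app ID (origin) sits inside the signed data, a look-alike origin gets neither a signature from the key nor a passing verification; this is also the per-RP isolation the use-cases slide mentions. The names (Authenticator, Register, Sign, Verify) and origins are assumptions, and the message layout is simplified (no counter or user-presence byte).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the security key; its private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh key pair bound to appID and hands back only a key
// handle and the public key, which the server stores against the user.
func (a Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", priv.PublicKey.X.Bytes()) // opaque reference, not a secret
	a[appID+"|"+handle] = priv
	return handle, &priv.PublicKey, nil
}

// signedData mirrors U2F's authentication message: the SHA-256 of the app ID
// (origin) is covered by the signature, so it is tied to one relying party.
func signedData(appID string, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	digest := sha256.Sum256(append(appHash[:], challenge...))
	return digest[:]
}

// Sign answers a challenge for the origin the browser reports; a handle that
// was registered under a different origin is refused (no signature to relay).
func (a Authenticator) Sign(appID, handle string, challenge []byte) ([]byte, error) {
	priv, ok := a[appID+"|"+handle]
	if !ok {
		return nil, errors.New("key handle not registered for this app ID")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge))
}

// Verify is the server's check: the signature must cover the server's own
// app ID and the exact challenge it issued, so replays and other origins fail.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(appID, challenge), sig)
}
```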

Page 12: Google's Experience

Page 13: Deployment at Google

● Enterprise use case
  ○ Mandated for Google employees
  ○ Corporate SSO (Web)
  ○ SSH
  ○ Forms basis of all authentication
● Consumer use case
  ○ Available as opt-in for Google consumers
  ○ Adopted by other relying parties too: Dropbox, GitHub

Page 14: Time to authenticate

Page 15: Time to authenticate

Page 16: Second factor support incidents

Page 17: Second factor support incidents

Page 18: We're not quite done

Page 19: We are not there yet for the Enterprise

● Does this work with a mobile?
● How do we deploy this at scale?
● What if they lose their key?

Page 20: Productizing FIDO U2F

Making progress towards stronger authentication

Page 21: Demo: Bootstrapping account

Page 22: How can you get started?

Page 23: FIDO U2F use cases

● Internal enterprise authentication (B2B): authenticate to your own web applications, mobile applications, etc.
● Authenticate to your service providers ("token necklace"): U2F works well in a non-federated environment; complete isolation between various RPs
● External customer authentication: authenticate your high-value customers using U2F

Page 24: Resources

● To use with Google: enable 2-Step Verification on your account
  ○ Go to: https://security.google.com
  ○ Click: 2-Step Verification
  ○ Click on the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code:
  ○ https://github.com/google/u2f-ref-code
  ○ https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

Page 25: Questions?