Google Case Study: Becoming Unphishable- Brand

Becoming Unphishabletowards simpler, stronger authenitcationChristiaan BrandGoogle

Introduction and Agenda

Part of the team responsible for authentication at GoogleAgendaPasswords are brokenIntroducing Security Key Googles ExperienceSome numbersWere not quite doneHow can you get started?

Passwords are broken

Passwords are broken

Phishing has become increasingly sophisticatedMore than of incidents [in 2015] involved phishing. With a 23% effectiveness rate*OTPs help against shared password, but its not safe to rely on them for phishing

* http://www.verizonenterprise.com/DBIR/2015/

REUSEDPHISHEDKEYLOGGED

Is Phishing Effective?

Todays solution: One Time Passwords

SMS USABILITYCoverage Issues - Delay - User CostDEVICE USABILITYOne Per Site - Expensive - FragileUSER EXPERIENCEUsers find it hardPHISHABLEGerman Police re: iTan: ".. we still lose money"

Introducing Security Key

Introducing Security Key

Designed to solve authentication challengesFor enterprisesFor consumers

Based on FIDO U2F standardSafe: Unphishable / UnMITMableEasy: Insert and press buttonCompact: One device, many services

Simple operation

123Userid & PasswordInsert, Press buttonSuccessful Sign in

Based on Asymmetric CryptographyCore idea - Standard public key cryptography

User's device mints new key pair, gives public key to serverServer asks user's device to sign data to verify the user.One device, many services, "bring your own device" enabled

Googles experience

Deployment at GoogleEnterprise use caseMandated for Google employeesCorporate SSO (Web)SSHForms basis of all authentication

Consumer use caseAvailable as opt-in for Google consumersAdopted by other relying parties too: Dropbox, Github

Time to authenticate

Time to authenticate Security Keys are faster to use than OTPs"If you've been reading your e-mail" takeaway:

Second Factor Support Incidents

Second Factor Support Incidents Security Keys cause fewer support incidents than OTPs"If you've been reading your e-mail" takeaway:

We're not quite done...

Ongoing workWireless protocolsNFC, BLEMore browsersFirefox, Edge, more?More platformsAndroid, Windows, OS X/iOS?V2 of the protocolDevice-centric authentication

How can you get started?

U2F use casesInternal enterprise authentication (B2B)Authenticate to your own web applications, mobile applications, etc

Authenticate to your service providers (token necklace)U2F works well in a non-federated environmentComplete isolation between various RPs

External customer authentication Authenticate your high-value customers using U2F

ResourcesTo use with GoogleEnable 2-Step Verification on your accountGo to: https://security.google.com Click: 2-Step VerificationClick on the Security Keys tab

Also use with GitHub, Dropbox

And / or play with some code https://github.com/google/u2f-ref-code https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

Q & A