U2F in Dashlane

U2F Under the Hood

What is U2F?

Universal 2nd Factor

Open standard

Physical device using USB, NFC or Bluetooth (depends on model)

Goal: Strong authentication and online privacy

Initially developed by Google and Yubico

Maintained by FIDO Alliance

Draft W3C standard (Web Authentication)

Supported in Chrome (now), Firefox and Edge (soon)


Dashlane User Experience


Registering a U2F key

Request to add a key -> Insert the key in a USB port -> Push the button on the key (if present) -> Done!

Login with a registered U2F key

Enter the 1st authentication factor -> Insert the key in a USB port -> Push the button on the key (if present) -> Done!

How does it work?

Base challenge-response protocol

Participants: FIDO Authenticator (USB key), FIDO Client (browser or app), Relying Party (website)

Relying Party: generate and store a random challenge
Relying Party -> Client -> Authenticator: challenge
Authenticator: sign the challenge with the private key
Authenticator -> Client -> Relying Party: sig(challenge)
Relying Party: verify the signature with the public key, validate the data

Classic public/private key challenge-response
Uses ECC (Elliptic Curve Cryptography)

Registration challenge

Participants: FIDO Authenticator (USB key), FIDO Client (browser or app), Relying Party (website)

Relying Party: generate and store a random challenge
Relying Party -> Client -> Authenticator: app id, challenge
Authenticator: generate a key pair and a key handle; sign challenge, public key, app id and key handle
Authenticator -> Client -> Relying Party: pub key, handle, sig(challenge, pub key, handle, app id)
Relying Party: verify the signature, validate the data, store pub key and handle in the account

The authenticator generates a new public/private key pair for each registration.
Additional data during registration:
Application id (challenge)
Public key + key handle (response)

Authentication challenge

Participants: FIDO Authenticator (USB key), FIDO Client (browser or app), Relying Party (website)

Relying Party: generate and store a random challenge; find the key handle in the user's account
Relying Party -> Client -> Authenticator: handle, app id, challenge
Authenticator: find the private key for the key handle; sign challenge and app id
Authenticator -> Client -> Relying Party: sig(challenge, app id)
Relying Party: verify the signature, validate the data, grant access

Additional data during authentication:
Application id + key handle
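The three exchanges above (base challenge-response, registration, authentication), worked end to end in Go as an added example; this is not code from these slides or from Dashlane. It assumes: P-256 ECDSA as the "ECC" of the slides; a software authenticator that keeps a map from key handle to private key; a signed message made of SHA-256(app id) followed by the other fields, so the app id is present in the signature only as its hash and a response signed for the wrong app id shows up as a failed verification rather than as a visible field; the registration signature made with the newly generated private key, where real U2F uses a separate attestation key; and the challenge carried in memory instead of being stored per session on the server. The U2F signature counter and client data hash are left out. The names Authenticator, RelyingParty, RunExchange, "alice", goodsite.com and hacker.com are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG (challenges and key handles).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible to do
	}
	return b
}

// signedData is what the key signs and the website verifies (assumed layout):
// SHA-256(app id) then the fields, hashed together; the app id is in it only as this hash.
func signedData(appID string, fields ...[]byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	h := sha256.New()
	h.Write(appHash[:])
	for _, f := range fields {
		h.Write(f)
	}
	return h.Sum(nil)
}

// Authenticator is the USB key as a software client: a fresh P-256 key pair per registration, in a map indexed by key handle.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register answers "app id, challenge" with "pub key, handle, sig(challenge, pub key, handle, app id)".
func (a *Authenticator) Register(appID string, challenge []byte) (pub, handle, sig []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	handle = randomBytes(32)
	a.keys[string(handle)] = priv
	pub = elliptic.Marshal(elliptic.P256(), priv.X, priv.Y)
	// Assumption: the new private key signs its own registration; real U2F
	// signs this message with a separate attestation key instead.
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge, handle, pub))
	return pub, handle, sig, err
}

// Authenticate answers "handle, app id, challenge" with "sig(challenge, app id)".
func (a *Authenticator) Authenticate(appID string, handle, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[string(handle)] // find the private key for the key handle
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge))
}

type credential struct{ pub *ecdsa.PublicKey; handle []byte }

// RelyingParty is the website: one app id, and (pub key, handle) per account.
type RelyingParty struct {
	AppID    string
	accounts map[string]credential
}

// FinishRegistration verifies the registration signature against the RP's own app id, then stores pub key and handle.
func (rp *RelyingParty) FinishRegistration(user string, challenge, pub, handle, sig []byte) error {
	x, y := elliptic.Unmarshal(elliptic.P256(), pub) // x == nil means a malformed key
	pk := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	if x == nil || !ecdsa.VerifyASN1(pk, signedData(rp.AppID, challenge, handle, pub), sig) {
		return errors.New("registration signature does not verify")
	}
	rp.accounts[user] = credential{pk, handle}
	return nil
}

// FinishAuthentication finds the handle in the account and verifies sig(challenge, app id)
// with the stored key and the RP's own app id: a signature over another site's app id fails here.
func (rp *RelyingParty) FinishAuthentication(user string, challenge, handle, sig []byte) error {
	cred, ok := rp.accounts[user]
	if !ok || string(cred.handle) != string(handle) {
		return errors.New("key handle is not registered for this user")
	}
	if !ecdsa.VerifyASN1(cred.pub, signedData(rp.AppID, challenge), sig) {
		return errors.New("authentication signature does not verify")
	}
	return nil
}

// RunExchange registers "alice" at siteAppID, then logs in with the key asked to sign for
// askedAppID (the app id as the browser forwarded it); nil only when askedAppID == siteAppID.
func RunExchange(siteAppID, askedAppID string) error {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{AppID: siteAppID, accounts: map[string]credential{}}
	c1 := randomBytes(32) // a real server stores this against the session
	pub, handle, sig, err := auth.Register(siteAppID, c1)
	if err != nil {
		return err
	}
	if err := rp.FinishRegistration("alice", c1, pub, handle, sig); err != nil {
		return err
	}
	c2 := randomBytes(32)
	sig2, err := auth.Authenticate(askedAppID, handle, c2)
	if err != nil {
		return err
	}
	return rp.FinishAuthentication("alice", c2, handle, sig2)
}
```

RunExchange("https://goodsite.com", "https://goodsite.com") returns nil. RunExchange("https://goodsite.com", "https://hacker.com") returns an error from FinishAuthentication: the key happily signed for hacker.com, but goodsite.com verifies against its own app id, which is the relying-party half of the phishing protection the deck describes later.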


Advantages

Strong privacy

The only thing a successful authentication proves: the same U2F key was used for the authentication and for the registration

No unique identifier for the key

New key pair generated at every registration

No reliance on a shared secret with the website (contrary to OTP)

A single U2F key can be used:
By the same user on 2 websites
By 2 users on 1 website
By 1 user creating 2 accounts on the same website

The website can't track the user by U2F key usage

Tracking is still possible by other means, of course

Protection against a website security breach

OTP is vulnerable to a breach of the website

If the attacker steals the shared secret, he can generate valid one-time passwords

If the attacker steals the U2F public key and key handle:

Public key cryptography makes them useless to the attacker

He can't compute the private key from them

So he can't authenticate on the legitimate site

Protection against MITM or phishing

The attacker intercepts and forwards the user's requests:

Phishing mail with a link to the hacker's site mimicking the legitimate site

DNS spoofing to redirect goodsite.com to the hacker's server

OTP is vulnerable:

One-Time Passwords are still passwords

If the attacker can use it before the user does, he wins

The U2F challenge message contains the legitimate site's app id

If the attacker doesn't change the app id (https://goodsite.com):

The browser knows the challenge comes from the wrong site (https://hacker.com) or over the wrong protocol (http://goodsite.com via DNS spoofing)

The browser denies usage of the U2F key

If the attacker changes the app id:

The U2F key signs the attacker's app id with its private key

The legitimate site can see that the app id in the response doesn't match its own

Note that the key itself signs whatever app id it is handed: the protection comes from the browser checking the app id against the page origin, and from the site verifying the response against its own app id.
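The browser-side decision from this slide, as an added example in Go (not the FIDO client's code nor Dashlane's): CheckAppID lets the key be used only when the app id is the HTTPS origin of the page that is asking. It assumes that comparing scheme, host and port (default ports filled in) is the whole rule; a real U2F client additionally lets an app id publish a list of trusted facets, which is not modeled here. The relying-party side (a signature over a changed app id failing verification) is not part of this block. The function and the goodsite.com/hacker.com names are the example's own.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// origin reduces an absolute URL to (scheme, host, port) with the default
// port filled in, which is what "same site" means to the browser here.
func origin(raw string) (scheme, host, port string, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", "", "", err
	}
	if u.Scheme == "" || u.Hostname() == "" {
		return "", "", "", errors.New("not an absolute URL: " + raw)
	}
	port = u.Port()
	if port == "" {
		port = map[string]string{"https": "443", "http": "80"}[u.Scheme]
	}
	return strings.ToLower(u.Scheme), strings.ToLower(u.Hostname()), port, nil
}

// CheckAppID is the FIDO client's decision from the slide: the key may sign
// for appID only if the requesting page is served over HTTPS from the very
// origin named by appID. It returns nil when usage of the key is allowed.
func CheckAppID(appID, pageOrigin string) error {
	as, ah, ap, err := origin(appID)
	if err != nil {
		return err
	}
	ps, ph, pp, err := origin(pageOrigin)
	if err != nil {
		return err
	}
	if as != "https" {
		return errors.New("app id must be an https origin")
	}
	if ps != "https" {
		// http://goodsite.com reached through a DNS spoof: wrong protocol
		return errors.New("page is not served over https")
	}
	if ah != ph || ap != pp {
		// https://hacker.com asking the key to sign for goodsite.com: wrong site
		return errors.New("app id " + appID + " does not match page origin " + pageOrigin)
	}
	return nil
}
```

CheckAppID("https://goodsite.com", "https://goodsite.com") returns nil; the same app id presented from https://hacker.com, from http://goodsite.com, or from https://goodsite.com:8443 is refused, so the key never signs in any of the attack scenarios on the previous slide unless the attacker changes the app id, which the website then catches.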

Support for an unlimited number of websites

OTP requires the client and the server to share a secret

Not a problem for software clients (e.g. Google Authenticator)

Cheap hardware has very limited storage: YubiKeys using OTP support at most 2 sites

The U2F private key is retrieved from the key handle

Software clients use the key handle as an index into a private key map

Hardware clients can encrypt (part of) the private key into the key handle itself: this uses no storage on the device, so the device can be very cheap

Safe as long as nobody else can decrypt the key handle

Yubico's implementation
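A stateless key-handle scheme of the kind the storage slide describes, as an added example in Go. This is not Yubico's code, and the deck gives no details of Yubico's implementation; it is an assumed scheme in the same spirit that derives the key instead of encrypting it: the token holds a single device secret that never leaves it, the private key for a site is HMAC-SHA256(secret, "key|" || app id || nonce) reduced into the P-256 scalar range, and the key handle is nonce || HMAC-SHA256(secret, "handle|" || app id || nonce), so the token recognizes its own handles, refuses a handle presented for another app id, and stores nothing per site. The names Token, Register, Sign and Verify are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Token is a hardware authenticator with a single device secret and no
// per-site storage: everything it needs comes back inside the key handle.
type Token struct {
	secret []byte
}

func NewToken() (*Token, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &Token{secret: secret}, nil
}

// prf is HMAC-SHA256 under the device secret over a domain label, the app id and the nonce.
func (t *Token) prf(label, appID string, nonce []byte) []byte {
	mac := hmac.New(sha256.New, t.secret)
	mac.Write([]byte(label))
	mac.Write([]byte(appID))
	mac.Write(nonce)
	return mac.Sum(nil)
}

// derive recomputes the per-site P-256 private key (assumed scheme). The HMAC
// output is mapped into [1, n-1]; the bias this adds is negligible for a 256-bit order.
func (t *Token) derive(appID string, nonce []byte) *ecdsa.PrivateKey {
	n := elliptic.P256().Params().N
	d := new(big.Int).SetBytes(t.prf("key|", appID, nonce))
	d.Mod(d, new(big.Int).Sub(n, big.NewInt(1)))
	d.Add(d, big.NewInt(1))
	priv := &ecdsa.PrivateKey{D: d}
	priv.Curve = elliptic.P256()
	priv.X, priv.Y = elliptic.P256().ScalarBaseMult(d.Bytes())
	return priv
}

// Register answers a registration for appID with a fresh handle (nonce || tag)
// and the matching public key; the token keeps nothing.
func (t *Token) Register(appID string) (handle, pub []byte, err error) {
	nonce := make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	handle = append(nonce, t.prf("handle|", appID, nonce)...)
	priv := t.derive(appID, nonce)
	return handle, elliptic.Marshal(elliptic.P256(), priv.X, priv.Y), nil
}

// Sign checks that the handle was issued by this token for this app id,
// recomputes the private key from it and signs msg.
func (t *Token) Sign(appID string, handle, msg []byte) ([]byte, error) {
	if len(handle) != 64 {
		return nil, errors.New("malformed key handle")
	}
	nonce, tag := handle[:32], handle[32:]
	if !hmac.Equal(tag, t.prf("handle|", appID, nonce)) {
		return nil, errors.New("key handle was not issued by this token for this app id")
	}
	return ecdsa.SignASN1(rand.Reader, t.derive(appID, nonce), msg)
}

// Verify is the website's side: the stored public key checks the signature.
func Verify(pub, msg, sig []byte) bool {
	x, y := elliptic.Unmarshal(elliptic.P256(), pub)
	if x == nil {
		return false
	}
	return ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, msg, sig)
}
```

The MAC inside the handle is what makes a (public key, key handle) pair stolen from a breached website useless: without the device secret nobody can mint a handle the token accepts or recompute the private key, which is the "safe as long as nobody else can decrypt the key handle" condition above. Registering twice at the same site yields a new nonce and therefore a new key pair, matching the privacy property from the Advantages slide.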


Questions?

We're changing the world... one password at a time

Dashlane wants to make identity and payment simple and secure everywhere!

Want to be a part of life in the Dashlane? Visit dashlane.com/jobs for all the info!

Dashlane is a premier, award-winning password manager and digital wallet, intrinsically designed to make identity and payments simple and secure on every website and every device.

We're a rapidly growing tech startup using the world's best security and privacy architecture to simplify the lives of more than 3 billion Internet users worldwide.

Since our first product launch in 2013, our brilliant team of engineers and developers tirelessly work on new coding challenges, build code using the latest up-to-date frameworks for native development across desktop and mobile, use cutting-edge web service architecture, and are at the forefront of building applications that help millions of people every day!

So far, all of our hard work has been paying off! Dashlane was recently recognized by Google as one of the "Best of 2015" apps! Google also recognized our Android password manager as an Editors' Choice winner on the Google Play Store, and selected Dashlane to demo its adoption of Android M fingerprint technology at Google I/O!

We work with the latest technology!

See our code in action! Check out some of our projects on Github: Github.com/Dashlane

In addition, each member of the Dashlane team can take some time to share his insights in Tech Conferences and become a thought leader in the tech community.

Alexis Fogel @ Droid Con: Goo.gl/7h4guk

Emmanuel Schalit @ The Dublin Web Summit: Goo.gl/M4H7vg

Emmanuel Schalit @ Le Wagon: Goo.gl/kvPLG0

Desktop / Mobile / Web / App/Server / Security

Dashlane is dedicated to building high-quality user experiences on Mobile, Desktop, and on the web using the latest up-to-date technologies and languages.

Ready to join #LifeInTheDashlane? We're filling our ranks from top to bottom with some of the smartest and friendliest developers and engineers in the industry! Come join us! Visit Dashlane.com/jobs to learn more about joining the Dashlane team!

Also visit us here:

Dashlane.com/stackoverflow

Dashlane.com/linkedin

Dashlane.com/vimeo

Dashlane.com/blog