3. One Time Passwords Aren't Perfect
● SMS usability: coverage issues, delay, user cost
● Device usability: one per site, expensive, fragile
● User experience: users find it hard
● Phishable: OTPs are increasingly phished
7. Based on Asymmetric Cryptography
Core idea: standard public key cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user.
● One device, many services, "bring your own device" enabled
8. How Security Keys Work
[Diagram: the browser at https://www.google.com, after the password step, has the security key sign a statement for the server:]
“I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com”
9. [Diagram: phishing site. The browser is at https://www.goggle.com, so the statement the key signs names goggle.com, and the server's check fails:]
“I promise a user is here”, “the server challenge was: 529402”, “the origin was: goggle.com”
Phishing Defeated
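The origin binding shown in slides 8 and 9, as an added Go example that is not from the talk or from the u2f-ref-code project: KeySign stands in for the security key, ServerVerify for the relying party, and the encoding of the signed statement (JSON plus ECDSA P-256 over SHA-256) is a simplification assumed here, not the U2F wire format. The verify step rejects an assertion produced at goggle.com even when the attacker relays Google's real challenge, because the browser, not the page, wrote the origin into the signed data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion is the simplified signed statement from slides 8-9: "a user is here, the
// challenge was X, the origin was Y". The browser fills in Origin, never the web page.
type Assertion struct {
	UserPresent bool   `json:"up"`
	Challenge   string `json:"challenge"`
	Origin      string `json:"origin"`
	Signature   []byte `json:"-"` // ECDSA P-256 over SHA-256 of the fields above
}

// digest is a hypothetical encoding of the signed fields, not the U2F wire format.
func (a Assertion) digest() []byte {
	b, _ := json.Marshal(a) // Signature is excluded by its json:"-" tag
	sum := sha256.Sum256(b)
	return sum[:]
}

// KeySign models the security key: it signs whatever origin the browser reports.
func KeySign(priv *ecdsa.PrivateKey, challenge, browserOrigin string) (Assertion, error) {
	a := Assertion{UserPresent: true, Challenge: challenge, Origin: browserOrigin}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, a.digest())
	a.Signature = sig
	return a, err
}

// ServerVerify accepts only its own challenge, its own origin, user presence and a valid signature.
func ServerVerify(pub *ecdsa.PublicKey, challenge, origin string, a Assertion) error {
	switch {
	case a.Challenge != challenge:
		return fmt.Errorf("challenge mismatch")
	case a.Origin != origin:
		return fmt.Errorf("origin mismatch: signed for %s", a.Origin)
	case !a.UserPresent:
		return fmt.Errorf("user presence not asserted")
	case !ecdsa.VerifyASN1(pub, a.digest(), a.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good, _ := KeySign(priv, "337423", "https://www.google.com")
	fmt.Println("real site:", ServerVerify(&priv.PublicKey, "337423", "https://www.google.com", good))
	phish, _ := KeySign(priv, "529402", "https://www.goggle.com") // relayed challenge, wrong origin
	fmt.Println("phish relay:", ServerVerify(&priv.PublicKey, "529402", "https://www.google.com", phish))
}
```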
11. Deployment at Google
● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
○ Adopted by other relying parties too: Dropbox, GitHub, Facebook, Salesforce, ...
12. Time to Authenticate
Security Keys: Practical Cryptographic Second Factors for the Modern Web
Security Keys are faster to use than OTPs
13. Second Factor Support Incidents
Security Keys cause fewer support incidents than OTPs
20. Re-Authenticating on a Known Device
● Happens often (e.g., transaction authorization)
● Needs to be fast
● Server has device reputation (cookies, profiling, etc.)
25. Resources
● To use with Google
○ Use through 2-Step Verification, OR
○ Enroll in the Advanced Protection Program (https://google.com/advancedprotection)
● Also use with GitHub, Dropbox, Salesforce, Facebook
● And / or play with some code
○ https://github.com/google/u2f-ref-code
○ https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
○ Maybe use Android Hardware Key Attestation.
● Check out W3C WebAuthn (https://www.w3.org/TR/webauthn/)
● We're always happy to answer questions
Alexei Czeskis
aczeskis@google.com