Google & FIDO Authentication

1. Google & FIDO Authentication
Simpler, stronger authentication with U2F and FIDO2
Alexei Czeskis
Securineer
aczeskis@google.com

2. Key Threats
Password Reuse Phishing Interception
Social Media
BANK

3. One Time Passwords Aren't Perfect
SMS Usability
Coverage Issues,
Delay, User Cost
Device Usability
One Per Site,
Expensive, Fragile
User Experience
Users find it hard
Phishable
OTPs are increasingly
phished
$
?

4. Demo

5. Example Attack
https://www.goggle.com

6. Introducing Security Key (U2F)
Your Password
Security Key
Account Data

7. Based on Asymmetric Cryptography
Core idea - Standard public key cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user.
● One device, many services, "bring your own device" enabled

8. How Security Keys Work
“I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: google.com”
https://www.google.com
Password
Server

9. “I promise a user is here”,
“the server challenge was: 529402”,
“the origin was: goggle.com”
https://www.goggle.com
goggle.com
Password Password
Server
Phishing Defeated

10. Google’s Deployment Experience

11. Deployment at Google
● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
○ Adopted by other relying parties too: Dropbox,
Github, Facebook, Salesforce, ...

12. Time to Authenticate
Security Keys: Practical Cryptographic Second Factors for the Modern Web
Security Keys
are faster to use
than OTPs

13. Second Factor Support Incidents
Security Keys: Practical Cryptographic Second Factors for the Modern Web
Security Keys
cause fewer
support
incidents than
OTPs

14. Productionizing Enterprise FIDO Support

15. Other Enterprises Can Have This Too
Does this work
with a mobile?
How do we deploy
this at scale?
What if they
lose their key?

16. Productionizing FIDO Support

17. Using FIDO for Targeted Users

18. Recently Launched
https://google.com/advancedprotection

19. Re-Authentication

20. Re-Authenticating on a Known Device
Re-authenticating on a known device
● Happens often
(i.e., transaction authorization)
● Needs to be fast
● Server has device reputation
(cookies, profiling, etc)

21. Building Native FIDO
https://developer.android.com/training/articles/security-key-attestation.html
● Android attestation of hardware
backed cryptographic keys.
● New building block for strong
FIDO support on Android

22. Android Infrastructure
Fingerprint APIFIDO APIs
Keystore
Native Android appsChrome (WebAuthN)

23. Demo

24. How Can You Get Started?

25. Resources
● To use with Google
○ Use through 2-Step Verification
OR
○ Enroll in the Advanced Protection Program
(https://google.com/advancedprotection)
● Also use with GitHub, Dropbox, SalesForce, Facebook
● And / or play with some code
https://github.com/google/u2f-ref-code
https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
Maybe use Android Hardware Key Attestation.
● Check out W3C WebAuthn (https://www.w3.org/TR/webauthn/)
● We're always happy to answer questions
Alexei Czeskis
aczeskis@google.com