A behind the scenes look at how Google deployed FIDO Authentication for employees and customers in their efforts towards simpler, stronger authentication.
5. Proprietary + Confidential
Protect Yourself And Your Users
It's easier than you think for someone to steal a password: password reuse, phishing, interception
(Illustration labels: Social Media, BANK)
6. 123456: most popular password in 2015
password: 2nd most popular password in 2015
Source: SplashData: https://www.teamsid.com/worst-passwords-2015/
7. 76% of account vulnerabilities were due to weak or stolen passwords
43% success rate for a well designed phishing page
goo.gl/YYDM79
8. Today: The reality of One Time Passwords
● SMS Usability: coverage issues, delay, user cost
● Device Usability: one per site, expensive, fragile
● User Experience: users find it hard
● Phishable: OTPs are increasingly phished
14. Core idea - Standard public key cryptography
● User's device mints a new key pair and gives the public key to the server
● Server asks the user's device to sign data to verify the user
● One device, many services, "bring your own device" enabled
Based on Asymmetric Cryptography
15. How security key works
Diagram labels: https://www.google.com, Password, Server
The security key signs: “I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com”
16. Security key defeats phishing
Diagram labels: https://www.goggle.com, Password, Password, Server
The security key signs: “I promise a user is here”, “the server challenge was: 529402”, “the origin was: goggle.com”
The signed origin is goggle.com, not google.com, so the real server rejects the relayed assertion even though the password and challenge were genuine.
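A small Go simulation of slides 15 and 16, added here as an illustration and not code from the deck or from the u2f-ref-code project: the key signs SHA-256(origin), a user-presence byte and SHA-256(challenge) with a P-256 key, and the relying party rebuilds that data with its own origin, so the assertion minted on goggle.com fails at google.com. The names Register, Sign, Verify, signedData and the origin strings are this example's own; the signature counter and client-data JSON of real U2F are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Register mints a fresh P-256 key pair; only the public key goes to the server.
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &priv.PublicKey
}

// signedData is what the key attests to, in U2F order: SHA-256(origin) as the
// application parameter, a user-presence byte, then SHA-256(challenge). Real U2F
// also inserts a 4-byte signature counter and hashes a client-data JSON blob here.
func signedData(origin string, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	data := append(app[:], 0x01) // 0x01: "I promise a user is here"
	return append(data, chal[:]...)
}

// Sign is what the browser asks the key to do. The browser, not the web page,
// supplies the origin the user is really on, so the promise is bound to it.
func Sign(key *ecdsa.PrivateKey, origin string, challenge []byte) []byte {
	digest := sha256.Sum256(signedData(origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the relying party's check: it rebuilds the signed data with its OWN
// origin, so an assertion minted on goggle.com and relayed to google.com fails.
func Verify(pub *ecdsa.PublicKey, ownOrigin string, challenge, sig []byte) bool {
	digest := sha256.Sum256(signedData(ownOrigin, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, pub := Register()
	chal := []byte("337423") // constructed challenge, the value shown on the slide
	fmt.Println("login at google.com verifies:", Verify(pub, "https://www.google.com", chal, Sign(key, "https://www.google.com", chal)))
	fmt.Println("relayed from goggle.com verifies:", Verify(pub, "https://www.google.com", chal, Sign(key, "https://www.goggle.com", chal)))
}
```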
18. Deployment at Google
● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
19. Use cases at Google
● Bootstrapping
○ Only used when an employee signs in on a new device the first time
○ This protects against phishing
○ Removable Security Key is carried as part of badge
● Hardware credential binding
○ Once I’ve signed in to a device, long lived tokens (cookies, etc.) are usually issued
○ Every once in a while, a local security key touch is required, which is presented in combination with this local token; this is done to ensure that the token is still presented from a machine we trust
25. But what about other enterprises?
● Does this work with a mobile?
● How do we deploy this at scale?
● What if they lose their key?
29. Resources
● To use with Google: enable 2-Step Verification on your account
○ Go to: https://security.google.com
○ Click: 2-Step Verification
○ Click on the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code
○ https://github.com/google/u2f-ref-code
○ https://developers.yubico.com/U2F/Libraries/List_of_libraries.html