Fast IDentity Online New wave of open authentication standards
1 like312 views
The FIDO Alliance defines standards for strong authentication including U2F, UAF and FIDO2/WebAuthn. WebAuthn is now an official W3C standard and supported by major browsers. It allows both external security keys and built-in
Fast IDentity Online New wave of open authentication standards
- 1. Fast IDentity Online New wave of open authentication standards Marius Vitkevičius Software architect @ Telesoftas .NET Crowd / 2019
- 2. 1 Passwords today: Reused | Keylogged | Phished | Leaked
- 4. 3 OTP code cards: Root of all evil SMS: Coverage, delay, cost OTP app (Google authenticator): Inconvenient, bad UX OTP device: Cost, one per site, batteries, bad UX Custom mobile app: Reach, cost, difficult to „get right“ Password alternatives/2nd factors Too many choices }
- 6. 5 Phishing example (legal) Legal phishing
- 7. 6 Meet U2F (universal second factor) security keys Created by Google and Yubico USB, NFC or Bluetooth Communicates with browser using custom API Phishing resistant (browser sends origin directly to token)
- 8. 7 U2F Mandatory for all employees Support of U2F for Google customers U2F statistics from Google U2F vs OTP • >2x faster to authenticate • Significant reduction in fraud cases • Support reduced by 40%
- 9. Open alliance, similar to: Defines standards and provides paid certification allowing you to put FIDO sticker on your product
- 12. 11 Essence of FIDO Authenticator FIDO authenticationUser verification Ask user for verification User provides gesture or biometrics Challenge Signed response
- 13. 12 Basic registration flow Authenticator Client (browser or OS) Relying party (server)
- 14. 13 Set of standards for strong authentication So, what is FIDO? U2F Universal second factor UAF Universal authentication framework CTAP Client to authenticator protocol FIDO2 (WebAuthn + CTAP2) Web authentication
- 15. 14 Web Authentication: evolution of U2F Official W3C standard: JavaScript API for communication with hardware authenticators Supported by all major browsers (not yet Safari): Driven by FIDO2 project (sub-spec of FIDO2) Can be used as a second factor and as a first factor (password-less) Multi-factor authenticators - protected by biometrics, PIN, etc. Attestation: verifiable information about authenticator properties and manufacturer Platform (built-in) authenticators + Bluetooth, NFC or USB external tokens
- 19. 18 Open standard Simple to use Strong Unphisable Reusable hardware authenticators (tokens) Built-in platform authenticators Decoupling user verification from authentication (GDPR friendly) WebAuthn goals for authentication
- 20. 19 Decoupling user verification from authentication FIDO authentication protocol Verification Local verification unlocks key on device Authentication Challenge signed by private key is used to authenticate to server
- 21. 20https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API WebAuthn registration flow (by Mozilla)
- 22. 21https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API WebAuthn authentication flow (by Mozilla)
- 23. 22 WebAuthn architecture overview (by Yubico)
- 30. 29 Not a silver bullet Developers are still responsible for designing smooth enrollment and account recovery flows
- 31. 30 : the new gold standard for authentication Protects against phishing and credential theft Allows hassle free login Already supported by major platforms FIDO2 = WebAuthn + CTAP2 WebAuthn = Security keys or built-in authenticators
- 32. 31 State of FIDO in .NET world https://github.com/abergs/fido2-net-lib - pre-release nuget package Crypto methods required by FIDO are not readily available in .NET No announced built-in support in .NET Core 3.0
- 33. 32 Demo https://webauthnsample.azurewebsites.net https://webauthndemo.appspot.com https://demo.yubico.com/webauthn (works only with external keys) https://fido2.azurewebsites.net (.NET Lib) https://webauthn.me – interactive demo from Auth0 Further reading https://webauthn.guide – simplified WebAuthn guide
- 34. 33 Questions?