Presentation is loading. Please wait.

Presentation is loading. Please wait.

FIDO U2F Universal 2nd Factor

Published byAngel Norris Modified over 6 years ago

Similar presentations

Presentation on theme: "FIDO U2F Universal 2nd Factor"— Presentation transcript:

1 FIDO U2F Universal 2nd Factor
open standard strong authentication for the web

2 Presentation Structure
U2F Overview Problem being solved Value to the end user Value to the Service Provider (RP) Value to the device vendor, integration vendor How U2F works Protocol design considerations U2F Spec layers More use cases Current Status The larger view UAF + U2F as a complementary whole Working Group Logistics Meeting schedule, communication etc

3 Web passwords are broken REUSED PHISHED KEYLOGGED

4 Today's solution: One time codes: SMS or Device SMS USABILITY
DEVICE USABILITY Coverage Issues - Delay - User Cost One Per Site - Expensive - Fragile USER EXPERIENCE PHISHABLE Users find it hard German Police re: iTan: ".. we still lose money"

5 The U2F Solution: How it works
One device, many services Easy: Press button Safe: Un-phishable Security

6 Simple for Users 1 2 3 Userid & Password Present U2F device.
Successful Sign in Presenting a U2F device over various transports: For USB U2F device = Insert and press button For NFC U2F device = tap For Bluetooth U2F device = press button For built-in onboard U2F device = button or equiv. UI gesture

7 User self-registration
1 Userid & Password 2 Present U2F device 3 Backup Options 4 Registration Done

8 Usage on Mobiles Today Tomorrow
Use NFC, Bluetooth or on-board U2F capability. Today Use your computer to bless your mobile (one time action)

9 Small, Reliable, Secure Battery-less options Robust
Strong Client Side Security

10 U2F Protocol Think "Smartcard re-imagined for modern consumer web"
Core idea: Standard public key cryptography: User's device mints new key pair, gives public key to server Server asks user's device to sign data to verify the user. One device, many services, "bring your own device" enabled Lots of refinement for this to be consumer facing: Privacy: Site Specific Keys, No unique ID per device Security: No phishing, man-in-the-middles Trust: Verify who made the device Pragmatics: Affordable today, ride hardware cost curve down Speed for user: Fast crypto in device (Elliptic Curve) Think "Smartcard re-imagined for modern consumer web"

11 Under the hood U2F spec layers Common Crypto Layer Spec
Transport Layer Specs: User device <-> u2f device First transport spec: Driverless USB Immediate followons: NFC, Bluetooth, on-board Direct Access from Browser: No client middleware to install Simple Javascript API: 'Create Key Pair' and 'Sign' Not just tied to login! Use anytime you want to strongly verify user. Following phase: Native OS APIs UI seen by user completely under server control Easy server side integration

12 FIDO ALLIANCEU2F WORKING GROUP MANY DEVICES & FORM FACTORS
Open Ecosystem CONSULTING BROWSER SUPPORT OPEN FIDO ALLIANCEU2F WORKING GROUP MOBILE OS SUPPORT MANY DEVICES & FORM FACTORS ADOPTION

13 U2F: Univ. 2nd Factor: In a nutshell
User has 2nd factor strong auth. device Works with any service which supports it Mental model "Like a key on your chain, a card in your wallet" For the user: Easy Secure Login One device, Many services Simple UX - press button or tap, no software install Passwords can be made simple -- 4 digit pins like ATM? For the web site (RP): Open Strong Security Open: Not proprietary, multiple vendors, no central service required Self provisioned: No pre-seeding req, "Bring your own token" possible Strong Security: Non-Phishable, Blocks most practical MITMs Strong Privacy: One site cannot use credential given to another

14 Other usage models beyond "One key you carry"
Token for home machine husband and wife share husband for Sites A and B, wife for Sites C and D One token at home, one token at work User provisions both for paypal, can pay from either place One token plugged in at home, one token to carry Convenience, home computer always ready to go One (tiny) token plugged permanently into work laptop Laptop becomes the 2nd factor (maybe built into next-gen laptops?) Husband/wife, separate tokens, Each activates own key, protocol has no problem with multiple keys One account, multiple users, each with own token Small business users share an account with strong auth Account lockdown to a single device Only one token, permanently with office machine Same token for work account and personal account Work (= enterprise) leverages user's "bring your own token" Different token for work account and personal account If enterprise doesn't like self-provision, can ship pre-provisioned token

15 Current U2F Status Targeting Review Draft Spec: Dec 2013
Crypto Layer Spec Transport layer Spec: USB Ongoing work on on other transports NFC, Bluetooth LE, Onboard on Android. Working-Draft Protocol Version implemented Multiple interoperable servers from members One token implementation availablle Other token implementations actively planned Google deployed in-house for employees

16 U2F Schematic

17 How they fit: UAF + U2F UAF = Universal Authentication Framework
Larger View, password less, local device auth for sign = OSTP U2F = Universal 2nd Factor Critical bridge to future, "classic" 2-factor, incremental change for RP Service (RP) password still present, but can be simple (4 digit PIN?) How do they fit together? Message to Service Provider (RP): At registration: Discover user has FIDO UAF enabled device? Register that for passwordless experience Else offer user FIDO U2F token in a browser. Self-register for simple password 2 factor experience At login: User has FIDO UAF enabled device + UAF registration? Exercise UAF experience Else user has U2F registration? Exerciser U2F login experience. Some RPs may want to offer only UAF, some only U2F That's no problem, FIDO is all about the right choice for RP and user Note that they can start offering "other" flavor later seamlessly. Backstory: Server talking both protocols possible today Harmonization is important, but can be medium term.

18 Working Group Logistics
Weekly Thursday 1030am-1130am Pacfic Primary meeting by telephone bridge Active ongoing discussion by

Download ppt "FIDO U2F Universal 2nd Factor"

Similar presentations

Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Mobile Devices in the DoD

Mobile Devices in the DoD
McAfee One Time Password

McAfee One Time Password
Michal Bodlák. Referred to as mobile money, mobile money transfer, and mobile wallet generally refer to payment services operated under financial regulation.

Michal Bodlák. Referred to as mobile money, mobile money transfer, and mobile wallet generally refer to payment services operated under financial regulation.
Fast IDentity Online – a new industry alliance formed to develop technical standards that enable Internet Services to use Simpler Stronger Auth solutions.

Fast IDentity Online – a new industry alliance formed to develop technical standards that enable Internet Services to use Simpler Stronger Auth solutions.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 

Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 
15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.

15 Tactical Improvements to IT Security Virtual Keyboard, Two Factor Authentication, Active Confirmation and FAA Access to CPS Online Ganesh Reddy.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Page 1 of 29 Net-Scale Technologies, Inc. Network Based Personal Information and Messaging Services Urs Muller Beat Flepp

Page 1 of 29 Net-Scale Technologies, Inc. Network Based Personal Information and Messaging Services Urs Muller Beat Flepp
Microsoft Passport www.passport.com Waldemar Swiercz.

Microsoft Passport Waldemar Swiercz.
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
1 NETE4631 Working with Cloud-based Storage Lecture Notes #11.

1 NETE4631 Working with Cloud-based Storage Lecture Notes #11.
“The FIDO Alliance Today”

“The FIDO Alliance Today”
1. U2F Case Study Examining the U2F paradox 3 What is Universal 2 nd Factor (U2F)?

1. U2F Case Study Examining the U2F paradox 3 What is Universal 2 nd Factor (U2F)?
Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional.

Secure Quick Reliable Login ● SQRL pronounced “squirrel”. ● Acronym confusion – QR no longer stands for “Quick Response” two-dimensional bar codes. Optional.
A l a d d I n. c o m Strong Authentication and Beyond Budai László, IT Biztonságtechnikai tanácsadó.

A l a d d I n. c o m Strong Authentication and Beyond Budai László, IT Biztonságtechnikai tanácsadó.

Similar presentations

Ads by Google