1
WebAuthn and security
keys = unlocking the key
to authentication
Christiaan Brand
Product Manager, Google
2
It’s no secret -
passwords aren't enough
● 123456: most popular password in 2015
● password: 2nd most popular password in 2015
  *Verizon data breach report, 2015
● 123456789: most popular password in 2018
● qwerty: 2nd most popular password in 2018
  *techviral.net
43% success rate for a well designed password phishing page (*Google study)
81% of account vulnerabilities were due to weak or stolen passwords (*Verizon data breach report, 2017)
3.3B+ credentials leaked in dumps
67M accounts proactively re-secured
17% minimum password reuse rate
*Data breaches, phishing, or malware? Understanding the risks of stolen credentials (Thomas et al.), https://ai.google/research/pubs/pub46437
Any second factor improves user security, but...
● SMS usability: coverage issues, delay, user cost
● Device usability: one per site, expensive, fragile
● User experience: users find it hard
● Phishable: OTPs are increasingly phished
9
Web authentication: the user sends their password to the server at https://www.google.com
Phishing attack | Step 1: the user is lured to https://www.goggle.com, a look-alike of google.com
Phishing attack | Step 2: the user types their password into goggle.com
Phishing attack | Step 3: goggle.com forwards the captured password to the real google.com
At Google,
on our journey to replacing
the password, we started by
making the password safer
14
Introducing security key: your password + security key → account data
15
Based on
asymmetric
cryptography
● User’s device mints new key pair,
gives public key to server
● Server asks user’s device to sign
data to verify user
● One device, many services, “bring
your own device” enabled
Core idea - standard public key cryptography
16
How security key works
The user enters the password on https://www.google.com, and the key signs a statement for the server that says, in effect:
“I promise a user is here”, “the server challenge was: 337423”, “the origin was: google.com”
The browser, not the web page, fills in the origin that gets signed.
17
Security key defeats phishing
The user enters the password on https://www.goggle.com, which forwards it to google.com. The key, however, signs:
“I promise a user is here”, “the server challenge was: 337423”, “the origin was: goggle.com”
The server sees an origin it did not expect and rejects the sign-in, even though the password was correct.
18
Google’s
experience
19
Deployment at Google
Enterprise use case
● Mandated for Google employees
● Corporate SSO (web)
● SSH
● Forms basis of all authentication
Consumer use case
● Available as opt-in for Google consumers
● Adopted by other relying parties too:
Dropbox, GitHub
20
Use cases at Google
Bootstrapping
● It’s only used when an employee signs in on a new device for the first time.
● It protects against phishing.
● Removable security key is carried as part of the badge.
Hardware credential binding
● Once signed into a device, long-lived tokens (cookies, etc.) are usually issued.
● Occasionally, a local security key touch is required, which is presented in
combination with this local token.
● This is to ensure the token is still being presented from a machine we trust.
21
Time to authenticate
[Chart, Google employees: time to authenticate (s), scale 0 to 50, for OTP via SMS, OTP via app, and Security Keys]
[Chart, Consumer users: time to present 2nd factor (s), scale 0 to 50, for OTP and Security Keys]
"If you've been reading your e-mail" takeaway:
Security keys are faster
to use than OTPs
23
Second factor support incidents
[Chart: support incidents per user per month for OTP and Security Key, plotted against active Security Key users (percent of users using Security Keys, 0 to 100), Jul 2014 to Nov 2015 in two-month steps]
"If you've been reading your e-mail" takeaway:
Security keys cause fewer
support incidents than OTPs
25
We’re not
quite done
26
We made the password a lot safer with U2F,
but we want to go one step further: we want
to remove the password from the equation
That’s where FIDO2 and WebAuthn come in
27
What is WebAuthn? How does it relate to FIDO2?
FIDO2 = W3C WebAuthn + FIDO CTAP
● W3C WebAuthn: between the remote server (website) and the client (computer, phone)
● FIDO CTAP: between the client and a removable authenticator (phone, security key)
● The client may also have a built-in authenticator (fingerprint)
28
WebAuthn
enables user
journeys
that are:
Simple
Very intuitive and
easy for user
Secure
Resistant to phishing
WebAuthn / What is WebAuthn?
29
Authentication has two core user journeys: bootstrap and re-authentication
WebAuthn / FIDO2 enables multiple use cases
30
Meet
Elisa
31
Elisa wants to sign in to her bank
She starts on her mobile browser and
enrolls in fingerprint after sign-in
Registering and using built-in authenticator for re-auth (mobile web)
32
1. Registering built-in authenticator for re-auth (mobile web)
Request: UV=true, X-Plat=false → Result: credential (internal, caBLE)
Elisa launches her mobile browser, Chrome, and goes to Tri-Bank
33
1. Registering built-in authenticator for re-auth (mobile web)
She signs in with
her username and
password
34
1. Registering built-in authenticator for re-auth (mobile web)
Tri-Bank shows a promo
asking Elisa if she wants
to opt in to fingerprint to
sign in
She opts in and
continues to her account
35
Elisa comes back to
Tri-Bank in another session
2a. Using built-in authenticator for re-auth (mobile web)
36
2a. Using built-in authenticator for re-auth (mobile web)
The next time Elisa
opens Tri-Bank on
mobile browser,
she gets a
fingerprint dialog
Request: credentialId (internal)
Since the user already signed in on this device, the credential ID is encoded in the
cookie and the RP requests the “internal” transport only (since they don’t want the user
to see prompts about external authenticators).
37
2a. Using built-in authenticator for re-auth (mobile web)
Using only her
fingerprint, she’s
able to sign in
without using her
username + password
on mobile web
38
Elisa downloads Tri-Bank
from the Play Store
She launches the app for the first time
to sign in to check her funds
2b. Using built-in authenticator for re-auth (native mobile app)
39
Request: UV=true, X-Plat=false → Result: credential (internal, caBLE)
Request: credentialId (internal)
Request (alternative): {empty credentialId}; will result in a prompt to insert a removable security key
2b. Using built-in authenticator for re-auth (native mobile app)
She installs
Tri-Bank from
Google Play Store
and opens the app
40
2b. Using built-in authenticator for re-auth (native mobile app)
Elisa chooses
“Sign In” and also
chooses an
account
41
Elisa is now asked
to authenticate
with the
fingerprint dialog
2b. Using built-in authenticator for re-auth (native mobile app)
42
Elisa wants to sign in to
her bank on her
desktop computer
3. Cross-platform bootstrap
43
Elisa chooses to
sign in on her
desktop browser
Request: credentialId (internal)
Request (alternative): {empty credentialId}; will result in a prompt to insert a removable security key
3. Cross-platform bootstrap
44
Elisa enters her
account username
and chooses to
proceed “next”
3. Cross-platform bootstrap
45
She’s asked to verify
the new device using
her Pixel 2 phone’s
fingerprint that she’s
been using to sign in
to Tri-Bank
3. Cross-platform bootstrap
46
Because Elisa has a MacBook with Touch ID, Tri-Bank asks her if she wants to use the local fingerprint on the device
3. Cross-platform bootstrap
47
Elisa gets
prompted to
try using the
local fingerprint
on the device
3. Cross-platform bootstrap
48
She opts in and continues to her account
3. Cross-platform bootstrap
49
When Elisa comes back to Tri-Bank on the MacBook Pro
50
Request: credentialId (internal)
Request (alternative): {empty credentialId}; will result in a prompt to insert a removable security key
4. Using built-in authenticator for re-auth
Elisa comes back
to sign in on her
desktop browser
51
4. Using built-in authenticator for re-auth
A fingerprint
dialog appears
above the sign-in
page and Elisa
touches the sensor
52
4. Using built-in authenticator for re-auth
Elisa’s identity is
accepted and
she’s signed in
53
Note that we’re inheriting the strength of the credentials from the initial bootstrap
If in Step 1 we only ask the user for a username + password, the strength of all the derived credentials is only as good as a username + password.
If in Step 1 we ask for a stronger credential (2nd-factor security key), all of the derived credentials inherit those stronger attributes too.
54
Now let’s
meet Jim
55
Jim has a
fingerprint-enabled
security key
and is signing into his
desktop computer
5. Typeless bootstrap flow
56
Request: credentialId (internal)
Request (alternative): {empty credentialId}; will result in a prompt to insert a removable security key
5a. Typeless bootstrap flow (registration)
Jim comes to
sign in with his
desktop computer
57
Jim enters his
account username
and chooses to
proceed “next”
5a. Typeless bootstrap flow (registration)
58
Jim enters his
account password
5a. Typeless bootstrap flow (registration)
59
Jim is asked to
verify with a 2nd
verification step
5a. Typeless bootstrap flow (registration)
60
He gets a promo for typeless verification, and enrolls
5a. Typeless bootstrap flow (registration)
61
5a. Typeless bootstrap flow (registration)
Jim inserts
Security Key and
taps the sensor
on the key
62
Jim’s Security Key
is enrolled and
ready to be used
5a. Typeless bootstrap flow (registration)
63
Jim uses a new device with
his registered security key
64
Request: credentialId (internal)
Request (alternative): {empty credentialId}; will result in a prompt to insert a removable security key
Jim decides to use his friend’s Windows computer to sign in
5b. Typeless bootstrap flow (log in)
65
Jim inserts
Security Key and
taps on the sensor
5b. Typeless bootstrap flow (log in)
66
He chooses the account he wants from the accounts registered on the security key
5b. Typeless bootstrap flow (log in)
67
He signed in
without username
or password
5b. Typeless bootstrap flow (log in)
68
How can I
get started?
Desktop/laptop
● WebAuthn support was
launched in Chrome 67.
● The initial release
supports only
external tokens.
● Support for built-in
modalities is coming
later in the fall.
Android
● FIDO2 APIs on Android
are available in
pre-release mode.
● Support for FIDO2 on
the web (to built-in
fingerprint sensor) will
come later in the fall.
Visit webauthndemo.appspot.com to try it out
69
Questions?
70
That’s a wrap
