Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Agenda: Introduction; The modern state of phishing; How to become unphishable; Walking through FIDO U2F; Wrap-up 2

What is my password? Encryption, Computer Login, Developer Tools, Online Services, Privileged Access, Password Mgmt, Remote Access & VPN, Identity Access Mgmt 3

What s worse than one password? Two passwords. 4

But it's not just passwords... Smart Cards, SMS, Mobile Push, One Time Passwords 5

...resulting in cognitive overload, which makes your users vulnerable to phishing. 6

NIST on Password Complexity, key takeaways from SP 800-63B: please stop forcing users to create passwords they cannot remember; password length is the primary factor in characterizing strength; many attacks associated with the use of passwords are not affected by password complexity or length. 7

NIST on Phishing Risk, policy recommendations: decouple identity assurance (IAL) from authenticator assurance (AAL); deprecate the use of SMS as an out-of-band verifier; FIDO U2F approved for use at the highest Authenticator Assurance Level (AAL3). 8

Modern Phishing in 2017: Increasing Volume & Sophistication. 2017 Yubico 9

Anatomy of a Phishing Attack: 1 initial reconnaissance; 2 phish the user; 3 use the stolen credentials to access the system; 4 impersonate the user to gain access to a higher-privileged account; 5 extract data or install a backdoor for future access. 10

Phishing with Fake Mobile Login 11

Phishing with Fake Login (annotated screenshot of the address bar): the link is a data: URI, so the browser loads content from the URL bar itself instead of from the web; the plausible-looking URL at the start of it is just HTML text to display, and gets overwritten later; a long run of blank spaces pushes the rest of the content off-screen (without a high-DPI monitor you would never see it); and at the end, JavaScript pulls the actual phishing page in via an iframe. 12

Phishing with Attachment: not actually an attachment, but an embedded image that links out to a fake "Sign in with Google" page. 13

Phishing with Mobile Push: the user's push and the attacker's push look the same; only the attacker's IP (172.58.72.166) gives it away. 14

Emoji Phishing 15

Homograph Phishing: the attacker exploits characters that look alike (e.g. Cyrillic letters rendered like Latin ones in the domain name). 16

Social Engineering SMS (port-out attack; victim's phone 123-456-7890, attacker's phone 999-888-7777, victim's email gotvish@vishyou.com): 1 the attacker calls the cellphone provider: "Hello, I had an issue with my phone, can you port my phone # to 999-888-7777?"; 2 the online service's SMS text message "Your Online Service security passcode is 978322" now goes to the attacker's phone; 3 the attacker completes the password reset. 17

Phishing is effective! 1,220,523 phishing attacks observed in 2016 (+65% YoY) [1]; 81% of hacking-related breaches leveraged stolen and/or weak passwords (up from 63% in the previous year's report) [2]; 4.44 million phishing URLs identified in Q2 2016 [3]. Sources: 1 Anti-Phishing Working Group report; 2 2017 Verizon Data Breach Investigations Report; 3 Cyren CyberThreat Report. 18

How to Become Unphishable With Strong Authentication 19

Current State of Authentication (chart plotting Security against Simplicity for: Smart Card, Trusted Platform Module, Mobile Push, One Time Password, Biometric, Username/Password) 20

Stop Phishing with Strong Auth (how well each method resists phishing, by use case) 21

Use case                      Username/Password  One Time Password  Mobile Push  Smart Card  FIDO U2F
Computer Login                Weak               Moderate           Moderate     Strong      ?
Web Applications              Weak               Moderate           Moderate     Strong      Strong
Remote Access (VPN/RDP/VDI)   Weak               Moderate           Moderate     Strong      -
Privileged Access             Weak               Moderate           Moderate     Strong      -

Exploring FIDO U2F: Usability meets Security 22

What is FIDO U2F? An open authentication standard that retains the benefits of PKI; co-authored by Yubico & Google. 23

Core FIDO Benefits. Usability: ease of registration, ease of authentication. Security: phishing protection, man-in-the-middle attack protection, unique secrets for every service. 24

U2F User Experience 25

How FIDO Authentication Works: 1 the user sends a login request through the client (e.g. web browser); 2 the relying party (e.g. web service/site) returns a challenge; 3 the client passes the challenge, the origin and the channel ID to the authenticator (e.g. YubiKey); 4 the authenticator requires a test of user presence before the private key (one per service/site) can be used; 5 the authenticator returns the signed response to the client; 6 the client forwards the signed response to the relying party; 7 the relying party checks the signature using the stored public key, verifying the origin and channel ID; 8 successful login. 26

Credential Phishing Attack: the attacker's site acm3.com phishes the user's password, OTP, SMS code or push approval, then impersonates the user to acme.com with the phished credentials. 27

U2F Credential Phishing Protection: the same eight-step flow as slide 26; the origin and channel ID handed to the authenticator in step 3 are covered by the signature the relying party checks in step 7. 28

U2F Credential Phishing Protection: the attacker site acm3.com can still phish the password, but the signed response is bound to the origin, so the attacker is unable to use it at acme.com; proof of user presence is required for every signature. 29

U2F Credential Phishing Protection: the attacker at acm3.com is unable to invoke the trusted path to the authenticator (the browser hands the authenticator the origin it is actually on), and proof of user presence is required before the private key can be used. 30

Hijack User Login Session: 1 the attacker places a MitM in front of acme.com using a fake or stolen certificate (Heartbleed, BEAST); 2 the user authenticates successfully through the MitM; 3 the attacker steals the authentication assertion; 4 the attacker uses the session cookie. 31

MitM Protection: Token Binding (Channel ID). Over the TLS connection the client proves possession of a Token Binding private key; the Token Binding ID (hash of the public key plus the algorithm) identifies that key, and acme.com binds the token it issues to that Token Binding ID. 32

U2F MitM Protection: the flow of slide 26 with the channel ID made explicit: 5 the signed response includes the channel ID; 7 the relying party checks the signature with the public key and verifies the origin and channel ID. 33

U2F MitM Protection: 1 the MitM steals the authentication assertion; 2 it cannot use the assertion at acme.com, because the assertion is token-bound and the attacker's client channel ID does not match the one that was signed. 34

FIDO Current Status. Supported browsers: Google Chrome, Opera, Mozilla Firefox (native support in the current Firefox Nightly build). Supported platforms: Android, Chrome OS. FIDO2 (U2F has been merged into FIDO2): Client-to-Authenticator Protocol (CTAP) for external authenticators; the W3C is standardizing the Web Authentication specification; Microsoft and Yubico are working on delivering products that enable FIDO2. 35

Wrap-up: A quick case study with Google 36

Google Login with FIDO. Secure: eliminates phishing and prevents MitM. Simple: insert and touch the gold contact. Scalable: use the same key for unlimited services. Private: no shared secrets between services, and no shared secrets with Yubico. 37

Google Internal Research Study, U2F vs Google Authenticator: 4x faster to log in; significant fraud reduction; support calls reduced by 40%. Read more: yubico.com/google-study 38

Google used U2F internally: mandated for Google employees for corporate SSO (web), SSH and custom authentication. Available to end customers: all Enterprise and Consumer customers, for free. Adopted by other relying parties: Facebook, Salesforce, Dropbox, GitHub, and more. 39

Yubico Enterprise Authentication (architecture diagram): identity and access control systems sit between the users (employee users: computer login, web applications, remote access; employee admins: privileged access; vendors & suppliers: remote access, web applications) and the protected resources (on-premises services, cloud services, customer web applications). 40

Questions & Answers 41