Stop sweating the password and learn to love public key cryptography
Chris Streeks, Solutions Engineer, Yubico

Agenda
- Introduction
- The modern state of phishing
- How to become unphishable
- Walking through FIDO U2F
- Wrap-up
What is my password?
Encryption, computer login, developer tools, online services, privileged access, password management, remote access & VPN, identity access management

What's worse than one password? Two passwords.

But it's not just passwords... smart cards, SMS, mobile push, one-time passwords

...resulting in cognitive overload, making your users vulnerable to phishing.
NIST on Password Complexity: key takeaways from 800-63B
- Please stop forcing users to create passwords they cannot remember
- Password length is the primary factor in characterizing strength
- Many attacks associated with the use of passwords are not affected by password complexity or length

NIST on Phishing Risk: policy recommendations
- Decouple identity assurance from authenticator assurance
- Deprecate the use of SMS as an out-of-band verifier
- FIDO U2F approved for use at the highest Authenticator Assurance Level (AAL3)
Modern Phishing in 2017: Increasing Volume & Sophistication
2017 Yubico

Anatomy of a Phishing Attack
1. Initial reconnaissance
2. Phish user
3. Use stolen credentials to access system
4. Impersonate user to gain access to higher privileged account
5. Extract data or install backdoor for future access
Phishing with Fake Mobile Login (screenshot)

Phishing with Fake Login (annotated screenshot)
- Load stuff from this URL bar instead of from the web
- This plausible-looking URL is treated as HTML to display, and just gets overwritten later
- Loads of blank spaces: if I didn't have a high-DPI monitor this'd push the rest off screen
- Load some JavaScript that pulls in the actual phishing page in an iframe

Phishing with Attachment (screenshot)
Not an attachment, but an embedded image that links out to a fake "sign in with Google" page
Phishing with Mobile Push (screenshot)
Attacker's IP 172.58.72.166; the user's push shown beside the attacker's push

Emoji Phishing (screenshot)

Homograph Phishing: the attacker exploits characters that look alike
Social Engineering SMS (diagram)
Parties: victim's phone 123-456-7890, attacker's phone 999-888-7777, cellphone provider, online service
1. "Hello, I had an issue with my phone, can you port my phone # to 999-888-7777?"
2. SMS text message
3. Password reset (victim's email: gotvish@vishyou.com, security passcode: 978322)
SMS delivered: "Your Online Service security passcode is 978322."

Phishing is effective!
- 1,220,523 total phishing attacks (+65% YOY) [1]
- 81% of breaches due to compromised passwords (+63% YOY) [2]
- 4.44 million phishing URLs identified in Q2 2016 [3]
Sources: [1] Anti-Phishing Working Group Report; [2] 2017 Verizon Data Breach Report; [3] Cyren CyberThreat Report
How to Become Unphishable With Strong Authentication

Current State of Authentication (chart plotting Security against Simplicity)
Plotted: Smart Card, Trusted Platform Module, Mobile Push, One Time Password, Biometric, Username/Password

Stop Phishing with Strong Auth
Use case                    | Username/Password | One Time Password | Mobile Push | Smart Card | FIDO U2F
Computer Login              | Weak              | Moderate          | Moderate    | Strong     | ?
Web Applications            | Weak              | Moderate          | Moderate    | Strong     | Strong
Remote Access (VPN/RDP/VDI) | Weak              | Moderate          | Moderate    | Strong     | -
Privileged Access           | Weak              | Moderate          | Moderate    | Strong     | -
Exploring FIDO U2F: Usability meets Security

What is FIDO U2F
- Open authentication standard
- Retains the benefits of PKI
- Co-authored by Yubico & Google

Core FIDO Benefits
- Usability: ease of registration, ease of authentication
- Security: phishing protections, man-in-the-middle attack protections, unique secrets for every service

U2F User Experience (screenshot)
How FIDO Authentication Works
Participants: User; Client (e.g. web browser); Authenticator (e.g. YubiKey) holding a private key per service/site; Relying Party (e.g. web service/site) holding the matching public key
1. Login request (user to client)
2. Challenge (relying party to client)
3. Challenge, origin, channel ID (client to authenticator)
4. Require test of user presence before the private key can be used (authenticator)
5. Signed response (authenticator to client)
6. Signed response (client to relying party)
7. Check signature using the public key to verify origin and channel ID (relying party)
8. Successful login

Credential Phishing Attack (diagram)
The attacker site acm3.com impersonates acme.com and phishes the user's password, OTP, SMS code or push; the attacker then replays the phished credentials to acme.com.
FIDO U2F Credential Phishing Protection
Same eight-step flow as "How FIDO Authentication Works": the client passes the challenge, origin and channel ID to the authenticator, which requires a test of user presence before the per-site private key signs, and the relying party checks the signature with the public key to verify origin and channel ID before login succeeds.

U2F Credential Phishing Protection (diagram)
The attacker site acm3.com, impersonating acme.com, phishes the password but is unable to use the signed response; proof of user presence is required.

U2F Credential Phishing Protection (diagram)
The attacker is unable to invoke the trusted path to the authenticator; proof of user presence is required.
Hijack User Login Session (diagram)
1. Use a fake or stolen certificate (Heartbleed, BEAST) to act as a MitM in front of acme.com
2. Successful authentication
3. Steal the authentication assertion
4. Attacker uses the cookie

MitM Protection: Token Binding (Channel ID)
- Over TLS, the token is bound with a Token Binding ID
- Token Binding uses the client's private key; the client presents the Token Binding public key
- Token Binding ID: Hash<Public Key> + algorithm
- acme.com binds the issued token to that Token Binding ID

FIDO U2F MitM Protection
The flow of "How FIDO Authentication Works" with the channel ID carried in the signature: the signed response at steps 5 and 6 includes the channel ID, and at step 7 the relying party checks the signature using the public key to verify origin and channel ID before login succeeds.

U2F MitM Protection (diagram)
1. The attacker steals the authentication assertion
2. The attacker cannot use the authentication assertion: it is token-bound to acme.com, and the attacker client's channel ID mismatches
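The origin check from the credential-phishing flow and the channel-ID check from the MitM flow, worked as an added Python example that is not part of the original deck: the browser writes the origin it is really connected to and its channel ID into the client data, the authenticator signs that with the per-site ECDSA key, and the relying party accepts a response only for its own origin and channel. The textbook P-256 ECDSA, the function names, the constructed challenge and channel IDs, and the simplified signed message (real U2F also covers a key handle, flags and a counter, and the user-presence touch is not modelled) are all assumptions of this example.

```python
import hashlib, json, secrets  # stdlib only; the P-256 ECDSA below is textbook code for illustration
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 field prime
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: l = (3 * p[0] * p[0] - 3) * pow(2 * p[1], -1, P) % P
    else: l = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (l * l - p[0] - q[0]) % P
    return (x, (l * (p[0] - x) - p[1]) % P)
def ec_mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r
def sha256_int(data): return int.from_bytes(hashlib.sha256(data).digest(), "big")
def sign(d, msg):  # ECDSA over SHA-256(msg) with private scalar d
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (sha256_int(msg) + r * d) % N
        if r and s: return r, s
def verify(Q, msg, sig):  # standard ECDSA verification against public point Q
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(sha256_int(msg) * w % N, G), ec_mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

def signed_bytes(origin, client_data):  # simplified U2F signature input: H(origin) || H(clientData)
    return hashlib.sha256(origin.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
def client_sign(priv, challenge, origin, channel_id):
    # Browser records the origin it is really connected to plus its TLS channel ID; authenticator signs that
    client_data = json.dumps({"challenge": challenge, "origin": origin, "cid_pubkey": channel_id})
    return client_data, sign(priv, signed_bytes(origin, client_data))
def rp_verify(pub, challenge, origin, channel_id, client_data, sig):
    cd = json.loads(client_data)  # the relying party insists on ITS challenge, ITS origin and ITS channel ID
    if (cd["challenge"], cd["origin"], cd["cid_pubkey"]) != (challenge, origin, channel_id):
        return False  # signed for acm3.com, or relayed by a MitM over a different TLS channel
    return verify(pub, signed_bytes(origin, client_data), sig)
def demo():  # constructed run -> (legit login, phished response replayed, MitM-relayed response)
    priv = secrets.randbelow(N - 1) + 1; pub = ec_mul(priv, G)  # per-site key pair made at registration
    cd, sig = client_sign(priv, "c0ffee", "https://acme.com", "cid-user")
    cd_ph, sig_ph = client_sign(priv, "c0ffee", "https://acm3.com", "cid-user")  # browser on phishing site
    v = lambda cid, c, s: rp_verify(pub, "c0ffee", "https://acme.com", cid, c, s)
    return v("cid-user", cd, sig), v("cid-user", cd_ph, sig_ph), v("cid-attacker", cd, sig)
```

`demo()` returns `(True, False, False)`: only the response signed for acme.com over the user's own channel is accepted.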
FIDO Current Status
- Supported browsers: Google Chrome, Opera; Mozilla Firefox (native support in the current Firefox Nightly build)
- Supported platforms: Android, Chrome OS
- FIDO 2 (U2F merged into FIDO 2): Client-To-Authenticator Protocol (CTAP) for external authenticators; W3C standardizing the web authentication specification; Microsoft and Yubico working on delivering products that enable FIDO 2

Wrap-up: A quick case study with Google

Google Login with FIDO
- Secure: eliminates phishing & prevents MitM
- Simple: insert and touch the gold contact
- Scalable: use the same key for unlimited services
- Private: no shared secrets between services, no shared secrets with Yubico

Google Internal Research Study: U2F vs Google Authenticator
- 4x faster to log in
- Significant fraud reduction
- Support reduced by 40%
Read more: yubico.com/google-study

Google
- Used internally: mandated for Google employees; corporate SSO (web), SSH, custom authentication
- Available to end customers: available to all Enterprise and Consumer customers for free
- Adopted by other relying parties: Facebook, Salesforce, Dropbox, GitHub, and more

Yubico Enterprise Authentication (diagram)
- Employee users: computer login, web applications, remote access
- Employee admins: privileged access
- Vendor & supplier: remote access, web applications
- Identity access control systems fronting on-premises services, cloud services, customer web applications

Stop Sweating the Password!
Questions & Answers