Using YubiKey and FIDO U2F for secure authentication

Transcript

1. FIDO2 WTF @vixentael

2. Anastasiia Voitova, @vixentael Head of customer solutions, Security software engineer

   @ Cossack Labs. cossacklabs.com Building & breaking software in critical infra, payment processors, ML/AI, IoT and robotic devices, communication systems — where data security is a hard requirement.

3. @vixentael What we will talk about 1. AuthN, MFA. 2.

   FIDO, FIDO2, WebAuthN. 3. WebAuthN: register, login. 4. Tokens: hardware token, phone as token. 5. Why so fragile? 6. The options!

4. Authentication, 1FA, MFA

5. @vixentael ID, authN, authZ Identi fi cation — establish identity.

   User is X. Authentication — verify the user is who they claim to be. Establish trust the user. Con fi rm that user is X. Authorization – if the user X is allowed to have access / perform function Y.

6. @vixentael MFA 1. Thing I know 2. Thing I have

   3. Thing I am password passphrase pin code sec question hw token OTP, TOTP phone phone number email smart card face fi ngers voice iris NIST SP 800-63B: Digital Identity Guidelines

7. @vixentael MFA: 1+2 | 1+3 | 2+3 1. Thing I

   know 2. Thing I have 3. Thing I am password passphrase pin code sec question hw token OTP, TOTP phone phone number email smart card face fi ngers voice iris NIST SP 800-63B: Digital Identity Guidelines

8. FIDO, FIDO2, WebAuthN

9. @vixentael FIDO and FIDO2 FIDO U2F – FIDO Universal Second

   Factor. Physical key, 2FA. FIDO UAF – FIDO Universal Authentication Framework. Passwordless. CTAP – Client to Authenticator Protocols. WebAuthN – web API protocol. www.w3.org/TR/webauthn-1/

10. @vixentael FIDO and FIDO2 FIDO U2F – FIDO Universal Second

    Factor. Physical key, 2FA. FIDO UAF – FIDO Universal Authentication Framework. Passwordless. CTAP – Client to Authenticator Protocols. WebAuthN – web API protocol. FIDO2, 1-2FA }

11. @vixentael FIDO and FIDO2 FIDO U2F – FIDO Universal Second

    Factor. Physical key, 2FA. FIDO UAF – FIDO Universal Authentication Framework. Passwordless. CTAP – Client to Authenticator Protocols. WebAuthN – web API protocol. CTAP1, CTAP2 FIDO2, 1-2FA }

12. @vixentael FIDO U2F FIDO U2F – FIDO Universal Second Factor,

    2FA. Works together with password. Device computes crypto keys, doesn’t store anything. U2F – “user presence” (something we have) — just tap a button on a hw token.

13. @vixentael FIDO2 FIDO UAF + WebAuthN. Passwordless. Works instead of

    password. Device stores unique crypto keypair per each account, each website. Requires “user veri fi cation” – tap the button + enter pin code on HW token. nitrokey.com/blog/2022/ fi do2-webauthn-passkeys-2022-and-2023

14. @vixentael OWASP ASVS github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md Applications should strongly encourage users to

    enroll in MFA, and should allow users to re-use tokens they already possess, such as FIDO or U2F tokens.

15. WebAuthN operations

16. @vixentael Register user https://webauthn.guide/ Client: let’s register. Server: here is

    random string. Client: generate keypair, store securely, send to server {username, public key, random string}. Server: receive, create user and store username and public key.

17. @vixentael Login user Client: let’s login. Server: here is random

    string. Client: sign string, send to server {username, signed string}. Server: receive, verify signature with public key, login user.

18. @vixentael Cryptography Elliptic curves: ECDSA, EdDSA. RSA: RSASSA-PSS, RSASSA-PKCS1 MHcCAQEEILOkJDyU6QgsNh6VLmU6wBkAZmUVf44nQz+ZsXJ/PeohoAoGCCqGSM49

    AwEHoUQDQgAEwzECZSx1Z8bNCp61Jms3q/HtOW4ESkE8RmRnQYmJdO/aVWceJ8R5 5LS67Dv7rhWOK0NY0VE+nVY3MqIXBEzFnw== MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwzECZSx1Z8bNCp61Jms3q/HtOW4E SkE8RmRnQYmJdO/aVWceJ8R55LS67Dv7rhWOK0NY0VE+nVY3MqIXBEzFnw== private key, secp256r1 public key, secp256r1

19. @vixentael Pros & cons of FIDO2 • Stronger than passwords.

    • No need to remember password. • No phishing. • Backend doesn’t store secrets. Can’t steal passwords. • Passwordless is easy for users. • Interoperability between devices.

20. @vixentael Pros & cons of FIDO2 • Stronger than passwords.

    • No need to remember password. • No phishing. • Backend doesn’t store secrets. Can’t steal passwords. • Passwordless is easy for users. • Interoperability between devices. • Requires device. • Usability challenges, learning curve. • Limited adoption. • Lose device — lose access* • Hard to backup and recover* * — Apple and Google provide own recovery mechanisms linked to AppleID / Google account.

21. @vixentael

22. @vixentael 1. Thing I know 2. Thing I have 3.

    Thing I am password passphrase pin code sec question hw token OTP, TOTP phone phone number email smart card face fi ngers voice iris MFA: 1+2 | 1+3 | 2+3

23. @vixentael Using FIDO2 as MFA 1. Thing I know 2.

    Thing I have 3. Thing I am password passphrase pin code hw token phone face fi ngers 1 + 2; 1 + 3; 2 + 3

24. Types of tokens

25. @vixentael Hardware token A small portable specialized HSM. 
 -

    createKeypair(entityID) 
 - exportPublickey(entityID) 
 - signData(data) Protects keypairs per account. 
 Not a fl ash drive! 
 Can’t export private keys. 
 Supports USB, USB-C, BLE, NFC… “Security key”

26. @vixentael Hardware token External hardware token.

27. @vixentael Hardware token on MacBook

28. @vixentael Hardware token on iPhone

29. @vixentael Passkeys (phone as token) iPhone, Android phone or laptop

    as hardware token. Generates keypairs. Stores in secure storage. Looks easier than password.

30. @vixentael My Mac as passkey. Passkeys (laptop as token)

31. @vixentael Passkeys (laptop as token)

32. @vixentael Passkeys (phone as token)

33. Why so fragile?

34. @vixentael Why so fragile? Operating system iOS 14+, Android 10+.

    MacOS, Linux, Windows. Passkeys Cryptographic co-processors, phones, laptops. Browser support Chrome, Safari, Firefox, others API application API platform support Security tokens HW tokens: USB, USBC, BLE, NFC.

35. @vixentael Why so fragile? Operating system iOS 14+, Android 10+.

    MacOS, Linux, Windows. Passkeys Cryptographic co-processors, phones, laptops. Browser support Chrome, Safari, Firefox, others API application API platform support Security tokens HW tokens: USB, USBC, BLE, NFC. token token server

36. @vixentael System support (2020 pic) fi doalliance.org/expanded-support-for- fi do-authentication-in-ios-and- macos/

37. @vixentael Azure Active Directory learn.microsoft.com/en-us/azure/active-directory/authentication/ fi do2-compatibility

38. @vixentael YubiCo support (YubiKeys) support.yubico.com/hc/en-us/articles/360016615020-Operating- system-and-web-browser-support-for-FIDO2-and-U2F

39. Authentication? Easy!

40. @vixentael