
vixentael
December 22, 2023

Using YubiKey and FIDO U2F for secure authentication

FIDO2 U2F (universal second factor) enhances online security by ensuring that user credentials remain secure and immune to phishing attacks. But building an authentication system using FIDO2 U2F is quite complicated: it involves coordinating between various parties (web browsers, platforms and security tokens), understanding cryptography, and adding another layer of complexity to the authentication process.


Transcript

  1. Anastasiia Voitova, @vixentael. Head of customer solutions, Security software engineer @ Cossack Labs. cossacklabs.com
    Building & breaking software in critical infra, payment processors, ML/AI, IoT and robotic devices, communication systems — where data security is a hard requirement.
  2. What we will talk about
    - AuthN, MFA.
    - FIDO, FIDO2, WebAuthN.
    - WebAuthN: register, login.
    - Tokens: hardware token, phone as token.
    - Why so fragile?
    - The options!
  3. ID, authN, authZ
    - Identification — establish identity. User is X.
    - Authentication — verify the user is who they claim to be. Establish trust in the user. Confirm that user is X.
    - Authorization — whether user X is allowed to have access / perform function Y.
  4. MFA
    - (1) Thing I know: password, passphrase, pin code, sec question.
    - (2) Thing I have: hw token, OTP, TOTP, phone, phone number, email, smart card.
    - (3) Thing I am: face, fingers, voice, iris.
    NIST SP 800-63B: Digital Identity Guidelines
  5. MFA: 1+2 | 1+3 | 2+3
    - (1) Thing I know: password, passphrase, pin code, sec question.
    - (2) Thing I have: hw token, OTP, TOTP, phone, phone number, email, smart card.
    - (3) Thing I am: face, fingers, voice, iris.
    NIST SP 800-63B: Digital Identity Guidelines
  6. FIDO and FIDO2
    - FIDO U2F – FIDO Universal Second Factor. Physical key, 2FA.
    - FIDO UAF – FIDO Universal Authentication Framework. Passwordless.
    - CTAP – Client to Authenticator Protocols.
    - WebAuthN – web API protocol. www.w3.org/TR/webauthn-1/
  7. FIDO and FIDO2
    - FIDO U2F – FIDO Universal Second Factor. Physical key, 2FA.
    - FIDO UAF – FIDO Universal Authentication Framework. Passwordless.
    - CTAP – Client to Authenticator Protocols.
    - WebAuthN – web API protocol.
    The slide adds a brace labelled “FIDO2, 1-2FA”.
  8. FIDO and FIDO2
    - FIDO U2F – FIDO Universal Second Factor. Physical key, 2FA.
    - FIDO UAF – FIDO Universal Authentication Framework. Passwordless.
    - CTAP – Client to Authenticator Protocols. CTAP1, CTAP2.
    - WebAuthN – web API protocol.
    The slide adds a brace labelled “FIDO2, 1-2FA”.
  9. FIDO U2F
    FIDO U2F – FIDO Universal Second Factor, 2FA. Works together with a password. Device computes crypto keys, doesn’t store anything. U2F – “user presence” (something we have) — just tap a button on a hw token.
  10. FIDO2
    FIDO UAF + WebAuthN. Passwordless. Works instead of a password. Device stores a unique crypto keypair per account, per website. Requires “user verification” – tap the button + enter the pin code on the HW token. nitrokey.com/blog/2022/fido2-webauthn-passkeys-2022-and-2023
  11. OWASP ASVS
    github.com/OWASP/ASVS/blob/master/5.0/en/0x11-V2-Authentication.md
    “Applications should strongly encourage users to enroll in MFA, and should allow users to re-use tokens they already possess, such as FIDO or U2F tokens.”
  12. Register user (https://webauthn.guide/)
    - Client: let’s register.
    - Server: here is a random string.
    - Client: generate keypair, store it securely, send to server {username, public key, random string}.
    - Server: receive, create user and store username and public key.
  13. Login user
    - Client: let’s login.
    - Server: here is a random string.
    - Client: sign the string, send to server {username, signed string}.
    - Server: receive, verify the signature with the public key, login user.
  14. Cryptography
    Elliptic curves: ECDSA, EdDSA. RSA: RSASSA-PSS, RSASSA-PKCS1.
    Private key, secp256r1:
    MHcCAQEEILOkJDyU6QgsNh6VLmU6wBkAZmUVf44nQz+ZsXJ/PeohoAoGCCqGSM49
    AwEHoUQDQgAEwzECZSx1Z8bNCp61Jms3q/HtOW4ESkE8RmRnQYmJdO/aVWceJ8R5
    5LS67Dv7rhWOK0NY0VE+nVY3MqIXBEzFnw==
    Public key, secp256r1:
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwzECZSx1Z8bNCp61Jms3q/HtOW4E
    SkE8RmRnQYmJdO/aVWceJ8R55LS67Dv7rhWOK0NY0VE+nVY3MqIXBEzFnw==
  15. Pros & cons of FIDO2
    Pros:
    - Stronger than passwords.
    - No need to remember a password.
    - No phishing.
    - Backend doesn’t store secrets. Can’t steal passwords.
    - Passwordless is easy for users.
    - Interoperability between devices.
  16. Pros & cons of FIDO2
    Pros:
    - Stronger than passwords.
    - No need to remember a password.
    - No phishing.
    - Backend doesn’t store secrets. Can’t steal passwords.
    - Passwordless is easy for users.
    - Interoperability between devices.
    Cons:
    - Requires a device.
    - Usability challenges, learning curve.
    - Limited adoption.
    - Lose the device — lose access*
    - Hard to back up and recover*
    * Apple and Google provide their own recovery mechanisms linked to the Apple ID / Google account.
  17. MFA: 1+2 | 1+3 | 2+3
    - (1) Thing I know: password, passphrase, pin code, sec question.
    - (2) Thing I have: hw token, OTP, TOTP, phone, phone number, email, smart card.
    - (3) Thing I am: face, fingers, voice, iris.
  18. Using FIDO2 as MFA
    - (1) Thing I know: password, passphrase, pin code.
    - (2) Thing I have: hw token, phone.
    - (3) Thing I am: face, fingers.
    1 + 2; 1 + 3; 2 + 3
  19. Hardware token
    A small portable specialized HSM.
    - createKeypair(entityID)
    - exportPublickey(entityID)
    - signData(data)
    Protects keypairs per account. Not a flash drive! Can’t export private keys. Supports USB, USB-C, BLE, NFC… Also called a “security key”.
  20. Passkeys (phone as token)
    iPhone, Android phone or laptop as the hardware token. Generates keypairs. Stores them in secure storage. Looks easier than a password.
  21. Why so fragile?
    - Operating system: iOS 14+, Android 10+. MacOS, Linux, Windows.
    - Passkeys: cryptographic co-processors, phones, laptops.
    - Browser support: Chrome, Safari, Firefox, others.
    - API: application API, platform support.
    - Security tokens: HW tokens: USB, USB-C, BLE, NFC.
  22. Why so fragile?
    - Operating system: iOS 14+, Android 10+. MacOS, Linux, Windows.
    - Passkeys: cryptographic co-processors, phones, laptops.
    - Browser support: Chrome, Safari, Firefox, others.
    - API: application API, platform support.
    - Security tokens: HW tokens: USB, USB-C, BLE, NFC.
    Labels on the slide's diagram: token, token, server.
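The register and login exchanges of slides 12 and 13, the token API of slide 19 and the secp256r1 keys of slide 14 fit together in one small model. The Go program below is an added example, not code from the deck or from Cossack Labs: the token keeps a keypair per entity and exposes createKeypair / exportPublickey / signData, the relying party stores only public keys and one pending challenge per user, and login is a signature over the challenge. Assumptions of this example: signData takes an entityID to pick the keypair (the slide shows only signData(data)); the signed payload is "rpID|challenge", a stand-in for WebAuthn's rpIdHash and clientData; "example.com", "examp1e.com" and "alice" are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the slide 19 token: keys are made and used inside it; only public keys come out (P-256, slide 14).
type Authenticator map[string]*ecdsa.PrivateKey

// CreateKeypair corresponds to createKeypair(entityID).
func (a Authenticator) CreateKeypair(entityID string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // without randomness the token cannot function at all
	}
	a[entityID] = priv
}

// ExportPublicKey corresponds to exportPublickey(entityID); no method exports the private key.
func (a Authenticator) ExportPublicKey(entityID string) (*ecdsa.PublicKey, error) {
	if priv, ok := a[entityID]; ok {
		return &priv.PublicKey, nil
	}
	return nil, errors.New("no keypair for " + entityID)
}

// SignData corresponds to signData(data); the entityID argument is this example's assumption (it picks the keypair).
func (a Authenticator) SignData(entityID string, data []byte) ([]byte, error) {
	priv, ok := a[entityID]
	if !ok {
		return nil, errors.New("no keypair for " + entityID)
	}
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Server is the relying party of slides 12 and 13: public keys only (no secrets, slide 15) plus one pending challenge per user.
type Server struct {
	rpID    string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

// Challenge issues the "random string" of slides 12 and 13: 32 fresh random bytes.
func (s *Server) Challenge(username string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read aborts the program rather than return an error (Go 1.24+)
	s.pending[username] = c
	return c
}

// SignedPayload is what the token signs: the challenge bound to the site the client is talking to.
// A stand-in for WebAuthn's rpIdHash and clientData; this binding is why a look-alike site cannot reuse a signature.
func SignedPayload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Login implements slide 13: verify the signature over the pending challenge; the challenge is consumed, so no replay.
func (s *Server) Login(username string, sig []byte) bool {
	pub, challenge := s.users[username], s.pending[username]
	delete(s.pending, username)
	if pub == nil || challenge == nil {
		return false
	}
	digest := sha256.Sum256(SignedPayload(s.rpID, challenge))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// RunDemo registers "alice" (a constructed user) and tries a genuine login, a replay, and a look-alike-origin login.
func RunDemo() (genuine, replay, phished bool) {
	server := &Server{"example.com", map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
	token, user := Authenticator{}, "alice"
	entity := user + "@" + server.rpID // one keypair per account per website (slide 10)
	token.CreateKeypair(entity)
	server.users[user] = must(token.ExportPublicKey(entity)) // register: store username and public key (slide 12)
	sig := must(token.SignData(entity, SignedPayload(server.rpID, server.Challenge(user))))
	genuine = server.Login(user, sig)
	replay = server.Login(user, sig) // the first login consumed the challenge
	// The browser, not the page, supplies the rpID, so a look-alike domain cannot claim example.com.
	phished = server.Login(user, must(token.SignData(entity, SignedPayload("examp1e.com", server.Challenge(user)))))
	return
}

func main() {
	fmt.Println(RunDemo()) // true false false
}
```

Run it with `go run`: the genuine login verifies, presenting the same signature again fails because the server discarded the challenge, and a signature computed for the look-alike origin fails because the verifier hashes its own rpID into the payload. The private key never leaves the Authenticator map, which is the property slide 19 states for a hardware token.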