Google Case Study: Becoming Unphishable
![Page 1: Google Case Study: Becoming Unphishable](https://reader036.vdocument.in/reader036/viewer/2022062823/58763ceb1a28ab68098b7421/html5/thumbnails/1.jpg)
BECOMING UNPHISHABLE: TOWARDS SIMPLER, STRONGER AUTHENTICATION
Christiaan Brand
Introduction and Agenda
Part of the team responsible for authentication at Google
Agenda
• Passwords are broken
• Introducing Security Key
• Google’s Experience
• Some numbers
• We’re not quite done
• How can you get started?
Passwords are broken
Passwords are broken
Phishing has become increasingly sophisticated
● More than ⅔ of incidents [in 2015] … involved phishing, with a 23% effectiveness rate*
● OTPs help against shared passwords, but it’s not safe to rely on them against phishing
* http://www.verizonenterprise.com/DBIR/2015/
(Figure: the three ways passwords fail: REUSED, PHISHED, KEYLOGGED)
Is Phishing Effective?
Today’s solution: One Time Passwords
SMS USABILITY: coverage issues, delay, user cost
DEVICE USABILITY: one per site, expensive, fragile
USER EXPERIENCE: users find it hard
PHISHABLE
German Police re: iTan: ".. we still lose money"
Introducing Security Key
Introducing Security Key
Designed to solve authentication challenges
• For enterprises
• For consumers
Based on FIDO U2F standard
• Safe: Unphishable / UnMITMable
• Easy: Insert and press button
• Compact: One device, many services
Simple operation
1. Userid & Password
2. Insert, Press button
3. Successful Sign in
Based on Asymmetric Cryptography
Core idea - Standard public key cryptography
• User's device mints new key pair, gives public key to server
• Server asks user's device to sign data to verify the user.
• One device, many services, "bring your own device" enabled
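The two bullets above are the whole protocol in outline; what makes it unphishable is that the key pair is scoped to the relying party and the signed data names the origin the browser actually talked to. The following Go program is an added illustration (not Google's, FIDO's or any library's code) of that challenge-response flow: an authenticator that mints one P-256 key per app ID, a browser that builds client data from its real origin plus the server's challenge, and a server that checks origin, challenge freshness, counter and signature. The origins, the "|"-separated client data layout and the `Scenario` helper are constructed for the example; real U2F uses JSON client data and a key-handle mechanism this toy omits.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a security key: one key pair per app ID (the origin,
// for web use) plus a signature counter. Hypothetical, not a real device API.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Register mints a fresh P-256 key pair scoped to appID and returns only the
// public half; the private key never leaves the device.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the authenticator's answer to a sign request.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// signedMessage follows the U2F layout: sha256(appID) || counter || sha256(clientData).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appHash[:]...)
	msg = append(msg, ctr[:]...)
	return append(msg, cdHash[:]...)
}

// Sign refuses unless a key exists for appID, so a key registered for the
// real site is simply not usable from a look-alike origin.
func (a *Authenticator) Sign(appID string, clientData []byte) (*Assertion, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no key registered for app ID " + appID)
	}
	a.counter++
	digest := sha256.Sum256(signedMessage(appID, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: a.counter, Signature: sig}, nil
}

// ClientData is what the browser builds: the origin it is connected to plus
// the challenge it received (constructed layout; real U2F uses JSON).
func ClientData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// RelyingParty is the server: expected origin, registered public key,
// the outstanding challenge and the highest counter seen so far.
type RelyingParty struct {
	Origin      string
	PubKey      *ecdsa.PublicKey
	challenge   []byte
	lastCounter uint32
}

// NewChallenge issues a fresh random challenge, invalidating any earlier one.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenge = c
	return c, nil
}

// Verify checks origin binding, challenge freshness, counter monotonicity and
// finally the ECDSA signature over the reconstructed message.
func (rp *RelyingParty) Verify(origin string, challenge []byte, as *Assertion) error {
	switch {
	case origin != rp.Origin:
		return errors.New("client data origin does not match relying party")
	case rp.challenge == nil || !bytes.Equal(challenge, rp.challenge):
		return errors.New("challenge unknown or already consumed")
	case as.Counter <= rp.lastCounter:
		return errors.New("counter did not increase: replay or cloned key")
	}
	digest := sha256.Sum256(signedMessage(rp.Origin, as.Counter, ClientData(origin, challenge)))
	if !ecdsa.VerifyASN1(rp.PubKey, digest[:], as.Signature) {
		return errors.New("signature does not verify")
	}
	rp.lastCounter, rp.challenge = as.Counter, nil
	return nil
}

// Scenario runs a legitimate sign-in, an attempt from a look-alike origin that
// relays the real challenge, and a replay of the legitimate assertion.
func Scenario() (legit, lookalike, replay error) {
	const realOrigin = "https://accounts.example"       // constructed
	const fakeOrigin = "https://accounts-example.test"  // constructed
	key := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{Origin: realOrigin}
	rp.PubKey, _ = key.Register(realOrigin)

	ch, _ := rp.NewChallenge()
	as, err := key.Sign(realOrigin, ClientData(realOrigin, ch))
	if err != nil {
		return err, nil, nil
	}
	legit = rp.Verify(realOrigin, ch, as)

	ch2, _ := rp.NewChallenge() // attacker relays this to the user's browser
	_, lookalike = key.Sign(fakeOrigin, ClientData(fakeOrigin, ch2))

	replay = rp.Verify(realOrigin, ch, as)
	return
}

func main() {
	legit, lookalike, replay := Scenario()
	fmt.Println("legitimate sign-in:", legit)
	fmt.Println("look-alike origin:", lookalike)
	fmt.Println("replayed assertion:", replay)
}
```

Note the order of checks in `Verify`: origin and challenge are compared before any cryptography, so a relayed assertion is rejected without the server ever needing to know which site the user was tricked into visiting, and the counter check gives the server a signal that a key may have been cloned.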
Google’s experience
Deployment at Google
• Enterprise use case
  • Mandated for Google employees
  • Corporate SSO (Web)
  • SSH
  • Forms basis of all authentication
• Consumer use case
  • Available as opt-in for Google consumers
  • Adopted by other relying parties too: Dropbox, GitHub
Time to authenticate
Time to authenticate
"If you've been reading your e-mail" takeaway: Security Keys are faster to use than OTPs
Second Factor Support Incidents
Second Factor Support Incidents
"If you've been reading your e-mail" takeaway: Security Keys cause fewer support incidents than OTPs
We're not quite done...
Ongoing work
• Wireless protocols
  • NFC, BLE
• More browsers
  • Firefox, Edge, more?
• More platforms
  • Android, Windows, OS X/iOS?
• V2 of the protocol
  • Device-centric authentication
How can you get started?
U2F use cases
• Internal enterprise authentication (B2B): Authenticate to your own web applications, mobile applications, etc.
• Authenticate to your service providers (“token necklace”): U2F works well in a non-federated environment; complete isolation between various RPs
• External customer authentication: Authenticate your high-value customers using U2F
Resources
• To use with Google: Enable 2-Step Verification on your account. Go to: https://security.google.com, click: 2-Step Verification, then click on the Security Keys tab
• Also use with GitHub, Dropbox
• And / or play with some code:
  https://github.com/google/u2f-ref-code
  https://developers.yubico.com/U2F/Libraries/List_of_libraries.html
Q & A