Slide 1

Slide 1 text

Security Beyond P@s$w0rds
Richard Young | IBM Research
richardyoung00 github.com/richardyoung00

Slide 2

Slide 2 text

hello! I’m Richard Young
Research Engineer | IBM Research
richardyoung00 github.com/richardyoung00

Slide 3

Slide 3 text

Passwords **********

Slide 4

Slide 4 text

Compatible Time-Sharing System (CTSS) on an IBM 709
The first computer system to use passwords
The first computer system to have a password breach
Photograph by ArnoldReinhold, distributed under a CC-BY 3.0 license

Slide 5

Slide 5 text

p@ssw0rd  --SHA256-->  A075D17F3D453073853F813838C15B8023B8C487038436354FE599C3942E1F95

Slide 6

Slide 6 text

Most commonly used passwords, 2019 (with their SHA256 hashes)

123456      8D969EEF6ECAD3C29A3A629280E686CF0C3F5D5A86AFF3CA12020C923ADC6C92
123456789   15E2B0D3C33891EBB0F1EF609EC419420C20E320CE94C65FBC8C3312448EB225
qwerty      65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5
password    5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
111111      BCB15F821479B4D5772BD0CA866C00AD5F926E3580720659CC80D39C9D09802A
12345678    EF797C8118F02DFB649607DD5D3F8C7623048C9C063D532CC95C5ED7A898A64F
abc123      6CA13D52CA70C883E0F0BB101E425A89E8624DE51DB2D2392593AF6A84118090
password1   0B14D501A594442A01C6859541BCB3E8164D183D32937B851835442F69D5C94E
1234567     8BB0CF6EB9B17D0F7D22B456F121257DC1254E1F01665370476383EA776DF414
12345       5994471ABB01112AFCC18159F6CC74B4F511B99806DA59B3CAF5A9C173CACFC5

Sources:
https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere
https://haveibeenpwned.com/Passwords

Slide 7

Slide 7 text

Password:       p@ssw0rd
Random salt:    E1F53135E559C253
Hash input:     p@ssw0rdE1F53135E559C253  (password followed by salt)
SHA256:         29C4D3702945534ED7D8E17E793B7DE3EE55156F5A78C295B3747BA4A8F09547

Slide 8

Slide 8 text

haveibeenpwned.com

Slide 9

Slide 9 text

Online best practices in 2019
• Do not reuse passwords
• Use a password manager
• Enable 2 Factor Authentication

Slide 10

Slide 10 text

2 Factor Authentication
Something you know
Something you have
Something you are

Your password: **********
Your one time pin code is 1234

Slide 11

Slide 11 text

Google Titan Security Key

Slide 12

Slide 12 text

WebAuthn: Web Authentication API
FIDO2 Project = WebAuthn + CTAP

Slide 13

Slide 13 text

ARM TrustZone
Google Titan M
Apple Secure Enclave
Image: androidcentral

Slide 14

Slide 14 text

Public key encryption
Public key / Private key
Sender encrypts the message with the recipient's public key
Recipient decrypts it with their private key

Slide 15

Slide 15 text

Public key authentication
Public key / Private key
User signs a message with their private key
Server verifies the signature with the sender's public key

Slide 16

Slide 16 text

caniuse.com/webauthn

Slide 17

Slide 17 text

Check if WebAuthn is supported

  if (window.PublicKeyCredential) {
    // continue with webauthn
  } else {
    // fallback to another authentication mechanism
  }

Slide 18

Slide 18 text

Register: navigator.credentials.create()
Server (https://example.com) sends: Username, example.com
Authenticator creates a key pair: Private key stays on the device, Public key is returned to the server

Slide 19

Slide 19 text

Creating a public key credential in the browser

  const publicKeyCreateOptions = {
    challenge: "randomStringFromServer", // needs to be converted to ArrayBuffer
    rp: {
      name: "WebAuthn Demo",
      id: "webauthn-demo.mybluemix.net",
    },
    user: {
      id: "uniqueUserId", // needs to be converted to ArrayBuffer
      name: "[email protected]",
      displayName: "Jane Smith",
    },
    pubKeyCredParams: [{ alg: -7, type: "public-key" }], // -7 = ES256 (ECDSA P-256 with SHA-256)
    authenticatorSelection: {
      userVerification: "preferred",
    },
    timeout: 60000,
    attestation: "none"
  };

  const credential = await navigator.credentials.create({
    publicKey: publicKeyCreateOptions
  });

Slide 20

Slide 20 text

  PublicKeyCredential {
    id: 'KQmbqdGtsdf3FsDpu4sjseh4cfdADSUllTBsv4NSSX9...',
    rawId: ArrayBuffer(59),
    response: AuthenticatorAttestationResponse {
      clientDataJSON: ArrayBuffer(121),
      attestationObject: ArrayBuffer(306),
    },
    type: 'public-key'
  }

Slide 21

Slide 21 text

Verifying registration credential on the server

  const { Fido2Lib } = require("fido2-lib");
  const f2l = new Fido2Lib();

  const registrationOptions = await f2l.attestationOptions();
  // send registrationOptions to client and get clientAttestationResponse

  const attestationExpectations = {
    challenge: "33EHav-jZ1v9qwH783aU-j0ARx6r5o-YHh-wd7C6jPbd7Wh6ytbIZosIIACehwf9-s6hXhySHO-HHUjEwZS29w",
    origin: "https://webauthn-demo.mybluemix.net",
    factor: "either"
  };

  const regResult = await f2l.attestationResult(clientAttestationResponse, attestationExpectations);

Slide 22

Slide 22 text

User Credentials

User ID        Credential ID                                                                              Public Key                                   Counter
1234           LIlbeyvWUIR1HFCs-7wlUbptxAKlQDPJtAzCgTtFfr0UsD3Wy0RKaDFuAH9m0QJPBFR3yzKnE6eIgnXEtanggQ    -----BEGIN PUBLIC KEY-----                   1
                                                                                                          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjLKE
                                                                                                          vZAk9z6xKZdZH2lWgd+gSvEJFypDNjMAEuuBUXbt
                                                                                                          Dh8D86AsFN7nY899Eu5qDB8cE6Z85RBqowWRiCVq
                                                                                                          NA==
                                                                                                          -----END PUBLIC KEY-----
1234           2z-cxbofIjk2wNhusKo0eA4qViq71d5kgmMsXhsV-Nj2sR65hZkGlswb6f4Qa4yYSh2r2POLaMTE7Tg2A0RqtA    -----BEGIN PUBLIC KEY-----                   10
                                                                                                          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEimn1
                                                                                                          o0vDw6Y0MSibqSyWBbzxme/ssaPU14C+CRR8I9If
                                                                                                          G75PRxd+d6PWYzX4+84vq3sDlzCBP/iqK/Ra2rrf
                                                                                                          +Q==
                                                                                                          -----END PUBLIC KEY-----
1235           …                                                                                          …                                            …

Slide 23

Slide 23 text

Login: navigator.credentials.get()
Server (https://example.com) sends the Credential IDs for the user
Authenticator finds the correct credential
Payload is signed with the private key and returned to the server

Slide 24

Slide 24 text

Requesting login credential in the browser

  const publicKeyRequestOptions = {
    challenge: "randomStringFromServer", // needs to be converted to ArrayBuffer
    allowCredentials: [{
      id: "LIlbeyvWUIR1HFCs-7wlUbptx...", // needs to be converted to ArrayBuffer
      type: 'public-key',
    }, {
      id: "2z-cxbofIjk2wNhusKo0eA4q...", // needs to be converted to ArrayBuffer
      type: 'public-key',
    }],
    timeout: 60000,
  };

  const assertion = await navigator.credentials.get({
    publicKey: publicKeyRequestOptions
  });

Slide 25

Slide 25 text

  PublicKeyCredential {
    id: 'NSSmbqdGtpu4sjseh4xSvrbcHDTBsv4XcADSUllKQg2T9...',
    rawId: ArrayBuffer(59),
    response: AuthenticatorAssertionResponse {
      authenticatorData: ArrayBuffer(191),
      clientDataJSON: ArrayBuffer(118),
      signature: ArrayBuffer(70),
      userHandle: ArrayBuffer(10),
    },
    type: 'public-key'
  }

Slide 26

Slide 26 text

Verifying login credential on the server

  const { Fido2Lib } = require("fido2-lib");
  const f2l = new Fido2Lib();

  const loginOptions = await f2l.assertionOptions();
  // send loginOptions to client and get clientAssertionResponse

  // publicKey and prevCounter come from the stored credential row for this user
  const assertionExpectations = {
    challenge: "eaTyUNnyPDDdK8SNEgTEUvz1Q8dylkjjTimYd5X7QAo-F8_Z1lsJi3BilUpFZHkI",
    origin: "https://webauthn-demo.mybluemix.net",
    factor: "either",
    publicKey: "-----BEGIN PUBLIC KEY-----\n" +
      "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERez9aO2wBAWO54MuGbEqSdWahSnG\n" +
      "MAg35BCNkaE3j8Q+O/ZhhKqTeIKm7El70EG6ejt4sg1ZaoQ5ELg8k3ywTg==\n" +
      "-----END PUBLIC KEY-----\n",
    prevCounter: 362
  };

  // assertionResult (not attestationResult) is the fido2-lib call for the login ceremony
  const authnResult = await f2l.assertionResult(clientAssertionResponse, assertionExpectations);

Slide 27

Slide 27 text

Some challenges
• Adding multiple authenticators
• Migrating to a new authenticator
• Systems without authenticators
• Requires some code/database changes to implement on existing systems

Slide 28

Slide 28 text

Resources
• codelabs.developers.google.com/codelabs/webauthn-reauth
• www.w3.org/TR/webauthn - W3C spec
• fidoalliance.org/fido2 - Fido2 documentation
• webauthn.io - server side implementations
• github.com/richardyoung00/webauthn - example implementation

Credits
• github.com/apowers313/fido2-lib © Adam Powers under MIT licence
• Presentation template by SlidesCarnival.com
• Duo security information webauthn.guide

richardyoung00 github.com/richardyoung00