
DevFest 2019: Security Beyond Passwords

Passwords have become the standard for authentication on the web, but they have major drawbacks. The number of phishing attacks and credential breaches grows every day. Users reuse passwords between websites, and it is becoming increasingly difficult to tell a phishing site from the real one. The industry response has been to encourage users to use a password manager and to set up 2-factor authentication. Neither is a foolproof defence against phishing: a one-time code typed into a phishing page can be relayed to the real site just as a password can, and both add friction for users.

WebAuthn, the Web Authentication API, is a W3C standard developed to make authentication on the web more secure. It gives us the option of removing password-based authentication entirely while remaining convenient and easy to use for end users: the credential is a key pair, the private key never leaves the authenticator, and the browser binds every signature to the site's origin, so a phishing site cannot reuse it. In this talk I will show you how to set up your web application so that users can sign up and log in with authenticators they already have, such as the fingerprint reader on their phone or laptop. Users get multi-factor authentication to your website without ever creating a password.

Richard Young

November 30, 2019

Transcript

  1. Compatible Time-Sharing System (CTSS) on an IBM 709: the first computer system to use passwords, and the first computer system to have a password breach. Photograph by ArnoldReinhold, distributed under a CC BY 3.0 license.
  2. Most commonly used passwords in 2019, each with its SHA-256 hash. Every hash is a plain, unsalted SHA-256 of the password, so one precomputed lookup table recovers all of them.

    Password   SHA-256
    123456     8D969EEF6ECAD3C29A3A629280E686CF0C3F5D5A86AFF3CA12020C923ADC6C92
    123456789  15E2B0D3C33891EBB0F1EF609EC419420C20E320CE94C65FBC8C3312448EB225
    qwerty     65E84BE33532FB784C48129675F9EFF3A682B27168C0EA744B2CF58EE02337C5
    password   5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
    111111     BCB15F821479B4D5772BD0CA866C00AD5F926E3580720659CC80D39C9D09802A
    12345678   EF797C8118F02DFB649607DD5D3F8C7623048C9C063D532CC95C5ED7A898A64F
    abc123     6CA13D52CA70C883E0F0BB101E425A89E8624DE51DB2D2392593AF6A84118090
    password1  0B14D501A594442A01C6859541BCB3E8164D183D32937B851835442F69D5C94E
    1234567    8BB0CF6EB9B17D0F7D22B456F121257DC1254E1F01665370476383EA776DF414
    12345      5994471ABB01112AFCC18159F6CC74B4F511B99806DA59B3CAF5A9C173CACFC5

    Sources: https://www.ncsc.gov.uk/blog-post/passwords-passwords-everywhere and https://haveibeenpwned.com/Passwords
  3. Online best practices in 2019
    • Do not reuse passwords
    • Use a password manager
    • Enable 2 Factor Authentication
  4. 2 Factor Authentication: something you know, something you have, something you are. On the slide: "Your password: **********" (something you know) and "Your one time pin code is 1234" (something you have).
  5. Public key encryption: the sender encrypts the message with the recipient's public key; the recipient decrypts it with their private key.
  6. Public key authentication: the user signs a message with their private key; the server verifies the signature with the sender's public key.
  7. Check if WebAuthn is supported

    if (window.PublicKeyCredential) {
      // continue with WebAuthn
    } else {
      // fall back to another authentication mechanism
    }
  8. Creating a public key credential in the browser

    const publicKeyCreateOptions = {
      challenge: "randomStringFromServer",   // needs to be converted to ArrayBuffer
      rp: {
        name: "WebAuthn Demo",
        id: "webauthn-demo.mybluemix.net",
      },
      user: {
        id: "uniqueUserId",                  // needs to be converted to ArrayBuffer (max 64 bytes, opaque, not the e-mail)
        name: "[email protected]",
        displayName: "Jane Smith",
      },
      pubKeyCredParams: [{ alg: -7, type: "public-key" }],   // -7 = ES256 (ECDSA P-256 with SHA-256)
      authenticatorSelection: {
        userVerification: "preferred",       // "required" if the login must also prove a PIN/biometric, not just possession
      },
      timeout: 60000,
      attestation: "none",
    };
    const credential = await navigator.credentials.create({ publicKey: publicKeyCreateOptions });
  9. Verifying the registration credential on the server

    const { Fido2Lib } = require("fido2-lib");
    const f2l = new Fido2Lib();
    const registrationOptions = await f2l.attestationOptions();
    // send registrationOptions to the client and get clientAttestationResponse back
    const attestationExpectations = {
      challenge: "33EHav-jZ1v9qwH783aU-j0ARx6r5o-YHh-wd7C6jPbd7Wh6ytbIZosIIACehwf9-s6hXhySHO-HHUjEwZS29w",
      origin: "https://webauthn-demo.mybluemix.net",
      factor: "either"
    };
    const regResult = await f2l.attestationResult(clientAttestationResponse, attestationExpectations);
  10. User credentials (what the server stores per registered authenticator: user ID, credential ID, public key, signature counter)

    User ID: 1234
    Credential ID: LIlbeyvWUIR1HFCs-7wlUbptxAKlQDPJtAzCgTtFfr0UsD3Wy0RKaDFuAH9m0QJPBFR3yzKnE6eIgnXEtanggQ
    Public Key:
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjLKEvZAk9z6xKZdZH2lWgd+gSvEJFypDNjMAEuuBUXbt
      Dh8D86AsFN7nY899Eu5qDB8cE6Z85RBqowWRiCVqNA==
      -----END PUBLIC KEY-----
    Counter: 1

    User ID: 1234
    Credential ID: 2z-cxbofIjk2wNhusKo0eA4qViq71d5kgmMsXhsV-Nj2sR65hZkGlswb6f4Qa4yYSh2r2POLaMTE7Tg2A0RqtA
    Public Key:
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEimn1o0vDw6Y0MSibqSyWBbzxme/ssaPU14C+CRR8I9If
      G75PRxd+d6PWYzX4+84vq3sDlzCBP/iqK/Ra2rrf+Q==
      -----END PUBLIC KEY-----
    Counter: 10

    User ID: 1235
    Credential ID: …
    Public Key: …
    Counter: …
  11. Requesting the login credential in the browser

    const publicKeyRequestOptions = {
      challenge: "randomStringFromServer",   // needs to be converted to ArrayBuffer
      allowCredentials: [
        {
          id: "LIlbeyvWUIR1HFCs-7wlUbptx...",   // needs to be converted to ArrayBuffer
          type: "public-key",
        },
        {
          id: "2z-cxbofIjk2wNhusKo0eA4q...",    // needs to be converted to ArrayBuffer
          type: "public-key",
        },
      ],
      timeout: 60000,
    };
    const assertion = await navigator.credentials.get({ publicKey: publicKeyRequestOptions });
  12. The PublicKeyCredential returned by navigator.credentials.get()

    PublicKeyCredential {
      id: 'NSSmbqdGtpu4sjseh4xSvrbcHDTBsv4XcADSUllKQg2T9...',
      rawId: ArrayBuffer(59),
      response: AuthenticatorAssertionResponse {
        authenticatorData: ArrayBuffer(191),
        clientDataJSON: ArrayBuffer(118),
        signature: ArrayBuffer(70),
        userHandle: ArrayBuffer(10),
      },
      type: 'public-key'
    }
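Slides 8, 11 and 12 all leave the same step as a comment: the server speaks JSON with base64url strings, while the WebAuthn API takes and returns ArrayBuffers. The glue for that step, as an added example that is not code from the talk: it is written for the browser and runs unchanged under Node 16 or later (atob, btoa and TextEncoder are globals there). The challenge value and the fake credential object in `demo()` are constructed for the walk-through; the credential ID is the first one from slide 10.

```javascript
// Added example, not code from the talk: JSON/base64url <-> ArrayBuffer
// conversions for the WebAuthn calls on slides 8, 11 and 12. Browser code;
// also runs under Node 16+. Sample values in demo() are constructed.

// RFC 4648 section 5 base64url without padding, the encoding fido2-lib and
// most WebAuthn servers put on the wire.
function base64urlToBuffer(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// Accepts an ArrayBuffer (what the browser hands back) or a typed-array view.
function bufferToBase64url(buf) {
  const bytes = ArrayBuffer.isView(buf)
    ? new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength)
    : new Uint8Array(buf);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Slide 8: registration options arrive from the server as JSON; decode the
// binary fields before calling navigator.credentials.create(). user.id must be
// an opaque value of at most 64 bytes, so it is encoded, not the e-mail address.
function toCreateOptions(serverOptions) {
  return {
    ...serverOptions,
    challenge: base64urlToBuffer(serverOptions.challenge),
    user: { ...serverOptions.user, id: new TextEncoder().encode(serverOptions.user.id) },
    excludeCredentials: (serverOptions.excludeCredentials || []).map(c => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}

// Slide 11: same for login options; every allowCredentials[].id is binary.
function toRequestOptions(serverOptions) {
  return {
    ...serverOptions,
    challenge: base64urlToBuffer(serverOptions.challenge),
    allowCredentials: (serverOptions.allowCredentials || []).map(c => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}

// Slide 12: the PublicKeyCredential the browser returns holds ArrayBuffers;
// encode them so the object can be POSTed as JSON to the server.
function serializeCredential(cred) {
  const r = cred.response;
  const out = {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: { clientDataJSON: bufferToBase64url(r.clientDataJSON) },
  };
  if (r.attestationObject) out.response.attestationObject = bufferToBase64url(r.attestationObject); // registration
  if (r.authenticatorData) {                                                                        // login
    out.response.authenticatorData = bufferToBase64url(r.authenticatorData);
    out.response.signature = bufferToBase64url(r.signature);
    out.response.userHandle = r.userHandle ? bufferToBase64url(r.userHandle) : null;
  }
  return out;
}

// Constructed walk-through (no real authenticator involved): decode login
// options as a server would send them, then re-encode a fake assertion.
function demo() {
  const fromServer = {
    challenge: "8g4AQq7Yk5HUpIb3PgoUGTBQf6HZxJ9JW7f8E9BPGKk", // constructed: 32 bytes, base64url
    allowCredentials: [{ id: "LIlbeyvWUIR1HFCs-7wlUbptxAKlQDPJtAzCgTtFfr0UsD3Wy0RKaDFuAH9m0QJPBFR3yzKnE6eIgnXEtanggQ", type: "public-key" }],
    timeout: 60000,
  };
  const requestOptions = toRequestOptions(fromServer);
  // Constructed stand-in for what navigator.credentials.get() would return.
  const fakeCredential = {
    id: fromServer.allowCredentials[0].id,
    rawId: requestOptions.allowCredentials[0].id,
    type: "public-key",
    response: {
      clientDataJSON: new TextEncoder().encode('{"type":"webauthn.get"}'),
      authenticatorData: new Uint8Array(37).buffer,
      signature: new Uint8Array([0x30, 0x01, 0x02]).buffer,
      userHandle: null,
    },
  };
  return { challengeBytes: requestOptions.challenge.byteLength, wire: serializeCredential(fakeCredential) };
}
```

Round-tripping through these helpers is what makes the server-side `challenge` and `origin` expectations on slides 9 and 13 comparable as strings: the server keeps the base64url form it issued, and the browser puts the same string into clientDataJSON.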
  13. Verifying the login credential on the server

    const { Fido2Lib } = require("fido2-lib");
    const f2l = new Fido2Lib();
    const loginOptions = await f2l.assertionOptions();
    // send loginOptions to the client and get clientAssertionResponse back
    const assertionExpectations = {
      challenge: "eaTyUNnyPDDdK8SNEgTEUvz1Q8dylkjjTimYd5X7QAo-F8_Z1lsJi3BilUpFZHkI",
      origin: "https://webauthn-demo.mybluemix.net",
      factor: "either",            // "first" to insist on user verification (PIN/biometric) as well as possession
      publicKey: "-----BEGIN PUBLIC KEY-----\n" +
        "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERez9aO2wBAWO54MuGbEqSdWahSnG\n" +
        "MAg35BCNkaE3j8Q+O/ZhhKqTeIKm7El70EG6ejt4sg1ZaoQ5ELg8k3ywTg==\n" +
        "-----END PUBLIC KEY-----\n",
      prevCounter: 362             // the counter stored for this credential (slide 10); update it after a successful login
    };
    // assertionResult, not attestationResult: attestation is registration, assertion is login
    const authnResult = await f2l.assertionResult(clientAssertionResponse, assertionExpectations);
  14. Some challenges
    • Adding multiple authenticators
    • Migrating to a new authenticator
    • Systems without authenticators
    • Requires some code/database changes to implement on existing systems
  15. Resources
    • codelabs.developers.google.com/codelabs/webauthn-reauth
    • www.w3.org/TR/webauthn - W3C spec
    • fidoalliance.org/fido2 - FIDO2 documentation
    • webauthn.io - server side implementations
    • github.com/richardyoung00/webauthn - example implementation
    Credits
    • github.com/apowers313/fido2-lib © Adam Powers, MIT licence
    • Presentation template by SlidesCarnival.com
    • webauthn.guide - Duo Security
    richardyoung00 - github.com/richardyoung00