Easy public/private keys usage protected with strong authentication, using U2F/UAF from the FIDO Alliance
Based on documentation and presentations from the FIDO Alliance, Yubico and Google
Rump Session, 6 November 2014, Application Security Forum Western Switzerland
André Liechti (@andreliechti, @multiOTP)
Last update: 2014-12-09
FIDO Alliance, who is that?
FIDO (Fast IDentity Online)
2007: PayPal launched Security Key (a classic OTP token). Low adoption rate, because it was harder to use for end users.
Late 2009: Ramesh Kesanupalli (CTO of Validity Sensors) visited Michael Barrett (PayPal's CISO). Barrett insisted on two things:
a solution based on a (future) industry standard
it must support Validity's hardware and also their competitors'
July 2012: FIDO Alliance nominally formed: PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio
February 2013: Alliance publicly launched and growing. Google, Yubico, ...
2014-11-06 2
FIDO Alliance members (150 in November 2014)
Board Level, 21 members: Alibaba Group, ARM, Bank of America, BlackBerry, CrucialTec, Discover, Google, IdentityX, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP, Oberthur Technologies, PayPal, Qualcomm, RSA, Samsung, Synaptics, Visa, Yubico
Sponsor Level: 48 members
Associate Level: 81 members
FIDO Alliance mission 
The Mission of the FIDO Alliance is to change the nature of online authentication by: 
Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users. 
Operating industry programs to help ensure successful worldwide adoption of the Specifications. 
Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization. 
Online Authentication: what are U2F/UAF trying to solve?
Avoid asking users for (secure?) passwords only, because:
the same password is reused for a lot of services
phishing still works well
plenty of hardware and software keyloggers are available
Existing solutions have known problems:
most hardware devices are fragile, you must have one for each service, and you have battery issues
SMS costs are not negligible, and you can be out of coverage
end users don't always understand how to use them
some phishing attacks are still possible (an OTP typed into a fake site can be relayed in real time)
UAF: passwordless experience
UAF: Universal Authentication Framework
Passwordless experience
U2F: second factor experience
U2F: Universal Second Factor protocol
Second factor experience
U2F Protocol
Core Idea: Standard Public Key Cryptography
User's device mints a new key pair and gives the public key to the server
Server asks the user's device to sign data to verify the user
One device, many services: "Bring Your Own Authenticator"
Design Considerations:
Privacy: site-specific keys, no unique ID per device
Security: no phishing, no man-in-the-middle
Trust: the user decides which authenticator to use
Pragmatics: affordable today
Usability: no delays, fast crypto in the device
U2F flow (diagram)
U2F Registration (diagram)
U2F Authentication (diagram)
U2F and MITM attack
The client sends (and the device signs):
I promise a user was here
The server challenge was: KSDJsdASAS-AIS_Me
The origin was: accounts.acme.com
The TLS connection state was: 345567
MITM attack detection:
origin mismatch for key handle (the key handle only works for the application it was registered with)
incorrect origin name (the browser puts the real page origin into the signed client data)
ChannelID mismatch (the TLS channel the server sees is not the one the client signed for)
What if I want to accept U2F logins for my service?
Server: implement the registration flow
decide how to handle attestation certificates
verify the registration response
store the public key and key handle with the user account
Server: implement the login flow
check username/password, look up the key handle
verify the authentication response (origin, signature, counter, ...)
Check your account recovery flow (it must not become a way around the second factor)
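To make the protocol slides and the server checklist above concrete, here is an added example (not from the slides, Yubico or the FIDO Alliance) of both sides of a U2F authentication in Go: a toy authenticator that mints one P-256 key per application and signs the U2F raw-message format (appParam || userPresence || counter || challengeParam), and a relying party that runs the checks listed above: client data type and challenge, origin, signature, then the counter. Assumptions: the appID is the origin itself, the key handle is a plain label rather than the token's opaque wrapped blob, attestation and ChannelID are left out, and the sample challenge is the one from the MITM slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is the JSON the browser builds; its SHA-256 is the challenge parameter the token signs (ChannelID omitted here).
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedBytes is the U2F raw-message signature input: appParam(32) || userPresence(1) || counter(4, big-endian) || challengeParam(32).
func signedBytes(appID string, userPresence byte, counter uint32, clientDataJSON []byte) []byte {
	appParam, chalParam := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return append(append(append(appParam[:], userPresence), ctr[:]...), chalParam[:]...)
}

// Toy U2F token: per-application P-256 keys (a real token wraps key and appParam into the
// opaque key handle it returns) plus one device-wide signature counter.
type regKey struct {
	priv     *ecdsa.PrivateKey
	appParam [32]byte
}
type authenticator struct {
	keys    map[string]regKey // key handle -> registration
	counter uint32
}

// register mints a fresh key pair for appID and returns the key handle and public key the
// relying party stores. Attestation is omitted and the key handle is a plain label (assumption).
func (a *authenticator) register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	kh := fmt.Sprintf("kh-%d", len(a.keys)+1)
	a.keys[kh] = regKey{priv: priv, appParam: sha256.Sum256([]byte(appID))}
	return kh, &priv.PublicKey, nil
}

// sign answers an authentication request; a key handle registered for another application is refused.
func (a *authenticator) sign(keyHandle, appID string, clientDataJSON []byte) (uint32, []byte, error) {
	k, ok := a.keys[keyHandle]
	if !ok || k.appParam != sha256.Sum256([]byte(appID)) {
		return 0, nil, fmt.Errorf("origin mismatch for key handle %q", keyHandle)
	}
	a.counter++
	digest := sha256.Sum256(signedBytes(appID, 0x01, a.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
	return a.counter, sig, err
}

// verifyAssertion is the relying-party login check: type and challenge, origin, signature, then the anti-clone counter.
func verifyAssertion(pub *ecdsa.PublicKey, lastCounter *uint32, expectedOrigin, issuedChallenge string, clientDataJSON []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad client data: %w", err)
	}
	if cd.Typ != "navigator.id.getAssertion" || cd.Challenge != issuedChallenge {
		return fmt.Errorf("client data type or challenge mismatch")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("incorrect origin name: %q", cd.Origin)
	}
	digest := sha256.Sum256(signedBytes(expectedOrigin, 0x01, counter, clientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("invalid signature")
	}
	if counter <= *lastCounter {
		return fmt.Errorf("counter %d did not increase past %d: replay or cloned token", counter, *lastCounter)
	}
	*lastCounter = counter
	return nil
}

func main() {
	const origin = "https://accounts.acme.com" // appID == origin in this toy (assumption)
	tok := &authenticator{keys: map[string]regKey{}}
	kh, pub, _ := tok.register(origin)
	var last uint32
	chal := "KSDJsdASAS-AIS_Me" // the slide's challenge; a real server issues fresh random bytes per login
	cd, _ := json.Marshal(clientData{"navigator.id.getAssertion", chal, origin})
	ctr, sig, _ := tok.sign(kh, origin, cd)
	fmt.Println("legitimate login:", verifyAssertion(pub, &last, origin, chal, cd, ctr, sig))
	fmt.Println("replayed assertion:", verifyAssertion(pub, &last, origin, chal, cd, ctr, sig))
	phish, _ := json.Marshal(clientData{"navigator.id.getAssertion", chal, "https://accounts.acme.com.evil.example"})
	ctr, sig, _ = tok.sign(kh, origin, phish) // phishing page relays the real appID; the browser records its own origin
	fmt.Println("phished origin:", verifyAssertion(pub, &last, origin, chal, phish, ctr, sig))
}
```

Running it prints `<nil>` for the legitimate login, a counter error for the replayed assertion, and an origin error for the phished one. Note the order of the checks: origin and challenge are compared before the signature is verified, and the counter is only advanced after everything else passes, so a cloned token that signs correctly but lags behind the stored counter is still rejected.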
Yubico implementation details
"There is no practical limit to the U2F secured services the YubiKey can be associated with. During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the YubiKey.
Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the YubiKey."
U2F demo with the Yubikey FIDO U2F Security Key
http://demo.yubico.com/u2f
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Easy public-private-keys-strong-authentication-using-u2 f

  • 6. UAF: passwordless experience. UAF (Universal Authentication Framework) gives a passwordless experience.
  • 7. U2F: second factor experience. U2F (Universal Second Factor protocol) gives a second-factor experience.
  • 8. U2F Protocol. Core idea: standard public key cryptography. The user's device mints a new key pair and gives the public key to the server; the server asks the user's device to sign data to verify the user. One device, many services: "Bring Your Own Authenticator". Design considerations: Privacy: site-specific keys, no unique ID per device. Security: no phishing, no man-in-the-middle. Trust: the user decides which authenticator to use. Pragmatics: affordable today. Usability: no delays, fast crypto in the device.
  • 12. U2F and MITM attack. The client sends: "I promise a user was here. The server challenge was: KSDJsdASAS-AIS_Me. The origin was: accounts.acme.com. The TLS connection state was: 345567." MITM attack detection: origin mismatch for the key handle, incorrect origin name, ChannelID mismatch.
  • 13. What if I want to accept U2F logins for my service? Server: implement the registration flow (decide how to handle attestation certificates, verify the registration response, store the public key and key handle with the user account). Server: implement the login flow (check username/password, look up the key handle, verify the authentication response: origin, signature, counter, ...). Check your account recovery flow.
  • 14. Yubico implementation details: "There is no practical limit to the U2F secured services the YubiKey can be associated with. During the registration process, the key pairs are generated on the device (secure element) but the key pairs are not stored on the YubiKey. Instead, the key pair (public key and encrypted private key) are stored by each relying party/service that initiated the registration. Therefore, this approach allows for an unlimited number of services to be associated with the YubiKey."
  • 15. U2F demo with the Yubikey FIDO U2F Security Key: http://demo.yubico.com/u2f