Balázs Engedy has been working as a software engineer on the Chromium project for the past six years. For most of his waking (and sleeping) hours, he's concerned with users' privacy and password hygiene on the Web. He holds an M.S. in Computer Science from the Budapest University of Technology and Economics. In his free time, he's an avid sci-fi enthusiast and space opera fan.
About the talk
Secure, frictionless, easy to implement – choose all three! This session will cover best practices and introduce technologies (WebAuthn, One-tap Sign-up, reCAPTCHA V3) that developers can leverage to keep users' data safe, streamline users’ onboarding experience, and prevent creation of fake accounts.
So today's session is about what's new with sign-up and sign-in on the web. Are you enjoying Google I/O? We only have a few hours left for the rest of Google I/O, but I'm pretty sure you'll be excited to learn new things from this session. Okay, so I need your help with this. So let me start with this question for you. What makes a good sign-up? We consider there are three principles. First, security is the most important gatekeeper for a website to protect users' information from
abusive behaviors and attacks. Building a website with a vulnerable sign-up and sign-in means giving attackers a chance to abuse your website and, in the worst case, critically harm your business. So building your website with first-class security is quite important. But that doesn't mean that you can sacrifice user experience. Sometimes adding better security creates more obstacles and brings more friction for your users to enter your website. Thinking about a user-first web experience, you should make sure logging into your website is as seamless as possible
while having good security. And finally, good sign-up and sign-in are often overlooked as a critical part of the user flow. Developers tend to be more excited about new ideas and innovative features and pay less attention to making their sign-up and sign-in secure and low-friction. That's why it's important that it is easy enough and low-cost. Today we will cover three topics: One-tap sign-up and auto sign-in, reCAPTCHA v3, and Web Authentication. Let me start with sign-up and sign-in. Signing up and signing in securely using a username and password
is challenging. I'm not saying that it's technically impossible, but the users' safety relies on how they create their own passwords. The password tends to be weak, forgotten, reused, or stolen. Balázs is going to explain more about this challenge later in the session. This is why I've been recommending identity federation for many years. Identity federation is a way for users to sign up or sign in using an account hosted on a third-party website, which is called an identity provider. Identity federation is usually built upon standard
One-tap sign-up and auto sign-in. It's a new user experience for identity federation with Google that allows users to sign up with just one touch. We have a number of partners already on board or implementing with this library, and they're producing amazing results. Let me briefly talk about a few of them. A real estate company in the US saw an 80% increase in sign-ups after implementing One-tap sign-up. Also, over 40% of these new users returned to their website more than five times after signing up. Trivago is one of the world's leading hotel
search engines, operating in 55 countries. It saw 50% more sign-ups after implementing this library. Finally, Letras, a popular music site in Brazil for lyrics and songs, saw 43 times more users signing up after integrating One-tap sign-up. This is not a typo. I said 43 times, which means 4,300 percent more users. That's an incredible number, and user engagement, such as favoriting artists, creating playlists, or commenting and liking, has also increased almost 50% per user. This is impressive. So
here's how it works. The user opens the sign-up page, taps on one of their Google accounts, and they're done. It takes less than 10 seconds. The animation might be too quick to catch what's going on, but it's actually easy. One-tap sign-up is revolutionary because, on top of those benefits I briefly mentioned earlier in the session for identity federation in general, it's completely passwordless and requires only one tap for users to sign up.
that are making use of this library. When the user taps on one of the accounts, the promise resolves and you receive a result that contains an ID token. Use the ID token to verify the user's identity on your server. If you already have a Google Sign-In backend, you can reuse it. Once the ID token is verified, extract the user's profile information and establish a new session for that user. As a bonus, when the user's session expires or the user lands on your website from a different device, you can let the user sign back in,
so you can use that information to authenticate the user. When the user presses the sign-out button, the user probably wants to stay signed out. In that case, call disableAutoSignIn; googleyolo.retrieve will stop returning an ID token until the user explicitly signs back in. So that's One-tap sign-up. Let me recap. One-tap sign-up is secure because it's Google's identity federation. It provides a great user experience for users to sign up with just one tap, and also auto sign-in. It's easy to implement with simple APIs. To learn more
about One-tap sign-up, please visit developers.google.com/identity for more detailed documentation. Okay, so far I've been talking about identity federation. But I guess that many of you might be interested in some solutions for when you are using a username and password. Earlier in this session, I talked about the challenges with passwords. What can you do if an attacker already knows your user's password and tries to hijack the account? In many cases this is done by bots. This means if you could filter out bots, the number of account hijacks
decreases. And that's what reCAPTCHA does. Six years ago it asked users to read distorted text like this. But we knew we could do better. We made reCAPTCHA v2, where users can simply tap a checkbox to verify. v2 is smart enough to determine if an interaction is abusive just from that simple gesture, and if reCAPTCHA is still uncertain, it asks an additional challenge: images with a street sign. This is an example of a question many bots cannot answer easily. And we are protecting over 2 million
websites every week from spam and abuse. But bots evolved also. The attacks against reCAPTCHA over the last few years have evolved from brute-force or random-guess bots to smarter ones, and they even began to bring machine learning solutions and abusive humans to try to break the challenges and attack websites. But we want to stop bots whether or not they can find the street signs in a set of images. Today we are announcing the public beta of reCAPTCHA v3. This new version comes with three things at a high level.
First, it requires no interactive challenges. Second, it scores traffic with its risk engine. And third, it breaks down your traffic by action. Let me walk you through each one. In v3, reCAPTCHA detects whether an interaction with a website is abusive without even a single tap. This means you can keep your website safe without interrupting any users. Instead of a simple yes-or-no answer, it will give you a score which ranges from 0.0 to 1.0. The score is calculated by the reCAPTCHA adaptive risk analysis engine and the signals from interactions with your
website. Based on the score, you can define your own threshold to determine whether you should do further verification on the request. Say you get a login request with a very low score of 0.2. In that case, for example, you can request an additional authentication factor such as an email verification, or send an email to an admin to ask for moderation, or throttle search requests from bots as a protection against scraping. To use reCAPTCHA v3, load the reCAPTCHA script library. When you submit the form, request a reCAPTCHA token, and finally
submit the form along with the reCAPTCHA token. One last thing about v3 is that it enables you to put it into almost all parts of your website, not only forms but also many other places, for example from the home page to reading posts, logins, adding comments, and searches. Wherever your website has potentially risky actions, you can protect them with reCAPTCHA. Plus, you can define a tag for each action. Actions will also become a signal into the adaptive risk analysis engine. As a result, you can treat scores differently depending on the action,
and you can see the traffic breakdown and score distribution per action in the reCAPTCHA admin console. So that's reCAPTCHA v3. Let me recap. reCAPTCHA v3 makes your website more secure by stopping bots. It doesn't require a user gesture: by eliminating challenges, there's zero friction. It gives you the flexibility as to how you want to treat suspicious traffic. To learn more about reCAPTCHA v3, please visit g.co/recaptchav3io. Okay. I've been talking about two new features.
It can handle two different types of credentials: password credentials and federated credentials. And now we have a new type of credential being added to this API, which is called a public-key credential. With that, let me invite Balázs to talk about Web Authentication. Thank you, Eiji. I'm Balázs. I'm a software engineer on the Chrome web identity team. As Eiji already mentioned, passwords create a number of issues. I would like to talk a little bit more about two of them in particular.
The first one is password reuse, when your users are using the same password on multiple different websites, and the second one is phishing: tricking users into entering their credentials into fake websites. Historically, these issues have been really hard for developers to address, because they both have to do with your users being only human. So suppose one of your users, let's call her Jane Doe, has accounts on 50 different websites. On how many other websites is she using the same password that she's using
at your site? To answer the question, we've calculated some statistics on signed-in Chrome password manager users. And if she's anything like them, she is using the same password on 10 different websites; that's 20% of all her accounts. What does that mean? It means that if Jane's password is compromised on any one of those 10 websites, it's compromised on all of them, including yours. So how often does this happen? According to another study, during a period of just one year, data breaches exposed a total of
1.9 billion usernames and passwords. So this means that even if you have implemented all the password management best practices, for instance you serve your login page, and preferably your entire website, over HTTPS, you never store or log plain-text passwords, you always hash passwords, and maybe you do even more, you're still not done. So suppose you're using two-factor authentication for login. Jane has to enter her password plus an OTP, a one-time password, for instance a six-digit
number that she receives on her phone. Surely Jane is safe now, right? Well, unfortunately, OTPs are phished just as easily as passwords. Let me show you what happens. As soon as Jane enters her password into the phishing page, the attacker connects to the real website and initiates the login flow using the freshly stolen password. The real website asks the attacker for the OTP, who in turn asks Jane. In the meantime, the six-digit number is sent over SMS to Jane's phone. Jane is under the
impression that she's logging into the real website, so she expects that she gets asked for the one-time password. So as soon as it arrives, she enters it into the phishing page. The attacker then simply forwards the OTP to the real website, and with that they have just gained access to Jane's account. Similar attacks are possible if Jane is using time-based OTPs generated by an app on her phone or a hardware token, or if to sign in Jane has to confirm the login attempt on her mobile device. The problem is that in all of these cases
it is up to Jane to recognize that she's on a phishing page. Remember the study from before? It also estimates that around 12.4 million users fell victim to phishing during the same one year. This is why, last year, we recommended using security keys instead. Many of you are familiar with the U2F, Universal Second Factor, security keys that look like this. Some of you may even be using them for two-factor verification already. The main advantage of security
keys over OTPs is that they cannot be fooled by phishing. Security keys talk directly to the browser. They can verify that the URL of the page that Jane is visiting is the legitimate one, and not a slightly different URL corresponding to a phishing site. So this removes the human error factor; it is no longer Jane's burden to verify the URL. But if security keys are so awesome, how come we are not all using them on every website already today? Unfortunately, a key piece of the puzzle had been missing previously: there hadn't been a good way to
try out the initial feature set with the latest Chrome beta. So, let's see what makes this API so great. First, it's backwards compatible with existing U2F security keys. The very same key that you registered through the U2F API can now be used through the Web Authentication API. That means that you can migrate your site from U2F to WebAuthn without any user-visible changes. But WebAuthn is much more than just a U2F replacement. It also enables authenticators that come in a wide variety of form factors, much more exciting than USB
hardware tokens. So if hardware tokens are not your cup of tea, don't fall asleep just yet. WebAuthn also brings many new features that enable exciting new use cases. The single most important feature is probably that authenticators can now perform user verification. This means that the authenticator can locally verify the user. If Jane drops her authenticator on the street, you cannot just pick it up and use it; it only responds to Jane. User verification can take many forms. It can be done using
biometrics, such as a fingerprint scan, or an easy-to-remember PIN code. And we are not only talking about external hardware tokens: the built-in fingerprint reader in your notebook or phone can also become a user-verifying authenticator, regardless of form factor. What makes user-verifying authenticators so interesting is that they do not need to be combined with passwords to implement two-factor authentication. They are already something that you have and something that you are, so you get great security and you also get a great user experience:
you no longer have to type your password, which is especially frustrating on mobile devices. So let me show you what I'm talking about. Can we switch to the demo device, please? Suppose that I'm browsing the web and I find something I want to buy. I have here a Pixel 2 phone with a fingerprint sensor. So suppose I find this camera cleaning kit. That's very nice, and that's a really good deal for just $0.10. So I add it to my cart. Then I go to check out, and then I choose to complete my checkout with PayPal. I get redirected to PayPal. Because
PayPal supports the Web Authentication API, I can easily verify my identity using just my fingerprint. I select the credit card and shipping address, then I get redirected back to the merchant, and there my order is confirmed. So I didn't have to type a password, it was still secure, and it was a so much better user experience. Back to the slides, please. So how does it work? First, let's take a look at how authenticators work in the first place. There is a one-time setup flow during which the
user registers an authenticator with an account. During registration, the authenticator generates a new public-private key pair. The private key is stored locally and cannot be extracted from the authenticator. The public key is sent to the server. Then every time the user wants to authenticate, they have to prove to the website that they possess the private key. This is done through a challenge-response based protocol: the web server sends a challenge to the authenticator, which in turn uses the private key to provide a cryptographic signature for this challenge. The signature is
sent to the web server, which verifies it against the public key and the challenge. With user-verifying authenticators, releasing the signature is also gated on successful user verification, such as a fingerprint scan. So your fingerprint never leaves the device; it is only used to locally unlock the authenticator. Now, let me walk you through the one-time setup flow in more detail. You did not see this because I already did it last week. There are three important participants in this flow: the authenticator itself, the web application
running in the browser, and the web server. Suppose that it is once again Jane, who is now setting up the fingerprint reader in her phone as an authenticator. To kick off the registration flow, the server first generates a challenge, a large random number that will be used only for this registration process and sent to the authenticator. The server stores the challenge in association with the user account and transmits it, along with user information, to the web app running in the browser, which then calls the Web Authentication API. This is what it looks like in code.
As mentioned, it extends the Credential Management API, so it's available under navigator.credentials. To create a new public-key credential, you call navigator.credentials.create with the publicKey option. You specify the challenge you received from the server, user information that will be displayed on the authenticator if it has a display, and the crypto algorithms that you wish to use. In addition to these parameters that you just specified, the browser also extracts the authoritative domain name of the calling web application. Then all this information is sent to the authenticator,
which asks for user consent. This is required so that malicious websites cannot use the API to track the user; this protects the user's privacy. Once user consent is given, the authenticator generates a new public-private key pair. It stores the private key internally, along with the credential ID, user information, and, importantly, the domain name this credential belongs to. The API call is then resolved with the PublicKeyCredential, which contains the unique identifier, the public key, and the signature calculated over the challenge, the domain
name, the public key, the credential ID, and some other parameters. Send these values to the server. There you need to validate the signature, and the last step, if the signature checks out, is that the server has to store the credential ID and the public key in association with the user account. And don't forget to invalidate the challenge; it's only valid for one transaction. This concludes the registration flow, and remember, you only have to do this once. Now, let's take a closer look at how Jane can use the authenticator to log in without the password the next time.
The starting state here is that the authenticator already has a private key and the server has the corresponding public key in association with Jane's account. Remember that authentication is performed using a challenge-response based protocol, where Jane calculates a cryptographic signature to prove possession of the private key. So once again the flow starts with the server generating a challenge, a large random number, which is used to prevent replay attacks. Then the server transmits the credential ID and the challenge to the web application, which in turn calls the Web Authentication API
to get a signature. You need to call navigator.credentials.get with the publicKey option. You specify the challenge that you received from the server and the credential for which you want to get a cryptographic signature, and here you see that we also ask the authenticator to locally verify the user. In addition to these parameters that you just specified, once again the browser extracts the authoritative domain name of the calling web application and sends all this information to the authenticator. The authenticator
looks up the information stored for this credential ID. Next, and this is very important, the authenticator checks that the domain name of the calling website matches the one that was provided at the time the credential was created. This is what makes these authenticators resistant to phishing. If Jane is on a phishing page with a slightly different URL, the authenticator notices the discrepancy. So next, if it is indeed the legitimate site, the authenticator performs local user verification using the fingerprint reader. If the fingerprint checks out, the authenticator
uses the private key to generate a cryptographic signature over the domain name and the challenge. The API call is then resolved with the signature, which is sent to the server. There, once again, it is verified that it corresponds to the challenge and the public key, and if it does, then the server considers Jane's authentication successful. As the last step, again, don't forget to invalidate the challenge. This concludes the authentication flow. But if you have a large user base, you know that you cannot just replace your identity management overnight. What's so
great about WebAuthn is that, one step at a time, you can use more and more of the API to get more and more of the security and usability benefits. First, you can use it as a drop-in replacement for the U2F API for second-factor authentication. Then, with minimal changes, you can implement passwordless re-authentication before sensitive operations, such as making a purchase, for instance. This can be done using the fingerprint reader built into your phone or mobile device. And finally, once your users warm up to the idea of
signing in using a fingerprint or hardware token, you might even consider making it their primary login mechanism. To summarize, we talked about the Web Authentication API, which provides strong authentication on the web using public-key cryptography. It brings new features and form factors that enable a passwordless login experience, making it very easy for users to sign into your site securely, and it all comes in the form of a simple-to-use, standardized, open web platform API, which is available across all platforms and browsers.
With that, back to Eiji to wrap it up. Okay, thank you, Balázs. So we've been walking through One-tap sign-up for low-friction sign-up, reCAPTCHA v3 for zero-friction bot prevention, and Web Authentication for stronger authentication with an open standard API. We have published an article about it. By now you should have understood what makes a good sign-up and a good sign-in: great security, great user experience, and great developer experience. If you have any questions, please visit us at the web sandbox, which is right