About the talk
Christiaan Brand, Product Manager, Security and Identity, Google

For organizations running websites or services, protecting against phishing with stronger user authentication is a major concern. FIDO2 WebAuthn provides a solution and is now supported across the web. Join this “How to FIDO” tutorial and get started with WebAuthn, and journey into phishing-resistant and passwordless authentication for applications and websites.

Christiaan Brand co-founded the financial services security firm Entersekt in 2009. He has since moved to Google, where he is part of their security and identity teams. Brand is a frequent industry commentator on all areas involving cybercrime and cybersecurity and is Co-Chair of the FIDO2 technical working group within the FIDO (Fast IDentity Online) Alliance, which is looking to standardize strong online security protocols.
Hello everyone, and welcome to my presentation, titled “WebAuthn 2020: How to FIDO”. I'm Christiaan and I'm a product manager at Google. A quick recap of the state of internet security: [this chart shows] malware on the internet, and there's a really strange spike happening around the start of the pandemic. We saw this trend back in 2013 and joined the FIDO Alliance, and we doubled down on phishing-resistant authentication: the password with some strong, phishing-resistant second factor in recent years.

Our focus has since shifted towards UV [user verification]. A little bit about the WebAuthn standard before we get started: [it's a] World Wide Web Consortium [specification covering the interface between web applications and] authenticators and devices. And then you have the second specification, CTAP, that is supposed to sit between a particular user agent, browser or platform, and physical authenticators. In this particular presentation we're going to be focusing a little bit more on the former than the latter. The former is more for web developers, and if you're interested in producing your own authenticators that will work with the [ecosystem, CTAP is the one to look at].
What's the FIDO standard, and how do FIDO and WebAuthn relate to one another? Well, we have this FIDO umbrella, and then we have different types of authenticator, [platform and] roaming, and you have CTAP as a protocol that kind of governs that particular [interface]. How does this protocol all hang together? First and foremost, everything here is around user authentication. So when a user wants to sign in to some remote server, [they send a] username and password, and in some cases [the server says] “okay, I think I know who you are.”

You need cryptography to look at [the rest]. Okay, I'm going to send [a challenge]; it doesn't really matter for the purposes of illustration. The authenticator holds a unique private key that was generated during some enrollment or registration ceremony at some point, [and the server can] validate that. Basically, the first thing [it proves is that the user] is in possession of the private key at that time. So when the user is on google.com, the browser is attesting to the fact that the user is on the real Google account [site] and not, for example, on fake Google, you know, [some look-alike domain].

But because we're signing over the web origin information in full, it [stops] man-in-the-middle attacks: you're binding in knowledge of whether a user is on a legitimate site, in general. As the user's authenticator [responds] to the remote server embedded in the website, [the origin is signed] across all of it, [and that's how] WebAuthn protects against phishing attacks, where users go to [a site that] looks like yours but [isn't] on the exact URL. A quick primer before we get there: there's a document with the link shown here at the bottom,
called the “How to FIDO” guide. Before we get to that, a couple of, like, pieces of background that we need to understand. The first one: let's talk a little bit about these [authenticator types]. In the earlier example we've seen physical security keys; that was my little USB fob that you can plug into your device, that contains the user's private keys inside. In FIDO nomenclature today, that would be a [roaming authenticator]. That works very well; it's on the lower right-hand side of my quadrant. That's a device that works very well for second-factor authentication, and, you know, at the same time, they are defeating phishing [by proving] they are who they say they are. On the other side, on the upper left, is the user-verifying [platform authenticator, which] web properties can use pretty much today as a way to conveniently re-authenticate users into their web properties. This use case is all right, we all understand [it]: I have a phone, I download my favorite banking application onto it, I sign in with my username and my password today, and tomorrow, when I come back, I can log back in [with a biometric]. Right now the experience [we're] looking at is [whether] we can offer that same experience to [the web using] local biometric modalities. [Then] there's a brand-new type of physical security key, which can also identify the user. How does it identify the user? A security key could [have a] PIN code, or it might have a fingerprint sensor that you tap to actually activate it. So that means that we can actually get rid of usernames and passwords and can identify the individual user, in addition to [the key] being a physical instantiation of, like, a second factor: I add my fingerprint [or a PIN] that I have to [use to] unlock the device. [The last quadrant is] types of security keys that kind of fit almost permanently into our, you know, laptops or desktop devices. If you're interested, feel free to add to the conversation here, put that in the chat box, and I'll try to go on to some questions on that, but that's more or less an enterprise [use case], where we use the security key fob [as a] defense-in-depth mechanism [with] single
sign-on. Like, I log into the service today, popping in my username and my password and then, you know, exercising my authenticator to get signed on to my [application]. How can the remote web server be sure, a day or two later, that the token that's being sent from my machine is still being sent from my machine and not some other machine? [It's] able to use a signature of this local authenticator [that] I have in my device to do so. So in addition to the token that's being sent, [the machine] still has access to this physical piece of hardware that's tied to that particular user account. And with that, [here are] some more high-level [principles] before we start. The first one is, like, if you have a website or web property or any kind of application with authentication, for Google, for example, if you're a consumer and you're logging in to Gmail: even if the user authenticated into a particular property [and] proved their multi-factor status, there's really no reason, when the same user comes back on the same machine a day later, to keep on asking them for their second factor [when] we've already proven possession of the mobile phone.

[Then] the second thing I want to say. The first one is, unless you have a good reason, [don't re-prompt]; maybe for now, [as] we talked about, you're just kind of training [users] into providing the password, you know, [every] day, and then when the user gets phished, it [looks] like the official website. Those are kind of, like, two things I just want to call out before we start, [and you'll see them] sprinkled throughout the deck. [Account bootstrapping:] I get a new phone, I'm trying to sign into that device, I've never signed into it before, so the remote party has no idea who the user is. They have no [proof, even though] I told them that I'm the person that's going to log in on this device. [The worst case is] where the user is presenting [themselves] but they can't remember the password. [That's where] a lot of phishing protections [are needed]: signing in as a user on one of their devices will typically look like account bootstrapping. What I'll start with is a couple of use cases here that are taken directly out of the “How to FIDO” guide, for web properties that are interested in
starting to use FIDO and WebAuthn in their own [properties]. I think the first foray into the land of FIDO is with what we call the user-verifying platform authenticator. That's, like, a mouthful; [the check is] isUserVerifyingPlatformAuthenticatorAvailable, and it features as a way to log that user in in the future without having a password. It tells you whether there's a [biometric] modality that's available [on the device, and if so] you actually engage [the user]: do you want, next time you come, [to skip] the password? You know,

then you can [register a] credential. It's basically going to look something like this, and it's in the “How to FIDO” guide so you can copy and paste from there: you know, some information about the user, and then you tell [the browser] that you're looking for a platform authenticator. You're not looking for a physical [key]; you're looking for something of the type that, remember what that means, actually has the ability to identify [the user]. We're [doing this at] this particular time [because] the user [just typed] the password [and] their second factor, whatever way you tend to give them.

[Next time, the user doesn't] have to do all this; the property [just] makes sure that yes, the same private key is still present on the system and that the user did their local unlock gesture, like they touched their fingerprint, they showed their face. Both of these things are validated at the point in time when you do the [navigator.]credentials.get call. Remember, you decide what type [of authenticator to ask for]. So basically, [you don't want] anyone that's working on that machine to be able to get in; you want the user that actually owns that device, [who] has their fingerprint registered
registered, and that's what you need to say in order to do this properly. We have many properties that have done this before; I know that at Google it works really well. [It's] the one that we've seen on mobile phones with apps for a really long time. [Next] is the lower right-hand quadrant: when I have a very, very high-profile web service, like [unclear] websites, you know, maybe [you'll] do it, and you want to protect your users [by] asking them to get hold of a FIDO-compatible security key for their account [instead of a] password, or maybe some physical form of multi-factor, like OTP codes or something, on their particular account for this property. Yes, you can still have a [password] on the account, but of course, you know, if you're going to be working for the security of the user, [you'd rather they're] having the security key. [The request] would look a little different. [This] is the way that we [present] this to the user on Google accounts: you have, like, you know, a list of different security keys that you can add to your account, as many as [you like]; you just have to have one of these present. What we change is that we're now saying that we're actually looking for a cross-platform type of authenticator. On the right-hand side, under authenticatorSelection, we're saying we want something that, you remember, can be brought by the user to a new device: a Bluetooth device, [or a key that moves] between different devices. [We're also] looking for any credentials that already exist across platforms, [an] important part. In this particular example, [the transports] that have come up are NFC and USB. You have this kind of one standard UI coming up from the browser or the system that will prompt the user to activate [the key], and then the [assertion is] validated as we saw in my earlier kind of flow diagram: you'll be checking things like, is the signature correct over the right [data], is everything else in [the assertion] right. That was kind of, like, you know, covering the upper left and the bottom right-hand corner of my quadrant. Going to the
next section here, and that quadrant is about the user-verifying roaming authenticator. [What's interesting about] these types of devices [is that] these devices have storage: they can keep your account on the [key], and it's my, say, christiaan@google.com account that's linked to this particular key. [With] all that information [there], we can stop asking the user for [a username]; you [just] need to [unlock the key with a PIN] or my fingerprint. Even if I have one key and I use it with 50 different accounts, I'm only using the same PIN code for all the accounts, and [someone would have to] physically get hold of my key and [know] my PIN or [have] my fingerprint to log in to my account, because that's needed. These are kind of, like, the next generation of authenticators, and these really start to open the world to the passwordless experience: devices that can allow the user to log in completely without using passwords, [even when] they go onto a brand-new machine. The devices we're still looking at [are] coming up with, like, smart card technology and, you know, the [other] competing devices. We'll briefly look at how to register [one]. The type of [request] is going to be very, very similar to the second-factor external device; look at that second kind of example of how you say, hey, navigator.credentials.create. The really only big difference here is this requireResidentKey requirement, and also the userVerification field, where we're saying we really need user verification. [We] want it to be this way: that the device is able to identify the user and have the account information for the browser to present to them next time.

But these are going to be used [when] actually just doing the registration. When the user says, “I want to register a new security [key]”, you can tell the system to give you back whatever the best thing is that the user has available. So you can tell it that you'd prefer a user-verifying roaming authenticator, something [that stores] the user ID, and something that [can] verify the user; [if it can't, you're] still going to [get a credential]. In a couple of seconds, you can decide [how strict] you want to be.
If you want to live in a world where users don't ever have to deal with passwords again, for example, that bullet point, the resident key requirement, [matters]; when you [skip it, it won't work]. So that's kind of pretty important. And again, we want to live in a world [of passwordless], maybe even without [a security key]: what if the mobile phone that the user already carries starts to act as a UV [roaming authenticator]? Right now, one of the key problems is, how do you attach your phone to a laptop? [You need] some local attachment; [FIDO] is based on local connectivity and proximity, [and] that's the thing that gives you the phishing resistance. So we're thinking that in the future the mechanism of attachment will probably be some kind of, like, a Bluetooth link. I download my bank's application, or I go to my banking website; next time I come back on the same phone [to the] banking website, [I sign in with my fingerprint]. Now imagine [that credential] is actually made available over Bluetooth: [a laptop] in range of my phone can actually use that same credential, so tomorrow I might be here [on a laptop], and instead of having to type usernames and passwords, I can just approve that login with my fingerprint on my phone. [This is built into] the future of this protocol, right into the protocol; almost all of it [comes from] the way that this registration keeps the keys on the phone. If you use FIDO to handle all of this for you, in the future, when these [credentials] become available over Bluetooth, you'll be able to immediately, on any other device, use your [phone as an] authenticator [to sign in to] that same web property [with the credential] on the phone itself. Again, we'll see [unclear]. The information I need [comes back from] the registration: the registration will contain the transports, [which] tell you [how] this credential can be exercised in the future. [You'll get] back an “internal” transport that tells you the key [is on the device itself], or [a transport for] Bluetooth devices, [so that a device] that's not physically the phone itself can wirelessly reach out to the phone and exercise some of the credentials you have for passwordless FIDO.
[There are] multiple ways that you would do this, or why don't you just, like, skip the password and run without a username or password? If you click on that particular [account, the] user [is] not [asked for anything]; you just won't [ask] anything, [because you have] user verification. [The same way, you'd] look for [the] user verification [flag]. You remember the [quadrant]; the second one is the only one that's kind of, like, still in progress, but I did want to kind of give a quick indication of how that [would] work. All three of the others [are available] today and you can actually start working on [them for] your property. I didn't want to lose you on that fourth one, because if you [adopt] WebAuthn today, that experience will basically become available to you as soon as the relevant [pieces ship]. [That ties] it all together, and I wanted to [leave you with] some quick next steps on what you can do in the meantime. [There's] a pretty nice FIDO server [you can run], and in particular the document that we're discussing, and finally [there's] some source where you can play around with some of these APIs. One thing I didn't mention earlier is: remember that these web APIs, if you have an Android [app], have parallels on the Android system as well. So if you have an Android app, you don't have to keep [dealing] with the keystore and the biometric prompt directly; you can actually be using the FIDO APIs in your own applications as well. And then you'll get keys that are shared between your website in the browser and [your app, and] in the future even on other devices, which can then kind of be accessed over the Bluetooth or wireless links that we're working on. [That's it;] if you [found this] interesting [or] you have any questions, please feel free to ask them and I'll try my best to [answer]. Thank you.