U2F Tutorial - Authentication Tokens for Enterprise and Consumers
Download as PPTX, PDF1 like3,336 views
A technical tutorial on deploying FIDO U2F specifications for security tokens for enterprise and consumer authentication.
Ad
More Related Content
What's hot (20)
Similar to U2F Tutorial - Authentication Tokens for Enterprise and Consumers (20)
Ad
More from FIDO Alliance (20)
Ad
Recently uploaded (20)
U2F Tutorial - Authentication Tokens for Enterprise and Consumers
- 1. U2F Tutorial: Authentication Tokens for Enterprise and Consumers MIGUEL RODRIGUEZ, EXPERT SERVICES, YUBICO
- 2. 2 ©2018Yubico Agenda ● About FIDO U2F and Security Keys ● Exploring FIDO U2F ● FIDO U2F Demos ● Integrating FIDO U2F
- 3. 3 ©2018Yubico © 2017 Yubico About FIDO U2F and Security Keys
- 4. 4 ©2017Yubico FIDO U2F / Security Keys Co-developed by Yubico and Google, completed and published as a standard by the FIDO Alliance in 2014 # of ServicesAny Shared SecretsNoOne Authenticator
- 5. 5 ©2018Yubico U2F Value Secure Eliminates Phishing & Prevents MitM Simple Insert and Touch Gold Contact Scalable Use the Same Key for Unlimited Services Private No Shared Secrets Between Services No Shared Secrets with Yubico
- 6. 6 Google Case Study U2F YubiKey vs Google Authenticator ● 4x faster to login ● Significant fraud reduction ● Support reduced by 92% ● YubiKey mandatory for all Google staff and contractors ● Support for Google end users
- 7. 7 ©2018Yubico © 2017 Yubico Exploring FIDO U2F Protocol flows
- 8. 8 Relying PartyUser Side U2F Code USB (HID) API U2F JS APISecure Hardware (optional) Transport USB (HID) Web Application U2F Library FIDO Client/ BrowserU2F Authenticator U2F Entities NFC API Bluetooth API NFC Bluetooth User Action Public Keys + Key Handles + Attestation Certificates
- 9. 9 ©2018Yubico Generate private key, public key, key handle AppId, Challenge, origin, channel ID Private key (per service/site) 1 4 Verify client data, verify signature, store public key and key handle 5 Registration request 7 8 Successful registration How FIDO Registration Works Relying Party (e.g. web service/site) Authenticator (e.g. YubiKey) AppId, Challenge2 Client (e.g. web browser) Public key, key handle, signature 6 PK,KH, sig, client data 3 andFIDO
- 10. 10 ©2018Yubico Require test of user presence before private key can be used Challenge, origin, channel ID Private key (per service/site) Public key 1 4 Check signature using public key to verify origin and channel ID 5 Login request 7 8 Successful login How FIDO Authentication Works Relying Party (e.g. web service/site) Authenticator (e.g. YubiKey) Challenge2 Client (e.g. web browser) Signed response 6 Signed response 3 andFIDO
- 11. 11 ©2018Yubico © 2017 Yubico Demo 1 FIDO U2F and Firefox
- 12. 12 ©2018Yubico © 2017 Yubico Demo 2 FIDO U2F and Android
- 13. 13 ©2018Yubico © 2017 Yubico Integrating FIDO U2F
- 14. 14 ©2018Yubico Integrating FIDO U2F- client side ● Typically a U2F enabled browser ● Use the u2f-api.js library (high level API) ○ Simplest way to get started ● Call two functions ○ u2f.register ○ u2f.sign ● If not a browser use a U2F host library (Python, C)
- 15. 15 ©2018Yubico Integrating FIDO U2F- client side Errors 1. OTHER_ERROR: An error otherwise not enumerated here. 2. BAD_REQUEST: One of the following reasons: ○ The visited URL doesn’t match the App ID. ○ The App ID does not conform with the rules for App ID’s. ○ The U2F API is called with bad parameters (e.g. calling u2f.register with the parameters in the wrong order). 3. CONFIGURATION_UNSUPPORTED: Client configuration is not supported. 4. DEVICE_INELIGIBLE: The presented device is not eligible for this request. For a registration request this may mean that the token is already registered, and for a sign request it may mean that the token does not know the presented key handle. 5. TIMEOUT: Timeout reached before request could be satisfied.
- 16. 16 ©2018Yubico Integrating FIDO U2F- server side ● Some servers are tightly coupled with the web application ● Others are decoupled (U2F as REST or SOAP API) ● Pros and cons dependent on the web application ● Messages between the U2F Authenticator and the U2F Server are standardized ● Server implementation based on typical considerations ○ Cost ○ Ease-of-integration ○ Support ○ Scalability ○ Etc.
- 17. 17 ©2018Yubico Integrating FIDO U2F- server side Tools for implementation (open source) ● Server libraries, in several programming languages: ○ C (libu2f-server) ○ Java (java-u2flib-server) ○ PHP (php-u2flib-server ○ Python (python-u2flib-server) ● Stand alone server (demo only): ○ Yubico U2FVAL server (REST, Python)
- 18. 18 ©2018Yubico Integrating FIDO U2F- server side ● Server-side U2F library has 4 basic functions: ○ Start registration ○ Finish registration ○ Start authentication ○ Finish authentication
- 19. 19 ©2018Yubico Integrating FIDO U2F- server side Registration
- 20. 20 ©2018Yubico Generate private key, public key, key handle AppId, Challenge, origin, channel ID Private key (per service/site) 1 4 Verify client data, verify signature, store public key and key handle 5 Registration request 7 8 Successful registration Integrating FIDO U2F - server side Relying Party Authenticator (e.g. YubiKey) start_registration 2 Client (e.g. web browser) Public key, key handle, signature 6 end_registration 3 andFIDO Generate challenge
- 21. 21 ©2018Yubico Integrating FIDO U2F- server side Authentication
- 22. 22 ©2018Yubico Integrating FIDO U2F- server side Authentication: create challenges for all registered devices
- 23. 23 ©2018Yubico Integrating FIDO U2F- server side Authentication: successful for one registered device
- 24. Get Started ● Read the specifications: fidoalliance.org/specifications/overview/ ● Go through a MiniTwit U2F tutorial: MiniTwit training video Implement ● Google reference code: github.com/google/u2f-ref-code ● Build your own U2F server: dev.yubi.co/U2F/libraries ● Use Yubico standalone U2F server: dev.yubi.co/u2fval Test ● Yubico U2F demo server: demo.yubico.com/u2f ● Google U2F demo server: u2fdemo.appspot.com FIDO U2F - Learn More 24
- 25. 25 ©2017Yubico