
WebAuthn, Yubikeys, and You: What we wish we knew before rolling out WebAuthn for internal use

BSidesSF · 2023 · 27:01 · 700 views · Published 2023-05
Speakers: Alex Toombs
Category: Technical
Style: Talk
About this talk
Alex Toombs

There’s a better way to MFA today: FIDO2/WebAuthn is a much better second factor (compared to TOTP or SMS) that our IdP, Okta, supports well. Hear Discord’s experience trying to elevate our company’s security posture and deploy WebAuthn to all users who do work for us, in any capacity, anywhere.

https://bsidessf2023.sched.com/event/1Hztw/webauthn-yubikeys-and-you-what-we-wish-we-knew-before-rolling-out-webauthn-for-internal-use
Transcript [en]

This talk is about rolling out WebAuthn and YubiKeys to everybody at Discord for corporate authentication. But first, a little bit about me. Hi, I'm Alex. I work on platform security at Discord: a lot of infrastructure, a lot of IT stuff. Before that, healthcare technology, a platform-as-a-service company called Alto with an app, Sarah. Did electrical engineering, backend, full stack, and that brought me to security over the last decade or so.

I want to talk a little about Discord security. We have a pretty awesome security team nowadays. Our real intention is to make the secure way the easy way. We want to meet our users where they work: we want developers, people who are engineers, to come talk to us about the tools they're using. We know how to work on those tools; we make PRs the same way they do. We always want the right solution, we don't just want the easy one, and that's kind of hard in security, right? It's really easy for us to come up with rules; it's hard for us to come up with things that actually make people's lives better and move the security needle forward.

What does it mean to actually enable developers, enabling our users, supporting BYOD? I think if you're a security professional you've probably had challenges around BYOD within your org. If you haven't, you're either very fortunate or you just don't know about it yet. With 400-plus people like we have in engineering and product, we absolutely have that as a challenge. We have desktops, we have MacBooks, and many more, in many, many countries, which makes it challenging to do something like, say, ship YubiKeys to all of them.

So if you want something that's better security and better user experience, what do we want? As a security feature, we want more MFA prompts, more multi-factor authentication prompts: things like, if you're accessing a production piece of infrastructure, accessing a production service, accessing a sensitive application like your HRIS system, or doing role escalations, I want to have some sort of check, like "hey, are you actually who you say you are?", a presence check in there. And if we just start saying "more MFA prompts" all the time, the misery index creeps up. So how do we do that while keeping the misery index where it's at, or ideally bringing it down? So, on to WebAuthn. But first we're going to talk about MFA, the state of MFA, and why WebAuthn is what we chose.

So why MFA at all? Starting from the beginning: password reuse is incredibly, incredibly common. You've probably seen people successfully do credential stuffing attacks, taking breaches from things like Have I Been Pwned and trying them on multiple websites, some within your org. Beyond that, phishing attacks are incredibly prevalent. We all have people who have been phished, we've all been phished; anyone in this room can be phished, whether you think you can or cannot, you absolutely can be. The goal of MFA is to raise the cost to attackers. It's not going to make it impossible, but it makes it harder for somebody to take your credentials and log into a different website.

Nobody really uses MFA. This talk is really focused on corporate users, but this is for users of Twitter, circa July 2021 I think, when this report was last pulled: for all types of MFA across Twitter, 2.6% of accounts had any type of MFA at all. The change from July to December of that period was plus 6.3%, so really not growing a whole lot, and I think this is pretty similar to what we see at other places, really single-digit percentages of MFA. Obviously you have more levers you can pull with corporate MFA, but it's something users are telling us they don't really like using, because it's very high friction.

So there's a whole spectrum. You have a lot of options for MFA: you have no MFA, one factor, just passwords; you have SMS and email; you have TOTP, probably the one a lot of us are pushing out in orgs; and HOTP or push notifications, something we probably have in a lot of places; we have WebAuthn, which I promised we would come back to; and then perfect security is you live on a mountaintop, you throw your computer out the window and never log on to the internet again. But you can't get away with that while running a business, so we go to the next best option.

So what do we do? WebAuthn: the primer on a better MFA. So what is this? WebAuthn is a web authentication API, which is what the "authn" stands for. It's an open standard leveraging public key cryptography, so in general you have a public key that you advertise out and a private key you keep on your device. I'll talk through the registration flow in a minute. Why is this thing so good? Why are people talking about this, why am I talking about this, why did I spend too long working on this? It's because it's really strong. Leveraging public key cryptography is something we've used for a lot of problems in the past; let's bring it to this domain. It's scoped: you have it scoped to a certain website. You do it for, for instance, discordapp.com; you don't have to do it for discord-weird-thing-that-looks-like-an-idp.com. It's scoped to a certain domain. And it's attested: you're attested from the hardware security module on your device. So these are kind of the principles.

Let's talk through what this registration flow looks like. You have a device, in this case a cell phone, but there's a wide plethora of devices, all of them valid. You register by saying "I want to create a new account with the site." The site says "sure, generate me a public key." You generate the private key as well, so the key pair is generated; we send the public key off into the ether and the private key is only ever kept on the device, and you've registered with the website. As a shout-out, webauthn.guide is a great website; it's where all these graphs are pulled from.

So you have registration. Now you have the handshake, when you're actually trying to authenticate. You have a device come and say "hey, I want to sign in." The device says, or sorry, the service says, "please sign this data, this payload, so I know it's really you," so it can do that attestation we're talking about. On the device you come back and say "cool, here's a blob, I'll sign it with my private key," and then you pass that back up saying "here's a signature." It shows that nothing can be tampered with in transit. And the website says "let's take that public key, let's verify the signature," and great, it checks out, you can sign in.

So how do we use WebAuthn? I talked a little about logistics; that's going to be the second half of this talk. But, spoilers, you probably already have things that could act as a WebAuthn authenticator. You may already be using it under the hood even if you don't know it. There are two big categories: there are external or roaming authenticators, YubiKeys, Titan Security Keys, other things like that; and then there are internal or platform authenticators, MacBook Touch ID, Face ID on iPhones, Android fingerprint unlock, Windows Hello, things that are inherent to the platform. Whereas the roaming key is something you plug in and walk around with; it can roam with you, you don't need to be tied to your laptop for that one to work.

So here's a little bit of a breakdown of ATO, account takeover, prevention rates by type. This is from the Google security blog, which is excellent, comparing on-device prompts, push notifications, SMS codes, security keys, and then a few other types of MFA, and you can see that the efficacy of security keys is really, really good, which is awesome. This is even for targeted attacks, which are the yellow bars (I'm colorblind, I hope they're yellow) at the bottom, and you can see they have 100% for all the cases they've been auditing, which is really great. By the way, Google research has made it really easy to make this case internally. I'll quote that more later, but just a shout-out: thank you for making it easy to make this sell.

So, more Google research here: "We have had no reported or confirmed account takeovers since implementing security keys at Google." And that is Google; I imagine people are trying to hack Google and the people who work there, and they said they haven't seen anybody get compromised in this way. It's really cool to be able to take one of these threats off the table, because we have enough keeping all of us up at night.

So then, WebAuthn at Discord. I work at Discord; this is how I made the case for better corporate MFA at Discord, and hopefully it can help all of you make the case if you're not already using WebAuthn internally. Security is not an island. We've heard a lot of talks about this this weekend: people need to come to terms with us, and us with them, on how important a thing is and how much it's worth disrupting workflows. Ideally, like I said, we can move the security bar up without blowing up people's workflows, without increasing that misery index. Ideally the security bar goes up and the misery index either stays flat or goes down.

So we had a lot of stakeholders to work with: IT, engineers, CX, people who were both FTEs within the company as well as people who work outside of the company, all of whom work together to make Discord great. The mission here was that we had to show this was safer than the status quo, that it's better MFA, more effective. I wanted to show it was easier too, that this wouldn't just be adding to that misery index. We also wanted to show it was cost effective: you're talking about buying new hardware in a lot of these cases, so it's going to cost some money, it's going to cause some disruption. How do you show it's worthwhile to do this?

So, safer. Again, shout-out to Google, they made my job here really easy: "no reported or confirmed account takeovers since employing security keys at Google." That's big, right? So it's really easy to make that case, saying this is the de facto standard people have been moving toward. And it's not just Google; there's also great research: the Coinbase security blog also has some great material about rolling this out internally as well.

Easier to use. You can all see here it's kind of a jumbled mess of all the different TOTP authenticators, and I'm not knocking TOTP authentication whatsoever, I use it all the time, but you're getting your phone out of your pocket, you're logging in; I use Authy and I have to use my fingerprint ID twice to log into that. People feel the urgency of the time-based nature of this too, and that's something that just adds friction every time you add this prompt. If I want to say "do this every time you're pushing a commit" or "every time you're logging into a server," it's going to make people get their phone in and out of their pocket, unless you have a cell phone holster, and even if you do, it's still going to increase the misery index quite a bit.

So I think it's easier to use WebAuthn, and we're hearing that from our users at the end of the day as well. The most common experience at Discord is that 80% of people are working on MacBook Pros; they register the Touch ID on the device and you just tap it when you get the prompt. For other devices we have Windows Hello; you also have YubiKeys of a wide variety, and I'll talk more about what we lean toward later on. But you don't have to fish phones out of your pocket, and you're phishing resistant with WebAuthn MFA as well. The friction is really low, which means we can start playing with MFA prompts and adding them all over the place without increasing that misery index.

Is it cost effective? That's the next big one. Two factors per user is about $30 to $75 per person, depending on the kind of prompt you're doing, the kind of keys you're rolling out. You also have to worry about an increased burden on IT to distribute and service: we have to talk about shipping this to every new hire, everybody who comes in. Discord works from everywhere; we have an office, most people never come into it. So how do we enable that, how do we enable people in countries all around the world without ruining IT's life? Because they are great, they really helped me roll out this project, and they would not be as happy about it if I took up all their time servicing lockout requests.

For instance, you're comparing this not to inaction, right, you're comparing this to the cost of inaction. The cost of inaction on average, from a 2022 report from IBM: a successful phishing attack at a company is about five million dollars, 4.9 million dollars. I think we can all think through, whoever gets phished, depending on who that person is and what kind of standing access they have, it can probably go a lot higher than that too.

So again, shout-out to research from Google. This is talking about support incidents, the burden to IT: you can see here that the support incidence of lockouts dropped precipitously as people adopted hardware security keys, which is awesome to see. Over time the support rate for OTP drops, and for hardware security keys it's flat as they rolled it out throughout the org. "For the deployment, we found the increased user productivity and the decreased support costs were worth the increased hardware cost." So that's big; it really helped make the case. Not only are you decreasing the burden on IT, but you're also increasing productivity from being locked out less often. Fewer support requests means people are getting far fewer lockouts than before, so it's not just the cost in IT, it's the cost amortized across your whole organization. It's big cost savings.

Everyone gets YubiKeys; some people get two YubiKeys; somebody gets a Mac Touch ID keyboard, something like that. We have a wide spectrum of devices we support here, but it's cost effective, and we can make exceptions like that because the savings are really worth it at the end of the day. So we sold people, but what's the plan?

We sold them on it. Step one: get everyone (asterisk) into Okta, and get every (asterisk) app into Okta. Anybody here who's been early on security programs knows that time is a flat circle; you see a lot of the same themes. You get people behind MFA, or behind SSO rather; it's the first thing you do. For us we did that with Okta, something we started the ball rolling on prior to starting this project.

Step two: get two-plus authenticators to everybody. A platform and a roaming one is what we decided on, but it could really be any of those. Some groups we wanted to go with three, for redundancy: execs, or people who are super admins in Okta, G Suite super admins, people with highly privileged accounts that are hard to service if they get locked out, or that carry a lot of risk. We got multiple authenticators for those, because again you're talking a cost of like thirty dollars for an authenticator, fifty dollars for an authenticator, much lower than the risk of compromise or the risk of lockout in these cases.

Step three, and we've heard this a few times this weekend in other talks, but it's important: start testing on us. When we laid out the strategy for who we wanted to start rolling this out to, gradually, the first step is security. If this is a bad experience we want to feel that pain first, and when we come to other users we want to say "hey, we've been dealing with this for a month and it's actually better than it was before." It builds trust with your users if you're going through this sort of stuff and not just imposing it on them and saying "we'll get to it later." So we did security, infrastructure, IT, execs, engineering, all FTEs, and then everybody. Again, Discord has people all over the world in all different capacities working for us, who all help make Discord great; we want to make sure we encompassed all of them and reduced the risk across the board.

From there, we had an exception group in Okta. This is kind of Okta-specific, but whatever your SSO provider is probably has similar functionality. For us we had an authentication policy that said everybody needs to get a password and WebAuthn prompt to log in, or WebAuthn prompts in these certain cases, except for people in this exception group. That allows us to say, okay, we can opt in the whole category, but if this one person in infrastructure is on paternity leave or whatever else, we can opt them out, which is awesome to have. For these long-tail cases, someone's YubiKey got lost in the mail, it was stolen, whatever, that's fine: add them to the exception group, but follow up on them judiciously, and over time you shrink the number of people in the exception group. But you keep it around in case there are lockouts or lost authenticators; there are always cases like this where somebody gets stuck in some sort of exception case, so it gives you that flexibility. We had a lot of moving pieces here, but we had enough back doors, if we needed them, to get people into a working condition while we rolled this out.

So we had some tools to work with here. I talked earlier about platform versus roaming authenticators. The first, most common thing was that people had MacBooks already; they had Touch ID on there, so this is something people already knew how to use. People are often using this to log into their devices, so it's a really familiar interface, which is nice. Past that you can also have Windows Hello, other devices like that; you can also have WebAuthn-compatible keyboards, since some people keep their laptops in docked mode. We're pretty lax about it: you can use any factor, as long as it's a WebAuthn factor, and we will probably support you. We want to meet our users where they are, because we're asking for a change of behavior, so it's important to come to them.

Past that, we wanted a roaming authenticator; it's important to have two-plus factors to decrease that lockout risk we talked about earlier. So we chose to use the YubiKey Security Key C NFC. It's kind of a mouthful; it's this blue key, about 30 bucks a pop. One of the really cool things about it is you can bootstrap a new phone using NFC: if you have a phone you want to use as an Okta authenticator itself with WebAuthn, you can tap the key on the back with NFC and use it that way.

One of the other things, sort of a UX philosophy here: you don't want both your factors to travel together too often. You can have the low-profile 5C Nanos that live inside the laptops, but the Security Key C NFC is big; it's probably not going to travel with the laptop because it sticks out like this, and so we want them to live in separate locations. That was my theory of the case. So it is 2FA for us; it's 2FA. You can use these as your single factor with passkeys, which I'm not going to touch on too much today, but it's very exciting, I highly recommend reading more.

So we have a plan. Sounds pretty easy, right? Let's talk about what actually happened. We have a planned timeline; all good projects should have a planned timeline, and they should all be as optimistic as I was. We started this off in May 2022.

In June we had it all rolled out to, or we wanted to have it all rolled out to, security, IT, infra, execs, and so on and so forth, basically one month after another. We're like, cool, four weeks is long enough to get some addresses and ship out keys, no problem, it's basically like Amazon, right, what could go wrong? It went pretty well, but "everybody" was a long tail after that; you can see it pushing off the page there. So we went into this year. People who were FTEs, we were able to get to them pretty quickly, but that long-tail case is a very, very long tail, because you're talking international logistics at this point. If you take away one thing from this talk, it's that when you go through this, figure out your international logistics way in advance. Shipping to a distributed global team is really, really hard, and I don't work for importers, but just pay for importers for those countries that are really difficult. That's something I wish we had done.