
Passwords are dead? Long live WebAuthn!

BSides KC · 2021 · 56:48 · 139 views · Published 2021-11
About this talk
WebAuthn is a web standard that replaces passwords with public-key cryptography and biometric authentication. This talk explains how WebAuthn works, its security advantages over passwords, and practical challenges to adoption—including cost, compatibility with remote access, and potential legal implications of biometric-based authentication.
Password security is getting out of hand. You only need to watch the latest news stories about large-scale breaches or visit the haveibeenpwned site to see the current state of password security. Expecting end users to invent complex passwords for every web site they visit is untenable. Wouldn't it be great if there was some new technology that uses public key exchange and biometrics to get rid of passwords altogether? Well, that technology is here. WebAuthn (Web Authentication) is a web standard published in 2019 by the World Wide Web Consortium (W3C). The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography instead of passwords. Despite being an emerging technology, this standard has already been adopted by leading browsers and platforms. This talk aims to shed light on the technical details of what WebAuthn is and how it works. We will also cover the security pros and cons of this new standard and make predictions about what this may mean for the future of web application security. This is an introductory talk. You do not need any prior knowledge of web authentication or cryptography to benefit from this talk. Alex Lauerman (Penetration Tester at TrustFoundry): Alex is a penetration tester based in Overland Park, Kansas. Alex is thankful for being able to spend over 10 years of his life building and breaking applications.

Transcript (en)

Thank you, thank you. Hey everyone, who's ready to hear about some exciting new password technology? All right. So today we're going to be talking about WebAuthn. It's a new technology that's aiming to kind of get rid of passwords on the websites you visit every day. I am Matt South. Alex Lauerman sadly could not be here today; he's still alive, he's just in Colorado. So I'm going to be kind of blazing through his portion of the talk, and like an idiot I was like, well, since he's not giving his slides and I'm going to blaze through, I'll do another demo. So I added a second demo, which will probably come and bite me in the butt here. So, ready to crash and burn? Like I said, I'm Matt South. I'm a pentester, I work for TrustFoundry, and I've been testing mostly web apps for about seven years.

Okay, so we're going to kind of fly over WebAuthn in three chapters. We're going to talk about what's wrong with passwords and why WebAuthn needs to be a thing; we're going to talk about what WebAuthn is and how it solves some of the problems; and then we're going to kind of make predictions on what this might be for the future.

Okay, so let's start: what's wrong with passwords? The biggest problem with passwords is that passwords must be strong, or must be complicated to be strong. A lot of users pick weak passwords, but even if they do pick a strong password, it's going to be hard for them to remember it, it's going to take them more time to type it into the site that they're visiting, and then there's time wasted for IT departments or whoever resetting their passwords when they forget these long complicated passwords. All this makes it an easy target for attackers. So we're essentially saying, like, "Janice in accounting, figure out a really secure password to keep hackers out of our company." So we're putting the responsibility on Janice to protect the entire company, and that's not fair.

So one solution: let's use passphrases. Who's seen the "correct horse battery staple" that I've got up here? Okay, so we've all seen it. So the idea here is to use a long sentence instead of just a string of random numbers; you use a sentence of random words like "correct horse battery staple." The issue with that: they're easier to remember for sure, but it still takes forever to type. I use these a lot on the apps that I visit, and typing, you know, ten random words into your phone with your keypad sucks. And in 2022 they estimate that the average internet user will have 207 web accounts. That's a lot. Think of how many "correct horse battery staple" random sentences you have to remember, times 207. That's a lot. And many users, because of these issues, reuse their passwords. So raise your hand if you reuse your password everywhere. No? Just don't worry. We wrote this talk, you know, 18 months ago, so I said "a recent study in 2018," so it's not that recent anymore, but a Virginia Tech study found that 52% of users reuse their passwords, and I don't want to admit that I have a couple of sites where I reuse mine,

but I'm the security guy and I reuse mine. Also, Have I Been Pwned, I hope you guys know about that site. They have 8 billion records as of 2020; there's probably more than that now. So have you been pwned? Yes, yes you have. Like, if I go in there and check it out, you know, seven or eight or ten hits or something on there. So all that to say, like, even if you have a good password, the sites you visit might leak your password and get breached.

So let's use password managers. Right now this is the best option we have, so I hope that everyone is using a password manager with strong, hard-to-guess passwords. But this turns password managers themselves into a high-value target, so all your eggs are in one basket. So if you have them all on your computer or something and someone gets into your password manager, it's game over for all 207 sites that you're on. And a password manager doesn't protect your password from getting breached from a site, so even if you've got a great password, you've got great hygiene, your password could be stored in plaintext on the site you visit, and then that guy's got it. And people can put dumb passwords in their password manager; there's no protection against that.

Also, what's wrong with passwords: we can attack them. So as attackers we like targeting passwords, because finding a zero-day in, you know, an IIS server or something is hard; guessing Jim's password is easy. And phishing: is phishing still a thing? Yes. According to the Verizon report, 32 percent of breaches involve phishing, and when we have a full red team engagement that's our go-to. So if you hire us to get into your organization, we're going to send a few hundred phishes, and someone somewhere is going to click on one of them, then we're going to get in. And we often measure time to domain admin in an hour, so once we get on your machine it's just a matter of time before we own the whole thing.

Oh, so you might say, what about phishing training? Those have a little bit of impact, but there's a Vanderbilt study that found that training had almost no impact. So it does reduce it a little bit, but it's kind of negligible. So you can't train users to not click phishes, because it's a numbers game; you know, all I need is one user to click. So if you're having a bad day, if you haven't had your coffee when you read the email, like, everyone has a moment; it just takes one user for me to get in. And some of the phishes I've sent, like, I would fall for them, and

like, I'm supposed to be on guard for these things. So, just saying, if we're attacking users, users are a soft target. Then we can also attack the passwords themselves, so we can use password spraying, credential stuffing, brute forcing, because again, if you've got a thousand people in your company, I just need one password. So someone somewhere might have "Winter2021!" as a password; I get in. So that makes them an easy target.

So what about MFA? This is also good to enable. I'm not saying don't use MFA; use MFA please, use password managers please. But I'm sure you've heard of SIM swapping attacks, where people target, you know, if you've got a bunch of crypto in your Coinbase app, they'll target this guy's phone because he's got crypto, and they'll do a SIM swap attack so they can log into your Coinbase account. And I've tested at least, like, three or four implementations of MFA this year that allowed me to brute force the MFA token. So I couldn't brute force the password; they said, oh, three tries and you're out. But if I had a valid username and password, it would let me roll through a billion guesses on the MFA token until I got it. So a poor implementation of MFA could still be a target for me. And like I said, MFA is not invulnerable to phishing attacks.

So how would this look? We've got Alice. She's got her phone to receive her MFA token and she wants to go to the site, while me, being the bad guy, I'm going to put a man-in-the-middle site in between her and her real site. I'm going to send her an email that says, hey, you know, your Okta credential is bad, you need to update it, or whatever the email says to convince her to visit my evil site. She's going to enter her username and I'm going to give that to the real site; she's going to enter her password and I'm going to give that to the real site. But she's got MFA going, so it's going to send the MFA token to her phone, and she's going to put it into my site and I'm going to give it to the real site, and guess what, I'm logged in as Alice now. And we actually did this recently; we targeted Okta. So I wanted to give you a quick demo of a man-in-the-middle attack against okta.com. Okay, so this is the new demo I added, so this is where everything's going to crash and burn, so get your popcorn ready. So I've got Okta for trustfoundry.com. Also, you get to type one-handed when you're holding a microphone, so that's fine.

So I got an Okta trial and I set up real users on okta.com. So this is pretend, like, TrustFoundry is using it; we're not, so if you try to hack this, whatever. But this is an actual Okta; like, I created real accounts on okta.com. Let's say I'm targeting... I'm an evil guy and I want to target Okta, so I set up a server. It's called Evilginx. This thing is awesome; if you haven't played with it, it makes it really easy to spin up man-in-the-middle servers. And so I bought a domain called id-okta.com and I set Evilginx up at trustfoundry dash [inaudible], and so now I'm going to email a user at TrustFoundry and get him to visit this evil site. But don't worry, I've got, you know, MFA on there, so my users are safe, right? Here's the URL that I'm going to send to my unsuspecting victim. And so the first thing I want you to notice: this is id-okta.com. If my user misses that "id", which there's a very good chance he will, he's not going to notice that this is a fake site. Also I want you to notice how similar they look, because they are the same site; I'm passing information straight through, so it's identical to the site he visited. And Matt's the user; he's got MFA enabled, he's going to sign in.

So back here on my Evilginx it shows me his username and password. As an attacker I don't really care about that, because he's got MFA enabled, but you'll notice here it's prompting him for MFA, so I gotta log in real quick. Don't worry, this is not the part where I [inaudible].

So he's logged in with his MFA token, and that gets passed through my evil site, id-okta, to the real Okta. At this part, I didn't set it up yet; you could either redirect him to a page that says "password not valid". It normally redirects them to the actual okta.com, but Okta just recently added some protections to prevent that, so it's in an infinite loop. But as an attacker I don't care, because I have his session. Back here it says all authorization tokens have been intercepted, so I'm going to look at my sessions. Right now there's my Matt South user that I targeted. I'm going to get his session token, if I can read it, and I'm going to take his session token and I'm going to put it into my evil browser, like my attacker browser, and I'm going to log in. Hello.

So I'm going to go to the real okta.com, the TrustFoundry one, and I'm going to try to, like, I'm an evil guy, I'm not... well, crap, here, let me sign up, I've been practicing this at home. Okay, so this is my evil browser, and I'm gonna put that session token that I just jacked from this unsuspecting victim in here. So this is a cookie editor plugin for Chrome. I'm going to paste this session token; this is what I'm actually after as an attacker. When I save it and refresh the page, I am that user. So the evil guy stole your cookie and now I'm into your Okta, and if you've got AWS in your Okta, you've got Coinbase in your Okta, or whatever you've got in your Okta, I've got all of your companies. And so even with MFA an attacker can still phish you and still get the goodies. [inaudible]

That was the demo that kept me up last night. So, this is a quote from some fancy-pants Microsoft guy, and essentially what he's saying is, with passwords we put the onus of protecting your organization on the users, and users have bad days, users can pick dumb passwords, users are not security experts like us, so it can put your organization at risk. And we try to make it their fault; we're like, oh, that idiot didn't change their password or did something wrong. They're people. Like, we're asking people to protect organizations, and people can mess up. And even us as security guys, we make mistakes too; like, I fall for phishes and I get tricked sometimes too.

So, WebAuthn to the rescue. WebAuthn uses public key exchange, public/private key exchange. Who knows everything there is to know about public/private key exchange? Who wants to explain it? Just joking, me neither. So public/private key exchange is complicated, but I want to bring Alice back; I want to do a little high-level refresher on why this is good and why we want it. So Alice wants to SSH to bob.com, but she's smart and she knows how to use ssh-keygen to generate herself a public and private key pair. So Alice, when she sets up an account on bob.com, she's like, hey bob.com, this is my SSH public key. This contains no information about Alice, this contains no passwords; public keys you can give to anyone you want. But bob.com can use this to validate signatures from Alice, so if they send Alice a challenge and she signs it with her private key, they can use the public key to say Alice for sure signed this. So it's like a signature validation thing. So when Alice comes back later she says, hey, I'm back, and bob.com is like, nice try, sign this and prove that you're Alice. And Alice says, okay, here's that challenge, I signed it, and bob.com uses the public key to say, okay, cryptographically validated that you are who you said you are. And so this is awesome; this is way more protection than normal passwords, it's got increased security.

But not everyone is walking around with private key pairs; not everyone knows how to use ssh-keygen to make those key pairs. Or do they? So there are a lot of places that you are walking around today with public/private key pairs and you just don't know it. So CTAP and FIDO YubiKeys have them built in; those are little public/private key pairs. Windows Hello, which is a TPM on Windows that pops up and says, hey, swipe your fingerprint, that has public/private key pair magic happening in

the background. And even your swipe on your phone, like your fingerprint on your phone. So oftentimes we're already using this, but that is for specific devices, like specific circumstances. It doesn't translate to ebay.com, it doesn't translate to facebook.com. So what WebAuthn is trying to do is use this technology that we're already using on the sites we visit every day. So how are we going to do that? Alice is back. We're going to take her public/private key pair that she's walking around with, we're going to give her a little authenticator device that she can unlock with her fingerprint, and it's the same conversation as before, but Alice doesn't have to be a security expert and know how to use ssh-keygen to get this going.

Okay, so how is this gonna look to Alice, like when she goes to ebay.com? What's gonna happen when she tries to sign in? Well, I'm glad you asked, because I set up WebAuthn on ebay.com. And so normally when you visit ebay.com you have to open your password vault and you have to type in your 54-character password. I've set up WebAuthn here; I've visited the site already. It's like, hey Matt, welcome back, you want to sign in? I'm like, sure, I want to sign in, and my TPM platform on Windows is like, hey, give me your fingerprint. All right, oh wait, and that's it. Did I have to type a 52-character password? Did I have to do anything special? No. And this is more secure, because it's a public/private key that just happened, so if an attacker is trying to attack that, he's trying to attack math and not my imagination or my creativity when it comes to making a password.

So I hope you can see that that was very easy for me to sign in; it's less friction on the user. So that's what I wanted to show there quick.

[Audience: but if there wasn't already a user cookie set, you would have to put in your username?] Yes, and then you would... yes, and it recognized that I had already visited previously. So the question was, if it didn't remember me, how would this look to the user? I would have to type in my username, and then it would say, okay Matt, swipe your fingerprint. So there would have been a field where you type in your username. Good question.

Other question? [Audience: this seems very relevant for user accounts; I'm curious if there's an application for service accounts or non-interactive accounts.] The question was, this is good for user accounts, but how is it going to look for service accounts or non-interactive accounts? That is a really good question. So the purpose of it is mainly for, like, web applications, where you would use password authentication. A service account on the web might be for, like, an API maybe, or something on the back end, in which case you can use... I don't know if WebAuthn would be a good fit for that, because it's mainly for users; it's designed to get users into sites easily. If you're designing an API, you could already design it to use public/private keys, or you could already use, like, a 200-character-long random string, so it's easier for the machine to use it securely. So I don't know if that answers the question. Any other questions? Oh yeah, good point, a service account isn't going to be phished; that's a good point.

Okay, so let's pretend that you're in charge of the whole internet and you're trying to make WebAuthn work. Who needs to be involved? Like, who are the players that we need to bring to the table to get this to work?

Any guesses? You are. How about an app developer, so the people making the sites? Yes. Who else needs to be involved? Someone said browsers. Browsers, yes; the browser manufacturers need to be in on this. And like he said, the app developers, so site owners need to be in on this. And then the OS people; so the fact that Microsoft popped up and said, hey, swipe your fingerprint, they need to be involved. And if there's any hardware involved, so the device manufacturers or the fingerprint guys, they need to be involved. So we've got all the players at the table. In FIDO2/WebAuthn land we call these the authenticator, so the hardware platform guys are the authenticator; the client is the browser; and then the relying party is the site that's trying to, like, rely on this authentication.

So how are these guys going to talk to each other? So we've got something called the WebAuthn API. To confuse things, which I'll get into later, there's another WebAuthn API. I think this is a browser-to-website API, and it's in JSON format usually. We had to create new... I say "we", I had nothing to do with it... there's new JavaScript functions that needed to be created for the browsers to call authenticator functions. And then there's another WebAuthn API, which, when you're trying to research it and they talk about WebAuthn and I keep talking about two different things, you guys are confused, but this is like an OS-level API, so think like a JavaScript or Java API or like a C API. So this is an API for how browsers can talk to platforms and operating systems. And then CTAP2 is a standardization made by the FIDO Alliance that's already in use; that is a way to use authenticator devices, so it's like a standard for how authenticators talk. And I'm going to use the words FIDO2 and WebAuthn and CTAP. So FIDO2 is the hardware people... well, FIDO2 is hardware plus the WebAuthn API, so FIDO2 is the whole thing, CTAP is the hardware stuff, and WebAuthn is the web stuff.

And so CTAP2 on the hardware side supports new features over and above CTAP1 specifically. So CTAP1 is the YubiKeys that you are used to, like when you plug it in and just tap it and it does some magic and lots of different things. CTAP2 added user verification, so a fingerprint or a PIN number, so it's got additional features on top. It also stores your private key locally, so no sensitive data is ever sent from the authenticator. It has the option for extensions, which will allow for further improvements down the road. It's compatible with existing TPM models like Microsoft Hello, and it's also backwards compatible with CTAP1, so you can use your YubiKey to authenticate to eBay if you wanted to, because it's backwards compatible. And I kind of mentioned this: WebAuthn lives in the W3C spec, so WebAuthn was designed by the browser guys and the website guys; CTAP2 was the hardware guys; and FIDO2 is kind of WebAuthn and CTAP. So if you see these acronyms flying around, I just had to untangle all that, so I wanted to help untangle it for you, or maybe I tangled it more, I don't know.

So there's two general commands. Like, when you visit a site you're like, hey, I'm new to eBay, I wanna register, so there's a register user command. And then when you come back you're like, hey, I'm Matt, I want back in; there's an authenticate user command. So there's two high-level commands, and this is just like passwords; this is what you're doing already, except when you register a user you'll register an authentication device and not a password.

So how is this gonna work? This is where we get technical, so if you want to, like, get out your phone and think about something else while I'm in the weeds, go for it, I won't be insulted. But this is where you're going to look at JSON blobs and your eyes are going to roll in the back of your head. But Matt visits a site and he says, hey, I'm new to eBay, I want to create a new account. The site responds with this big JSON blob, and I'm going to tell you what all of this is. This is a challenge that it wants you to sign for the first time, and this id is the domain. This is important, because this is what prevents phishing with WebAuthn: so that domain name, webauthn.io, is going to match the domain that you're on in the browser, so if it's webauthn-evil.io it's not going to match. So this is super important right there for phishing.

Further down in the JSON blob, the site's saying, this is a list of the algorithms that I accept, and usually there's about a dozen or two dozen algorithms there. This authenticatorSelection: most sites aren't going to care about this stuff, but if you're like a high-security type situation, you can specify these are the types of authenticators that I will accept to authenticate to this site. authenticatorAttachment can be platform, cross-platform, or unspecified. The platform authenticators are like Microsoft Hello that you saw earlier; cross-platform is like these USB keys that you would plug into your device; and then unspecified means it'll take anything. requireResidentKey, I think that's a setting where it will remember your username so you don't even have to type in a username. userVerification: those options are preferred, discouraged, or required, and that user verification takes the form of a PIN number or a fingerprint swipe or like a face scan; it somehow verifies the user before it unlocks the private key. And this is an advancement over normal CTAP that I mentioned. timeout down here is pretty self-explanatory; this is how long the authenticator, the relying party, will wait for you to authenticate. And then this is extensions down here, where hopefully in the future people will be building out cool additional features, but there's nothing there yet. And attestation, this one's confusing, so we'll talk about that later.

It's later. What the heck is attestation? So a successful registration ceremony always returns an attestation object, which confused me at first, because as I understood it as I was researching, attestation is a way to verify the device that you're using, so you can attest. So an example is all Samsung Galaxy 8 phones that were manufactured on a certain date at a certain facility; they have an attestation certificate that you can verify, like, this is verifiably a Samsung phone that was used to authenticate. So you can attest, like, it's validating the validators; it's a verification of the authentication object. But what confused me, like, I would always select "none" for attestation, because as I was playing around I didn't want attestation, because that's for a high-security type situation, like your Department of Defense or something, where you want only certain authenticators to authenticate to your site. So I was always selecting "none" as I was testing and playing around, but I kept seeing this attestation object coming back. I was like, no, I said no attestation. Come to find out, the attestation object is the public key that gets sent to the site when you're first signing up.

So there's the attestation object, which is different than the attestation option, just to confuse everyone. Hopefully that cleared it up; hopefully it didn't confuse you more. So that was when I registered for an account; that was coming from the website. Now your browser has to do some work. So you said, hey, I'm a new user, what languages do you speak, site? And the site's like, I can do this. So now your client, your browser, calls navigator.credentials.create, and also when it's calling that, it matches up the origin from where you're talking to the credential that you're creating. And then this will start: when it calls navigator.credentials.create, it's like, hey Windows, hey Mac, or whatever, fire up your Windows Hello or your TPM or whatever to authenticate this user. So the user will get that little pop-up; they will swipe their fingerprint. It's funny, when you swipe the fingerprint they call it an authentication ceremony, so every time I'm doing this I imagine being in church or something. I think they ran out of words to call things; like, it's not a tap, it's not a swipe, it's not a click, what is it? We're adding stuff to call it, how about a ceremony? So, authentication ceremony. So in the example I showed, when the user got a pop-up, the user scans their fingerprint, does the ceremony. Your browser says navigator.credentials.create, I want to create a new credential; the OS gives the browser this information. So what is this information? The operating system creates a GUID for the new public/private key pair that it just generated, so it's like, here's this GUID. This is the attestation that confuses everyone, but this is just the public key. So it's like, here's Alice's public key, and here's the GUID, here's what you're going to call this key, here's what the key is, and also here's a little information about the authenticator I used to create that key.

So let's demo this. Another new one; I'm a glutton for punishment. I have Burp Suite, which some of you are familiar with; this is a web HTTP proxy so I can see the traffic and tell you what's going on. I'm going to go to webauthn.io. This is a site, I don't know who made it, but it is awesome and you can play around with it; it's like a WebAuthn playground. You can probably go there on your phones now if you want. But it has two functions: it lets you create accounts and lets you log into accounts. There's nothing behind the login; it's just to see WebAuthn happening. So I'm going to create a new user, Maddie McFadden. This attestation type and authenticator type and these advanced settings, these are normally set by the site that you would visit, so a user normally doesn't get to choose all this; normally the site's like, here's what I'll talk. So we're going to leave these alone, but in the playground it lets you set all this stuff so that you can create a user with the settings, but normally the user wouldn't pick any of this stuff; the site speaks what it speaks. So I'm going to register a new user. Hold up, what just happened? So I got a pop-up. How did this happen? So I'm going to show you what it looks like in our HTTP proxy. Right here my browser said, hey, I want to create a new user called Maddie McFadden, and the site responded with this; let me make it a little bigger for you. Which is what I just described to you, so it says, here's a challenge, here's the id of the site that I want a new credential for, here's the username, here's the languages I speak as far as crypto languages, and here's the authenticator types that I'll accept, and also you have 60,000 milliseconds to do that. Then my browser called navigator.credentials.create using this information that was from the site. So my browser said, hey operating system, create a new credential, and that's when we got this pop-up. So the navigator.credentials.create pop-up is saying, hey, this wants to create a new key, swipe your fingerprint and we'll make a new key. So I'm going to swipe. I now have a new public/private key stored in my TPM, my Windows Hello. And, oh sorry, there's one more thing that I want to show you. After I've made the credential, this came from the operating system and I'm sending it to the site. So I'm like, hey site, I created a new credential, here's this big long id, and here's that attestation object that confuses everyone, and also here's some information about the authenticator that I'm using. So from now on, when Matt comes back, the site is gonna say, oh, you're Matt, well, look up this private key for this id and sign this challenge. So it's going to use this information when Matt comes back. Okay, so what does Matt coming back look like in the weeds?

so matt's back he says hey i want back in i created the credential the server is going to say okay this is a shorter response because it doesn't have to say all the algorithm and all this other stuff the server is going to say okay great you're mad you should have this id that you gave me so look in your tpm for this id when you register it and sign this challenge using your private key to prove that you're mad and then my browser is going to say navigator.credentialgit instead of create so it's going to say give me this credential and this will call it the ctap2 api for my operating system and pull the credential and that's when

i'll get that little pop-up to swipe my fingerprint um my the operating system is going to give back to my browser this information which it'll say hey that id i found it for this id here's a cryptographic signature so there's my signature that proves i'm mac you have the public key go ahead and validate that i know who i say i am and also here's a little information about the authenticator i've used and so let's see that so back here on web created a manufacturing account i'm going to log in wait what's going on let's see so it says get me maddie mcfadden and it says cool maddie mcfatty has this channel or this is the challenge i

wanted to sign you guys cannot see that it doesn't matter it's all generation um it's like big long characters that don't mean anything and this is the domain that you're on and here's the key id that i want you to sign up with so sign this challenge with this key and then my browser called navigator.credentialgit popped up a thing for me i'm going to swipe my fingerprint and i'm in so what happened there from my operating system it said okay i found that id here is the signature so i signed your challenge and also here's some information about the authenticator that i use so the site said over here signature verified come on in magnificent batting so like then use the

public key it already has to verify that signature on that challenge um okay we're done with the boring stuff so you can come back to her um so i heard one uh talk on this that the speaker called web often is a unicorn i was like why aren't they going in the unicorn he said for security for most things as things get more secure there's more friction for the user so it's harder for the user think of like mma tokens like you're like oh crap my phone like you gotta pull your phone out then you're like which authenticator was that because i got like six on my phone now and so like there's more friction for the user

Imagine your front door with like six locks. How long would that take you to get through? So more security usually means more friction. WebAuthn, on the other hand, is more secure than passwords and easier than passwords. So it's a unicorn: it makes for less friction for the user, but you're using public and private keys, so it's more secure, and it's phishing resistant. So here's some MFA options in order of increasing security, but like I showed with Alice, these can all be phished: if they're entered out of band, they can accidentally be entered into a phishing site. These, on the other hand, are harder to phish, so there's U2F keys and the WebAuthn FIDO2 keys. And because of that RP ID, the browser is enforcing, like, hey, you're not on okta.com, you're on id.okta.com. So the browser's enforcing the domain, so I can't trick anything here as an attacker.

So I want to show you one last demo. This is the last one, I promise, I'm like addicted to demos today. Let's go back to that evil site that I set up. So I set up two users on okta.com. One user I set up with MFA, and you saw him logging in, you saw him get phished. I set up a second user using WebAuthn. Traditionally on sites WebAuthn is supposed to be like the primary authentication mechanism. Okta has it as an MFA option, so normally you wouldn't need a username and password, but Okta has it as like a second factor of authentication. But it's fine, I wanted to show you it in action. So I'm on the evil Okta look-alike site, this is id.okta.com, and on my evil site it's like, oh, you got a new user coming in, so let me enter in his username and password, and it's like, oh, you got a security event happening. And on the evil site I got his username, I got his password, yes. But notice what it's saying here, it's like, hey, I'm looking for a key for id.okta.com, I don't got it, plug in your U2F key or wherever this thing is, because I don't have it. My Windows Hello, my TPM does not have a key for id.okta.com, and there's no way for it to, unless I set the user up on the evil domain, there's no key in there. So the only button I can press is cancel, and Okta's just like, uh, you're not getting in there.

We actually had an engagement where we were doing this Okta phish, and the sysadmin or the CSO or whatever was like, hey, this WebAuthn technology would be a good idea for everyone to get on, and he did that two weeks before our penetration test. I'm like, oh, okay, great. So he had all his users switch to WebAuthn before I tried to phish his organization. It was hilarious. He studied for the test, that's what we call it. He studied for that test, didn't you? Luckily they had fallback mechanisms, like if the fingerprint didn't work you could use your phone or something else, so there are some fallbacks.

Okay, so let's talk about some pros and cons. I kind of hammered the nail that it's breach resistant. Breach resistant means if your site is hacked, I

dump all your users and all their credentials. With WebAuthn all I have is a public key. Who cares if I have 400 public keys? It's public information. It doesn't do me any good as an attacker. So if your site gets breached and ends up on Have I Been Pwned, it doesn't matter, there's nothing good there. Also it's based on strong crypto that we're already using, public/private key exchange. It's proven crypto, and this means attackers are attacking that. So I'm not attacking your creativity in making a complex password, I'm attacking math, and that's much harder for me to attack. Also it's backward compatible with FIDO1, so you can use U2F keys and stuff with this.

One word of caution though: if you are using U2F keys, if you switch to WebAuthn for all your accounts and you're just using a normal U2F key, if you lose that, there's no user verification, there's no PIN, so if people get your U2F key they can get into everything. So I would recommend, if you do switch over, even though it's backward compatible, getting like a FIDO2, a WebAuthn device. And all major browsers already support this. Your browser already has this ready to rock, your operating system already has this ready to rock, it's already here. It's just a matter of the sites starting to support it. And there's platform support, so Mac, iPhone, Windows, Android, they all support it.

So, cons. Your device can be lost or stolen. Imagine you've got your laptop with your fingerprint scanner set up with all these sites, and then someone steals your laptop. You're up a creek, agreed. The official recommendation is that you register multiple authenticators. So ideally, you know, five years from now we're all using WebAuthn, we'll have our home laptop, our work laptop and our phone, and one of these little authenticators all registered to your site. But that brings me to a second con, because it's costly. These authenticators, these USB keys, cost about 40 bucks give or take, if your laptop isn't new enough to have a fingerprint scanner. 40 bucks doesn't sound like a lot to us, but think of someone from like a third world country or something, 40 bucks can be a lot, and if you're saying you need two of them for each site you visit in case...

And I haven't heard anyone talking about this, but there could be legal implications, meaning under the Fifth Amendment you can't be compelled to share your password because it would be self-incriminating, but you can be compelled to share a fingerprint or some other biometric thing. So I'm not a lawyer, I have no idea what I'm talking about, but if all of your stuff is fingerprint enabled and you can just swipe in the fingerprint, there may be a way for law enforcement to compel access to that. So that's another thing to consider.

What sucks for me is WebAuthn makes it harder for bad guys. So now I'm fighting crypto, like I said, instead of grandma's creativity. There's no more hashed passwords to dump, so when I get SQL injection I'm like, yes, I got the whole database, oh, it's all public keys, who cares. So there's no more phishing, I showed you what happens when I try to phish, it just stops me. So it's a very sad day in

Hackertown. So what does this mean for the future? I'm gonna act like I'm an industry expert or something to predict what this means for the future. Actually I just stole these ideas from other people that are smarter than me. Normally we phish a credential to get into your organization, and so phishing has been on the rise, especially as cloud stuff is more and more popular. So like I don't really care about getting onto your laptop, I really care about getting into your AWS or into your Okta or something like that, so phishing's on the rise now. But if everyone switches to WebAuthn, I think malware could be on the rise, so like people will be, okay, well, everyone's got these authenticators, so I'll try to get malware on the machine and try to get in the middle of authentication that way. And there's some barriers to widespread adoption, like I said, cost. And then as I was testing and RDP'ing into my Windows machine, it was like, oh, you're in an RDP session, WebAuthn is not a thing, there's no USB device. So we're going to have to figure out RDP and similar situations. Great potential for innovation and adoption: this is a disruptive technology. We all know passwords, we've been using passwords since the internet's been a thing, so I think there's a need for some disruption here, so I think it's going to take off. And there's potential, especially with the fact that they have it extensible, so if you think of something cool that you can add to WebAuthn to improve it, there's space for it to be improved.

I think that's everything. So I've reached out to this company, I think they're called... and I was like, hey, I'm giving this talk, will you give me some keys and I'll throw them to people if they're brave enough to ask a question. And I don't get paid by these people, I have no relationship with them, they were just being really chill and giving me keys. So if you've got questions, go ahead and ask them. I think we already had a couple of people. Last question? Do you want to keep... all right, come up and grab a key if you already asked a question. But yeah, who's got other questions?

So the question is, how do you protect just the thumbprint, if that's what it is?

Good question. So this question is like, if I get compromised, I can't chop off my thumb and get a new thumb, what does that mean for WebAuthn? Well, the thumbprint just unlocks your authenticator device. So you can use a thumbprint, you can use a PIN number, iPhone has the Face ID stuff. So all that is is a way of, like, if your laptop gets stolen, if your phone gets lost, it's a way of keeping your private keys private, to prevent other people from authenticating as you. So the sites don't have your thumbprints, no one really has your thumbprint, it kind of stays on the device. So imagine if you have a U2F key and you're using that to log into everything, but there's no thumbprint validation. If you lose that key, I can just plug it into my machine, go to facebook.com, I'm in as you. But with the thumbprint or the Face ID, there's another hurdle for me to get over in order to unlock that device to get in as you. So it's just a way to protect the authenticator device.

So the question is, could someone steal my thumbprint and unlock the device? That's a manufacturer, like a hardware manufacturer kind of thing. So I imagine, as I was doing this research and I'm like, how do I attack this, I think people might start, if there's a U2F key or something that's very popular, they might start targeting that and try to find a weakness or some sort of flaw with the way that hardware is set up, to try and get it to dump your keys or try to trick it into unlocking when it's not really your thumbprint or something like that. So yeah, it would be a hardware-by-hardware kind of thing. Come grab one of these. Who else? This guy's had his hand up in the back for a long time.

Yeah, so regarding that, can you define an attestation to find some arbitrary specific device that you designed yourself, to at least show that your tactics are... at least that initial query, as part of that initial pass, did you send something arbitrary there so you can say, I don't want you to...

So his question was about attestation, like could I make my own attestation object? I don't know. So attestation is like a certificate, like when you're manufacturing something. I would imagine, I don't know that there's some sort of central attestation repository anywhere, or maybe there might be. I don't know enough about it to answer that question intelligently, but I don't think, like, let's say it's not you trying to create one for yourself, let's say you're a small business trying to get going: am I allowed to play too, can I create an attestation certificate? I think the answer would have to be yes. I think you should be able to play and create your own devices. So I don't know exactly how it works, but I think the answer to your question is yes, you should be able to create an attestation signature for Bill's thumbprint scanner or whatever. You should be able to do that.

Yes, since you're already using it to say if you only allow certain devices, I figured maybe you can have another new device.

Yeah, that's a good idea. Come get a little thing, Bill. Yeah, you remember? Thank you.

Is there an easy way for website owners to just, like, plug and play, switch over authentication? Like, is that built yet, or is it... I mean obviously it's going to differ

how they authenticate, right, but like, how prohibitive is it for website owners to implement this technology?

So this question is, how hard is this going to be for web owners to switch over? I don't know. I would have to imagine it depends on your framework. So if you're using Node or something, I would imagine that there's like a Node WebAuthn module that you can install, but it would depend a lot on your framework. Hopefully it's easier than passwords because you're not storing all the hashes. So hopefully it's easier, but I don't know, I don't know for sure. Come here.

So the question is, would a more complex man-in-the-middle attack work? When that company switched everything to WebAuthn right before I pen tested it, I was racking my brain like, how am I going to attack this? The only thing I... because it's the domain. So on the evil Okta look-alike domain, I don't have a key for that. I'd have to trick them into registering on the evil domain first, and then when they come back I'd have to trick them into going back there to re-authenticate. I could not think of a good way. The one thing that I came up with, I was like, what if I mailed them like crappy authenticator devices and it's like the same private key for every request, I could just get the same response or something? I wonder if I could trick them into using that to authenticate to okta.com. That's the only way I can think of, but that would be hard. I think to answer that question, you'd be attacking the hardware, you'd be attacking a weakness with one of these authenticators or something.

So I have, at my job, I have my user account and I have some admin account, and because of web controls I need to do certain things. I only use one browser for my user and I only use a different browser for my admin. I see where you're going. If I go through all the process of getting WebAuthn set up, I'm technically going to have a key tied to that browser.

So his question is, what if I've got one machine and multiple accounts for the same site with the same thing? So like if I've got an admin user and a regular user that I need to log into. Great question. Each time you register you tell it this username, so you're going to tell it the username when you're registering that device, and each time you create a new key pair it gives you a random ID. So when you come back in and say, okay, I'm not Matt, I'm admin, it's going to say, well, I have a key for admin and this is the GUID, so give me that, like, sign using that key. So it's perfectly fine to be able to do what you ask. Go ahead and get yourself a key.

So the question is using this with something that doesn't use a browser. That is a great question that I haven't thought about. It's designed, again, for users using a browser to log into web apps, so it's like a web app user kind of thing. I don't think there would be anything that prohibits Steam or some sort of thick client from using this technology, so it shouldn't be prohibitive. What I'm thinking is, the standard is like security people created it and stuff, like if Steam is doing their own, or like if I build an app, I'm an idiot if I'm like, well, I got to implement this WebAuthn stuff. It might be ripe for errors if I'm doing it myself, so there might be problems there, but I think it could be done. I don't know. I got one left up there if you want to grab it. I'm not going to be teased, but if anyone else has any questions... they were like, I don't have questions, now what about you, this is just like everything else.

So his question was, what about backup recovery stuff? And I think I had notes in here to talk about in my slides, but I was nervous and skipped over it. The recommendations are... so the ideal recommendation is to have more than one authenticator, like I mentioned. Do a normal forgot-password type thing, like, my dog ate my authenticator, and you could do a forgot-password where they would email you a magic link. That's the second best. What I read time and time again was do not fall back to passwords, because it'd be like, I forgot my authenticator, cool, what's your password? Then an attacker is just going to say, I forgot my authenticator too, so you're just attacking passwords. So don't fall back to passwords. Anything else? We're almost at lunchtime.

Vectors to steal the private key off the client: I was thinking a lot about that when I had that situation, like how am I going to break this, and what I came to is it's going to be a hardware, manufacturer type situation. These keys were very easy for me to break into and change the keys before I gave them to all of you guys. I literally did not do anything for these, I'm not that smart. It would depend on the hardware implementation, and so I would think that Windows and TPM and iOS and all that would be pretty well protected against attacks like that. But this is a brand new technology, so this is kind of uncharted water, so if you want to try to break it and steal people's private keys, that might be a good area of research. So let's go to lunch.

all