2FA So Strong It Could Be 1FA: Integrating WebAuthn for Phishing-Resistant Authentication

okay hello and welcome to 2fa so strong it could be one effe integrating web off n for phishing resistant authentication and our speaker today is Greg Strohmeyer and Greg is an application security engineer for Gemini where he works to shift security as far left as possible he's gonna tell us what that means okay good when he's not developing features to enhance the security of Gemini's main products he's performing security assessments building developer tools and creating secure coding curriculum we're gonna have time for questions at the end and if you want to ask a question please use the microphone this is a big room here and would you please give a very warm welcome - great thanks very much so

yeah - it's the promise of I wanted to start out with myself so I'm Greg

previously I worked at a startup doing privacy and security called toffee not sure if anyone's heard and I'm coming to application security from the developer perspective I'm a software engineer by trade but just got super into security and I think there's you know ways the weekend may get really great for the developers and for security engineers and for the users so it has anyone heard of Gemini yes cool we're hiring come work for us okay so yeah Gemini is a licensed digital asset exchange and custodian founded by Cameron boss a couple more points that are pretty important but I'm gonna try and squeeze a lot of content in so I'm gonna keep moving so yeah I try and shift left

as far as possible so traditionally shift left means moving the security and capturing vulnerabilities before they make the prod as soon as possible so kind of thinking about watching for vulnerabilities and sort of anomaly anomaly monitoring watching the build pipeline and keep shifting left and so we get to threat modeling so in the design phase or creating security features where no insecure code hits the hits production so one of my latest projects was web off in another project I was like a compiler plug-in so that the developers don't even get a clean compile if they are using sort of an insecure method or framework or something so I'd love to talk about this stuff seriously come jam'iyyah

so web off then it's pretty awesome it's pretty new standard so I'm going to kind of run through what it is what problems it addresses how we integrated it at Gemini hopefully I can work out demonstrations if I can figure out display issues and then some sort of important considerations since this is a new sort of standard there's still a lot to be learned from it and then definitely take questions so this is one of my favorite quotes about the technology it is a web ball then is a unicorn because it decreases user friction and increases security a lot of times us in the security engineering kind of see convenience and security as like mutually exclusive but web then is

a great counter example so I imagine people have some idea what web app then has anyone used it before that's like a consumer that's awesome how about anyone ever implemented it for their own code or production or hobby or something nice so weboth then is a w3c recommendation standard that was published in March of this year so it specifically defines an API for strong attested scoped and public key based credentials for web applications so that they can users can strongly authenticate so it's kind of weird to think about new specification talking about authenticating users surely we've gotten it right by now but there's really a lot of the same issues we keep having over and over so the biggest issue is users

need to authenticate to services securely and typically the three sort of approaches for this are to claim who you are by something you know something you are or something that you have I know this is pretty like old premise here but I think bringing up in light of new technology kind of gives us some interesting perspectives so we use this everywhere everyone has passwords we have probably too many to count and hopefully everyone has a password manager so a lot of the something that you are or there's something that you have they haven't really caught on there's a little bit of more adoption I'd say recently with things like touch ID or Windows hello but a lot of the

issues that we're having with it sort of historically were things like just not user friendly or things like batteries would die your screens would crack or there be multiple keys individual service that you have to keep track of so password authentication everyone's pretty familiar it's about something you know and where can this go wrong well it can go wrong in countless ways and it often does so we can think about passwords as being really easy or really available at least for users but they're really failing us as an authentication method and really they're pretty much always happen so where are these where are the ways that passwords are failing us it's something that you know which means it's a shared secret

which has its own risks involved there's poor generation often time by our own heads which are infamously terrible at this there's poor management of it so there's you know writing it down in books - laughs debit options may be better than reusing them which is another huge issue so we think about using passwords and authenticating and proving who we are pastors just aren't enough but we still use them so let's add something on to it so we have first factor pass first factor authentication and passwords we have second factor with a number of different ways so thinking about things that you have things that you are something that you know be is something that you have it all be kind of tricky

here so one-time passwords time-based otps biometrics security keys cards fobs all these kind of fit in those little categories and they really haven't shown up for us in the ways that we need them to so something like SMS two-factor off it's something that you know so if you have the first factor password authentication it's also something that you have kind of because it's a cell phone that you don't necessarily always control and it can get out of control pretty quickly so there's a bunch of huge risks here that we all kind of just accept and maybe there's a better way so one of those a handful of the problems that we're seeing here is many of them can just be fished whether

it's the otps or even like email links associated with the phone numbers which are pretty historically bad at you know being sources of identity phones can often be ported or spin swapped and what's even the difference between those and many of these are used for account recovery so if you have SMS as your fallback mechanism to getting back into your Gmail then that's your lowest bar for security and it's potentially a huge risk and we've heard that you know some of our users tonight are going through the extra steps of getting into contact with their telco providers and saying hey I want extra security on my account give me a pin and then it turns out that

some of the people providing customer service just wanna make customers so happy that they'll bypass other accounts security measures just so that they can be better suited better you know helping those customers so it's a it's a tricky spot that we're in here and it has huge impacts so I've got a couple headlines from the crypto industry but obviously they're primarily targeted but we're all sort of you know at risk in the same ways this guy had a great moment where he fell victim to an attack he knew he knew he should have known better think it was an engineer and he publicized it how people kind of raise awareness so my talk is about - if a so

strong it could be first factor authentication so I've got a list of things but I do want to revisit it later and the primary thing that I think is really great about it is it's phishing resistance so all the problems that we have with phishing in with SMS and other features it addresses those but it also goes for farther with replay prevention man-in-the-middle defense database breach it's agnostic to those where if there's a database breach of your web authentic key so it doesn't matter about anything and then additional features were silent tracking or covert log log and prevention is really handy for you know devices that are capable and a lot of these authenticators these devices are

integrated with you know trusted platform modules or other secure enclaves where you know they're not really gonna get cloned or or be severely at risk for it so well often is part of Fido tubes a bigger standards kind of a overall umbrella standard and it's about something that you have and potentially something that you are so something that you have something like a USB security key like a Yubikey something that you are could be the you know the touch bar using your fingerprint I could also act as a web off an Authenticator so if you look at the authenticators and then the client and then the relying party these are some of the terms they're kind of being used for

this standard and we see that web off that is kind of the interface around the client some with the relying party and then something called C tap 2 which is client to Authenticator protocol the second version of it and this is great and it's got a lot of security properties to it but it also kind of looks familiar for the people that have kind of been in the space for a while so the web off then sort of part of it is really kind of a JavaScript API so it allows people to create and use those public key credentials but the familiar part of it is we've kind of seen this before with u2f and in fact this standard takes you

to eff renames it to see tap 1 and it's also backwards compatible so it's a great way to like not leave users behind who have really put in the effort to have their u2f as a protection mechanism and it gets to bring that forward into this new protocol the additional features that a lot of us on web often brings is a requirement for a user presence so this kind of goes back to a previous slide where I was talking about sort of covert login where that's really not gonna happen with web and it requires some kind of gesture whether it's a tap of a UV key or touching of a touch bar so I'm gonna talk about how we

at Gemini integrated it with our platform so we have been requiring 2fa for our users since pretty much the beginning so it's really important for us to have a secure exchange and I think our users are pretty grateful for that so we got started before the spec was even standardized in fact we weren't even sure when it was gonna happen it was just like we better get this out there we want to see it working doesn't matter this sort of experimental we'll take that we weren't sure what the user adoption would be either especially considering browser adoption or browser support could could either way so I'm gonna give a quick few slides or screenshots of what it looks

like on our platform so just adding a security key you go to our security settings page and you give it a little nickname so you can sort of add a bunch of authenticators and you can tell them apart and it's kind of a little bit of user interface to it and then some of the UI is already built into the browsers so this is a screenshot of chrome showing the authenticators that are available for my laptop so it recognized that I have a USB security key plugged in it recognized that I have a Mac the touch bar that can also act like it and so that's a nice thing for engineers for the developers who kind of

worry about you know creating a UI that's gonna maybe look different from the UI of another side and really want to get users comfortable with it with the browser's kind of taking on the responsibility it makes everyone kind of like move forward a lot faster so some more screens the left is actually using a security key in the right screen is actually using the touch bar so another level of some nice UI and you get to sort of have fall backs as well so you can kind of see the use password or to choose another option there and so when we took this on a big part of what we were thinking about is if users are just

kind of opt into these security keys and then sort of have that as their only way to get into their account and then they lose it then we kind of forced them into an account recovery thing which can be really cumbersome and they're gonna think twice about trying to up their security so we have a rule where you can't sort of disable our original off the second method unless you register two keys and that gives you your sander key and then maybe a fallback that you keep in a safety deposit box or something so I was going to try demo I'll see you see that I'm not going to well maybe no nevermind I'm not gonna be able to like see both

things

[Music]

all right so this is our site this is just me running the application locally see if I can super secret to a fake code and then we're into this site so this is what it looks like now you go up to the security settings for your own account and then there's a and I kind of show slides from this but I think what might happen is I push this and then some of those like UI browser things might actually just show up on my laptop but here's something all right so I'm going to use my unique key that's plugged in and I just had it right there and then it's asking to confirm it and so there's

the same sort of interface there and now there's a security key it's integrated and so I'm going to do this again with my touch bar and there's actually a little prompt on here that you can't see but you have to believe me now and then I verify it in the same way and now I have two security keys enrolled and I can actually disable you know of--they if I wanted to so I think that's pretty cool it's pretty nice and easy it's pretty well integrated with Chrome and I think that brings a lot of security where some of the more traditional methods aren't really there I can stop now for questions if there's any where I can

just go so another cool thing is you can demo this at home as well there's a handful of sites thanks handful of sites that sort of walk you through the process and it's really cool just try it out on your own figure out which browsers are working which you know devices you have available some of the you know older Yuki's maybe they don't work it's pretty interesting so I'm diving into the API right now I'm going to show some JSON blobs but I think there's some pretty interesting things to pull out here so I've got John Snow at the wall and he authenticated for our website it's on localhost right now which is fine but some of these

payloads are going to be useful for us when they get signed and then returned back to us especially the challenge which is going to sort of prevent the replay attacks that we mentioned earlier so yeah going back real quick the Navigator credentials dot create that's a JavaScript API that's in a browser right now and you could try it out so this is just continuing on with that with that blob that requests the initial request for registration and you can see that there's some funky params which are about showing the algorithms algorithms that are available so I think minus 7 is the PG 56 curve doing the ECDSA and then that- 257 is RSA so there's some other

stuff the requires resident key is a pretty interesting component to this where you can require the key that you generate for web off the end for this service to be stored directly on the device that you're using sometimes with with touch ID or with some of the UV keys was actually happening is a key wrapping where they have their own internal key but then they encrypt the private key for a newly generated one which is great because it allows them to not sort of run out of space for additional services so you can use the same key for all of your accounts if everyone just decided to use it but because you can specifically require a resident key then that gives

you an ability to say I have this expectation of the devices being used and I know that the key never left the platform you get a question yeah so it's basically what you saw just now both of the touch ID and the security key they don't require require a resident key it's just a matter of like key wrapping where the private key is encrypted with sort of like a single key that's sort of being reused for different services so it's not sort of a like a loss of security in some ways it's more about those sort of properties of the Authenticator itself so there's some attestation that's another feature to this to this protocol I it has some

properties to that I'm not getting included here but it's a pretty wide open protocol that has a lot of features to it so and then the response that you get back includes sort of this this type this ID and then the client data JSON is some of the data that's being sort of packaged up and returned to you to show that yes this was something that we created in fact it's just basically poor encoded and you can sort of dive into it and it shows sort of the original challenge the origin and it helps prevent those phishing attacks and there was man in the middle attacks as well so the counterpart to it is once you've

created once you've registered a credential or Authenticator then you use the navigators that credentials don't get to sort of perform an authentic authentication or authorization so it's a lot of the similar properties here in fact it's pretty symmetrical between the two API looking for something that's kind of unique to it there's definitely the signature over the client data that is part of the signing of the action being done and then again it's just a sort of client data basically for encoding there's some pretty interesting design decisions made around this protocol where some of it is basically foreign code is some of it still raw binary some of its in old cozy cozy format and you know knowing how to parse

those or get the right data out can kind of be troublesome so again back to 2fa so strong it could be one of they I showed some of the initial promises and now I'm kind of going back on like how it's delivering on those so the fishing resistance is with that origin the browser is going to check that and the authenticators are going to sign over it so there's no way to sort of intercept it and stand up a fake site it's going to be able to sort of pass along a fake authentication it's just not going to work so replay prevention with the challenges in there there's a man-in-the-middle defense because protocol actually requires HTTPS as well

as that origin check diagnostic to database breaches again because it's just public key crypto only the public keys are being stored it prevents the tracking because of that user presses so again it requires some kind of gesture and not to be the touch ID that's having a UV key sometimes it could be like a Bluetooth interaction there and then it detects Authenticator cloning or at least gives you some heads-up by keeping a signature counter so if for some reason you were keep track and I signed into Gemini you know ten times with off it with this Authenticator and then somehow it showed up it that my next one claimed it only signed up for nine then

at some point it's a pretty big indicator that there's an attempt to clone this Authenticator so it's a great like additional step for understanding security and being knowledgeable and being able to make informed decisions so the true face so strong it could be one of a because of the security properties like user presence because of the idea of resident keys because that you can take it even from password lists to user nameless because you can think of those resident keys also keeping track of the actual user identity so you kind of skip a step sort of requesting like oh who's this who am i signing for year it's already gonna have that so some quick

hints and suggestions and recommendations around integrating web off in yourself definitely some things to keep in mind the account recovery story the recovery story around you know lost email or you know getting a new phone it's pretty different to I dropped my yubikey as you were great or something it's not really strong you know real simple ways to sort of recover from that so having those backups can be really helpful also it's still pretty new in the standardization there's still some device and browser support that needs to catch up I think we're at Chrome's doom grave Firefox is doing great Safari is actually kind of running a little bit behind on this which is you bad and then

there's the idea of platform versus roaming authenticators and I've kind of been talking about it the whole time but they actually kind of have names to it where platform is something like a touch bar or touch ID or Windows hello where it's integrated into the platform typically with its own little secure Enclave and then roaming authenticators basically you take them with you their security keys their you know access cars things like that and because they have different security properties maybe you want them want each one in a different scenario and it can be really helpful to know which is which and you can actually you know sort of decide which ones you're gonna accept which ones you're

gonna deny requiring backup keys super-important there's a also the ability to sort of go out and collect data from the authenticators themselves so as a relying party or the you know service sort of integrating it right now you can say hey I want to know more about this Authenticator maybe is it does it have a strong access station from its manufacturer does it just have some general model device numbers and information that I can sort of keep track of and understand and then you have the ability to actually enforce at test stations so because this is such a new technology than a lot of the manufacturers aren't sort of publishing it so Yubikey yubico with their unique

ease are kind of like leading the front lines on this because it can they're part of the protocol proposal to begin with so it's hard to sort of require that other of the users when it's you might not even have many with you know supporting devices but it could be something like in a long term we saw it we see get more adoption and things like Android activations are really getting more adoption as well so there could be a lot of sort of cross device security stories there and then there's some future work involved where there's potential to include prompts for individual transactions so it's moving beyond just sort of logging in or accessing a particular site it's do you

agree to this particular chunk of information for us - super interesting because it's literally a transaction and on our exchange but you can imagine it a lot of different ways so again account recovery super important measure that there's backups making sure that the recovery mechanism isn't diminishing your security it's so the browser and device support we're only gonna get better but it's still a new technology and then trying to have like some fall backs in place or the ability to check the platform roaming before I Gemini we actually were pretty fortunate because we were already using uni keys as part of our infrastructure so sort of requiring it for internal tooling it was a pretty smooth

transition so it's actually like made it simpler for some of the security mechanisms we put in place because it's literally everyone has the same laptop everyone has the same UV keys and so everyone knows that they can just tap it and then long so again going back to collecting Authenticator data it's recommended to start collecting it from the very beginning and that way you can start to build your trust models or to figure out you know are there certain patterns maybe you don't make any decisions on them right away maybe there's not a lot out there but if you start collecting it initially then you'll be more informed down the road and then actually integrating it it's super helpful to

just get a head start by finding your library that already like handles a lot of the heads a lot of the heavy work so there's go there's Java there's Ruby and there's more on the way I'm sure so web often is that beautiful unicorn fishing resistance replay prevention man-in-the-middle defense breach agnosticism the covert login prevention cloning detection all strongly authenticating users any questions yes

would you mind going over once more what breach agnosticism is please yeah basically like that is if there's a like database breach and a bunch of people's usernames and passwords are leaked online then that's pretty unfortunate even if they're hash they're gonna be some rainbow tables and it's you know puts everyone in a tough spot but if you're using weapon