
Google Case Study: Becoming Unphishable: Towards Simpler, Stronger Authentication - FIDO Alliance - Tokyo Seminar - Brand


Google Case Study: Becoming Unphishable presented by Christiaan Brand


  1. Proprietary + Confidential. Becoming Unphishable: Towards Simpler, Stronger Authentication. Christiaan Brand, Google
  2. Largest and most secure infrastructure
  3. Google Security Stack (diagram layers, top to bottom): Mobile, UI, Application, Network, Software, Hardware
  4. Tomorrow: We work on quantum resistant encryption. Abuse & Spam: Used machine learning to solve; today less than 0.001% spam in your Gmail inbox. Security Supply Chain: Built from the ground up; manufactured our own components
  5. Today we tackle authentication
  6. Protect Yourself And Your Users: It's easier than you think for someone to steal a password. Password Reuse, Phishing, Interception (diagram: Social Media, BANK)
  7. 123456: most popular password in 2015. password: 2nd most popular password in 2015. Source: SplashData: st-passwords-2015/
  8. 76% of account vulnerabilities were due to weak or stolen passwords. 43% success rate for a well designed phishing page
  9. Today: The reality of One Time Passwords
     ● SMS Usability: coverage issues, delay, user cost
     ● Device Usability: one per site, expensive, fragile
     ● User Experience: users find it hard
     ● Phishable: OTPs are increasingly phished
  10. Introducing FIDO U2F (diagram: Your Password, Security Key, Account Data)
  11. Based on Asymmetric Cryptography. Core idea: standard public key cryptography
     ● User's device mints a new key pair, gives the public key to the server
     ● Server asks the user's device to sign data to verify the user
     ● One device, many services, "bring your own device" enabled
  12. Google's Experience
  13. Deployment at Google
     ● Enterprise use case
       ○ Mandated for Google employees
       ○ Corporate SSO (Web)
       ○ SSH
       ○ Forms basis of all authentication
     ● Consumer use case
       ○ Available as opt-in for Google consumers
       ○ Adopted by other relying parties too: Dropbox, GitHub
  14. Time to authenticate
  15. Time to authenticate
  16. Second factor support incidents
  17. Second factor support incidents
  18. We're not quite done
  19. We are not there yet for the Enterprise: Does this work with a mobile? How do we deploy this at scale? What if they lose their key?
  20. Productizing FIDO U2F: Making progress towards stronger authentication
  21. Demo: Bootstrapping account
  22. How can you get started?
  23. FIDO U2F use cases
     ● Internal enterprise authentication (B2B): authenticate to your own web applications, mobile applications, etc.
     ● Authenticate to your service providers ("token necklace"): U2F works well in a non-federated environment; complete isolation between various RPs
     ● External customer authentication: authenticate your high-value customers using U2F
  24. Resources
     ● To use with Google: enable 2-Step Verification on your account. Go to: Click: 2-Step Verification. Click on the Security Keys tab
     ● Also use with GitHub, Dropbox, SalesForce
     ● And / or play with some code
  25. Questions?