#RSAC
SESSION ID: SDS-F04
ELIMINATING PASSWORDS FROM LEGACY WEB APPLICATIONS
Arshad Noor
CTO, StrongKey (was StrongAuth, Inc.)
@cryptoengine

Agenda
- Introduction to FIDO
- What's involved in FIDO-enabling a web application?
- US NIST National Cybersecurity Center of Excellence (NCCoE) projects
- Mobile Single Sign-On for Public Safety/First Responders
- FIDO Sign-On Gateway
- How to use FIDO for legacy web applications without modifying them
- Applying these lessons
INTRODUCTION TO FIDO

FIDO Alliance Protocols
- Universal Authentication Framework (UAF)
- Universal 2nd Factor (U2F)
- FIDO2/WebAuthn

FIDO Alliance*
- More than 250 members worldwide
- US NIST, UK Cabinet Office, Germany FOIS, Australia DTO, ...
- AMEX, Discover, MC, Visa, JCB, Chase, BofA, Wells Fargo, MUFG, Vanguard, ...
- ARM, Intel, Infineon, NXP, Gemalto, STM, Qualcomm, Feitian, Samsung, ...
- Verizon, Telstra, NTT, ...
- Google, Alibaba, Amazon, Facebook, Yahoo, ...
- Alliances/Liaison: W3C, Global Platform, EMVCo, TCG, Bluetooth, NFC Forum, ...
* https://fidoalliance.org/
Common to All Protocols (one diagram, built up over six slides)
1. A human user (mandatory "test of user presence") ...
2. uses a FIDO Authenticator ...
3. with a "user agent" (typically a browser) ...
4. to connect to a Relying Party web application ...
5. which uses a FIDO Server for strong authentication ...
6. referencing a Metadata Service.
To make FIDO work ...
- You must have a FIDO-enabled platform
- You must have FIDO-aware web applications (diagram: the RP's Banking, eCommerce and Healthcare web applications and a FIDO Server)
- Your web app must have a built-in FIDO Server, or communicate with an external FIDO Server
- You must have a FIDO Authenticator
Universal Authentication Framework (UAF)
- Only works on mobile devices
- Password-less protocol
- Leverages biometrics for "local authentication" if available
- Allows for specifying policy for FIDO actions
  - Ex: must use a biometric for local authentication
  - Ex: must be at specific GPS coordinates to use FIDO
- Secure Display + Transaction Confirmation

Universal 2nd Factor (U2F)
- Works on all platforms: desktop, laptop, mobile, ...
- CTAP works over USB, BLE and NFC transports
- Can require a password or be password-less
- Can leverage biometrics for "local authentication" if integrated
- Does not allow for specifying policy for FIDO actions
  - Exception: can choose which Authenticators to register (Attestation)
- No secure display or transaction confirmation

FIDO2/WebAuthn
- Works on all platforms: desktop, laptop, mobile, ...
- Merges UAF features and U2F
- Support for RP policies, Secure Display, Transaction Authorization
- CTAP2 transport protocols standardized by FIDO Alliance (TBD): Windows 10, Android
- JavaScript API standardized by W3C (TBD): Chrome, Firefox, Edge
- Backward compatible with U2F, but not UAF (TBD)
NIST NCCOE PROJECT

Mobile Single Sign-On NIST NCCoE Project
- Public Safety/First Responder: Police, Fire and Emergency Medical Service (EMS)
- Mobile SSO Project
- Federal Register Notice (FRN): open to anyone, anywhere in the world
- Letter of Intent (LOI)
- Cooperative Research and Development Agreement (CRADA)
- Selected Technical Collaborators

NIST NCCoE Project Architecture (architecture diagrams, two slides)

NIST NCCoE MSSO U2F Demo (screenshots, steps 1-7)

NIST NCCoE MSSO Solution Applicability

FIDO GATEWAY SOLUTION
Enabling FIDO for "legacy web-applications"

Remember this?
- You must have a FIDO-enabled platform
- You must have FIDO-aware web applications (diagram: the RP's Banking, eCommerce and Healthcare web applications and a FIDO Server)
- Your web app must have a built-in FIDO Server, or communicate with an external FIDO Server
- You must have a FIDO Authenticator
Problem
- Integrating FIDO into web applications requires modifying the web application
- There are millions of web applications that need to be protected
- Securing internally-developed and vendor-supplied web applications with FIDO will take years
- How does one break this security logjam?

Solution: FIDO Gateway (architecture diagram)

What does a FIDO gateway solve?
- Enables FIDO-based SSO to legacy web applications that support only standard userid/passwords
- Shields legacy web applications from password attacks
- Eliminates the need for password policies
- The user never needs to remember a password again
- Changes the password each time the user logs out of the application
- Extends the life of legacy web applications while eliminating their authentication vulnerabilities
Demo (screenshots)
1. Login screen
2. Activating security key
3. Dashboard
4. Application #1 login
5. Application #2 login
6. Application #3 login
7. Logout
8. Logged out
Summary
- Eliminating passwords with strong authentication is a reality
- NIST has recognized the need for simpler, stronger authentication
  - NIST Special Publication 800-63-3: Digital Identity Guidelines
  - FIDO Alliance-NIST webinar on SP 800-63-3
- Long term: web/mobile applications must be modified to leverage FIDO (with or without OAuth2)
- Short term: gateway solutions provide a pathway to secure "legacy web-applications"
APPLY WHAT YOU'VE LEARNED TODAY

Applying what you've learned today - 1
Today, you should:
- Visit the Expo Hall to review demos of these SSO mechanisms
Next week, you should:
- Acquire a FIDO U2F Authenticator (available for less than S$15)
- Test your FIDO U2F Authenticator with demonstration sites listed here
- Identify three legacy web applications for testing FIDO migration
- Identify useful resources on FIDO Alliance's website for further learning
- Download the NIST Practice Guide for Mobile SSO

Applying what you've learned today - 2
In the next month, you should:
- Follow a tutorial for integrating FIDO into web applications
- Review the NIST Practice Guide for enabling SSO with FIDO
- Evaluate and select a method for enabling FIDO within your company
- Determine your plan for protecting legacy web applications with FIDO
In the first three months following this presentation, you should:
- Complete migrating one legacy web application to use FIDO
- Test FIDO SSO with the remaining two legacy web applications

Applying what you've learned today - 3
Within six months, you should:
- Roll out FIDO for one to two web applications in limited deployments
- Plan how to natively integrate FIDO into high-risk web applications
- Plan what to do with medium-to-low-risk web applications into which FIDO might be too difficult or expensive to integrate
- Keep abreast of the FIDO ecosystem and how it will impact new web application development

QUESTIONS?