#RSAC

SESSION ID: SDS-F04

ELIMINATING PASSWORDS FROM LEGACY WEB APPLICATIONS

Arshad Noor, CTO, StrongKey (formerly StrongAuth, Inc.), @cryptoengine

Agenda
- Introduction to FIDO
- What is involved in FIDO-enabling a web application?
- US NIST National Cybersecurity Center of Excellence (NCCoE) projects
  - Mobile Single Sign-On for Public Safety/First Responders
  - FIDO Sign-On Gateway
- How to use FIDO for legacy web applications without modifying them
- Applying these lessons

INTRODUCTION TO FIDO

FIDO Alliance Protocols
- Universal Authentication Framework (UAF)
- Universal 2nd Factor (U2F)
- FIDO2/WebAuthn

FIDO Alliance*
- More than 250 members worldwide
- US NIST, UK Cabinet Office, Germany FOIS, Australia DTO, ...
- AMEX, Discover, MC, Visa, JCB, Chase, BofA, Wells Fargo, MUFG, Vanguard, ...
- ARM, Intel, Infineon, NXP, Gemalto, STM, Qualcomm, Feitian, Samsung, ...
- Verizon, Telstra, NTT, ..., Alibaba, Amazon, Facebook, Yahoo, ...
- Alliances/liaisons: W3C, Global Platform, EMVCo, TCG, Bluetooth, NFC Forum, ...

* https://fidoalliance.org/

Common to All Protocols
(The original builds this up as a six-part diagram over six slides; the numbered parts are listed here in order.)
1. A human user (with a mandatory "test of user presence": the authenticator signs nothing until the user touches it or otherwise demonstrates presence)
2. uses a FIDO authenticator
3. with a "user agent" (typically, a browser)
4. to connect to a Relying Party (RP) web application
5. which uses a FIDO server for strong authentication
6. with the FIDO server referencing a metadata service (authenticator metadata and attestation roots).

To make FIDO work ...
On the user's side:
- You must have a FIDO-enabled platform
- You must have a FIDO authenticator
On the RP's side:
- You must have FIDO-aware web applications (the diagram shows the RP's Banking, eCommerce and Healthcare web applications, all talking to one FIDO server)
- Your web app must have a built-in FIDO server, or communicate with an external FIDO server

Universal Authentication Framework (UAF)
- Only works on mobile devices
- Passwordless protocol
- Leverages biometrics for "local authentication" if available (the match happens on the device; the biometric never leaves it)
- Allows the RP to specify policy for FIDO actions
  - Ex: must use a biometric for local authentication
  - Ex: must be at specific GPS coordinates to use FIDO
- Secure display + transaction confirmation

Universal 2nd Factor (U2F)
- Works on all platforms: desktop, laptop, mobile, ...
- Its authenticator transport (now called CTAP1 under FIDO2) works over USB, BLE and NFC
- Can be paired with a password (a true second factor) or used with just a userid (passwordless); the protocol itself carries no password
- Can leverage biometrics for "local authentication" if the authenticator integrates them
- Does not allow the RP to specify policy for FIDO actions
  - Exception: the RP can choose which authenticator models to accept at registration, using the attestation certificate
- No secure display or transaction confirmation

FIDO2/WebAuthn
- Works on all platforms: desktop, laptop, mobile, ...
- Merges UAF features and U2F: support for RP policies, secure display, transaction authorization
- CTAP2 transport protocols standardized by the FIDO Alliance (still being finalized at the time of this talk); platform support on Android
- JavaScript API (WebAuthn) standardized by the W3C (still being finalized at the time of this talk); implemented in Chrome and Edge
- Backward compatible with U2F authenticators, but not with UAF
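The six components listed under "Common to All Protocols" and the FIDO2/WebAuthn checks above can be seen end to end in the following example. It is added here and is not code from the slides or from StrongKey: a pure-Python simulation of one authentication ceremony in which a simulated security key (component 2) signs for a browser (3) that talks to a relying party (4 and 5). The RP verifies ceremony type, origin, challenge, rpIdHash, the user-presence flag, the signature counter and the P-256 ECDSA signature. The class and function names (`Authenticator`, `RelyingParty`, `browser_login`, `run_demo`) and the RP ID `example.com` are this example's own assumptions; the signature is passed as raw r||s rather than the DER encoding used on the wire.

```python
"""Added example, not from the slides or StrongKey: a FIDO2/WebAuthn-style
assertion exchange.  The simulated authenticator signs
authenticatorData || SHA-256(clientDataJSON); the relying party checks
type, origin, challenge, rpIdHash, user presence, counter and signature."""
import base64, copy, hashlib, hmac, json, os, struct

# NIST P-256 parameters (the curve nearly all FIDO authenticators use).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p == q: lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P  # a = -3
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):  # double-and-add scalar multiplication (demo only, not constant-time)
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def _scalar(): return int.from_bytes(os.urandom(32), "big") % (N - 1) + 1
def _sha256(b): return hashlib.sha256(b).digest()
def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def ecdsa_sign(d, msg):
    z = int.from_bytes(_sha256(msg), "big")
    while True:
        k = _scalar(); r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return r, s

def ecdsa_verify(pub, msg, r, s):
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(_sha256(msg), "big"); w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class Authenticator:
    """Simulated security key holding one credential scoped to one RP ID."""
    def __init__(self, rp_id):
        self.priv = _scalar(); self.pub = _mul(self.priv, G)
        self.rp_id_hash = _sha256(rp_id.encode()); self.counter = 0
    def get_assertion(self, client_data_json, user_present=True):
        self.counter += 1                        # monotonic signature counter
        flags = 0x01 if user_present else 0x00   # bit 0 = UP (test of user presence)
        auth_data = self.rp_id_hash + bytes([flags]) + struct.pack(">I", self.counter)
        r, s = ecdsa_sign(self.priv, auth_data + _sha256(client_data_json))
        return auth_data, r.to_bytes(32, "big") + s.to_bytes(32, "big")  # raw r||s

class RelyingParty:
    """FIDO server side: stores registered public keys and verifies assertions."""
    def __init__(self, rp_id, origin):
        self.rp_id_hash = _sha256(rp_id.encode()); self.origin = origin
        self.creds = {}                          # cred_id -> [public key, last counter]
    def register(self, cred_id, pub): self.creds[cred_id] = [pub, 0]
    def begin_login(self): return os.urandom(32)  # fresh challenge per ceremony
    def finish_login(self, cred_id, challenge, client_data_json, auth_data, sig):
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":  return "wrong ceremony type"
        if cd.get("origin") != self.origin:   return "origin mismatch (phishing?)"
        if not hmac.compare_digest(_unb64u(cd.get("challenge", "")), challenge):
            return "challenge mismatch (replay?)"
        if auth_data[:32] != self.rp_id_hash: return "rpIdHash mismatch"
        if not auth_data[32] & 0x01:          return "user presence not asserted"
        count = struct.unpack(">I", auth_data[33:37])[0]
        pub, last = self.creds[cred_id]
        if count <= last:                     return "counter did not increase (cloned key?)"
        r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
        if not ecdsa_verify(pub, auth_data + _sha256(client_data_json), r, s):
            return "bad signature"
        self.creds[cred_id][1] = count        # accept, then advance the stored counter
        return "ok"

def browser_login(rp, key, cred_id, origin, user_present=True):
    """User-agent glue: fetch a challenge, build clientDataJSON, call the key."""
    challenge = rp.begin_login()
    cdj = json.dumps({"type": "webauthn.get", "challenge": _b64u(challenge),
                      "origin": origin}).encode()
    auth_data, sig = key.get_assertion(cdj, user_present)
    return rp.finish_login(cred_id, challenge, cdj, auth_data, sig), (cdj, auth_data, sig)

def run_demo():
    rp, key = RelyingParty("example.com", "https://example.com"), Authenticator("example.com")
    rp.register("cred-1", key.pub)
    clone = copy.deepcopy(key)                   # attacker copied the key material earlier
    out = {}
    out["good"], captured = browser_login(rp, key, "cred-1", "https://example.com")
    out["phished"], _ = browser_login(rp, key, "cred-1", "https://examp1e.com")
    out["no_presence"], _ = browser_login(rp, key, "cred-1", "https://example.com", False)
    cdj, auth_data, sig = captured               # resend the captured assertion later
    out["replay"] = rp.finish_login("cred-1", rp.begin_login(), cdj, auth_data, sig)
    out["cloned"], _ = browser_login(rp, clone, "cred-1", "https://example.com")
    return out

if __name__ == "__main__":
    for case, result in run_demo().items(): print(f"{case:12} {result}")
```

Running it shows why the slides call this "strong authentication": a look-alike origin, a replayed assertion, a key that never saw a user touch, and a cloned key each fail a different check before the signature is even examined, and only the genuine ceremony returns "ok".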

NIST NCCOE PROJECT

Mobile Single Sign-On NIST NCCoE Project
- Public Safety/First Responder: Police, Fire and Emergency Medical Service (EMS)
- Mobile SSO Project
  - Federal Register Notice (FRN): open to anyone, anywhere in the world
  - Letter of Intent (LOI)
  - Cooperative Research and Development Agreement (CRADA)
  - Selected Technical Collaborators
- The project's Practice Guide is NIST SP 1800-13, Mobile Application Single Sign-On

NIST NCCoE Project Architecture (architecture diagrams, two slides)

NIST NCCoE MSSO U2F Demo (screenshots, slides 1 to 7)

NIST NCCoE MSSO Solution Applicability (slide graphic)

FIDO GATEWAY SOLUTION

Enabling FIDO for "legacy web-applications"

Remember this?
- You must have a FIDO-enabled platform
- You must have a FIDO authenticator
- You must have FIDO-aware web applications (the RP's Banking, eCommerce and Healthcare web applications in the diagram)
- Your web app must have a built-in FIDO server, or communicate with an external FIDO server

Problem
- Integrating FIDO into a web application requires modifying the web application
- There are millions of web applications that need to be protected
- Securing internally-developed and vendor-supplied web applications with FIDO will take years
- How does one break this security logjam?

Solution: FIDO Gateway (architecture diagram)

What does a FIDO gateway solve?
- Enables FIDO-based SSO to legacy web applications that understand only a standard userid/password
- Shields legacy web applications from password attacks: the password the application sees is held and submitted by the gateway, not by the user
- Eliminates the need for password policies
- The user never needs to remember a password again
- Changes the password each time the user logs out of the application
- Extends the life of legacy web applications while eliminating their authentication vulnerabilities
Caveat for deployment: the legacy application still accepts a userid/password from anyone who can reach it, so it must be reachable only through the gateway, and the gateway's credential store becomes the asset to protect and audit.
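The behaviour on this slide, as an added example rather than StrongKey's gateway code (the slides do not show its internals): a `LegacyApp` stand-in that understands only userid and password, and a `FidoGateway` that admits the user on a FIDO verdict, holds one random password per (user, application), logs in on the user's behalf, and rotates the password at logout. The class and method names, the user `alice`, the application name `crm` and the starting password are this example's own assumptions; the FIDO verdict is passed in as a boolean because the assertion check lives in the FIDO server, not in the gateway.

```python
"""Added example (not StrongKey's gateway): the credential-holding pattern a FIDO
gateway uses in front of a legacy userid/password web application."""
import hashlib, hmac, os, secrets

class LegacyApp:
    """Stand-in for a vendor web app that understands only userid + password."""
    def __init__(self):
        self.users = {}        # userid -> (salt, PBKDF2 hash)
        self.sessions = {}     # session id -> userid
    @staticmethod
    def _hash(pw, salt): return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)
    def set_password(self, userid, pw):
        salt = os.urandom(16); self.users[userid] = (salt, self._hash(pw, salt))
    def _check(self, userid, pw):
        salt, digest = self.users.get(userid, (b"", b""))
        return hmac.compare_digest(self._hash(pw, salt), digest)
    def login(self, userid, pw):
        if not self._check(userid, pw): return None
        sid = secrets.token_urlsafe(16); self.sessions[sid] = userid; return sid
    def change_password(self, userid, old, new):
        if not self._check(userid, old): return False
        self.set_password(userid, new); return True

class FidoGateway:
    """Front door: FIDO login here, form-based login to each legacy app from here."""
    def __init__(self):
        self.vault = {}        # (userid, app name) -> current legacy password
        self.sessions = {}     # gateway session token -> userid
    def fido_login(self, userid, assertion_verified):
        # assertion_verified is the FIDO server's verdict on the user's assertion
        if not assertion_verified: return None
        token = secrets.token_urlsafe(16); self.sessions[token] = userid; return token
    def enroll(self, token, app_name, app, current_pw):
        """One-time takeover: replace the human-chosen password with a random one."""
        userid = self.sessions[token]; new = secrets.token_urlsafe(32)  # 256 random bits
        if not app.change_password(userid, current_pw, new): return False
        self.vault[(userid, app_name)] = new; return True
    def open_app(self, token, app_name, app):
        """SSO: submit the vaulted password; the user never sees it."""
        userid = self.sessions[token]
        return app.login(userid, self.vault[(userid, app_name)])
    def close_app(self, token, app_name, app):
        """Logout: rotate the legacy password so any leaked copy is already stale."""
        userid = self.sessions[token]; new = secrets.token_urlsafe(32)
        if not app.change_password(userid, self.vault[(userid, app_name)], new): return False
        self.vault[(userid, app_name)] = new; return True

def run_demo():
    app = LegacyApp(); app.set_password("alice", "Summer2018!")   # human-chosen password
    gw = FidoGateway(); out = {}
    out["fido_failed_gets_no_session"] = gw.fido_login("alice", False) is None
    token = gw.fido_login("alice", True)                           # FIDO server said OK
    gw.enroll(token, "crm", app, "Summer2018!")
    out["human_password_still_works"] = app.login("alice", "Summer2018!") is not None
    out["sso_login"] = gw.open_app(token, "crm", app) is not None
    leaked = gw.vault[("alice", "crm")]          # suppose this copy leaks (log, proxy, ...)
    out["logout_rotated"] = gw.close_app(token, "crm", app)
    out["leaked_password_still_works"] = app.login("alice", leaked) is not None
    out["sso_login_after_logout"] = gw.open_app(token, "crm", app) is not None
    return out

if __name__ == "__main__":
    for case, result in run_demo().items(): print(f"{case:28} {result}")
```

After enrollment the human-chosen password no longer works anywhere, the only password the application accepts is a 256-bit random value the user has never seen, and a copy captured during a session is dead as soon as the user logs out. What the pattern does not do is remove the application's password login path, which is why the gateway has to be the only route to the application.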

Demo (screenshots): 1 login screen; 2 activating the security key; 3 dashboard; 4, 5 and 6 login to applications #1, #2 and #3 through the gateway; 7 logout; 8 logged out

Summary
- Eliminating passwords with strong authentication is a reality
- NIST has recognized the need for simpler, stronger authentication
  - NIST Special Publication 800-63-3: Digital Identity Guidelines
  - FIDO Alliance-NIST webinar on SP 800-63-3
- Long term: web/mobile applications must be modified to leverage FIDO (with or without OAuth 2.0)
- Short term: gateway solutions provide a pathway to secure "legacy web-applications"

APPLY WHAT YOU'VE LEARNED TODAY

Applying what you've learned today - 1
Today, you should:
- Visit the Expo Hall to review demos of these SSO mechanisms
Next week, you should:
- Acquire a FIDO U2F authenticator (available for less than S$15)
- Test your FIDO U2F authenticator with the demonstration sites listed here
- Identify three legacy web applications for testing FIDO migration
- Identify useful resources on the FIDO Alliance's website for further learning
- Download the NIST Practice Guide for Mobile SSO

Applying what you've learned today - 2
In the next month, you should:
- Follow a tutorial for integrating FIDO into web applications
- Review the NIST Practice Guide for enabling SSO with FIDO
- Evaluate and select a method for enabling FIDO within your company
- Determine your plan for protecting legacy web applications with FIDO
In the first three months following this presentation, you should:
- Complete migrating one legacy web application to use FIDO
- Test FIDO SSO with the remaining two legacy web applications

Applying what you've learned today - 3
Within six months, you should:
- Roll out FIDO for one to two web applications in limited deployments
- Plan for how to natively integrate FIDO into high-risk web applications
- Plan for what to do with medium-to-low-risk web applications into which FIDO might be too difficult or expensive to integrate
- Keep abreast of the FIDO ecosystem and how it will impact new web application development

QUESTIONS?