EVALUATION AND IMPLEMENTATION OF SQRL AND U2F AS 2FA FOR CERN SSO
SUPERVISORS BY VINCENT BRILLAULT (IT-DI-CSO) AZQA NADEEM (IT-DI-CSO) STEFAN LUEDERS (IT-DI-CSO) PROJECT GOALS
2 AZQA NADEEM (IT-DI-CSO) PROJECT GOALS
Evaluation of SQRL and U2F
2 AZQA NADEEM (IT-DI-CSO) PROJECT GOALS
Evaluation of SQRL and U2F Implementation of feasible 2FA algorithm
2 AZQA NADEEM (IT-DI-CSO) PROJECT GOALS
Evaluation of SQRL and U2F Implementation of feasible 2FA algorithm Integration with CERN Single Sign-on (SSO)
2 AZQA NADEEM (IT-DI-CSO) 2ND FACTOR AUTHENTICATION
3 AZQA NADEEM (IT-DI-CSO) 2ND FACTOR AUTHENTICATION
3 AZQA NADEEM (IT-DI-CSO) 2ND FACTOR AUTHENTICATION
4 AZQA NADEEM (IT-DI-CSO) 2ND FACTOR AUTHENTICATION
• Username • Password
5 AZQA NADEEM (IT-DI-CSO) 2ND FACTOR AUTHENTICATION
• Cell phone • Physical token • Biometrics
6 AZQA NADEEM (IT-DI-CSO) CERN SINGLE SIGN-ON
7 AZQA NADEEM (IT-DI-CSO) CERN SINGLE SIGN-ON
SMS
7 AZQA NADEEM (IT-DI-CSO) CERN SINGLE SIGN-ON
SMS Google Authenticator
7 AZQA NADEEM (IT-DI-CSO) CERN SINGLE SIGN-ON
SMS Google Authenticator Yubikey
7 AZQA NADEEM (IT-DI-CSO) CERN SINGLE SIGN-ON
SMS Google Authenticator Yubikey Smartcard
7 AZQA NADEEM (IT-DI-CSO) CERN SINGLE SIGN-ON
Can we do better?
8 AZQA NADEEM (IT-DI-CSO) SQRL VS. U2F
Secure Quick Reliable Login (SQRL) Universal 2nd Factor (U2F)
9 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
10 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
• Software based authentication mechanism
10 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
• Software based authentication mechanism
• Aims to replace username/passwords
10 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
• Software based authentication mechanism
• Aims to replace username/passwords
• Scan, tap or click on the QR code
10 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
11 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
But… Is it secure?
11 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
But… Is it secure?
NO!!
11 AZQA NADEEM (IT-DI-CSO) SECURE QUICK RELIABLE LOGIN (SQRL)
Man-in-the-middle attack
12 AZQA NADEEM (IT-DI-CSO) UNIVERSAL 2ND FACTOR (U2F)
13 AZQA NADEEM (IT-DI-CSO) UNIVERSAL 2ND FACTOR (U2F)
• Physical token
13 AZQA NADEEM (IT-DI-CSO) UNIVERSAL 2ND FACTOR (U2F)
• Physical token One key – Many services One service– Many keys
• Many-to-many relationship
13 AZQA NADEEM (IT-DI-CSO) UNIVERSAL 2ND FACTOR (U2F)
• Physical token One key – Many services One service– Many keys
• Many-to-many relationship
• Adapted by
13 AZQA NADEEM (IT-DI-CSO) THE STORY
14 AZQA NADEEM (IT-DI-CSO) THE STORY
14 AZQA NADEEM (IT-DI-CSO) THE STORY
+ =
14 AZQA NADEEM (IT-DI-CSO) THE STORY
+ =
14 AZQA NADEEM (IT-DI-CSO) THE STORY
15 AZQA NADEEM (IT-DI-CSO) THE STORY
15 AZQA NADEEM (IT-DI-CSO) THE STORY
+ =
15 AZQA NADEEM (IT-DI-CSO) THE STORY
+ =
15 AZQA NADEEM (IT-DI-CSO) THE STORY
16 AZQA NADEEM (IT-DI-CSO) THE STORY
Web API
Authenticate Register API API
16 AZQA NADEEM (IT-DI-CSO) THE STORY
Web API
Authenticate Register API API
16 AZQA NADEEM (IT-DI-CSO) THE STORY
CERN Self Web API Registration Service
Authenticate Register API API
16 AZQA NADEEM (IT-DI-CSO) THE STORY
CERN Self Web API Registration Service
Authenticate Register API Register Authenticate API
16 AZQA NADEEM (IT-DI-CSO) THE STORY
17 AZQA NADEEM (IT-DI-CSO) THE STORY
Web API
Authenticate Register API API
17 AZQA NADEEM (IT-DI-CSO) THE STORY
CERN Self Web API Registration Service
Authenticate Register API API Register Authenticate
17 AZQA NADEEM (IT-DI-CSO) THANK YOU!