DOCSLIB.ORG

FIDO and PAYMENTS AUTHENTICATION Philip Andreae Vice President Oberthur Technologies

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
FIDO and PAYMENTS AUTHENTICATION Philip Andreae Vice President Oberthur Technologies FIDO AND PAYMENTS AUTHENTICATION Philip Andreae Vice President Oberthur Technologies All Rights Reserved. FIDO Alliance. Copyright 2016 1 The Problem The Solution The Alliance Updates Data Breaches… 781 data breaches in 2015 170 million records in 2015 (up 50%) $3.8 million cost/breach (up 23% f/2013) All Rights Reserved. FIDO Alliance. Copyright 2016 3 The world has a PASSWORD PROBLEM All Rights Reserved. FIDO Alliance. Copyright 2016 4 WE NEED A NEW MODEL All Rights Reserved. FIDO Alliance. Copyright 2016 5 WE CALL OUR NEW MODEL Fast IDentity Online online authentication using public key cryptography All Rights Reserved. FIDO Alliance. Copyright 2016 6 The Problem The Solution The Alliance Updates All Rights Reserved. FIDO Alliance. Copyright 2016 7 THE OLD PARADIGM SECURITY USABILITY All Rights Reserved. FIDO Alliance. Copyright 2016 8 HOW FIDO AUTHN WORKS The user authenticates The device “locally” to their authenticates the user device by various online using public key means cryptography LOCAL ONLINE AUTHENTICATOR All Rights Reserved. FIDO Alliance. Copyright 2016 9 Passwordless Experience (UAF Standards) 1 2 3 ? Authentication Challenge Biometric Verification* Authenticated Online Second Factor Experience (U2F Standards) 1 2 3 Second Factor Challenge Insert Dongle* / Press Button Authenticated Online *There are other types of authenticators All Rights Reserved. FIDO Alliance. Copyright 2016 10 FIDO UAF UNIVERSAL AUTHENTICATION FRAMEWORK Same User Same Authenticator as enrolled before? as registered before? AUTHENTICATOR All Rights Reserved. FIDO Alliance. Copyright 2016 11 FIDO U2F UNIVERSAL 2ND FACTOR Is a user present? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR Same authenticator as registered before? All Rights Reserved. FIDO Alliance. Copyright 2016 12 USABILITY, SECURITY and PRIVACY All Rights Reserved. FIDO Alliance. Copyright 2016 13 No 3rd Party in the Protocol No Secrets on the Server Side Biometric Data (if used) Never Leaves Device No Link-ability Between Services No Link-ability Between Accounts All Rights Reserved. FIDO Alliance. Copyright 2016 14 The Problem The Solution The Alliance Updates All Rights Reserved. FIDO Alliance. Copyright 2016 15 The FIDO Alliance is an open industry association of over 250 global member organizations All Rights Reserved. FIDO Alliance. Copyright 2016 16 FIDO SCOPE Single Sign-On MODERN AUTHENTICATION Federation Passwords Strong Risk-Based Authentication User Management Physical-to-digital identity FIDO Alliance Mission 1 2 3 Develop Operate Pursue Formal Specifications Adoption Programs Standardization Associate Members All Rights Reserved. FIDO Alliance. Copyright 2016 19 Sponsor Members The image part with relationship ID rId57 was not found in the file. All Rights Reserved. FIDO Alliance. Copyright 2016 20 Board Members All Rights Reserved. FIDO Alliance. Copyright 2016 21 Liaison Program • Our mission is highly complementary to many other associations around the world. We welcome the opportunity to collaborate with this growing list of industry partner organizations. All Rights Reserved. FIDO Alliance. Copyright 2016 22 Government Members • “The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.” -- Mike Garcia, NSTIC NPO All Rights Reserved. FIDO Alliance. Copyright 2016 23 The Problem The Solution The Alliance Updates FIDO TIMELINE Broad New U2F Adoption Certification Transports Program FIDO 1.0 First FINAL Specification Deployments Review Draft FIDO Ready Program Alliance Announced FEB DEC FEB FEB-OCT DEC 9 MAY JUNE TODAY 2013 2013 2014 2014 2014 2015 2015 >250 6 Members Members 2014 FIDO ADOPTION “Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5” September 17, 2014 “Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication” October 21, 2014 “PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5” Feb 24, 2014 2015 FIDO ADOPTION “Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015 “Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’” April 21, 2015 “Qualcomm launches Snapdragon fingerprint “[T]he technology scanning technology” supporting fingerprint “GitHub says it March 2, 2015 sign-in was built will now handle according to FIDO “Largest mobile network in what is called (Fast IDentity Online) Japan becomes first the FIDO standards.” wireless carrier to enhance Universal 2nd September 15, 2015 customer experience with Factor, or U2F, natural, simple and strong specification.” ways to authenticate to October 1, 2015 “Microsoft Announces FIDO DOCOMO’s services using Support Coming to Windows 10” FIDO standards.” Feb 23, 2015 May 26, 2015 2016 FIDO ADOPTION “FIDO Universal 2nd Factor (U2F) authentication is now being used to allow all UK citizens to easily and securely access GOV.UK Verify digital public services. Mar 23, 2016 “BC Card provides Token and FIDO services to strengthen security and safety of Samsung Pay” March 1, 2016 “NTT DOCOMO is now offering FIDO-enabled biometric authentication for customers using Apple iOS devices” Mar 7, 2016 “RSA Via Access Server is now FIDO Certified” March 1, 2016 Deployments are enabled by FIDO Certified™ products available today All Rights Reserved. FIDO Alliance. Copyright 2016 29 OEMs Now Shipping FIDO Certified Devices Samsung S5, Mini Alpha Note 4, 5 Note Edge Tab S, Tab S2 S6, S6 Edge LG Sharp Aquos Sony Experia Z5 Fujitsu Arrows V10 & G5 Zeta SO-01H, Fit F-01H, SH-01H, SH-03G Compact SO-02H, NX F-02H, Premium SO-03H NX F-04G All Rights Reserved. FIDO Alliance. Copyright 2016 30 App Developers can add FIDO to any TouchID-enabled device running iOS 9+ Supported iOS Fingerprint Devices iPhone 5s iPhone 6, 6+ iPhone 6s, 6s+ iPad Air 2, Mini 3 iPad Mini 4 iPad Pro All Rights Reserved. FIDO Alliance. Copyright 2016 31 All Rights Reserved. FIDO Alliance. Copyright 2016 32 FIDO 2.0 & W3C November 2015 February 2016 FIDO Authentication Poised for Continued Growth W3C Launches New Standards Effort as Alliance Submits FIDO 2.0 Web API to W3C Based on FIDO 2.0 Web APIs • W3C has accepted our submission • W3C announces the chartering of the • Specifications required to define a FIDO-compliant Web Authentication Working Group Web API • Designed to extend FIDO’s existing reach to all • Standardizing the submitted FIDO Web platforms APIs can ensure standards-based strong • OEM community should begin to plan their support authentication across all Web browsers now and related Web platform infrastructure • RP community should deploy FIDO 1.x now knowing • The first meeting of the Working group FIDO standards are “future proof” -- strategically was early March positioned as the de facto authentication scheme for the Web & OS Platforms All Rights Reserved. FIDO Alliance. Copyright 2016 33 @FIDOAlliance www.fidoalliance.org www.linkedin.com/company/the-fido-alliance .
Load more

Recommended publications
  • Support for U2F FIDO Tokens in Mobile Applications
    Masaryk University Faculty of Informatics Support for U2F FIDO tokens in mobile applications Bachelor’s Thesis Marek Hrašna Brno, Spring 2019 Masaryk University Faculty of Informatics Support for U2F FIDO tokens in mobile applications Bachelor’s Thesis Marek Hrašna Brno, Spring 2019 This is where a copy of the official signed thesis assignment and a copy ofthe Statement of an Author is located in the printed version of the document. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Marek Hrašna Advisor: RNDr. Petr Švenda Ph.D. i Acknowledgements I would like to express my gratitude to my advisor, RNDr. Petr Švenda Ph.D. his guidance, patience, and helpful advice throughout the mak- ing of this thesis. iii Abstract One of the biggest security problems on the Internet is the usage of weak credentials, such as passwords, for user authentication. Second- Factor Authentication (2FA) provides a valid answer to this threat. Still, there are many 2FA schemes vulnerable to prominent web threats such as phishing attacks. The U2F protocol provides a phishing-resistant 2FA solution, optionally based on secure hardware elements. This thesis provides an analysis of the security brought by the U2F authen- tication scheme and shows its real-world adaptation in mobile plat- forms. It discusses problems that occur while using commercial tokens implementing this standard and describes the process of installing a U2F applet onto a JavaCard while discussing possible problems that may occur.
    [Show full text]
  • Security Keys: Practical Cryptographic Second Factors for the Modern Web
    Security Keys: Practical Cryptographic Second Factors for the Modern Web Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, and Sampath Srinivas Google, Inc., Mountain View, CA, USA Abstract. \Security Keys" are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single de- vice and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google's online services. We show that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within Google and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the industry. Currently, Security Keys have been deployed by Google, Dropbox, and GitHub. An updated and extended tech report is available at https://github.com/google/u2f- ref-code/docs/SecurityKeys_TechReport.pdf. 1 Introduction Recent account takeovers [1{3] have once again highlighted the challenge of securing user data online: accounts are often protected by no more than a weak password [4] and whatever implicit signals (if any) that the online service provider has collected to distinguish legitimate users from account hijackers. Academic research has produced numerous proposals to move away from passwords, but in practice such efforts have largely been unsuccessful [5, 6]. In- stead, many service providers augment password-based authentication with a second factor in the form of a one-time passcode (OTP), e.g., [7, 8].
    [Show full text]
  • A Tale of Two Studies: the Best and Worst of Yubikey Usability
    A Tale of Two Studies: The Best and Worst of YubiKey Usability †∗ ∗ ∗ ∗ z ∗ Joshua Reynolds , Trevor Smith , Ken Reese , Luke Dickinson , Scott Ruoti , Kent Seamons y ∗ z University of Illinois at Urbana-Champaign, Brigham Young University, MIT Lincoln Laboratory [email protected], ftsmith, ken.reese, [email protected], [email protected], [email protected] Abstract—Two-factor authentication (2FA) significantly device that authenticates the user after the user presses a improves the security of password-based authentication. button on the security key [8]. The button tap is a test of Recently, there has been increased interest in Universal 2nd user presence and prevents malware on the host device from Factor (U2F) security keys—small hardware devices that require users to press a button on the security key to authenticate. To using the security key surreptitiously. Most commonly, security examine the usability of security keys in non-enterprise usage, keys are designed to be plugged into a USB port, though we conducted two user studies of the YubiKey, a popular line they can also communicate with other devices using wireless of U2F security keys. The first study tasked 31 participants protocols (e.g., NFC, Bluetooth). with configuring a Windows, Google, and Facebook account to U2F security keys are designed to be easy-to-adopt and authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking use in day-to-day life, while protecting users against phishing themselves out of their operating system or thinking they had and man-in-the-middle attacks [8].
    [Show full text]
  • Of Two Minds About Two-Factor: Understanding Everyday FIDO U2F
    Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling Stéphane Ciolino, OneSpan Innovation Centre & University College London; Simon Parkin, University College London; Paul Dunphy, OneSpan Innovation Centre https://www.usenix.org/conference/soups2019/presentation/ciolino This paper is included in the Proceedings of the Fifteenth Symposium on Usable Privacy and Security. August 12–13, 2019 • Santa Clara, CA, USA ISBN 978-1-939133-05-2 Open access to the Proceedings of the Fifteenth Symposium on Usable Privacy and Security is sponsored by USENIX. Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling Stéphane Ciolino Simon Parkin Paul Dunphy OneSpan Innovation Centre University College London OneSpan Innovation Centre & University College London [email protected] [email protected] [email protected] Abstract words and tokens) is widely recognized as an effective tech- Security keys are phishing-resistant two-factor authentica- nique to protect both corporate and personal online accounts tion (2FA) tokens based upon the FIDO Universal 2nd Factor against account hijacking threats. Indeed, there are already ex- (U2F) standard. Prior research on security keys has revealed amples of citizens being advised to use Two-Factor Authenti- intuitive usability concerns, but there are open challenges to cation (2FA) by government agencies (as in the UK [35]). The better understand user experiences with heterogeneous de- most common second factor is a One-Time Passcode (OTP) vices and to determine an optimal user experience for every- received via a text message to a mobile device [5].
    [Show full text]
  • The Webauthn Standard: Why It Should Matter to the Public Sector and How It Works Executive Summary
    WEBAUTHN WHITE PAPER SERIES: MAY 2020 The WebAuthn Standard: Why It Should Matter to the Public Sector and How It Works Executive Summary This paper is the second in a series of WebAuthn whitepapers published by Yubico. For an introduction to WebAuthn and why it is both more secure and easier to use, see the first paper, Introducing WebAuthn: Enabling a Streamlined and More Secure User Authentication Experience. Most websites, services, and applications have difficulty providing secure, convenient authentication for users. Passwords are the problem. They tend to be either so simple they are easily guessed by hackers or so complex they are hard for users to remember. And all passwords, regardless of their complexity, are vulnerable to phishing and data breaches. Fortunately, WebAuthn, a new web authentication standard approved in March 2019 by the World Wide Web Consortium (W3C), makes it easy for websites, services, and applications to offer strong authenti- cation without relying on passwords. By replacing passwords with strong authentication based on public key cryptography, in which the private key never leaves the user’s device, WebAuthn makes authentication both easier to use and more secure, benefitting users and service providers alike. The WebAuthn standard is already supported by all major browsers and most platforms including: ● Windows 10 ● Android ● Google Chrome ● Mozilla Firefox ● Microsoft Edge ● Apple Safari ● Apple iOS WebAuthn supports various models for account authentication, leveraging both external roaming authenticators, such as hardware security keys, and authenticators built into computing and mobile devices, such as fingerprint readers and facial recognition technology. Applications and web services can choose to implement WebAuthn for passwordless authentication, two-factor authentication (2FA), and multi-factor authentication (MFA).
    [Show full text]
  • A Tale of Two Studies: the Best and Worst of Yubikey Usability
    2018 IEEE Symposium on Security and Privacy A Tale of Two Studies: The Best and Worst of YubiKey Usability †∗ ∗ ∗ ∗ ‡ ∗ Joshua Reynolds , Trevor Smith , Ken Reese , Luke Dickinson , Scott Ruoti , Kent Seamons † ∗ ‡ University of Illinois at Urbana-Champaign, Brigham Young University, MIT Lincoln Laboratory [email protected], {tsmith, ken.reese, luke}@isrl.byu.edu, [email protected], [email protected] Abstract—Two-factor authentication (2FA) significantly device that authenticates the user after the user presses a improves the security of password-based authentication. button on the security key [8]. The button tap is a test of Recently, there has been increased interest in Universal 2nd user presence and prevents malware on the host device from Factor (U2F) security keys—small hardware devices that require users to press a button on the security key to authenticate. To using the security key surreptitiously. Most commonly, security examine the usability of security keys in non-enterprise usage, keys are designed to be plugged into a USB port, though we conducted two user studies of the YubiKey, a popular line they can also communicate with other devices using wireless of U2F security keys. The first study tasked 31 participants protocols (e.g., NFC, Bluetooth). with configuring a Windows, Google, and Facebook account to U2F security keys are designed to be easy-to-adopt and authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking use in day-to-day life, while protecting users against phishing themselves out of their operating system or thinking they had and man-in-the-middle attacks [8].
    [Show full text]
  • Understanding Everyday FIDO U2F Usability Through Device Comparison and Experience Sampling
    Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling Stéphane Ciolino Simon Parkin Paul Dunphy OneSpan Innovation Centre University College London OneSpan Innovation Centre & University College London [email protected] [email protected] [email protected] Abstract words and tokens) is widely recognized as an effective tech- Security keys are phishing-resistant two-factor authentica- nique to protect both corporate and personal online accounts tion (2FA) tokens based upon the FIDO Universal 2nd Factor against account hijacking threats. Indeed, there are already ex- (U2F) standard. Prior research on security keys has revealed amples of citizens being advised to use Two-Factor Authenti- intuitive usability concerns, but there are open challenges to cation (2FA) by government agencies (as in the UK [35]). The better understand user experiences with heterogeneous de- most common second factor is a One-Time Passcode (OTP) vices and to determine an optimal user experience for every- received via a text message to a mobile device [5]. While this day Web browsing. In this paper we contribute to the growing technique conveniently leverages pre-existing telecommuni- usable security literature on security keys through two user cations infrastructure and mobile devices that users already studies: (i) a lab-based study evaluating the first-time user ex- own, it is vulnerable to Person-In-The-Middle (PITM) at- perience of a cross-vendor set of security keys and SMS-based tacks [8, 23, 32], such as phishing attacks. Hardware-based one-time passcodes; (ii) a diary study, where we collected authentication tokens have historically been deployed for 2FA 643 entries detailing how participants accessed accounts and in closed user communities such as corporations, or for bank- experienced one particular security key over the period of ing customers, particularly in territories such as Europe.
    [Show full text]
  • Installation
    privacyIDEA Authentication System Release 2.17 Cornelius Kölbel January 10, 2017 Contents 1 Table of Contents 3 1.1 Overview.................................................3 1.2 Installation................................................3 1.3 First Steps................................................ 17 1.4 Configuration............................................... 25 1.5 Components............................................... 70 1.6 Tokenview................................................ 70 1.7 Userview................................................. 75 1.8 Policies.................................................. 79 1.9 Event Handler.............................................. 106 1.10 Audit................................................... 115 1.11 Client machines............................................. 116 1.12 Workflows and Tools........................................... 118 1.13 Application Plugins........................................... 121 1.14 Code Documentation........................................... 129 1.15 Frequently Asked Questions....................................... 254 2 Indices and tables 265 HTTP Routing Table 267 Python Module Index 269 i ii privacyIDEA Authentication System, Release 2.17 privacyIDEA is a modular authentication system. Using privacyIDEA you can enhance your existing applications like local login, VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications. Originally
    [Show full text]
  • Yubikey 5 Series
    YubiKey 5Ci YubiKey 5 NFC YubiKey 5 Nano YubiKey 5 Series: The Multi-Protocol Security Key YubiKey 5C YubiKey 5C Nano Streamline authentication for existing enterprise systems and pave the way to a passwordless The YubiKey 5 Series security keys deliver future. expanded authentication options ● Strong Single Factor—Passwordless: Replaces weak Relying solely on username and password passwords with passwordless tap-n-go secure login. security puts enterprise data at risk ● Strong Two Factor—Password + Authenticator: Adds a tap- Catastrophic security breaches top world headlines n-go second factor for secure two factor authentication. every day, and for good reason. A single corporate security breach costs an average of $3.86M1, and 81% ● Strong Multi-Factor—Passwordless + PIN: Combines of breaches are caused by stolen or weak passwords.2 tap-n-go authentication with a PIN, to solve high As a result, IT organizations cannot rely exclusively on assurance requirements such as financial transactions, passwords to protect access to corporate data. Adopting or submitting a prescription. stronger employee and customer authentication is The YubiKey delivers strong authentication at scale essential to avoiding risk and becoming the next target. The YubiKey multi-protocol support streamlines authenti- From smart card to a passwordless future cation for existing systems while paving the way forward The YubiKey 5 Series is a hardware based authentication to a passwordless future. solution that provides superior defense against account ● Authentication and cryptographic protocols supported takeovers and enables compliance. The YubiKey offers include FIDO Universal 2nd Factor (U2F), WebAuthn/ strong authentication with support for multiple protocols, FIDO2, Personal Identity Verification-compatible (PIV) including existing Smart Card authentication, and WebAuthn/ Smart Card, and OpenPGP smart card.
    [Show full text]
  • Citrix Workspace, Yubico, and Microsoft
    Solution Overview Citrix Workspace, Yubico, and Microsoft Passwordless Yubikey authentication for Citrix Workspace via Microsoft Azure Active Directory Citrix.com Embrace passwordless authentication and access to Citrix Workspace using FIDO2 with Microsoft Azure Active Directory and the Yubikey. With most cyberattacks now beginning with compromised passwords, organizations need better ways to authenticate users and provide access to critical applications, services, and data.1 Multifactor authentication solutions are an improvement, but have been known to complicate and slow the user experience. In contrast, FIDO2 passwordless authentication with a Yubikey lets Citrix Workspace customers strengthen network security, reduce IT expenses, and improve their productivity. It's time to leave passwords behind Long the defacto standard for access and authentication, passwords have indeed outlived their usefulness. Though almost every digital experience still requires Citrix Workspace passwords in some form, they have become a severe liability. The average U.S. Only Citrix offers the most complete consumer tries to keep track of over 14 different passwords, which they use and integrated workspace to enable across all of their web sites and services.2 Business users are responsible for even people to securely access their apps, more, having to manage as many as 191 passwords.3 These unsustainable trends desktops, and data from anywhere. lead to inevitable compromise. Rely on Windows and Linux app and • Password fatigue leads to data breaches. Users grow tired of creating new desktop delivery from Citrix Virtual passwords for different services and resist being forced to change passwords Apps and Desktops, device security periodically, often relying on simplistic passwords that are easy to crack.
    [Show full text]
  • Yubikey Edge and Yubikey Edge-N Product Sheet
    YubiKey Edge and YubiKey Edge-n • YubiKey Edge and YubiKey Edge-n offer strong Description: authentication via Yubico one-time passwords (OTP) YubiKey Edge and YubiKey Edge-n are USB devices and FIDO Universal 2nd Factor (U2F) with a simple tap supporting multiple authentication and cryptographic or touch of a button protocols. With a simple touch, YubiKey protects access to computers, networks, and online services for everyone from • Works instantly with no need to re-type passcodes -- individual consumers to the world’s largest organizations. replacing SMS texts, authenticator apps, RSA tokens, YubiKey Edge and YubiKey Edge-n work on Microsoft and similar devices Windows, Mac OS X, and Linux operating systems, and on major browsers. • Identifies as a USB keyboard -- no client software or drivers need to be installed, no batteries, no moving parts -- and works over USB Product Identification Information • Crush- and water-resistant, YubiKey Edge and YubiKey YubiKey Edge YubiKey Edge-n Edge-n are practically indestructible during normal use Size 18mm x 45mm x 3mm 12mm x 13mm x 3mm • YubiKey Edge weighs only 3g, and attaches to your Weight 3g 1g keychain alongside your house and car keys while YubiKey Edge-n fits inside a USB port FIDO Certified™ Yes Yes ECCN 5A992.a ECCN 5A992.a BIS Classification • Manufactured in USA and Sweden with high security CCATS G153476 CCATS G153476 and quality yubico.com One key many services: YubiKey Edge and YubiKey Edge -n Where Can You Use and easily using your own tools or Gmail, GitHub, or Dropbox accounts. Your YubiKey? tools from our enterprise partners.
    [Show full text]
  • Security Analysis of U2F Remember Me Implementations in the Wild Gwendal Patat, Mohamed Sabt
    Please Remember Me: Security Analysis of U2F Remember Me Implementations in The Wild Gwendal Patat, Mohamed Sabt To cite this version: Gwendal Patat, Mohamed Sabt. Please Remember Me: Security Analysis of U2F Remember Me Implementations in The Wild. Actes SSTIC 2020, 18ème Symposium sur la sécurité des technologies de l’information et des communications (SSTIC 2020), 2020, Rennes, France. hal-02865105 HAL Id: hal-02865105 https://hal.inria.fr/hal-02865105 Submitted on 11 Jun 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Please Remember Me: Security Analysis of U2F Remember Me Implementations in The Wild Gwendal Patat and Mohamed Sabt [email protected] [email protected] Univ Rennes, CNRS, IRISA Abstract. Users and service providers are increasingly aware of the security issues that arise because of password breaches. Recent studies show that password authentication can be made more secure by relying on second-factor authentication (2FA). Supported by leading web service providers, the FIDO Alliance defines the Universal 2nd Factor (U2F) protocols, an industrial standard that proposes a challenge-response 2FA solution. The U2F protocols have been thoughtfully designed to ensure high security.
    [Show full text]