Authentication at Web Scale
Sam Srinivas, Product Management Director, Information Security

Google Confidential and Proprietary

Two main ideas we will cover

1. It's pretty messy out there with:
   ○ It's hard to get people to change habits

2. But technology shifts can help make:
   ○ easy to use
   ○ more secure than ever before

Reality Check

How do people pick passwords?

Average Internet user has > 30 accounts

Coping with yet another Internet account?

Reuse existing

Bad idea!
● Datacenter intrusion, SQL injection
● Salting and hashing defeated by GPU power

What we see: Attacker trying 1 million different accounts every single day for weeks!

Other attacks

Let's say:
● you use a password manager
● or, you write down your passwords
● you create a unique password for every account

Is that good enough?

Prerequisites for a reasonable trust decision

What is the URL bar?

What is a web app?

What is a browser?

Why don’t we let the browser tell you if something is wrong?

18% click-through rate on warning!

70% click-through rate on warning!

13-30% click-through rate on warning!

Even experts can slip up!!!

What does all this mean?

Things have to just work...

...You cannot expect trust decisions on a daily basis

Maybe during device setup time
● Maybe?

Enterprise: an IT admin should pre-set policy decisions, and replicate them on all new devices

How to make things just work?

1. Malware-resistant platforms

2. Secure communication channels: SSL deployment and certificate transparency

3. Non-stealable credentials

4. Out-of-band notifications, approvals, revocations

Let's talk about fixing credential theft

Risk Analysis

Risk Analysis: Very high success rate of detection for automated attacks.

However:
● Adversary can find answers with some research
● More friction for a user who did something anomalous

2-Step Verification: google.com/2step

Users opt in to turn on extra protection using their phone
● One common Google account for Gmail, Drive, Google+

Standard 2nd Factor Approach

1. Something you know

2. Something you have

User configures verified phone number

Multiple ways to obtain the code:
● Print
● SMS (the slide shows a sample code, 836026)
● Voice
● Google

Sign-in screen asking for code

How often to prompt?

Security vs usability tradeoff for users

(Slide contrasts two situations: Library vs. Personal)

Challenges…

What if you lost your phone?

Check settings every quarter

Flexible Authentication UI

Google-authored apps work without App Passwords now!!!

Other issues…

Typing OTPs adds friction and errors

OTPs are still phishable

Can the UX friction and security issue be fixed together?

A solution: FIDO (U2F)

● One device, many services
● Easy: Insert and press button
● Safe: Un-phishable security

Simple for Users

1. Userid & Password
2. Insert, Press button
3. Successful Sign in

User self-registration

1. Userid & Password
2. Insert, Press Button
3. Backup Options
4. Registration Done

How does it work?

Registered public key for user
● Eliminates secret from datacenter

Challenge-response with private key during Sign-In
● Or, periodic challenge for sensitive transactions

Sign something from the SSL session
● Thwart MITM by eliminating bearer tokens

Test-of-user-presence: button touch, NFC tap

What can we do to help adoption?

Driverless mode
● Direct access from browser with no middleware

One token works for multiple sites (infinite)
● Unique keypair for each registration event
● Private key never exposed outside Secure Element

Website integration is proposed through two JavaScript APIs
● Register and Sign
● UI completely within control of website
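The registration and challenge-response flow from the "How does it work?" and "help adoption" slides above, as an added illustration in Go that is not Google's or the FIDO Alliance's code: a toy token that keeps one P-256 keypair per registered origin (here the appID string stands in for a key handle) and a relying-party check of user presence, counter and signature. Origin names and the client-data format are constructed for the example; the real protocol also folds the TLS channel ID into the client data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models a U2F-style authenticator: fresh keypair per registration, private keys never leave it, monotonic counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by appID (stands in for a key handle; constructed simplification)
	counter uint32
}

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register generates a unique keypair bound to appID; the relying party stores only the public key.
func (t *Token) Register(appID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.keys[appID] = priv
	return &priv.PublicKey
}

// digest = SHA-256(H(appID) || presence || counter || H(clientData)): origin and challenge are both bound into the signature.
func digest(appID string, presence byte, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.Sum256(append(append(append(app[:], presence), ctr[:]...), cd[:]...))
	return h[:]
}

// Sign answers a challenge. The browser, not the page, supplies appID (the origin it is
// really talking to), so a look-alike origin finds no matching key on the token.
func (t *Token) Sign(appID string, clientData []byte) (uint32, byte, []byte, error) {
	priv, ok := t.keys[appID]
	if !ok {
		return 0, 0, nil, fmt.Errorf("no key registered for %s", appID)
	}
	t.counter++ // presence=1 models the button touch (test of user presence)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(appID, 1, t.counter, clientData))
	return t.counter, 1, sig, err
}

// Verify is the relying party's check: presence flag set, counter advanced, signature valid for its own appID.
func Verify(pub *ecdsa.PublicKey, appID string, cd []byte, last, ctr uint32, presence byte, sig []byte) bool {
	if presence != 1 || ctr <= last {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(appID, presence, ctr, cd), sig)
}
```

Because nothing reusable crosses the wire, a stolen assertion fails on the counter and a signature made for one origin never verifies under another.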

Standardization efforts: FIDO Alliance→W3C, IETF

Feature within 2-Step Verification
● Internal version deployed at Google for corp data access
● Will be available to all Google users not too far in the future.

Human Factors...

Tangible feel of control over account with a key

Can passwords be reused now?

Can passwords be reduced to a PIN?
● People are used to the ATM-card model
● Bring that to the web?

Can't this be built into my device?

Device-Centric Authentication

● Device can do public-key crypto for data sync

● User can do lightweight screen unlock

What happens to the password?

Might as well write it, lock it, and forget it!

How to bootstrap a new device?
● Can we use an older device to help bootstrap a newer device? (à la U2F)

Low-probability event: user loses all devices
● Ask for "recovery password"
● Risk analysis, phone verification, time delay, ask old device for out-of-band approval

Getting it right is hard work

Authentication is complex if you want to get it right at scale

Needs:
● Implement device-centric protocols
● Implement bootstrapping flows
● Risk analysis as a layer
● Account recovery
● Use beyond just sign-in, for transactional auth too!

If appropriate, relying parties can federate:
● Industry momentum behind OAuth 2.0 and OpenID Connect

What do we need to do collectively?

Work together to come up with standards for strong client-to-cloud authentication:

● Incorporate the device as a second factor
● Allow for simple and strong in-app authentication
● Allow for choice of device unlock: one size cannot fit all

Make human supplied credentials less catastrophic to lose!

Let’s seize this opportunity!

FIDO Alliance is the right forum!

Thank You

Comments to: Sam Srinivas [email protected]
