Authentication at Web Scale
Sam Srinivas, Product Management Director, Information Security, Google
Google Confidential and Proprietary
Two main ideas we will cover
1. It's pretty messy out there with passwords ○ It's hard to get people to change habits
2. But technology shifts can help make authentication: ○ easy to use ○ more secure than ever before
Reality Check
How do people pick passwords?
Average Internet user has > 30 accounts
Coping with yet another Internet account?
Reuse existing password
Bad idea! ● Datacenter intrusion, SQL injection ● Salting and hashing defeated by GPU power
What we see: Attacker trying 1 million different accounts every single day for weeks!
Other attacks
Let's say: ● you use a password manager ● or, you write down your passwords ● you create a unique password for every account
Is that good enough?
Prerequisites for a reasonable trust decision
What is the URL bar?
What is a web app?
What is a browser?
Why don’t we let the browser tell you if something is wrong?
18% click-through rate on warning!
70% click-through rate on warning!
13-30% click-through rate on warning!
Even experts can slip up!!!
What does all this mean?
Things have to just work...
...You cannot expect trust decisions on a daily basis
Maybe during device setup time ● Maybe?
Enterprise: an IT admin should set policy decisions up front and replicate them to all new devices
How to make things just work?
1. Malware-resistant platforms
2. Secure communication channels: SSL deployment and certificate transparency
3. Non-stealable credentials
4. Out-of-band notifications, approvals, revocations
Let's talk about fixing credential theft
Risk Analysis
Risk Analysis: Very high success rate of detection for automated attacks.
However: ● Adversary can find answers with some research ● More friction for user who did something anomalous
2-Step Verification (google.com/2step)
Users opt-in to turn on extra protection using their phone ● One common Google account for Gmail, Drive, Google+
Standard 2nd Factor Approach
1. Something you know
2. Something you have
User configures verified phone number
Multiple ways to obtain code
SMS (sample code shown: 836026), Voice
Google Authenticator
Sign-in screen asking for code
How often to prompt?
Security vs usability tradeoff for users
Library vs. personal device
Challenges...
What if you lost your phone?
Check settings every quarter
Flexible Authentication UI
Google-authored apps work without App Passwords now!!!
Other issues...
Typing OTPs adds friction and errors
OTPs are still phishable
Can the UX friction and security issue be fixed together?
A solution: FIDO Universal 2nd Factor (U2F)
● One device, many services ● Easy: Insert and press button ● Safe: Un-phishable Security
Simple for Users
1. Userid & Password
2. Insert, press button
3. Successful sign-in
User self-registration
1. Userid & Password
2. Insert, press button
3. Backup options
4. Registration done
How does it work?
Registered public-key for user ● Eliminates secret from datacenter
Challenge response with private-key during Sign-In ● Or, periodic challenge for sensitive transactions
Sign something from the SSL session ● Thwart MITM by eliminating bearer tokens
Test-of-user-presence: button touch, NFC tap
What can we do to help adoption?
Driverless mode ● Direct access from browser with no middleware
One token works for multiple sites (infinite) ● Unique keypair for each registration event ● Private key never exposed outside Secure Element
Website integration is proposed through two JavaScript APIs ● Register and Sign ● UI completely within control of website
Standardization efforts: FIDO Alliance→W3C, IETF
Feature within 2-Step Verification
● Internal version deployed at Google for corp data access
● Will be available to all Google users not too far in future.
Human Factors...
Tangible feel of control over account with a key
Can passwords be reused now?
Can passwords be reduced to a PIN? ● People are used to ATM-card model ● Bring that to the web?
Can't this be built into my device?
Device-Centric Authentication
● Device can do public-key crypto for data sync
● User can do lightweight screen unlock
What happens to the password?
Might as well write it, lock it, and forget it!
How to bootstrap a new device? ● Can we use an older device to help bootstrap a newer device? (à la U2F)
Low probability event: user loses all devices ● Ask for “recovery password” ● Risk analysis, phone verification, time delay, ask old device for out of band approval
Getting it right is hard work
Authentication is complex if you want to get it right at scale
Needs: ● Implement device centric protocols ● Implement bootstrapping flows ● Risk analysis as a layer ● Account recovery ● Use beyond just sign-in, for transactional auth too!
If appropriate, relying parties can federate: ● Industry momentum behind OAuth 2.0 and OpenID Connect
What do we need to do collectively?
Work together to come up with standards for strong client to cloud authentication:
● Incorporate device as a second-factor ● Allow for simple and strong in-app authentication ● Allow for choice of device unlock: one size cannot fit all
Make human supplied credentials less catastrophic to lose!
Let’s seize this opportunity!
FIDO Alliance is the right forum!
Thank You
Comments to: Sam Srinivas [email protected]