Sqrl and U2f As 2Fa for Cern Sso

EVALUATION AND IMPLEMENTATION OF SQRL AND U2F AS 2FA FOR CERN SSO

Presented by Azqa Nadeem (IT-DI-CSO)
Supervisors: Vincent Brillault (IT-DI-CSO), Stefan Lueders (IT-DI-CSO)

PROJECT GOALS
• Evaluation of SQRL and U2F
• Implementation of a feasible 2FA algorithm
• Integration with CERN Single Sign-On (SSO)

2ND FACTOR AUTHENTICATION
First factor:
• Username
• Password
Second factor:
• Cell phone
• Physical token
• Biometrics

CERN SINGLE SIGN-ON
Second-factor options already available:
• SMS
• Google Authenticator
• Yubikey
• Smartcard
Can we do better?

SQRL VS. U2F
• Secure Quick Reliable Login (SQRL)
• Universal 2nd Factor (U2F)

SECURE QUICK RELIABLE LOGIN (SQRL)
• Software-based authentication mechanism
• Aims to replace username/passwords
• Scan, tap or click on the QR code
But… is it secure? NO!!
• Vulnerable to a man-in-the-middle attack

UNIVERSAL 2ND FACTOR (U2F)
• Physical token
• Many-to-many relationship: one key – many services; one service – many keys
• Adopted by (vendor logos on the slide are not recoverable from the extraction)

THE STORY
Slides 14–15 are figure-only ("+ =" composition diagrams); their content is not recoverable from the extraction.
Slides 16–17 (architecture diagram):
• Web API exposing two endpoints: Register API and Authenticate API
• CERN Self Registration Service connected to the Register and Authenticate APIs

THANK YOU!
