
Page 1: Google Information Security Authentication at Web … Srinivas Product Management Director Information Security Google Authentication at Web Scale Google Confidential and Proprietary

Google Confidential and Proprietary

Sam Srinivas, Product Management Director, Information Security, Google

Authentication at Web Scale

Page 2:

Two main ideas we will cover

1. It’s pretty messy out there with passwords
   ○ It’s hard to get people to change habits

2. But technology shifts can help make authentication:
   ○ easy to use
   ○ more secure than ever before

Page 3:

Reality Check

Page 4:

How do people pick passwords?

Average Internet user has > 30 accounts

Coping with yet another Internet account?

Reuse existing password

Bad idea!
● Datacenter intrusion, SQL injection
● Salting and hashing defeated by GPU power

What we see: Attacker trying 1 million different accounts every single day for weeks!

Page 5:

Other attacks

Let’s say:
● you use a password manager
● or, you write down your passwords
● you create a unique password for every account

Is that good enough?

Page 6:

Prerequisites for reasonable trust decision

What is the URL bar?

What is a web app?

What is a browser?

Why don’t we let the browser tell you if something is wrong?

Page 7:

18% click-through rate on warning!

Page 8:

70% click-through rate on warning!

Page 9:

13-30% click-through rate on warning!

Page 10:

Even experts can slip up!!!

Page 11:

What does all this mean?

Page 12:

Things have to just work... You cannot expect trust decisions on a daily basis

Maybe during device setup time
● Maybe?

Enterprise: an IT admin should pre-set policy decisions and replicate them on all new devices

Page 13:

How to make things just work?

1. Malware-resistant platforms

2. Secure communication channels: SSL deployment and certificate transparency

3. Non-stealable credentials

4. Out-of-band notifications, approvals, revocations

Page 14:

Let’s talk about fixing credential theft

Page 15:

Risk Analysis

Very high success rate of detection for automated attacks.

However:
● Adversary can find answers with some research
● More friction for user who did something anomalous
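The risk-analysis layer described on this slide, together with the "1 million different accounts every single day" pattern from page 4, as an added example in Node.js. This is not code from the talk or from Google: the event format, the RFC 5737 sample addresses, the window and the threshold are all constructed assumptions, and the only point it demonstrates is the trade-off the slide names, namely that a source failing against many distinct accounts is treated as automated and pays the extra friction of a second factor.

```javascript
// Added example (not from the slides): a minimal risk-analysis layer that
// looks at a batch of sign-in attempts and flags sources that fail against
// many distinct accounts. Event shape, thresholds and addresses are assumed.

// Constructed sample events: one source cycling through 60 accounts with a
// single failed attempt each, and one normal user who mistyped once.
const SAMPLE_EVENTS = [
  ...Array.from({ length: 60 }, (_, i) => ({
    ts: 1700000000 + i,              // Unix seconds, constructed
    ip: '203.0.113.9',               // RFC 5737 documentation address
    account: `user${i}@example.com`,
    success: false,
  })),
  { ts: 1700000100, ip: '198.51.100.7', account: 'alice@example.com', success: false },
  { ts: 1700000105, ip: '198.51.100.7', account: 'alice@example.com', success: true },
];

// Assumed policy: a source that fails against this many distinct accounts
// inside the window is treated as automated.
const POLICY = { windowSeconds: 3600, distinctAccountThreshold: 20 };

// Per source IP: how many distinct accounts it failed against inside the
// window (measured back from the newest event in the batch), and a verdict.
function analyzeSources(events, policy = POLICY) {
  const bySource = new Map();
  const latest = Math.max(...events.map((e) => e.ts));
  for (const e of events) {
    if (e.success || latest - e.ts > policy.windowSeconds) continue;
    if (!bySource.has(e.ip)) bySource.set(e.ip, new Set());
    bySource.get(e.ip).add(e.account);
  }
  const verdicts = {};
  for (const [ip, accounts] of bySource) {
    verdicts[ip] = {
      distinctAccounts: accounts.size,
      verdict: accounts.size >= policy.distinctAccountThreshold ? 'challenge' : 'allow',
    };
  }
  return verdicts;
}

// Decision for one new attempt: the password check still happens, but a
// flagged source must additionally pass a second factor. That is the
// "more friction for anomalous activity" cost the slide mentions.
function decide(attempt, verdicts) {
  const v = verdicts[attempt.ip];
  if (v && v.verdict === 'challenge') return 'require_second_factor';
  return 'password_only';
}
```

Sources never seen in the batch default to the plain password path, so the layer only adds friction where the batch gave a reason to; a production system would also score per-account signals (new device, new location) rather than only per-source volume.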

Page 16:

2-Step Verification

google.com/2step

Users opt-in to turn on extra protection using their phone
● One common Google account for Gmail, Drive, Google+

Page 17:

Standard 2nd Factor Approach

1. Something you know

2. Something you have

Page 18:

User configures verified phone number

Page 19:

Multiple ways to obtain code

SMS, Voice

Google Authenticator

Print

(sample code shown on the slide: 836026)

Page 20:

Sign-in screen asking for code

Page 21:

How often to prompt?

Library vs. Personal

Security vs usability tradeoff for users

Page 22:

Challenges….

Page 23:

What if you lost your phone?

Page 24:

Check settings every quarter

Page 25:

Flexible Authentication UI

Google-authored apps work without App Passwords now!!!

Page 26:

Other issues…

Typing OTPs adds friction and errors

OTPs are still phishable

Can the UX friction and security issue be fixed together?

Page 27:

A solution: FIDO Universal 2nd Factor (U2F)

● One device, many services
● Easy: Insert and press button
● Safe: Un-phishable Security

Page 28:

Simple for Users

1. Userid & Password
2. Insert, Press button
3. Successful Sign in

Page 29:

User self-registration

1. Userid & Password
2. Insert, Press Button
3. Backup Options
4. Registration Done

Page 30:

How does it work?

Registered public-key for user
● Eliminates secret from datacenter

Challenge response with private-key during Sign-In
● Or, periodic challenge for sensitive transactions

Sign something from the SSL session
● Thwart MITM by eliminating bearer tokens

Test-of-user-presence: button touch, NFC tap

Page 31:

What can we do to help adoption?

Driverless mode
● Direct access from browser with no middleware

One token works for multiple sites (infinite)
● Unique keypair for each registration event
● Private key never exposed outside Secure Element

Website integration is proposed through two JavaScript APIs
● Register and Sign
● UI completely within control of website

Standardization efforts: FIDO Alliance → W3C, IETF

Page 32:

Feature within 2-Step Verification

● Internal version deployed at Google for corp data access

● Will be available to all Google users not too far in future.

Page 33:

Human Factors...

Tangible feel of control over account with a key

Can passwords be reused now?

Can passwords be reduced to a PIN?
● People are used to ATM-card model
● Bring that to the web?

Page 34:

Can’t this be built into my device?

Device-Centric Authentication

● Device can do public-key crypto for data sync

● User can do lightweight screen unlock

Page 35:

Might as well write it, lock it, and forget it!

How to bootstrap new device?
● Can we use an older device to help bootstrap a newer device? (à la U2F)

Low probability event: user loses all devices
● Ask for “recovery password”
● Risk analysis, phone verification, time delay, ask old device for out-of-band approval

What happens to the password?

Page 36:

Getting it right is hard work

Authentication is complex if you want to get it right at scale

Needs:
● Implement device-centric protocols
● Implement bootstrapping flows
● Risk analysis as a layer
● Account recovery
● Use beyond just sign-in, for transactional auth too!

If appropriate, relying parties can federate:
● Industry momentum behind OAuth 2.0 and OpenID Connect

Page 37:

What do we need to do collectively?

Work together to come up with standards for strong client to cloud authentication:

● Incorporate device as a second-factor
● Allow for simple and strong in-app authentication
● Allow for choice of device unlock: one size cannot fit all

Make human supplied credentials less catastrophic to lose!

Let’s seize this opportunity!

FIDO Alliance is the right forum!

Page 38:

Comments to: Sam [email protected]

Thank You