What is U2F?
Universal 2nd Factor
Open standard
Physical device using USB, NFC or Bluetooth (depends on model)
Goal: Strong authentication and online privacy
Initially developed by Google and Yubico
Maintained by FIDO Alliance
Draft W3C standard (Web Authentication)
Support in Chrome (now), FF and Edge (soon)
Dashlane User Experience
Registering a U2F key
Request to add a key
Insert key in USB port
Push button on key (if present)
Done!
Dashlane User Experience
Login with a registered U2F key
Enter 1st authentication factor
Insert key in USB port
Push button on key (if present)
Done!
Base Challenge-Response protocol
Parties: FIDO Authenticator (USB key), FIDO Client (Browser or App), Relying Party (Website)
Relying Party: Generate and store random challenge
Relying Party -> Client: challenge
Client -> Authenticator: challenge
Authenticator: Sign challenge with private key
Authenticator -> Client: sig(challenge)
Client -> Relying Party: sig(challenge)
Relying Party: Verify signature with public key; validate data
Classic public/private key challenge-response
Uses ECC (Elliptic Curve Cryptography)
Registration challenge
Parties: FIDO Authenticator (USB key), FIDO Client (Browser or App), Relying Party (Website)
Relying Party: Generate and store random challenge
Relying Party -> Client: app id, challenge
Client -> Authenticator: app id, challenge
Authenticator: Generate key pair and key handle
Authenticator: Sign challenge, public key, app id and key handle
Authenticator -> Client: pub key, handle, sig(challenge, pub key, handle, app id)
Client -> Relying Party: pub key, handle, sig(challenge, pub key, handle, app id)
Relying Party: Verify signature; validate data; store pub key and handle in account
The authenticator generates a new public/private key pair for each registration
Additional data during registration:
Application id (in the challenge)
Public key + key handle (in the response)
Authentication challenge
Parties: FIDO Authenticator (USB key), FIDO Client (Browser or App), Relying Party (Website)
Relying Party: Find key handle in user account; generate and store random challenge
Relying Party -> Client: handle, app id, challenge
Client -> Authenticator: handle, app id, challenge
Authenticator: Find private key for key handle
Authenticator: Sign challenge and app id
Authenticator -> Client: sig(challenge, app id)
Client -> Relying Party: sig(challenge, app id)
Relying Party: Verify signature; validate data; grant access
Additional data during authentication:
Application id + key handle
Strong privacy
The only thing a successful authentication proves: the same U2F key was used for authentication and registration
No unique identifier for the key
New key pair generated at every registration
No reliance on a shared secret with the website (contrary to OTP)
A single U2F key can be used:
By the same user on 2 websites
By 2 users on 1 website
By 1 user creating 2 accounts on the same website
A website can't track the user by U2F key usage
Tracking is still possible by other means, of course
Protection against website security breach
OTP is vulnerable to a security breach
If the attacker steals the shared secret, they can generate valid passwords
If the attacker steals the U2F public key and key handle:
Public key cryptography makes them useless to the attacker
They can't compute the private key
So they can't authenticate on the legitimate site
Protection against MITM or Phishing
Attacker intercepts and forwards user’s requests
Phishing mail with link to hacker’s site mimicking legitimate site
DNS spoof to redirect goodsite.com to hacker’s server
…
OTP is vulnerable
One-Time Passwords are still passwords
If the attacker can use it before the user, he wins
Protection against MITM or Phishing
The U2F challenge message contains the legitimate site's app id
If the attacker doesn't change the app id (https://goodsite.com):
The browser knows the challenge comes from the wrong site (https://hacker.com) or over the wrong protocol (http://goodsite.com via DNS spoofing)
The browser denies usage of the U2F key
If the attacker changes the app id:
The U2F key signs the attacker's app id with its private key
The legitimate site can see that the app id in the response doesn't match its own
Support for unlimited number of websites
OTP requires client and server to share a secret
Not a problem for software clients (e.g. Google Authenticator)
Cheap hardware has very limited storage
YubiKeys using OTP support at most 2 sites
The U2F private key is retrieved from the key handle
Software clients use the key handle as an index into a private key map
Hardware clients can encrypt part of the private key into the key handle
Uses no storage on the device, so very cheap devices are possible
Safe as long as nobody else can decrypt the key handle
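The registration and authentication flows from the earlier slides and the key-handle derivation from this one, as a single runnable model in Go; this is an added example, not code from the deck, from Dashlane or from the FIDO specifications, and it goes one step further than the slides in that the device itself refuses a handle presented under a different app id. Assumptions (all type and function names are invented here): the handle is a random 32-byte nonce plus an HMAC tag under a per-device master secret, the per-registration private scalar is derived by HMAC from the same inputs, and the attestation signature sent at registration is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Authenticator models a cheap U2F device: one master secret, no per-site storage.
type Authenticator struct{ master []byte }

// prf derives 32 bytes from (label, app id, nonce) under the device master secret.
func (a *Authenticator) prf(label, appID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, a.master)
	m.Write(append([]byte(label+appID), nonce...))
	return m.Sum(nil)
}
// keyFor rebuilds the private key behind a handle (nonce || MAC); nil if the MAC fails.
func (a *Authenticator) keyFor(appID string, handle []byte) *ecdsa.PrivateKey {
	if len(handle) != 64 || !hmac.Equal(handle[32:], a.prf("tag", appID, handle[:32])) {
		return nil // not issued by this device for this app id
	}
	d := new(big.Int).Mod(new(big.Int).SetBytes(a.prf("key", appID, handle[:32])), elliptic.P256().Params().N)
	x, y := elliptic.P256().ScalarBaseMult(d.Bytes()) // U2F signs with ECDSA over P-256
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, D: d}
}
// Register makes a fresh key pair and handle for appID; the relying party stores both.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, []byte) {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	handle := append(nonce, a.prf("tag", appID, nonce)...)
	return &a.keyFor(appID, handle).PublicKey, handle
}
// Authenticate signs challenge || app id with the key behind handle; nil if not ours.
func (a *Authenticator) Authenticate(appID string, handle, challenge []byte) []byte {
	k := a.keyFor(appID, handle)
	if k == nil {
		return nil
	}
	h := sha256.Sum256(append(append([]byte{}, challenge...), appID...))
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return sig
}
// VerifyAuth is the relying party's check: same digest, public key stored at registration.
func VerifyAuth(appID string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(append(append([]byte{}, challenge...), appID...))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because the signed data includes the app id, a signature the key produced for https://hacker.com never verifies at https://goodsite.com, and two registrations on the same site yield unrelated public keys, which is the unlinkability property from the privacy slide.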
We’re changing the world… one password at a time
Dashlane wants to make identity and payment simple and secure everywhere!
Want to be a part of life in the Dashlane?
Visit dashlane.com/jobs for all the info!
Dashlane is a premier, award-winning password manager and digital wallet, intrinsically designed to make identity and payments simple and secure on every website and every device.
We're a rapidly growing tech startup using the world's best security and privacy architecture to simplify the lives of more than 3 billion Internet users worldwide.
Since our first product launch in 2013, our brilliant team of engineers and developers tirelessly work on new coding challenges, build code using the latest up-to-date frameworks for native development across desktop and mobile, use cutting-edge web service architecture, and are at the forefront of building applications that help millions of people every day!
So far, all of our hard work has been paying off! Dashlane was recently recognized by Google as one of the "Best of 2015" apps! Google also recognized our Android password manager as an Editors' Choice winner on the Google Play Store, and selected Dashlane to demo its adoption of Android M fingerprint technology at Google I/O!
We work with the latest technology!
See our code in action! Check out some of our projects on Github: Github.com/Dashlane
In addition, each member of the Dashlane team can take some time to share his insights in tech conferences and become a thought leader in the tech community.
Alexis Fogel @ Droid Con: Goo.gl/7h4guk
Emmanuel Schalit @ The Dublin Web Summit: Goo.gl/M4H7vg
Emmanuel Schalit @ Le Wagon: Goo.gl/kvPLG0
Desktop Mobile Web App/Server Security
Dashlane is dedicated to building high-quality user experiences on Mobile, Desktop, and on the web using the latest up-to-date technologies and languages.
Ready to join #LifeInTheDashlane?
We're filling our ranks from top to bottom with some of the smartest and friendliest developers and engineers in the industry! Come join us!
Visit Dashlane.com/jobs to learn more about joining the Dashlane team!
Also visit us here:
Dashlane.com/stackoverflow
Dashlane.com/linkedin
Dashlane.com/vimeo
Dashlane.com/blog