Google Case Study: Becoming Unphishable presented by Christiaan Brand

1. Proprietary + Confidential
Becoming Unphishable
Towards Simpler, Stronger Authentication
Christiaan Brand, Google

2. Largest and most
secure infrastructure

3. Proprietary + Confidential
Mobile UI
Application
Network
Software
Hardware
Google Security Stack

4. Tomorrow
We work on
Quantum resistant
encryption
Abuse & Spam
Used machine
learning to solve
Today less than
0.001% spam in
your Gmail inbox
Security
Supply Chain
Built from the
ground up
Manufactured our
own components

5. Today we tackle authentication

6. Proprietary + Confidential
Protect Yourself And Your Users
It's easier than you think for someone to steal a password
Password Reuse Phishing Interception
Social Media
BANK

7. Proprietary + Confidential
123456
Most popular password in 2015
Source: SplashData:
https://www.teamsid.com/wor
st-passwords-2015/
password
2nd most popular password in 2015

8. Proprietary + Confidential
76%
of account
vulnerabilities were due
to weak or stolen
passwords
43%
success rate
for a well designed
phishing page
goo.gl/YYDM79

9. Proprietary + Confidential
SMS Usability
Coverage Issues,
Delay, User Cost
Device Usability
One Per Site,
Expensive, Fragile
User Experience
Users find it hard
Phishable
OTPs are increasingly
phished
$
?
Today: The reality of One Time Passwords

10. Proprietary + Confidential
Introducing FIDO U2F
Your Password
Security Key
Account Data

11. Core idea - Standard public key cryptography
● User's device mints new key pair, gives public key to server
● Server asks user's device to sign data to verify the user.
● One device, many services, "bring your own device" enabled
Based on Asymmetric Cryptography

12. Google’s Experience

13. ● Enterprise use case
○ Mandated for Google employees
○ Corporate SSO (Web)
○ SSH
○ Forms basis of all authentication
● Consumer use case
○ Available as opt-in for Google consumers
○ Adopted by other relying parties too: Dropbox, Github
Deployment at Google

14. Time to authenticate

15. Time to authenticate

16. Second factor support incidents

17. Second factor support incidents

18. We’re not quite done

19. Proprietary + Confidential
Does this work
with a mobile?
How do we deploy
this at scale?
What if they
lose their key?
We are not there yet for the Enterprise

20. Proprietary + Confidential
Making progress towards stronger authentication
Productizing FIDO U2F

21. Proprietary + Confidential
Demo: Bootstrapping account

22. How can you get started?

23. Proprietary + Confidential
● Internal enterprise authentication (B2B)
Authenticate to your own web applications, mobile applications, etc
● Authenticate to your service providers
(“token necklace”)
U2F works well in a non-federated environment
Complete isolation between various RPs
● External customer authentication
Authenticate your high-value customers using U2F
FIDO U2F use cases

24. Proprietary + Confidential
Resources
● To use with Google
Enable 2-Step Verification on your account
Go to: https://security.google.com
Click: 2-Step Verification
Click on the Security Keys tab
● Also use with GitHub, Dropbox, SalesForce
● And / or play with some code
https://github.com/google/u2f-ref-code
https://developers.yubico.com/U2F/Libraries/List_of_libraries.html

25. Proprietary + Confidential
Questions?