To view recording of this webinar please use the below URL:
http://wso2.com/library/webinars/2015/12/fido-universal-second-factor-u2f-for-wso2-identity-server
In this webinar, WSO2, Yubico (co-creator of U2F) and WSO2's premier integrator Yenlo explain the technology, discuss the use cases for strong authentication, and demonstrate the power and ease of use of the U2F security key. WSO2 presents the authentication framework of WSO2 Identity Server, multi-factor and multi-step authentication configuration, and more.
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
1. FIDO Universal Second Factor (U2F) for WSO2 Identity Server
Ishara Karunarathna, Senior Software Engineer, WSO2
Jerrod Chong, Solutions Team leader, Yubico
Rob Blaauboer, Integration Consultant, Yenlo
December 8th 2015
2. About the presenters
Ishara Karunarathna, Senior Software Engineer, WSO2
Ishara is a Senior Software Engineer at WSO2 and a key member of the WSO2 Identity Server team, contributing towards the Identity Server and WSO2's platform security. He has participated in several customer engagements, helping them to realize enterprise use cases and to build solutions on top of the WSO2 platform.
Jerrod Chong, Solutions Team leader, Yubico
Jerrod leads the Solutions team at Yubico with over fifteen years of experience specializing in enterprise security solutions. He works with small, medium and enterprise customers to consult and build open, scalable security solutions. Jerrod is also an active contributor in the FIDO Alliance U2F technical working group and security certification development committee.
Rob Blaauboer, Senior Consultant, Yenlo
Rob is a Senior Business Consultant and Solution Architect with more than twenty years' experience. In addition to his work he is an active blogger, working on a number of articles on the 'Internet of Things' and a WSO2 'Getting Started with ...' series in which he talks about WSO2 components and their purpose, especially aimed at non-technical readers.
3. About Yenlo
• Global enterprise, founded in 2007 with an international focus on delivering integration solutions based on Java open source
• #1 in the field of Integration Solutions
• #1 in Managed Services for middleware environments
• #1 Global Strategic Alliance partner of WSO2
• WSO2 Product Support
• WSO2 Development
• WSO2 QuickStarts
• WSO2 Training & Certifications
• WSO2 24/7 Managed Services
• WSO2 Events
4. What Yenlo delivers
• Enterprise Architecture
• Software Development
• Managed Services
• WSO2 Product Support
• WSO2 Development Support
• WSO2 QuickStart
• WSO2 Training & Certifications
• WSO2 Managed Services
• WSO2 Events
5. Agenda
Making WSO2 Identity Server more secure with FIDO UAF & U2F
• Our security is at risk
• Introduction to FIDO and why FIDO U2F
• Introduction to WSO2 IS
• Demo
• Benefits of the solution
• Q&A
7. Making it more secure
It starts with the basics!
Access to a mail service enables a hacker to access many more systems.
Gmail supports FIDO and other second factors.
Sensitive information should be secured.
8. What is a factor?
o Something you know is, for instance, a password or even a username
o Something you have is a smartcard, token or smartphone
o Something you are is your face, voice or fingerprint (and many more, even the way you type)
o The more factors, the better
9. Depending on the use case, the level of security needs to be higher
o Logging in to a news website: user ID and password
o Logging in to an eCommerce website like Amazon: user ID and password, with the option to increase the level of security
o Logging in to your internet banking or government services: user ID and password and a challenge/response
11. Benefits of U2F Over Other 2FA
• One device, many sites, with no shared secrets
• Open standard, platform/browser support (no client, no driver)
• Protection against phishing and MitM
12. Stats from Google Deployment
U2F vs Google Authenticator
● 4x faster to login
● Support reduced by 40%
● Significant fraud reduction
13. FIDO U2F Ecosystem
250+ Members
• Online services
• Chip providers
• Device providers
• Biometrics technology
• Enterprise servers
• Open source sw/servers
• Mobile apps & clients
• Browsers
14. Registration and Authentication (Individual with U2F Device and Relying Party)
Registration
(1) Server sends challenge
(2) Device generates key pair
(3) Device creates key handle
(4) Device signs challenge + client info
(5) Server receives and verifies device signature using attestation cert
(6) Key handle and public key are stored in database
Authentication
(1) Server sends challenge + key handle
(2) Device unwraps/derives private key from key handle
(3) Device signs challenge + client info
(4) Server receives and verifies using stored public key
15. U2F Entities
Relying Party: Web Application, U2F Library, Public Keys + Key Handles + Certificates
User Side:
• Browser, running the FIDO Client: U2F JS API, U2F Code, USB (HID) API, NFC API, Bluetooth API
• Transport: USB (HID), NFC, Bluetooth
• U2F Authenticator: Secure Element (optional), User Action
19. Application-Specific Keys (authentication flow between Relying Party, Client and U2F Device)
Relying Party -> Client: handle h, app id a, challenge
Client: check app id
Client -> U2F Device: h, a, c (c = challenge, origin, channel id, etc.)
U2F Device: lookup the kpriv associated with h; sign with kpriv: s = signature(a, c)
U2F Device -> Client: s
Client -> Relying Party: c, s
Relying Party: lookup the kpub associated with h; check s using kpub; verify origin & channel id
20. Registration + Device Attestation
Relying Party -> Client: app id a, challenge
Client: check app id
Client -> U2F Device: a, c (c = challenge, origin, channel id, etc.)
U2F Device: generate kpub, kpriv and handle h
U2F Device -> Client: kpub, h, attestation cert, s = signature(a, c, kpub, h)
Client -> Relying Party: c, kpub, h, attestation cert, s
Relying Party: associate kpub with handle h for user
21. Adding U2F Support
Original Database (at the Relying Party)
user_id | Password#
JohnDoe | 4^hfd;`gpo
U2F Database (related to the original database by user_id)
user_id | Meta | U2F Data
JohnDoe | Yubico, Security Key, USB | Key handle, public key, certificate
JohnDoe | Yubico, YubiKey NEO, USB + NFC | Key handle, public key, certificate
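The registration and authentication exchanges of slides 14, 19 and 20, together with the per-user key handle + public key store of slide 21, as an added Go example that is not code from the webinar, WSO2 or Yubico. It assumes one possible key-wrapping scheme (key handle = nonce || HMAC tag, with the key pair re-derived from a device secret, the app ID and the nonce) and uses Ed25519 in place of U2F's P-256 ECDSA; the attestation certificate and the browser's own app id/origin check are left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Device struct{ devSecret []byte } // simulated U2F authenticator; its only stored secret
// prf binds every derived value to the app ID, so a handle registered with one
// site is useless to any other origin (the "Check app id" step on the slides).
func (d Device) prf(label string, appID, nonce []byte) []byte {
	m := hmac.New(sha256.New, d.devSecret)
	m.Write(bytes.Join([][]byte{[]byte(label), appID, nonce}, nil))
	return m.Sum(nil)
}
// msg is the signed data: app ID + SHA-256(client data); registration also signs kpub and h.
func msg(appID, clientData, handle []byte, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(clientData)
	if handle == nil { // authentication: only challenge/origin/channel id are covered
		pub = nil
	}
	return bytes.Join([][]byte{appID, h[:], pub, handle}, nil)
}
// Register (slide 20): h = nonce || tag, key pair derived from app ID and nonce,
// signature(a, c, kpub, h); the attestation certificate is left out here.
func (d Device) Register(appID, clientData []byte) (handle []byte, pub ed25519.PublicKey, sig []byte) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	handle = append(nonce, d.prf("tag", appID, nonce)...)
	priv := ed25519.NewKeyFromSeed(d.prf("seed", appID, nonce))
	pub = priv.Public().(ed25519.PublicKey)
	return handle, pub, ed25519.Sign(priv, msg(appID, clientData, handle, pub))
}
// Authenticate (slide 19): unwrap h, refuse it unless its tag was made for this
// app ID, re-derive kpriv and sign challenge + client info.
func (d Device) Authenticate(appID, handle, clientData []byte) ([]byte, error) {
	if len(handle) != 48 || !hmac.Equal(handle[16:], d.prf("tag", appID, handle[:16])) {
		return nil, errors.New("key handle is malformed or was not issued for this app id")
	}
	priv := ed25519.NewKeyFromSeed(d.prf("seed", appID, handle[:16]))
	return ed25519.Sign(priv, msg(appID, clientData, nil, nil)), nil
}
// RPVerify (slide 21): the relying party checks with the stored kpub; handle=nil for an assertion.
func RPVerify(appID, clientData, handle []byte, pub ed25519.PublicKey, sig []byte) bool {
	return ed25519.Verify(pub, msg(appID, clientData, handle, pub), sig)
}
```

Because the relying party stores only key handles and public keys, a copy of its U2F table gives an attacker nothing to replay, and a handle presented from a different app ID is rejected by the device before it signs anything.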
24. What is WSO2 Identity Server
An open source Identity & Entitlement management server
o 100% free and open source with commercial support
o Lightweight and high performance
o Highly modular and extensible
o User friendly with minimal learning curve
o Based on open standards
25. Authentication framework
o No more federation silos or spaghetti identity anti-patterns
o Multi-option and multi-step authentication
o Authentication Bridge
o Provisioning Bridge
34. FIDO AND WSO2 IDENTITY SERVER: WHAT ARE THE BENEFITS?
35. Making it more secure
FIDO is an open standard; one key can be used for multiple applications
+
WSO2 is an open platform; integration is easy
=
The level of security increases; the cost is relatively low