WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
•
6 j'aime•2,136 vues
To view recording of this webinar please use the below URL: http://wso2.com/library/webinars/2015/12/fido-universal-second-factor-u2f-for-wso2-identity-server In this webinar, WSO2, Yubico co-creator of U2F, and WSO2's premier integrator Yenlo explain the technology, discuss the use cases for strong authentication, and demonstrate the power and ease-of-use of the U2F security key. WSO2 will present the Authentication framework of WSO2 Identity server, Multi factor and Multi step authentication configuration and more.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (18)
Similaire à WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
Similaire à WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server (20)
Plus de WSO2
Plus de WSO2 (20)
Dernier
Dernier (20)
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
- 1. FIDO Universal Second Factor (U2F) for WSO2 Iden9ty Server Ishara Karunarathna, Senior Software Engineer, WSO2 Jerrod Chong, Solutions Team leader, Yubico Rob Blaauboer, Integration Consultant Yenlo December 8th 2015
- 2. About the presenters 2 Ishara Karunarathna Senior So3ware Engineer, WSO2 Ishara is a Senior So,ware Engineer at WSO2 and a key member of WSO2 Iden:ty server team, contribu:ng towards the Iden:ty Server and WSO2's plaBorm security. He has par:cipated in several customer engagements helping them to realize enterprise use cases and to build solu:ons On top of WSO2 plaBorm. Jerrod Chong Solu>ons Team leader, Yubico Jerrod leads the Solu:ons team at Yubico with over fi,een years of experience specializing in enterprise security solu:ons. He works with small, medium and enterprise customers to consult and build open scalable security solu:ons. Jerrod is also an ac:ve contributor in the FIDO Alliance U2F technical working group and security cer:fica:on development commiNee. Rob Blaauboer Senior Consultant, Yenlo Rob is a Senior Business Consultant and Solu:on Architect with more than twenty years experience. In addi:on to his work he is an ac:ve blogger working on a number of ar:cles on the 'Internet of Things' and a WSO2 'GeTng Started with ...' series in which he talks about WSO2 components and their purpose especially aimed at non technical readers.
- 3. 3 • Global enterprise, founded in 2007 with an interna>onal focus on delivering integra>on solu>ons based on Java open source • #1 in the field of Integra:on Solu:ons • #1 in Managed Services for middleware environments • #1 Global Strategic Alliance partner of WSO2 • WSO2 Product Support • WSO2 Development • WSO2 QuickStarts • WSO2 Training & Cer:fica:ons • WSO2 24/7 Managed Services • WSO2 Events About Yenlo
- 4. What Yenlo delivers 4 Enterprise Architecture So,ware Development Managed Services WSO2 Product Support WSO2 Development Support WSO2 QuickStart WSO2 Training & Cer:fica:ons WSO2 Managed Services WSO2 Events
- 5. Agenda 5 Making WSO2 Iden>ty Server more secure with FIDO UAF & U2F • Our security is at risk • introduction to FIDO and Why FIDO U2F •Introduction WSO2 IS • Demo • Benefits of the solution • Q&A
- 6. Our security is at risk
- 7. Making it more secure Starts at the basis! Access to a mail service enables a hacker to access many more systems Gmail supports Fido and other 2nd factors Sensitive information should be secured
- 8. What is a factor? o Something you know is for instance as password or even a username o Something you have is a smartcard, token or smartphone o Something you are is your face, voice and fingerprint (and many more, even the way you type) o The more factors the better
- 9. Depending on the use case the level of security needs to be higher o Logging in to a news website: userId and password o Logging in to an eCommerce website like Amazon: userId and password and the option to increase the level of security o Logging into your internet banking or government services: userId and password and a challenge / response
- 10. 10 FIDO Universal 2nd Factor Simple, secure, open and scalable 2FA
- 11. 11 Benefits of U2F Over Other 2FA One device, many sites, with no shared secrets Open standard, platform/ browser support (no client, no driver) Protection against phishing and MitM
- 12. 12 Stats from Google Deployment U2F vs Google Authenticator ● 4x faster to login ● Support reduced by 40% ● Significant fraud reduction
- 13. 13 Online services Chip providers Device providers Biometrics technology Enterprise servers Open source sw/servers Mobile apps & clients Browsers FIDO U2F Ecosystem 250+ Members
- 14. 1414 Server sends challenge 1 Server receives and verifies device signature using aNesta:on cert 5 Key handle and public key are stored in database 6 Device generates key pair 2 Device creates key handle 3 Device signs challenge + client info 4 Server sends challenge + key handle 1 Server receives and verifies using stored public key 4 Device unwraps/derives private key from key handle 2 Device signs challenge + client info 3 Authentication IndividualwithU2FDevice Relying Party Registration
- 15. 15 Relying Party User Side U2F Code USB (HID) API U2F JS APISecure U2F Element (optional) Transport USB (HID) Web Application U2F Library Public Keys + Key Handles + Certificates User Action FIDO Client Browser U2F Authenticator U2F Entities NFC API Bluetooth API NFC Bluetooth
- 17. 17 U2F Device Client Relying Party challenge challenge Sign with kpriv signature(challenge) s Check signature (s) using kpub s Lookup kpub Authentication
- 18. 18 U2F Device Client Relying Party challenge challenge, origin, channel id Sign with kpriv signature(c) c, s Check s using kpub Verify origin & channel id s Lookup kpub Phishing/MitM Protection
- 19. 19 U2F Device Client Relying Party handle, app id, challenge h, a; challenge, origin, channel id, etc. c a Check app id Lookup the kpriv associated with h Sign with kpriv signature(a,c) c, s Check s using kpub Verify origin & channel id s h Lookup the kpub associated with h Application-Specific Keys
- 20. 20 U2F Device Client Relying Party app id, challenge a; challenge, origin, channel id, etc. c a Check app id Generate: kpub kpriv handle h kpub, h, attestation cert, signature(a,c,kpub,h) c, kpub, h, attestation cert, s Associate kpub with handle h for user s Registration + Device Attestation
- 21. 21 Original DB Original Database user_id Password# JohnDoe 4^hfd;`gpo U2F Database U2F DB Relation Relying Party user_id Meta U2F Data JohnDoe Yubico, Security Key, USB Key handle, public key, certificate JohnDoe Yubico, YubiKey NEO, USB + NFC Key handle, public key, certificate Adding U2F Support
- 22. Yubico - inventors of the YubiKey Find out more at yubi.co
- 23. Introduc>on WSO2 Iden>ty Server
- 24. What is WSO2 Identity Server An open source Identity & Entitlement management server o 100% free and open source with commercial support o Lightweight and high performance o Highly modular and extensible o User friendly with minimal learning curve o Based on open standards
- 25. Authentication framework o No more federation silos or spaghetti identity anti-patterns o Multi-option and multi--step authentication o Authentication Bridge o Provisioning Bridge
- 27. Local and federated authentication
- 28. FIDO U2F implementation in Identity server o Implements the U2F authentication via local authenticator
- 29. FIDO U2F implementation in Identity server o Implements the U2F registration via user dashboard
- 30. ADDING FIDO TO A LOGIN SEQUENCE
- 31. Demo scenario o Prerequisites for the demo o Start WSO2 Identity Server 5.1.0 o Log in on User Dashboard o Add U2F device (Yubico)
- 32. Secure Single Sign-On solution
- 33. Demo …….
- 34. FIDO AND WSO2 IDENTITY SERVER: WHAT ARE THE BENEFITS?
- 35. Making it more secure Fido is an open standard One key can be used for multiple applications + WSO2 is an open platform Integration is easy = Level of security increases Cost is relatively low
- 37. Thank you!