1 of 19

Stronger Consumer Authentication

5-year report by Google

2 of 19

Shortlink

3 of 19

Progress in last 5 years

  • Strict two-factor login challenges & OpenID style login (as described 5 years ago)
  • Risk-based login challenges
  • OAuth in Native Apps

4 of 19

Bad news

  • Migration to OpenID is hard
  • Account recovery is our Achilles' heel
  • Bad guys evolve
    • More sophisticated attacks
    • More $$$ per attack, which increases the incentive to attack

5 of 19

Next 5 years

  • Setup, not sign-in
  • Tying down bearer tokens
  • Smarter hardware
  • Beyond bootstrapping
    • Unlocking
    • Confirmation of risky actions

6 of 19

Setup, not sign-in

  • Change sign-in to a once-per-device action, but make that one sign-in higher friction
  • Default to two factors for ALL users, not just those who opt in
  • Leverage adoption of smartphones and smart apps for OTPs and other tricks

7 of 19

OS Account Managers

  • Mental model of mobile is "Set up the device with an account"; desktop is "Sign in and out every few minutes"
  • What should the tablet model be? Why isn't that the model for all three?
  • Ugly truth: mobile apps get a consistent identity from the OS account manager, but the browser and websites do not. Need more plumbing.

8 of 19

Tying down bearer tokens

  • IETF ChannelID draft proposal
    • Client generates a public/private key pair per domain, on the fly
    • Server cookies are stamped with the client's public key, so a cookie presented over a channel with a different key is rejected
  • No additional user-facing UI
    • Google accounts doing this on Chrome today
  • Reduces the threat of cookies/tokens leaking on the client, the network, or the server: a copied cookie is useless without the private key
  • More to come: keys held in on-board TPMs, the same binding for OAuth tokens, ...
  • Future: tell Google your account cannot be used with bearer tokens at all
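A worked model of the cookie binding on this slide, added here as an illustration and not code from the talk or from Chrome/Google. The per-origin client key, the nonce-signing proof of possession and the session.channelID.mac cookie layout are this example's own assumptions: real Channel ID proves possession of the key inside the TLS handshake, and the cookie format is whatever the server chooses. The point the code makes is that a thief who copies the cookie cannot present it over a channel with a different key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Client keeps one P-256 key per origin, generated on first contact (hypothetical
// stand-in for the key Channel ID keeps inside the TLS stack).
type Client struct{ keys map[string]*ecdsa.PrivateKey }

func NewClient() *Client { return &Client{keys: map[string]*ecdsa.PrivateKey{}} }

// ProveChannel stands in for the TLS-level proof of possession: the client signs
// the server's per-connection nonce with its key for that origin.
func (c *Client) ProveChannel(origin string, nonce []byte) (*ecdsa.PublicKey, []byte) {
	k, ok := c.keys[origin]
	if !ok {
		var err error
		k, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(err)
		c.keys[origin] = k
	}
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	must(err)
	return &k.PublicKey, sig
}

// ChannelID is the SHA-256 of the DER-encoded public key: the value stamped into the cookie.
func ChannelID(pub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	must(err)
	sum := sha256.Sum256(der)
	return sum[:]
}

// Server issues cookies of the form session.channelID.mac; the HMAC stops anyone
// from editing either the session ID or the channel ID.
type Server struct {
	Origin string
	macKey []byte
}

func (s *Server) mac(payload string) []byte {
	m := hmac.New(sha256.New, s.macKey)
	m.Write([]byte(payload))
	return m.Sum(nil)
}

func (s *Server) IssueCookie(session string, cid []byte) string {
	payload := session + "." + base64.RawURLEncoding.EncodeToString(cid)
	return payload + "." + base64.RawURLEncoding.EncodeToString(s.mac(payload))
}

// Authenticate accepts the cookie only over a channel whose key matches the one
// stamped into it at issue time.
func (s *Server) Authenticate(cookie string, nonce []byte, pub *ecdsa.PublicKey, sig []byte) (string, error) {
	p := strings.Split(cookie, ".")
	if len(p) != 3 {
		return "", errors.New("malformed cookie")
	}
	want, err := base64.RawURLEncoding.DecodeString(p[2])
	if err != nil || !hmac.Equal(s.mac(p[0]+"."+p[1]), want) {
		return "", errors.New("cookie MAC mismatch")
	}
	h := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("channel proof invalid")
	}
	if cid, _ := base64.RawURLEncoding.DecodeString(p[1]); !bytes.Equal(cid, ChannelID(pub)) {
		return "", errors.New("cookie bound to a different channel")
	}
	return p[0], nil
}

func nonce() []byte { n := make([]byte, 32); _, err := rand.Read(n); must(err); return n }

// ReplayDemo: the victim signs in and receives a bound cookie; a thief who copied it
// (malware, network, server log) presents it over their own channel.
func ReplayDemo() (victimOK, thiefOK bool) {
	srv := &Server{Origin: "https://accounts.example.com", macKey: []byte("constructed-server-mac-key")}
	victim, thief := NewClient(), NewClient()
	n1 := nonce()
	pub, sig := victim.ProveChannel(srv.Origin, n1)
	cookie := srv.IssueCookie("SID-victim", ChannelID(pub))
	_, err := srv.Authenticate(cookie, n1, pub, sig)
	victimOK = err == nil
	n2 := nonce()
	tpub, tsig := thief.ProveChannel(srv.Origin, n2)
	_, err = srv.Authenticate(cookie, n2, tpub, tsig)
	thiefOK = err == nil
	return victimOK, thiefOK
}

func main() { fmt.Println(ReplayDemo()) }
```

Running it prints `true false`: the victim's own channel is accepted, the stolen cookie is not. Because the check compares the channel ID in the cookie against the key that just proved possession, leaking the cookie alone (the "client/network/server" bullet above) no longer yields a usable session; the attacker would also need the device's private key, which is exactly what moving it into a TPM is meant to make hard.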

9 of 19

Smarter Hardware

  • Smartphone apps to generate OTPs
  • But why not go further?
    • For example...

10 to 13 of 19 (image-only slides, no text)

14 of 19

Smarter Hardware

  • Improved usability and stronger protection against phishing of OTPs
  • But social engineering attacks still possible
  • So how do we go beyond even that?

15 of 19

Android-Chrome-Android

  • Use Google device A to bootstrap device B using NFC.
    • Android->Chrome
    • Android->Android
  • But what about non-Google devices?
  • Need standards
    • FIDO U2F working group (the "Gnubby" of Google's internal terminology)
  • Need more backwards compatibility
    • USB tokens, not just NFC (with TPMs)
  • Future: Tell Google your account can only be added to a device this way
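Why a U2F-style token resists the phishing that still works against app-generated OTPs (the "smarter hardware" slides above), shown as an added example that is neither the talk's nor FIDO's code. The TOTP half follows RFC 6238; the token half is a simplified model in which the browser, not the web page, tells the token which origin is asking and that origin goes under the signature. The hostnames, the OTP seed and the challenge are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TOTP (RFC 6238, HMAC-SHA1, 6 digits, 30 s step) at a given Unix time: what a
// phone OTP app displays. The code carries no information about who asked for it.
func TOTP(secret []byte, unix int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// OTPAccepts is all the real site can check: that the digits fit this time step.
func OTPAccepts(secret []byte, unix int64, code string) bool {
	return hmac.Equal([]byte(TOTP(secret, unix)), []byte(code))
}

// Token is a U2F-style authenticator holding a P-256 key for one relying party.
type Token struct{ Key *ecdsa.PrivateKey }

func NewToken() *Token {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Token{k}
}

// Assertion is the token's signature over (origin, challenge). The origin comes
// from the browser, so a phishing page cannot claim to be the real site.
type Assertion struct {
	Origin    string
	Challenge []byte
	Sig       []byte
}

func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

func (t *Token) Sign(origin string, challenge []byte) Assertion {
	sig, err := ecdsa.SignASN1(rand.Reader, t.Key, signedData(origin, challenge))
	if err != nil {
		panic(err)
	}
	return Assertion{Origin: origin, Challenge: challenge, Sig: sig}
}

// RPAccepts is the relying party's check: its own origin, its own challenge, and a
// valid signature from the enrolled key over both.
func RPAccepts(rpOrigin string, pub *ecdsa.PublicKey, challenge []byte, a Assertion) bool {
	if a.Origin != rpOrigin || !bytes.Equal(a.Challenge, challenge) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(a.Origin, a.Challenge), a.Sig)
}

// PhishDemo: the user is on a look-alike site that relays everything to the real
// one in real time. Returns whether each relayed credential is accepted.
func PhishDemo() (otpRelayed, assertionRelayed bool) {
	const real = "https://accounts.example.com"
	const phish = "https://accounts-example.com.evil.example"
	secret := []byte("constructed-otp-seed") // shared with the phone at enrolment
	now := int64(1700000000)
	// OTP: the user types the code into the phishing page, which forwards it within
	// the same 30 s window. Nothing ties the code to the page that collected it.
	otpRelayed = OTPAccepts(secret, now, TOTP(secret, now))
	// U2F-style: the phishing page forwards the real site's challenge, but the browser
	// hands the token the page's true origin, which ends up under the signature.
	tok := NewToken()
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	assertionRelayed = RPAccepts(real, &tok.Key.PublicKey, challenge, tok.Sign(phish, challenge))
	return otpRelayed, assertionRelayed
}

func main() { fmt.Println(PhishDemo()) }
```

The output is `true false`: the relayed OTP passes, the relayed assertion does not, because the signature names the phishing origin and the real site refuses it. This is the "stronger protection against phishing of OTPs" claimed on slide 14; it does nothing against the social-engineering case where the user is talked into pressing the token on the genuine site, which is the gap the later slides are about.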

16 of 19

Beyond Bootstrapping

  • How does a user “unlock” a device that has already been connected to their account?
  • How does a user “confirm” highly risky actions that are being performed on a device that has already been connected to their account?

17 of 19

Unlocking

  • Mostly an OS problem
  • New techniques being tried
    • Facial recognition
    • Fingerprint scanners
    • etc.

18 of 19

Confirmation of risky actions

  • Want to transfer $100,000?
  • Traditional solution: Knowledge tests on the device (re-enter password)
  • Confirm the action on another device (smartphone app + PC browser)
  • Local device proofs
    • Facial recognition, fingerprint scanners (like previous slide)
    • Standards effort - FIDO OSTP group
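The "confirm on another device" option above, as an added example rather than code from the talk or from FIDO: the phone signs a digest of exactly the transfer it displayed, plus a per-request nonce the bank recorded, so an approval is useless for any other transfer and cannot be replayed. The bank, phone and account names and the amounts are constructed for the example, and the key enrolment is simplified to a single P-256 key per account.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Action is the transfer as the bank recorded it and as the phone displays it.
type Action struct {
	Account string
	Amount  int64 // whole dollars
	To      string
	Nonce   string // fresh per pending action; makes each confirmation single-use
}

// Digest is exactly what the phone signs: every field the user was shown.
func (a Action) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("transfer|%s|%d|%s|%s", a.Account, a.Amount, a.To, a.Nonce)))
	return h[:]
}

// Phone holds the key enrolled for this account. Approve is the "tap to confirm"
// step after the phone has shown the user the action it is about to sign.
type Phone struct{ Key *ecdsa.PrivateKey }

func EnrollPhone() *Phone {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Phone{k}
}

func (p *Phone) Approve(shown Action) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, shown.Digest())
	if err != nil {
		panic(err)
	}
	return sig
}

// Bank keeps enrolled phone keys and the actions awaiting confirmation.
type Bank struct {
	Phones  map[string]*ecdsa.PublicKey // account -> phone key
	pending map[string]Action           // nonce -> action
}

func NewBank() *Bank {
	return &Bank{Phones: map[string]*ecdsa.PublicKey{}, pending: map[string]Action{}}
}

// Request records the transfer the PC browser asked for and returns it with its
// nonce; this is what gets pushed to the phone for display.
func (b *Bank) Request(account string, amount int64, to string) Action {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	a := Action{Account: account, Amount: amount, To: to, Nonce: hex.EncodeToString(n)}
	b.pending[a.Nonce] = a
	return a
}

// Execute runs the pending action only if the confirmation signs that exact action.
func (b *Bank) Execute(nonce string, sig []byte) error {
	a, ok := b.pending[nonce]
	if !ok {
		return errors.New("no such pending action (already executed or never requested)")
	}
	pub, ok := b.Phones[a.Account]
	if !ok {
		return errors.New("no phone enrolled for this account")
	}
	if !ecdsa.VerifyASN1(pub, a.Digest(), sig) {
		return errors.New("confirmation does not cover this action")
	}
	delete(b.pending, nonce) // single use
	return nil
}

// SwapDemo: the user confirms a $100 transfer; malware on the PC then tries to
// reuse that confirmation for a $100,000 transfer, and to replay it.
func SwapDemo() (smallOK, reusedOK, replayedOK bool) {
	bank := NewBank()
	phone := EnrollPhone()
	bank.Phones["alice"] = &phone.Key.PublicKey
	small := bank.Request("alice", 100, "bob")
	sig := phone.Approve(small) // phone showed "$100 to bob", user tapped approve
	smallOK = bank.Execute(small.Nonce, sig) == nil
	big := bank.Request("alice", 100000, "mallory")
	reusedOK = bank.Execute(big.Nonce, sig) == nil    // different digest: signature fails
	replayedOK = bank.Execute(small.Nonce, sig) == nil // nonce already consumed
	return smallOK, reusedOK, replayedOK
}

func main() { fmt.Println(SwapDemo()) }
```

It prints `true false false`. What the code cannot show is the other half of the design: if malware on the PC rewrites the request to $100,000, the bank records that amount and the phone displays it, so the user sees the swap before approving. That property holds only because the phone renders the action from the bank's record and signs exactly what it rendered; a confirmation that merely signs an opaque nonce would approve whatever the PC submitted.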

19 of 19

What else will the next 5 years bring?

http://goo.gl/DFLnS

Eric Sachs

esachs@google.com